SOC News: Article

One Article Review

Accueil - L'article:

Source	RiskIQ
Identifiant	8597716
Date de publication	2024-10-14 15:50:22 (vue: 2024-10-14 16:18:14)
Titre	Telekopye transitions to targeting tourists via hotel booking scam (Recyclage)
Texte	#### Géolocations ciblées - Amérique du Nord - Europe du Nord - Europe du Sud - Europe occidentale ## Instantané ESET Research a permis à un rapport sur Telekopye, une boîte à outils d'escroquerie utilisée pour frauder les gens sur les marchés en ligne, qui s'est désormais développé pour cibler des plateformes de réservation d'hébergement comme Booking.com et Airbnb. ## Description À l'origine découvert par ESET en 2023, Telekopye a été utilisé par des groupes d'escroquerie organisés pour voler des informations de paiement auprès des utilisateurs sans méfiance sur divers services en ligne, avec un accent récent sur le ciblage des réservations d'hébergement. Les escrocs, appelés Néandertaliens, fonctionnent via une structure bien organisée à l'aide de la boîte à outils Telekopye pour créer des e-mails de phishing, des messages SMS et des pages Web qui incitent les victimes à la saisie des informations de paiement.En 2024, ils ont commencé à compromettre les récits d'hôtels légitimes et de fournisseurs d'hébergement pour escroquer les utilisateurs en imitant de vrais détails de réservation, ce qui rend la fraude plus convaincante.Ce changement de mise au point a coïncidé avec la saison des fêtes d'été, au cours de laquelle les escroqueries sur le thème de l'hébergement ont dépassé les escroqueries du marché. Les groupes Telekopye améliorent continuellement leurs techniques, en utilisant des grattoirs Web et des chatbots pour accélérer le processus d'arnaque et interagir avec les victimes en temps réel.Les actions des forces de l'ordre ont conduit à des arrestations de certains membres clés, mais la boîte à outils reste une menace persistante à travers l'Europe et l'Amérique du Nord. ## Recommandations Microsoft recommande les atténuations suivantes pour réduire l'impact de cette menace. - Allumez [Protection en livraison du cloud] (https://learn.microsoft.com/en-us/defender-endpoint/linux-preférences) dans Microsoft Defender Antivirus ou l'équivalent de votre produit antivirus pour couvrir rapidement les outils d'attaquant en évolution et et et les outils d'attaquant en évolution rapide ettechniques.Les protections d'apprentissage automatique basées sur le cloud bloquent la majorité des menaces nouvelles et inconnues. - Exécuter [EDR en mode bloc] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=Magicti_TA_LearnDoc)Le défenseur du point final peut bloquer les artefacts malveillants, même lorsque votre antivirus non microsoft ne détecte pas la menace ou lorsque Microsoft Defender Antivirus fonctionne en mode passif.EDR en mode bloc fonctionne dans les coulisses pour corriger les artefacts malveillants qui sont détectés post-abri. - Autoriser [Investigation and Remediation] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=Magicti_TA_LearnDoc) en mode automatisé complet pour permettre à Microsoft DefenderPour que le point final prenne des mesures immédiates sur les alertes pour résoudre les violations, réduisant considérablement le volume d'alerte. - [Activé] (https://learn.microsoft.com/en-us/defender-endpoint/enable-ctrelled-folders) Accès aux dossiers contrôlés. - Assurez-vous que [Protection de stimulation] (https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-Or-Manage-Tamper-Protection) est activé dans Microsoft Defender pour Endpoint. - Activer [Protection réseau] (https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) dans Microsoft Defender pour le point de terminaison. - Suivez les recommandations de durcissement des informations d'identification dans la [vue d'ensemble du vol d'identification sur prémisse] (https://security.microsoft.com/Thereatanalytics3/9382203E-5155-4B5E-AF74-21562B1004D5/analyStrepo
Notes	★★★
Envoyé	Oui
Condensat	#### © 2023 2024 2024 21562b1004d5/analystreport 365/security/defender 4b5e 5155 access accessed accommodation accounts across action actions af74 against age airbnb alert alerts all allow america antivirus any are arrests artifacts attack attacker authority automated based been began behind block booking bookings breach breaches but can changes chatbots client cloud coincided com com/en com/en/eset com/microsoft com/threatanalytics3/9382203e common compromising configure content continuously controlled convincing copyright cover create credential criterion customers defend defender defraud delivered description details detect detected distribution does during edr email emails enable enabled endpoint endpoint/attack endpoint/automated endpoint/edr endpoint/enable endpoint/linux endpoint/prevent enforcement ensure entering equivalent eset europe even evolving executable expanded files focus folder folders follow following fraud from full geolocations ground groups hardening has have hits holiday hotel hotels https://learn https://security https://www hunting immediate impact improve information interact investigation investigations key law learndoc learning led legitimate like list local lsa lsass machine majority making malicious manage marketplace marketplaces meet members messages microsoft mimicking mitigations mode more neanderthals network new non north northern not now ocid=magicti online operate organized originally outpaced overview pages part passive payment people permission persistent phishing platforms post preferences premises prevalence prevent process product prohibited protection protection#how protections providers ransomware rapidly real recent recommendations recommends reduce reducing reduction reference#block references referred remains remediate remediation report reproduction research research/telekopye reseased reserved resolve rights rule rules run running scam scammers scams scams/ scenes scrapers season security services settings shift significantly site sms snapshot some southern speed steal stealing structure subsystem summer surface take tamper target targeted targeting techniques telekopye theft themed thereof threat threats through time toolkit tools tourists transitions trick trusted turn uncovered unknown unless unsuspecting us/defender used users using various victims view=o365 volume web webmail welivesecurity well western when which windows without works worldwide written xdr your
Tags	Ransomware Tool Threat Legislation
Stories
Move

Les reprises de l'article (1):

Source	RiskIQ
Identifiant	8597688
Date de publication	2024-10-14 14:53:34 (vue: 2024-10-14 15:18:10)
Titre	Water Makara Uses Obfuscated JavaScript in Spear Phishing Campaign, Targets Brazil With Astaroth Malware
Texte	#### Targeted Geolocations - Brazil - South America #### Targeted Industries - Consumer Retail - Government Agencies & Services - Critical Manufacturing ## Snapshot A recent spear phishing campaign dubbed Water Makara has been targeting businesses in Latin America, particularly in Brazil, with a notable focus on manufacturing, retail, and government sectors. ## Description This campaign exploits Astaroth, a well-known banking malware, which has resurfaced with new evasion techniques. Attackers send phishing emails that mimic official tax documents, preying on users\' urgency to file personal income taxes. These emails contain malicious ZIP files, which execute obfuscated JavaScript via mshta.exe, establishing a connection to a command-and-control (C&C) server. The infection begins when a user downloads and opens a ZIP file that contains an LNK file, which runs malicious commands, leading to Astaroth\'s installation. The malware employs various methods to evade detection, including using Base64 encoding and abusing legitimate Windows utilities. Attackers use a domain generation algorithm (DGA) to create multiple URLs that connect to the malware\'s C&C servers. ## Microsoft Analysis and Additional OSINT Context [First observed in 2017](https://malpedia.caad.fkie.fraunhofer.de/details/win.astaroth), Astaroth is an information stealer malware that has impacted users in Latin America, North America, and Europe. While the malware\'s capabilities and attributes have evolved over time, [Astorath employs](https://www.microsoft.com/en-us/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/?msockid=11175395187c6b993d06473919876a3b) a number of fileless techniques and abuses various legitimate process to run undetected on compromised machines, making it a pervasive threat. ## Recommendations Microsoft recommends the following mitigations to reduce the impact of this threat. - Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats. - Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. - Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume. - [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access. - Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint. - Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint. - Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) to defend against common credential theft techniques like LSASS access. - [Enable](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#bl
Notes	★★
Envoyé	Oui
Condensat	### #### ##references © 2017 2024 2024 21562b1004d5/analystreport 365/security/defender 4b5e 5155 abuses abusing access accessed action additional af74 against age agencies alert alerts algorithm all allow america analysis antivirus any are artifacts astaroth astorath attack attacker attackers attacks attributes authority automated banking base64 based been begins behind block brazil breach breaches businesses but c&c caad campai campaign can capabilities changes client cloud com/en com/microsoft com/threatanalytics3/9382203e command commands common components compromised configure connect connection consumer contain contains content context control controlled copyright cover create credential criterion critical customers de/details/win defend defender delivered description detect detected detection detections/hunting detects dga distribution documents does domain downloads dubbed edr email emails employs enable enabled encoding encyclopedia endpoint endpoint/attack endpoint/automated endpoint/edr endpoint/enable endpoint/linux endpoint/prevent ensure equivalent establishing europe evade evasion even evolved evolving exe executable execute exploits file fileless files first fkie focus folder folders follow following fraunhofer from full generation geolocations government hardening has have html https://learn https://malpedia https://security https://www immediate impact impacted including income industries infection information installation investigation investigations invisible javascript known land latest latin leading learndoc learning legitimate less like list living lnk local lsa lsass machine machines majority makara making malicious malware malware: manage manufacturing meet methods micro microsoft mimic mitigations mode more mshta msockid=11175395187c6b993d06473919876a3b multiple name=trojan:win32/astaroth network new non north not notable number obfuscated observable observable/ observed ocid=magicti off official opens osint over overview part particularly passive permission personal pervasive phishing post preferences premises prevalence prevent preying process product prohibited protection protection#how protections queries ransomware rapidly recent recommendations recommends reduce reducing reduction reference#block remediate remediation reproduction reserved resolve resurfaced retail rights rule rules run running runs scenes sectors security send server servers services settings significantly site snapshot south spear stealer stealing subsystem surface take tamper targeted targeting targets tax taxes techniques theft thereof these threat threats time tools trend trendmicro trojan:win32/astaroth trusted turn undetected unknown unless urgency urls us/defender us/research/24/j/water us/security/blog/2020/03/23/latest us/wdsi/threats/malware use used user users uses using utilities various view=o365 volume water webmail well when which windows without works worldwide written xdr your zip
Tags	Ransomware Malware Tool Threat Prediction
Stories
Move

L'article ressemble à 1 autre(s) article(s):

Src	Date (GMT)	Titre	Description	Tags	Stories	Notes
	2024-10-15 19:57:54	(Déjà vu) Beyond the Surface: the evolution and expansion of the SideWinder APT group (lien direct)	#### Targeted Geolocations - Bangladesh - Djibouti - Jordan - Malaysia - Maldives - Myanmar - Nepal - Pakistan - Saudi Arabia - Sri Lanka - Türkiye - United Arab Emirates - Afghanistan - France - China - India - Indonesia - Morocco - Middle East - North Africa - Sub-Saharan Africa - South Asia - Southeast Asia #### Targeted Industries - Government Agencies & Services - Defense - Diplomacy/International Relations - Education - Higher Education - Financial Services ## Snapshot SideWinder, also known as T-APT-04 or RattleSnake, is a highly active advanced persistent threat (APT) group that has been targeting entities in South and Southeast Asia since 2012. Its primary targets have included military and government institutions in countries such as Pakistan, Sri Lanka, and Nepal. Recently, SideWinder expanded its reach, launching new attacks on strategic infrastructures and other high-profile entities in the Middle East and Africa. ## Description A hallmark of SideWinder\'s newly observed activities is its use of spear-phishing emails to deliver malicious files, often Microsoft OOXML documents or ZIP archives containing malicious LNK files. Once these files are opened, they initiate a multi-stage infection process, which ultimately installs the StealerBot espionage tool. This tool is designed for post-compromise activities, such as stealing sensitive information, capturing screenshots, logging keystrokes, and stealing credentials. SideWinder\'s tactics include exploiting vulnerabilities like [CVE-2017-11882](https://security.microsoft.com/intel-explorer/cves/CVE-2017-11882/) through malicious RTF files. The group also utilizes public exploits, malicious scripts, and remote template injection. Their malware employs multiple evasion techniques, such as detecting sandboxes and using encrypted payloads to avoid detection. SideWinder\'s infrastructure includes numerous domains and servers, often hosted on virtual private servers (VPS) for short periods of time. The group primarily targets government, military, and infrastructure sectors, as well as diplomatic entities in several countries. While much is known about their initial infection techniques, according to Kapersky, their post-compromise operations remain less well-understood. ## Recommendations Microsoft recommends the following mitigations to reduce the impact of this threat. - Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats. - Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. - Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume. - [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access. - Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender fo	Ransomware Malware Tool Vulnerability Threat	APT-C-17	★★★