Home - Article:
Source |
RiskIQ |
Identifier |
8598402 |
Publication date |
2024-10-15 20:34:15 (viewed: 2024-10-15 21:12:45) |
Title |
UAC-0050: Cyber Espionage, Financial Crimes, Information and Psychological Operations |
Text |
#### Targeted geolocations
- Ukraine
## Snapshot
The Computer Emergency Response Team of Ukraine (CERT-UA) has been tracking UAC-0050, a cybercriminal group involved in espionage, financial theft and psychological operations. Between September and October 2024, UAC-0050 made at least 30 attempts to steal funds from Ukrainian enterprises and individual entrepreneurs.
## Description
Using tools such as Remcos and Tektonit RMS, UAC-0050 gained unauthorized access to accountants' computers, falsifying financial transactions to steal amounts ranging from tens of thousands to millions of hryvnias. Their attacks are sophisticated, leveraging various malware tools like Meduza Stealer, [Lumma Stealer](https://sip.security.microsoft.com/intel-profiles/33933578825488511C30B0728D3C4F8B5CA20E41C285A) and DarkTrack RAT. Stolen funds are typically converted to cryptocurrency to fund further attacks, including influence operations under the [Fire Cells Group](https://imi.org.ua/en/news/police-bomb-stherets-proved-false-and-Brand de la marque-Russian-IP-Addreses-I64294).
## Microsoft analysis and additional OSINT context
[UAC-0050](https://thehackernews.com/2024/01/uac-0050-group-using-new-phishing.html) is a threat actor active since 2020, primarily targeting Ukrainian government agencies. In previous campaigns they deployed the Remcos RAT malware through [phishing campaigns](https://cert.gov.ua/article/3804703), often impersonating the Security Service of Ukraine and distributing emails with malicious attachments. The group has previously used remote administration tools such as Remote Utilities. Their attacks appear to be motivated by espionage.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of the threat of information stealers.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new |
Tags |
Ransomware
Spam
Malware
Tool
Threat
The article does not appear to have been updated after its publication.
The article resembles 1 other article(s):
Src |
Date (GMT) |
Title |
Description |
Tags |
Stories |
Notes |
|
2024-10-16 20:34:29 |
(Déjà vu) Distribution of Meduza Stealer via Telegram, allegedly on behalf of Reserve+ technical support (direct link) |
## Snapshot
The Computer Emergency Response Team of Ukraine (CERT-UA) reported the distribution of malicious messages through the Telegram account @reserveplusbot, which was previously associated with the Reserve+ technical support. These messages urged recipients to install "special software" and included a ZIP file that ultimately delivered the Meduza Stealer malware.
## Description
The ZIP archive contained an executable that downloaded additional malware designed to steal various document types (.txt, .doc, .pdf, etc.) before deleting itself. To evade detection, the malware added its directory to Microsoft Defender's exclusion list using a PowerShell command (example: 'Add-MpPreference -ExclusionPath "%USERPROFILE%\yqpedcpefpenrwim"').
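The exclusion command quoted above is a useful detection point. As an added illustration (not from the CERT-UA report or Microsoft's write-up), the following Python script scans constructed PowerShell script-block log lines for Add-MpPreference -ExclusionPath calls and rates exclusions under user-writable folders as high severity; the Host=/User= log layout and the sample lines are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample lines loosely modelled on PowerShell script-block logging
# (Event ID 4104); the Host=/User= fields are an assumed log layout. The first
# line mirrors the command shape quoted in the CERT-UA report above.
SAMPLE_LOG = r'''
4104 Host=WS01 User=CORP\alice ScriptBlockText=Add-MpPreference -ExclusionPath "%USERPROFILE%\yqpedcpefpenrwim"
4104 Host=WS02 User=CORP\bob ScriptBlockText=Add-MpPreference -ExclusionPath 'C:\Users\bob\AppData\Roaming\kqzxvtrbnm' -Force
4104 Host=BUILD1 User=CORP\svc-build ScriptBlockText=Add-MpPreference -ExclusionPath "C:\Program Files\BuildAgent\work"
4104 Host=WS01 User=CORP\alice ScriptBlockText=Get-MpPreference
'''

# Add-MpPreference ... -ExclusionPath <value>, with the value double-quoted,
# single-quoted or bare.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b[^\n]*?-ExclusionPath\s+(?:\"([^\"]+)\"|'([^']+)'|(\S+))",
    re.IGNORECASE,
)
FIELD_RE = re.compile(r"\b(Host|User)=(\S+)")

# Locations a standard user can write to. Malware excludes its own drop folder
# here; administrators rarely have a reason to.
USER_WRITABLE = ("%userprofile%", "%appdata%", "%localappdata%", "%temp%",
                 "%tmp%", "\\users\\", "\\appdata\\", "\\temp\\")


def severity_for(path: str) -> str:
    """'high' for exclusions under user-writable locations, else 'review'."""
    low = path.lower()
    return "high" if any(marker in low for marker in USER_WRITABLE) else "review"


def find_exclusions(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per Add-MpPreference -ExclusionPath occurrence."""
    findings = []
    for line in log_text.splitlines():
        match = EXCLUSION_RE.search(line)
        if not match:
            continue
        path = next(g for g in match.groups() if g)  # whichever quoting style hit
        fields = dict(FIELD_RE.findall(line))
        findings.append({"host": fields.get("Host", "?"), "user": fields.get("User", "?"),
                         "path": path, "severity": severity_for(path)})
    return findings


if __name__ == "__main__":
    for f in find_exclusions(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['host']} {f['user']} excluded {f['path']}")
```

Defender also records exclusion changes itself (Microsoft-Windows-Windows Defender/Operational, Event ID 5007), so the same severity logic can be applied to that channel where script-block logging is not enabled.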
## Microsoft Analysis and Additional OSINT Context
The [Meduza Stealer](https://www.silentpush.com/blog/meduza-stealer/), first sold on a Russian-speaking dark web forum in June 2023, is a lightweight C++ malware known for its adaptability and competitive pricing. It targets Windows systems, stealing sensitive information like cookies, login credentials, and data from browser extensions, including password managers and cryptocurrency wallets. Meduza terminates itself if it detects the host machine is in specific countries, including Russia and many former Soviet republics, but otherwise connects to a command-and-control server for data exfiltration. Its advanced evasion techniques allow it to bypass most popular antivirus software, making it difficult to detect through both static and dynamic analysis. Meduza's operators use Telegram to communicate malware updates to their user base.
Read more [here](https://sip.security.microsoft.com/intel-explorer/articles/1bdfb795) about CERT-UA warning about recent cybercriminal activity using Meduza Stealer.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of the threat of information stealers.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Mic |
Ransomware
Spam
Malware
Tool
Threat
Technical