Home - The article:
Source |
RiskIQ |
Identifier |
8599884 |
Publication date |
2024-10-18 19:13:56 (viewed: 2024-10-18 20:16:55) |
Title |
Warning Against Phishing Emails Impersonating Major Korean Entertainment Agencies (Recycling) |
Text |
#### Targeted Geolocations
- Korea
## Snapshot
AhnLab Security Intelligence Center (ASEC) has reported that phishing emails impersonating major Korean entertainment agencies are being distributed in Korea. These emails attempt to trick recipients into clicking a link by claiming unauthorized use of their images in Facebook and Instagram advertisements.
## Description
The link downloads a Python-based [infostealer](https://security.microsoft.com/intel-profiles/2296d491ea381b532b24f2575f9418d4b6723c17b8a1f507d20c2140a75d16d6), which is disguised as a PDF by changing the icon and adding spaces in the file name to conceal the .EXE extension. When executed, the malware presents a normal PDF document to distract the user while it collects a variety of sensitive information, including system and browser data, messenger information, screen captures, and Steam account details. This collected data is then sent to the threat actor's Telegram chat room.
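A defender-side check for the file-name trick described above, added here as an example (it is not code from the ASEC report or from Microsoft): it flags attachment names whose real extension is executable but is pushed out of view by a run of whitespace, or is preceded by a document-looking extension. The extension lists and the sample names are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed lists for this example: extensions Windows runs on double-click,
# and document/image extensions a lure typically imitates.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk"}
DOCUMENT_EXTS = (".docx", ".xlsx", ".pptx", ".pdf", ".doc", ".xls", ".ppt", ".txt", ".jpg", ".png")

# stem = everything before the (possibly padded) final extension
# pad  = whitespace run between the visible name and the real extension
# ext  = the extension Windows actually uses to pick a handler
_NAME_RE = re.compile(
    r"^(?P<stem>.*?)(?P<pad>[ \t\u00a0\u2000-\u200a\u3000]*)(?P<ext>\.[A-Za-z0-9]{1,5})\s*$"
)


def analyze_filename(name: str) -> Dict[str, object]:
    """Describe how a file name might be masquerading as a document."""
    m = _NAME_RE.match(name)
    if not m:  # no extension at all
        return {"real_ext": "", "executable": False, "padding": 0,
                "fake_ext": "", "suspicious": False}
    real_ext = m.group("ext").lower()
    padding = len(m.group("pad"))
    stem = m.group("stem").lower()
    fake_ext = next((e for e in DOCUMENT_EXTS if stem.endswith(e)), "")
    executable = real_ext in EXECUTABLE_EXTS
    # An executable is only suspicious when the name also works to hide that fact.
    suspicious = executable and (padding > 0 or fake_ext != "")
    return {"real_ext": real_ext, "executable": executable, "padding": padding,
            "fake_ext": fake_ext, "suspicious": suspicious}


def flag_attachments(names: List[str]) -> List[str]:
    """Return the names that should be quarantined or reviewed."""
    return [n for n in names if analyze_filename(n)["suspicious"]]


# Constructed sample attachment names; the first imitates the lure in the report:
# a PDF-looking name, a long run of spaces, then the real .exe extension.
SAMPLE_NAMES = [
    "Image usage notice.pdf" + " " * 60 + ".exe",
    "Image usage notice.pdf",
    "contract.pdf.exe",
    "setup.exe",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(repr(n), analyze_filename(n))
    print("flagged:", flag_attachments(SAMPLE_NAMES))
```

The padding class includes non-breaking and ideographic spaces because those survive in names that a plain `" "` check would miss; a mail gateway or EDR rule would apply `flag_attachments` to the attachment names in a message or to files dropped by a browser.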
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. [Refer to this article](https://learn.microsoft.com/azure/active-directory/authentication/concept-authentication-methods?ocid=magicti_ta_learndoc) for the different authentication methods and features.
- For MFA that uses authenticator apps, ensure that the app requires a code to be typed in where possible, as many intrusions where MFA was enabled still succeeded due to users clicking “Yes” on the prompt on their phones even when they were not at their [devices](https://learn.microsoft.com/azure/active-directory/authentication/how-to-mfa-number-match?ocid=magicti_ta_learndoc). Refer to [this article](https://learn.microsoft.com/azure/acti |
Notes |
★★
|
Sent |
Yes |
Tags |
Ransomware
Spam
Malware
Tool
Threat
|
Article reprints (1):
Source |
RiskIQ |
Identifier |
8598927 |
Publication date |
2024-10-16 20:34:29 (viewed: 2024-10-16 21:12:41) |
Title |
Distribution of Meduza Stealer via Telegram, allegedly on behalf of Reserve+ technical support (Recycling) |
Text |
## Snapshot
The Computer Emergency Response Team of Ukraine (CERT-UA) reported the distribution of malicious messages through the Telegram account @reserveplusbot, which was previously associated with the Reserve+ technical support. These messages urged recipients to install "special software" and included a ZIP file that ultimately delivered the Meduza Stealer malware.
## Description
The ZIP archive contained an executable that downloaded additional malware designed to steal various document types (.txt, .doc, .pdf, etc.) before deleting itself. To evade detection, the malware added its directory to Microsoft Defender's exclusion list using a PowerShell command (example: `Add-MpPreference -ExclusionPath "%USERPROFILE%\yqpedcpefpenrwim"`).
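Detection logic for the exclusion-list tampering described above, added here as an example rather than code from the CERT-UA or Microsoft write-ups: it scans process-creation command lines for `Add-MpPreference` / `Set-MpPreference` calls that add an exclusion and rates a path exclusion under a user-writable directory as high severity, since that is the pattern the report describes (the malware excluding the folder it lives in). The sample command lines are constructed; only the first reuses the path quoted in the report.

```python
import re
from typing import Dict, List

# Cmdlets that change Defender preferences, and the parameters that add exclusions.
_CMDLET_RE = re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b")
_EXCLUSION_RE = re.compile(r"""(?ix)
    -(?P<kind>Exclusion(?:Path|Process|Extension))\s+
    (?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<bare>[^\s"']+))
""")
# Locations an unprivileged user (and therefore user-level malware) can write to.
_USER_WRITABLE_RE = re.compile(
    r"(?i)(%userprofile%|%appdata%|%localappdata%|%temp%|%tmp%"
    r"|\\users\\|\\appdata\\|\\temp\\|\\programdata\\)"
)


def find_defender_exclusion_changes(command_lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per exclusion parameter in an Add-/Set-MpPreference call."""
    findings = []
    for line in command_lines:
        if not _CMDLET_RE.search(line):
            continue
        for m in _EXCLUSION_RE.finditer(line):
            value = m.group("dq") or m.group("sq") or m.group("bare") or ""
            kind = m.group("kind")
            # Excluding a path under the user's own profile is the report's pattern;
            # extension/process exclusions are still worth a look but less specific.
            high = kind.lower() == "exclusionpath" and bool(_USER_WRITABLE_RE.search(value))
            findings.append({"command_line": line, "kind": kind, "value": value,
                             "severity": "high" if high else "medium"})
    return findings


# Constructed command lines shaped like the CommandLine field of a
# process-creation audit event (Sysmon event 1 or Security event 4688).
SAMPLE_COMMAND_LINES = [
    'powershell.exe -w hidden -c Add-MpPreference -ExclusionPath "%USERPROFILE%\\yqpedcpefpenrwim"',
    "powershell.exe Add-MpPreference -ExclusionPath 'C:\\Users\\alice\\AppData\\Local\\Temp\\upd'",
    'powershell.exe -Command "Add-MpPreference -ExclusionExtension .tmp"',
    'powershell.exe Add-MpPreference -ExclusionPath "C:\\Program Files\\VendorBackup"',
    "powershell.exe Get-MpPreference",
]

if __name__ == "__main__":
    for f in find_defender_exclusion_changes(SAMPLE_COMMAND_LINES):
        print(f["severity"].upper(), f["kind"], f["value"])
```

Two caveats for a production rule: PowerShell accepts any unambiguous prefix of a parameter name, so shortened forms such as `-ExclusionPa` also work and should be matched, and arguments passed through `-EncodedCommand` must be base64-decoded before the regex sees them. Independently of command-line logging, Defender itself records every configuration change as event 5007 in the Microsoft-Windows-Windows Defender/Operational log, which gives a second signal that does not depend on how the change was made.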
## Microsoft Analysis and Additional OSINT Context
The [Meduza Stealer](https://www.silentpush.com/blog/meduza-stealer/), first sold on a Russian-speaking dark web forum in June 2023, is a lightweight C++ malware known for its adaptability and competitive pricing. It targets Windows systems, stealing sensitive information like cookies, login credentials, and data from browser extensions, including password managers and cryptocurrency wallets. Meduza terminates itself if it detects the host machine is in specific countries, including Russia and many former Soviet republics, but otherwise connects to a command-and-control server for data exfiltration. Its advanced evasion techniques allow it to bypass most popular antivirus software, making it difficult to detect through both static and dynamic analysis. Meduza's operators use Telegram to communicate malware updates to their user base.
Read more [here](https://sip.security.microsoft.com/intel-explorer/articles/1bdfb795) about CERT-UA warning about recent cybercriminal activity using Meduza Stealer.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of the threat of information stealers.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Mic |
Notes |
★★★
|
Sent |
Yes |
Tags |
Ransomware
Spam
Malware
Tool
Threat
Technical
|
The article does not appear to have been reprinted from a previous one.