One Article Review

Home - The article:
Source RiskIQ
Identifier 8601196
Publication date 2024-10-21 20:43:52 (viewed: 2024-10-21 21:12:46)
Title Analysis of the Crypt Ghouls group: continuing the investigation into a series of attacks on Russia
Text
## Snapshot
Kaspersky researchers identified a new threat group known as "Crypt Ghouls," which has been targeting Russian businesses and government agencies across various sectors, including mining, energy, finance, and retail.
## Description
The group has been deploying ransomware such as LockBit 3.0 and Babuk, and their toolkit includes utilities like Mimikatz, XenAllPasswordPro, AnyDesk, and others. Initial access was often achieved using a contractor's login credentials to connect to the victim's internal systems via VPN, with subsequent maintenance of access through utilities like NSSM and Localtonet. The Crypt Ghouls have demonstrated a range of techniques for credential harvesting, domain controller access, network reconnaissance, and lateral movement. They have used tools like the MiniDump Tool to extract credentials from memory, copied browser-stored credentials, and employed PowerShell scripts for reconnaissance. For domain controller access, they connected via WMI, modified scheduler tasks, and dumped NTDS.dit. Network navigation was facilitated by tools such as PingCastle, SoftPerfect Network Scanner, the WmiExec.py Impacket module, and PAExec. They also engaged in DLL sideloading using a legitimate Windows installer management application and a malicious loader. The group's ransomware attacks have been sophisticated, with LockBit 3.0 configured to encrypt specific files and directories, disable Windows Defender, and delete event logs, while Babuk targeted virtual machines on ESXi servers. Crypt Ghouls left ransom notes with contact links via the Session messaging service and used IP addresses from a Surfshark VPN subnet and hosting provider VDSina's network for remote connections. Their activities have shown similarities with other groups such as MorLock, BlackJack, Twelve, and Shedding Zmiy, indicating potential collaboration or resource sharing among these threat actors.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) to defend against common credential theft techniques like LSASS access.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-ref
Notes ★★
Sent Yes
Tags Ransomware Tool Threat


The article does not seem to have been picked up after its publication.


The article resembles 2 other article(s):
Src Date (GMT) Title Description Tags Stories Notes
RiskIQ 2024-10-24 19:44:18 (Déjà vu) Subject of accounts in service UAC-0218: file theft with HOMESTEEL
## Snapshot
CERT-UA, Ukraine's Government Computer Emergency Response Team, recently identified a phishing campaign using e-mails with subjects such as "account" and "details".
## Description
These e-mails contain links posing as Edisk, which lead to RAR archives that include password-protected decoy documents and a malicious VBS script named "Password.vbe". The script searches for various file types (for example .doc, .pdf, .xlsx) in the user's directories and exfiltrates files of up to 10 MB to an attacker's server using HTTP PUT requests. CERT-UA also discovered a PowerShell-based self-extracting archive that performs similar file searches and transfers them via HTTP POST. This campaign, active since at least August 2024, uses infrastructure linked to the domain registrar HostZealot and features Python-based servers. CERT-UA tracks this activity under the identifier UAC-0218.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) to defend against common credential theft techniques like LSASS access.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-credential-stealing-from-the-windows-local-security-authority-subsystem) LSA protection.
- Microsoft Defender XDR customers can enable the [attack surface reduction rule](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction) to prevent common attack techniques used for ransomware.
- [Block](https://learn.microsoft.com/en-us/defender-endpoin
Ransomware Tool Threat ★★★
RiskIQ 2024-10-25 17:22:14 (Déjà vu) Operation Cobalt Whisper: Threat Actor Targets Multiple Industries Across Hong Kong and Pakistan
#### Targeted Geolocations
- Pakistan
- China
#### Targeted Industries
- Defense Industrial Base
- Education
- Higher Education
- Energy
- Information Technology
- Healthcare & Public Health
## Snapshot
SEQRITE Labs' APT team has exposed an advanced cyber-espionage campaign known as Operation Cobalt Whisper, impacting multiple industries in Hong Kong and Pakistan.
## Description
This operation extensively uses the Cobalt Strike post-exploitation tool, delivered via obfuscated VBScript in infected archives. SEQRITE identified over 20 infection chains, primarily affecting organizations in Hong Kong but also Pakistan, with decoy documents in RAR archives containing both PDF and LNK files. Industries impacted by the campaign include defense, education, environmental engineering, energy, cybersecurity, aviation, and healthcare. Technical analysis reveals a two-stage infection process, where an initial LNK executes a VBScript to achieve persistence and hide activity, followed by a Cobalt Strike beacon disguised as a legitimate executable that connects back to the attacker. SEQRITE's investigations found commonalities in naming conventions, particularly using the filename "ImeBroker.exe," to deploy Cobalt Strike implants across multiple activity clusters. Through file path artifacts, machine IDs, and configuration similarities, SEQRITE linked clusters of activity to Operation Cobalt Whisper, including those aimed at the Pakistani defense sector and electrotechnical researchers. These campaigns reveal sophisticated tactics designed to exploit high-value information from specific industry sectors across Asia, with consistent command-and-control patterns registered with Tencent's network infrastructure.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) to defend against common credential theft techniques like LSASS access.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-credential-stealing-from-the-windows-local-security-authority-subsystem) LSA protection.
- Microsoft
Ransomware Malware Tool Threat Industrial Medical ★★