One Article Review

Source RiskIQ
Identifier 8601602
Publication date 2024-10-24 19:44:18 (seen: 2024-10-24 20:07:47)
Title Subject of accounts in service UAC-0218: file theft with HOMESTEEL
(Recycled)
Text ## Snapshot CERT-UA, the Government Computer Emergency Response Team of Ukraine, recently identified a phishing campaign using emails with subjects such as "account" and "details".
## Description These emails contain links masquerading as Edisk that lead to RAR archives containing password-protected decoy documents and a malicious VBScript named "Password.vbe" (a .vbe file is encoded VBScript, which the Windows Script Host runs directly, so the encoding hides the source but not the behaviour). The script searches the user's directories for various file types (for example .doc, .pdf, .xlsx) and exfiltrates files of up to 10 MB to an attacker-controlled server using HTTP PUT requests. CERT-UA also discovered a PowerShell-based self-extracting archive that performs similar file searches and transfers the files via HTTP POST. The campaign, active since at least August 2024, uses infrastructure linked to the domain registrar HostZealot and features Python-based servers. CERT-UA tracks this activity under the identifier UAC-0218.
## Recommendations Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) to defend against common credential theft techniques like LSASS access.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-credential-stealing-from-the-windows-local-security-authority-subsystem) LSA protection.
- Microsoft Defender XDR customers can enable the [attack surface reduction rule](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction) to prevent common attack techniques used for ransomware.
- [Block](https://learn.microsoft.com/en-us/defender-endpoin
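The recommendation list above (repeated verbatim under the Crypt Ghouls entry below) names the Defender settings but not how to read or set them on a host. The script that follows is an added example, not Microsoft's code: it reports the local state of each setting and, with `-Apply`, turns on the ones that `Set-MpPreference` / `Add-MpPreference` and the `RunAsPPL` registry value can change locally. Tamper protection and EDR in block mode are configured from the Defender portal or Intune, so they are only read back. The ASR rule GUID is Microsoft's published identifier for "Block credential stealing from the Windows local security authority subsystem"; everything else is standard Defender cmdlet usage.

```powershell
# Added example (not Microsoft's script): read back the Defender settings behind the
# recommendations on this page and, with -Apply, enable the locally settable ones.
# Run from an elevated PowerShell on a Windows host that has Microsoft Defender.
param([switch]$Apply)

# Microsoft's published ID for the ASR rule "Block credential stealing from the
# Windows local security authority subsystem (lsass.exe)"
$LsassAsrRule = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
$LsaKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-DefenderHardeningState {
    $p = Get-MpPreference
    $s = Get-MpComputerStatus

    # ASR rules are two parallel arrays: Ids and Actions (0 Disabled, 1 Block, 2 Audit, 6 Warn)
    $ids = @($p.AttackSurfaceReductionRules_Ids)
    $asr = 'NotConfigured'
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $LsassAsrRule) { $asr = $p.AttackSurfaceReductionRules_Actions[$i]; break }
    }

    # LSA protection: RunAsPPL of 1 or 2 means lsass.exe runs as a protected process
    $ppl = (Get-ItemProperty -Path $LsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    $lsa = if ($ppl -ge 1) { "Enabled (RunAsPPL=$ppl)" } else { 'Disabled' }

    [pscustomobject]@{
        CloudDeliveredProtection = $p.MAPSReporting                # 0 Disabled, 1 Basic, 2 Advanced
        ControlledFolderAccess   = $p.EnableControlledFolderAccess # 0 Disabled, 1 Enabled, 2 Audit
        NetworkProtection        = $p.EnableNetworkProtection      # 0 Disabled, 1 Enabled, 2 Audit
        AsrBlockLsassStealing    = $asr
        LsaProtection            = $lsa
        TamperProtection         = $s.IsTamperProtected            # portal/Intune managed, read-only here
        AntivirusRunningMode     = $s.AMRunningMode                # e.g. Normal, Passive Mode, EDR Block Mode
    }
}

function Enable-DefenderHardening {
    Set-MpPreference -MAPSReporting Advanced                   # cloud-delivered protection
    Set-MpPreference -EnableControlledFolderAccess Enabled     # use AuditMode first if LOB apps write to protected folders
    Set-MpPreference -EnableNetworkProtection Enabled          # AuditMode is also available
    Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassAsrRule `
                     -AttackSurfaceReductionRules_Actions Enabled
    # LSA protection (RunAsPPL); takes effect after a reboot
    Set-ItemProperty -Path $LsaKey -Name RunAsPPL -Value 1 -Type DWord
}

if ($Apply) { Enable-DefenderHardening }
Get-DefenderHardeningState | Format-List
```

Run it once without `-Apply` to get a baseline, then with `-Apply`. Controlled folder access and network protection both accept `AuditMode`, which is the safer first step on hosts with line-of-business software that writes into Documents or talks to unusual hosts; switch to `Enabled` once the audit events look clean. `AntivirusRunningMode` is the quick check for the passive-mode case the EDR-in-block-mode recommendation is about.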
Rating ★★★
Tags Ransomware Tool Threat


Repeats of the article (1):
Source RiskIQ
Identifier 8601196
Publication date 2024-10-21 20:43:52 (seen: 2024-10-21 21:12:46)
Title Analysis of the Crypt Ghouls group: continuing the investigation into a series of attacks on Russia
Text ## Snapshot Kaspersky researchers identified a new threat group known as "Crypt Ghouls," which has been targeting Russian businesses and government agencies across various sectors, including mining, energy, finance, and retail.
## Description The group has been deploying ransomware such as LockBit 3.0 and Babuk, and its toolkit includes utilities like Mimikatz, XenAllPasswordPro, AnyDesk, and others. Initial access was often achieved using a contractor's login credentials to connect to the victim's internal systems via VPN, and access was then maintained with utilities like NSSM and Localtonet. Crypt Ghouls has demonstrated a range of techniques for credential harvesting, domain controller access, network reconnaissance, and lateral movement. They have used tools like the MiniDump Tool to extract credentials from memory, copied browser-stored credentials, and employed PowerShell scripts for reconnaissance. For domain controller access, they connected via WMI, modified scheduled tasks, and dumped NTDS.dit. Network navigation was facilitated by tools such as PingCastle, SoftPerfect Network Scanner, the WmiExec.py Impacket module, and PAExec. They also engaged in DLL sideloading using a legitimate Windows installer management application and a malicious loader. The group's ransomware attacks have been sophisticated, with LockBit 3.0 configured to encrypt specific files and directories, disable Windows Defender, and delete event logs, while Babuk targeted virtual machines on ESXi servers. Crypt Ghouls left ransom notes with contact links via the Session messaging service and used IP addresses from a Surfshark VPN subnet and hosting provider VDSina's network for remote connections. Their activities have shown similarities with other groups such as MorLock, BlackJack, Twelve, and Shedding Zmiy, indicating potential collaboration or resource sharing among these threat actors.
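Both entries on this page describe host behaviour that endpoint telemetry captures well: for UAC-0218, a script host running Password.vbe out of an extracted archive and then making the HTTP PUT/POST requests itself; for Crypt Ghouls, a shell spawned through WMI on a domain controller, scheduled-task changes and a command line touching NTDS.dit. The script below is an added hunting example, not CERT-UA's, Kaspersky's or Microsoft's code. It replays a handful of constructed records (field names follow Sysmon Event ID 1, process creation, and Event ID 3, network connection) through rules derived from the two write-ups. The user-profile path, the ports, and the assumption that the VBScript's HTTP requests are made in-process by wscript.exe (as an XMLHTTP object would) are mine, not statements from either report.

```powershell
# Added hunting example (not CERT-UA's, Kaspersky's or Microsoft's code): rules derived
# from the UAC-0218 and Crypt Ghouls write-ups, run over CONSTRUCTED Sysmon-style records.

function Test-ScriptHost {
    # Windows Script Host binaries that execute .vbs/.vbe files
    param([string]$Image)
    return $Image -match '\\(wscript|cscript)\.exe$'
}

$rules = @(
    @{
        Name  = 'UAC-0218: script host launching a .vbe from a user profile'
        Type  = 'ProcessCreate'
        # HOMESTEEL ships as Password.vbe inside a RAR; the C:\Users path is an assumption
        Match = { param($e); (Test-ScriptHost $e.Image) -and $e.CommandLine -match '\.vbe\b' -and $e.CommandLine -match '\\Users\\' }
    }
    @{
        Name  = 'UAC-0218: script host opening an outbound HTTP(S) connection'
        Type  = 'NetworkConnect'
        # Assumes the HTTP PUT/POST exfiltration is made in-process by wscript.exe (e.g. via XMLHTTP)
        Match = { param($e); (Test-ScriptHost $e.Image) -and $e.DestinationPort -in @(80, 443, 8080) }
    }
    @{
        Name  = 'Crypt Ghouls: command line referencing NTDS.dit'
        Type  = 'ProcessCreate'
        # The write-up says NTDS.dit was dumped but not how; any reference on a DC is worth a look
        Match = { param($e); $e.CommandLine -match 'ntds\.dit' }
    }
    @{
        Name  = 'Crypt Ghouls: shell spawned by the WMI provider host (wmiexec-style)'
        Type  = 'ProcessCreate'
        Match = { param($e); $e.ParentImage -match '\\WmiPrvSE\.exe$' -and $e.Image -match '\\(cmd|powershell)\.exe$' }
    }
    @{
        Name  = 'Crypt Ghouls: scheduled task created or changed'
        Type  = 'ProcessCreate'
        Match = { param($e); $e.Image -match '\\schtasks\.exe$' -and $e.CommandLine -match '/(create|change)\b' }
    }
)

function Invoke-Hunt {
    # Emit one row per (event, rule) hit; an event can match several rules
    param([object[]]$Events, [object[]]$Rules)
    foreach ($e in $Events) {
        foreach ($r in $Rules) {
            if ($e.Type -ne $r.Type) { continue }
            if (& $r.Match $e) {
                $detail = if ($e.Type -eq 'NetworkConnect') { "dst port $($e.DestinationPort)" } else { $e.CommandLine }
                [pscustomobject]@{ Host = $e.Host; Rule = $r.Name; Image = $e.Image; Detail = $detail }
            }
        }
    }
}

# Constructed sample telemetry: two workstations and one domain controller
$events = @(
    @{ Host = 'WS01'; Type = 'ProcessCreate'; Image = 'C:\Windows\System32\wscript.exe'
       ParentImage = 'C:\Program Files\WinRAR\WinRAR.exe'
       CommandLine = '"C:\Windows\System32\wscript.exe" "C:\Users\olena\AppData\Local\Temp\Rar$DIa0.123\Password.vbe"' }
    @{ Host = 'WS01'; Type = 'NetworkConnect'; Image = 'C:\Windows\System32\wscript.exe'; DestinationPort = 80 }
    @{ Host = 'WS02'; Type = 'ProcessCreate'; Image = 'C:\Windows\System32\wscript.exe'   # benign logon script
       ParentImage = 'C:\Windows\explorer.exe'; CommandLine = 'wscript.exe \\corp\netlogon\map-drives.vbs' }
    @{ Host = 'WS02'; Type = 'NetworkConnect'; Image = 'C:\Program Files\Mozilla Firefox\firefox.exe'; DestinationPort = 443 }
    @{ Host = 'DC01'; Type = 'ProcessCreate'; Image = 'C:\Windows\System32\cmd.exe'
       ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe'
       CommandLine = 'cmd.exe /Q /c copy C:\Windows\NTDS\ntds.dit C:\Windows\Temp\n.dat' }
    @{ Host = 'DC01'; Type = 'ProcessCreate'; Image = 'C:\Windows\System32\schtasks.exe'
       ParentImage = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'schtasks /create /tn Updater /tr C:\Windows\Temp\u.exe /sc onlogon /ru SYSTEM' }
)

Invoke-Hunt -Events $events -Rules $rules | Format-Table -AutoSize -Wrap
```

On the sample set this prints five rows: the two WS01 records, the DC01 cmd.exe record twice (it matches both the WMI-parent and the NTDS.dit rules) and the schtasks record; the WS02 logon script and browser traffic are not flagged. The rules are deliberately narrow: a script host making any outbound HTTP connection is noisy in environments that run web-aware VBScript, so in practice that rule is a filter to stack with the .vbe launch on the same host rather than an alert on its own.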
## Recommendations Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) to defend against common credential theft techniques like LSASS access.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-ref
Rating ★★
Tags Ransomware Tool Threat


The article does not appear to repeat an earlier one.