One Article Review

Home - The article:
Source RiskIQ
Identifier 8603045
Publication date 2024-10-28 23:31:21 (viewed: 2024-10-29 00:07:22)
Title Hybrid Russian Espionage and Influence Campaign Aims to Compromise Ukrainian Military Recruits and Deliver Anti-Mobilization Narratives (Recycling)
Text
#### Targeted Geolocations
- Ukraine

## Snapshot
In September 2024, Google's Threat Intelligence Group identified a Russian operation, UNC5812, using malware to compromise Ukrainian military recruits under the guise of a Telegram persona named "Civil Defense". Through this persona, UNC5812 delivers Android and Windows malware, promotes anti-Ukrainian influence narratives, and encourages recruits to share sensitive information about alleged military recruitment practices.

## Description
UNC5812's malware is delivered via a Telegram channel and a website created by the group, where "Civil Defense" advertises free programs for monitoring Ukrainian military recruiters. To reach a broader audience, UNC5812 reportedly pays for promotion in legitimate Ukrainian-language Telegram channels, driving potential victims to the malware-laden website. The malware payloads, including the Pronsis Loader for Windows (which deploys the PureStealer information stealer) and the CraxsRAT Android backdoor, compromise sensitive data by stealing credentials and other information from victims.

This operation exploits psychological tactics alongside technical ones, instructing Android users to disable Google Play Protect to avoid detection. In addition to its malware, UNC5812 engages in influence operations, posting anti-mobilization content to foster distrust in Ukraine's recruitment practices. This hybrid strategy underscores Russia's continued emphasis on cognitive impact in the Ukrainian conflict, with messaging apps like Telegram serving as critical vectors for both malware delivery and influence campaigns.

## Microsoft Analysis and Additional OSINT Context
Russia has proved adept at leveraging Telegram in malware campaigns and influence operations to accomplish its political goals. For example, in October 2024, the [Computer Emergency Response Team of Ukraine (CERT-UA) reported](https://sip.security.microsoft.com/intel-explorer/articles/ac988484) on the distribution of malicious messages through a Telegram account urging recipients to install "special software" that ultimately delivered the Meduza stealer malware. Also in October, [Check Point Research reported](https://sip.security.microsoft.com/intel-explorer/articles/05cff118) on a Russian influence operation that used attacker-controlled Telegram bots to amplify misleading content around Moldova's presidential elections, likely in order to collect data in a victim environment and conduct targeted malware attacks.

The Microsoft Threat Analysis Center (MTAC) closely tracks Russian influence efforts against the United States and abroad. Read [MTAC's latest election report](https://sip.security.microsoft.com/intel-explorer/articles/0d9fec7e) for insights into how Russian threat actors use Telegram channels and other tactics in influence campaigns targeting the US election.

## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. The protections of ap
Rating ★★★
Sent Yes
Tags Ransomware Malware Tool Threat Mobile Cloud Technical


Article reprints (1):
Source RiskIQ
Identifier 8603028
Publication date 2024-10-28 22:05:17 (viewed: 2024-10-28 23:07:25)
Title Amazon identified internet domains abused by APT29 (Recycling)
Text
## Snapshot
Amazon, building on reporting by the Computer Emergency Response Team of Ukraine (CERT-UA), identified and disrupted a phishing campaign attributed to [Midnight Blizzard](https://security.microsoft.com/intel-explorer/articles/2c8cb717).

## Description
The campaign, active since at least August 2024, has a broad target set that includes entities related to government, enterprise, and the military in countries of interest to Russia. The group leveraged Ukrainian-language phishing emails to collect its targets' Windows credentials through Microsoft Remote Desktop. Many of the domains used by Midnight Blizzard spoofed Amazon Web Services (AWS), among other organizations. Amazon has seized many of the domains to disrupt the campaign.

## Microsoft Analysis and Additional OSINT Context
Microsoft attributes this malicious activity to [Midnight Blizzard](https://security.microsoft.com/intel-explorer/articles/2c8cb717) based on the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) reported by Amazon and CERT-UA. The actor Microsoft tracks as Midnight Blizzard is known to primarily target governments, diplomatic entities, NGOs, and IT service providers, mainly in the United States and Europe. Its focus is to collect intelligence through longstanding and dedicated espionage of foreign interests, traceable to early 2018, by leveraging the use of identity. Midnight Blizzard is consistent and persistent in its operational targeting, and its objectives rarely change. It uses diverse initial access methods, ranging from stolen credentials to supply chain attacks, exploitation of on-premises environments to move laterally into the cloud, exploitation of service providers' trust chains to gain access to downstream customers, and the Active Directory Federation Services (ADFS) malware known as FOGGYWEB and MAGICWEB. Midnight Blizzard is tracked by partner security companies as APT29, UNC2452, and Cozy Bear.

## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) to defend against common credential theft techniques like LSASS access.
- [Enable](https://learn.microsoft.com/en-u
Rating ★★★
Sent Yes
Tags Ransomware Malware Tool Threat Cloud
Stories APT 29


The article resembles 1 other article(s):
Src | Date (GMT) | Title | Description | Tags | Stories | Rating
RiskIQ 2024-10-29 21:50:28 (Déjà vu) CloudScout: Evasive Panda scouting cloud services (direct link)
#### Targeted Geolocations
- Taiwan

#### Targeted Industries
- Government Agencies & Services
- Non-Government Organization
- Religious Organization

## Snapshot
Researchers from ESET detailed CloudScout, a .NET post-compromise toolset used by the China-aligned advanced persistent threat (APT) group Evasive Panda to target a government organization and a religious organization in Taiwan.

## Description
CloudScout, integrated with Evasive Panda's custom MgBot malware framework, leverages stolen cookies to access cloud services such as Google Drive, Gmail, and Outlook. This approach bypasses traditional login protections by reusing existing authenticated sessions, making it highly effective for data exfiltration. The toolset comprises modules tailored to each targeted service, enabling specific functions like email retrieval and file access. Built in C#, these modules are deployed through MgBot plugins written in C++. Analysis shows that the framework likely includes additional modules, potentially targeting other cloud platforms, though only three modules (targeting Google Drive, Gmail, and Outlook) have been identified so far. According to ESET, the group's operations are strategic, aligning with China's political interests, particularly against entities in Taiwan and those opposing Chinese governance. This group has previously leveraged techniques such as supply-chain attacks and DNS hijacking, demonstrating advanced capabilities.

## Microsoft Analysis and Additional OSINT Context
Evasive Panda, also known as Bronze Highland and DaggerFly, has been active since at least 2012. The group is known to conduct cyberespionage against individuals and organizations of interest to China, including government entities. According to [previous ESET reporting](https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/), the group has been observed targeting individuals in mainland China, Hong Kong, Macao, and Nigeria. The group builds custom malware frameworks with a modular architecture in order to deploy MgBot.

## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatan
Tags Ransomware Malware Tool Threat Cloud
Rating ★★★