The article:
Source |
RiskIQ |
Identifier |
8603464 |
Publication date |
2024-10-29 21:50:28 (viewed: 2024-10-29 22:07:22) |
Title |
CloudScout: Evasive Panda scouting cloud services (Recycled) |
Text |
#### Targeted Geolocations
- Taiwan
#### Targeted Industries
- Government Agencies & Services
- Non-Government Organization
- Religious Organization
## Snapshot
Researchers from ESET detailed CloudScout, a .NET post-compromise toolset used by the China-aligned advanced persistent threat (APT) group Evasive Panda to target a government organization and a religious organization in Taiwan.
## Description
CloudScout, integrated with Evasive Panda's custom MgBot malware framework, uses stolen cookies to access cloud services such as Google Drive, Gmail, and Outlook. Because a session cookie represents an authentication that has already completed, replaying it bypasses the login flow and any MFA prompt attached to it, which makes the technique highly effective for data exfiltration.
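To make the cookie-replay pattern concrete, here is an added detection example (not ESET's or Microsoft's code) that hunts cloud audit logs for a session token used from a source other than the one that signed in. The log schema, the field names `session`, `ip`, `ua` and `event`, and every sample event are constructed assumptions; real sign-in and activity logs (Entra ID, Google Workspace) need their fields mapped onto these names first.

```python
"""Hunt for replayed session cookies ("pass-the-cookie") in cloud audit logs.

Added example, not code from ESET or Microsoft. The log schema, field names
and every event below are constructed for illustration; map them onto your
provider's audit-log fields (Entra ID sign-in logs, Google Workspace login
and Drive audit logs) before running this against real data.
"""
import json
from datetime import datetime

# Constructed audit log. Session S1 is signed in interactively (MFA passed),
# used normally, then the same session token shows up from another IP with a
# scripted user agent: the footprint a stolen browser cookie leaves behind.
# Session S2 has activity but no sign-in in this log at all. S3 is benign.
SAMPLE_LOG = """\
{"ts":"2024-10-28T08:01:10Z","user":"alice@example.test","session":"S1","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/129","event":"login","mfa":true}
{"ts":"2024-10-28T08:05:42Z","user":"alice@example.test","session":"S1","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/129","event":"mail.list"}
{"ts":"2024-10-28T08:06:03Z","user":"alice@example.test","session":"S1","ip":"198.51.100.77","ua":"python-requests/2.31","event":"drive.list"}
{"ts":"2024-10-28T08:06:09Z","user":"alice@example.test","session":"S1","ip":"198.51.100.77","ua":"python-requests/2.31","event":"mail.download"}
{"ts":"2024-10-28T09:15:00Z","user":"bob@example.test","session":"S2","ip":"198.51.100.77","ua":"python-requests/2.31","event":"drive.list"}
{"ts":"2024-10-28T10:00:00Z","user":"carol@example.test","session":"S3","ip":"203.0.113.20","ua":"Mozilla/5.0 (Macintosh) Safari/17","event":"login","mfa":true}
{"ts":"2024-10-28T10:02:00Z","user":"carol@example.test","session":"S3","ip":"203.0.113.20","ua":"Mozilla/5.0 (Macintosh) Safari/17","event":"mail.list"}
"""

# Why each rule fires, and how much weight to give it in triage.
SEVERITY = {
    "orphan_session": "high",       # token used here but never issued here
    "ip_and_ua_mismatch": "high",   # both changed at once: replay, not roaming
    "ip_mismatch": "medium",        # network change alone can be mobile/VPN
    "ua_mismatch": "medium",        # UA change alone can be a browser update
}


def parse_events(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def detect_session_hijack(events):
    """Return {session_id: finding} for sessions whose token is used from a
    source that does not match the sign-in that minted it.

    A cookie-based login bypass never produces a new "login" event: the
    attacker presents a token that already passed authentication. So the
    only place it shows is activity whose (ip, ua) disagrees with the
    session's origin, or activity on a session with no origin at all.
    The finding's reason and severity reflect the first anomalous event.
    """
    origin = {}     # session -> (ip, ua) recorded at interactive sign-in
    findings = {}
    for e in events:
        sid = e["session"]
        if e["event"] == "login":
            origin[sid] = (e["ip"], e["ua"])
            continue
        if sid not in origin:
            reason = "orphan_session"
        else:
            ip_ok = e["ip"] == origin[sid][0]
            ua_ok = e["ua"] == origin[sid][1]
            if ip_ok and ua_ok:
                continue
            reason = ("ip_and_ua_mismatch" if not ip_ok and not ua_ok
                      else "ip_mismatch" if not ip_ok else "ua_mismatch")
        f = findings.setdefault(sid, {
            "user": e["user"],
            "reason": reason,
            "severity": SEVERITY[reason],
            "origin": origin.get(sid),
            "first_anomaly": e["ts"],
            "events": [],
        })
        f["events"].append((e["ts"].isoformat(), e["ip"], e["ua"], e["event"]))
    return findings


def attacker_sources(findings):
    """Collect the IPs seen in flagged activity so one stolen cookie's
    source can be pivoted to every other session it touched."""
    return sorted({ev[1] for f in findings.values() for ev in f["events"]})


if __name__ == "__main__":
    hits = detect_session_hijack(parse_events(SAMPLE_LOG))
    for sid, f in hits.items():
        print(f"[{f['severity']}] {sid} {f['user']}: {f['reason']} "
              f"first at {f['first_anomaly']:%H:%M:%S}, "
              f"{len(f['events'])} suspicious event(s), origin={f['origin']}")
    print("pivot IPs:", attacker_sources(hits))
```

The point of the rules is that a replayed cookie triggers no new sign-in and no MFA prompt, so only the drift between where a token was issued and where it is later used is observable in logs. Detection of this kind is after the fact; token-binding controls that tie a session to the device it was issued on (for example Microsoft Entra Conditional Access token protection, where it applies) address the class of attack rather than just flagging it.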
The toolset comprises modules tailored to each targeted service, enabling specific functions like email retrieval and file access. Built in C#, these modules are deployed through MgBot plugins written in C++. Analysis shows that the framework likely includes additional modules, potentially targeting other cloud platforms, though only three modules (targeting Google Drive, Gmail, and Outlook) have been identified so far.
According to ESET, the group's operations are strategic and aligned with China's political interests, particularly against entities in Taiwan and those opposing Chinese governance. The group has previously used techniques such as supply-chain attacks and DNS hijacking, demonstrating advanced capabilities.
## Microsoft Analysis and Additional OSINT Context
Evasive Panda, also known as Bronze Highland and DaggerFly, has been active since at least 2012. The group is known to conduct cyberespionage against individuals and organizations of interest to China, including government entities. According to [previous ESET reporting](https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/), the group has been observed targeting individuals in mainland China, Hong Kong, Macao, and Nigeria. The group builds custom malware frameworks with modular architecture in order to deploy MgBot.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatan |
Notes |
★★★
|
Sent |
Yes |
Tags |
Ransomware
Malware
Tool
Threat
Cloud
|
Re-publications of the article (1):
Source |
RiskIQ |
Identifier |
8603045 |
Publication date |
2024-10-28 23:31:21 (viewed: 2024-10-29 00:07:22) |
Title |
Hybrid Russian Espionage and Influence Campaign Aims to Compromise Ukrainian Military Recruits and Deliver Anti-Mobilization Narratives (Recycled) |
Text |
#### Targeted Geolocations
- Ukraine
## Snapshot
In September 2024, Google's Threat Intelligence Group identified a Russian operation, UNC5812, using malware to compromise Ukrainian military recruits under the guise of a Telegram persona named "Civil Defense". Through this persona, UNC5812 delivers Android and Windows malware, promotes anti-Ukrainian influence narratives, and encourages recruits to share sensitive information about alleged military recruitment practices.
## Description
UNC5812's malware is delivered through a Telegram channel and a website created by the group, where "Civil Defense" advertises free programs for monitoring Ukrainian military recruiters. To reach a broader audience, UNC5812 reportedly pays for promotion in legitimate Ukrainian-language Telegram channels, driving potential victims to the malware-laden website. The malware payloads, including the Pronsis loader for Windows (which deploys the PureStealer information stealer) and the CraxsRAT Android backdoor, compromise sensitive data by stealing credentials and other information from victims.
The operation combines psychological tactics with technical ones, instructing Android users to disable Google Play Protect so that the malware evades detection. Alongside the malware, UNC5812 engages in influence operations, posting anti-mobilization content to foster distrust in Ukraine's recruitment practices. This hybrid strategy underscores Russia's continued emphasis on cognitive impact in the Ukrainian conflict, with messaging apps such as Telegram serving as critical vectors for both malware delivery and influence campaigns.
## Microsoft Analysis and Additional OSINT Context
Russia has proved adept at leveraging Telegram in malware campaigns and influence operations to accomplish its political goals. For example, in October 2024, the [Computer Emergency Response Team of Ukraine (CERT-UA) reported](https://sip.security.microsoft.com/intel-explorer/articles/ac988484) on the distribution of malicious messages through a Telegram account urging recipients to install "special software" that ultimately delivered the Meduza stealer malware. Also in October, [Check Point Research reported](https://sip.security.microsoft.com/intel-explorer/articles/05cff118) on a Russian influence operation that used attacker-controlled Telegram bots to amplify misleading content around Moldova's presidential elections, likely in order to collect data in a victim environment and conduct targeted malware attacks.
The Microsoft Threat Analysis Center (MTAC) closely tracks Russian influence efforts against the United States and abroad. Read [MTAC's latest election report](https://sip.security.microsoft.com/intel-explorer/articles/0d9fec7e) for insight into how Russian threat actors use Telegram channels and other tactics in influence campaigns targeting the US election.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Machine learning protections |
Notes |
★★★
|
Sent |
Yes |
Tags |
Ransomware
Malware
Tool
Threat
Mobile
Cloud
Technical
|
The article does not appear to have been picked up from a previous one.