One Article Review

Home - The article:
Source RiskIQ
Identifier 8603864
Publication date 2024-10-30 18:25:16 (viewed: 2024-10-30 19:07:14)
Title Rekoobe Backdoor Discovered in Open Directory, Possibly Targeting TradingView Users
(Recycling)
Text
## Snapshot
A recent investigation uncovered the presence of Rekoobe, a backdoor initially used by APT31, tracked by Microsoft as [Violet Typhoon](https://security.microsoft.com/intel-profiles/978d728039ed98462546859f2ac987e7ec77a6c7da15d760e7ac0aaf173ac486), in open directories.
## Description
Rekoobe, partially based on Tiny Shell, has evolved with advanced encryption and unique command-and-control settings, making detection challenging. Researchers found two Rekoobe samples in an open directory linked to the IP address 27.124.45[.]146, revealing malware binaries labeled by architecture and date. These binaries attempted to connect to the hosting server through a specific port, following patterns observed in other Rekoobe malware. Further analysis identified several lookalike domains mimicking the popular TradingView website, suggesting potential phishing efforts targeting the financial community. These domains show slight typographical variations, possibly intended for social engineering or phishing attacks. Although no active content was observed, the overlap of these domains with Rekoobe activity suggests a coordinated campaign. The investigation also linked other servers in the same Hong Kong-based infrastructure through shared SSH keys, reinforcing the notion of a broader malicious setup. Additionally, a security tool, Yakit, known for legitimate red teaming, was found on one server, raising questions about its use in this context. Collectively, these findings reveal a potentially extensive malicious operation aimed at financial platforms, demanding close scrutiny.
## Microsoft Analysis and Additional OSINT Context
The actor Microsoft tracks as [Violet Typhoon](https://security.microsoft.com/intel-profiles/978d728039ed98462546859f2ac987e7ec77a6c7da15d760e7ac0aaf173ac486) is known to primarily target former government and military personnel, NGOs, and think tanks in the United States. Violet Typhoon focuses on espionage. The actor is known to conduct vulnerability scanning to identify internet-exposed web infrastructure, such as web servers, content management systems, or management portals, and then exploit those vulnerabilities to install web shells. Additionally, Violet Typhoon uses the web bug reconnaissance technique. Violet Typhoon has also been observed using spear-phishing emails containing a link that redirects to credential-harvesting sign-in pages. After obtaining initial access, Violet Typhoon uses adversary-in-the-middle techniques and built-in Windows capabilities for lateral movement and privilege escalation. Microsoft has also observed the group using zero-day exploits for privilege escalation. Violet Typhoon is tracked by other security companies as APT31.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=Magicti_TA_LearnDoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode.
Rating ★★
Sent Yes
Tags Ransomware Malware Tool Vulnerability Threat
Stories APT 31


Reposts of the article (1):
Source RiskIQ
Identifier 8603028
Publication date 2024-10-28 22:05:17 (viewed: 2024-10-28 23:07:25)
Title Amazon identified internet domains abused by APT29
(Recycling)
Text
## Snapshot
Amazon, building on reporting by the Computer Emergency Response Team of Ukraine (CERT-UA), identified and disrupted a phishing campaign attributed to [Midnight Blizzard](https://security.microsoft.com/intel-explorer/articles/2c8cb717).
## Description
The campaign, active since at least August 2024, has a broad target set and includes entities related to government, enterprise, and military in countries of interest to Russia. The group leveraged Ukrainian-language phishing emails to collect its targets' Windows credentials through Microsoft Remote Desktop. Many of the domains used by Midnight Blizzard spoofed Amazon Web Services (AWS), among other organizations. Amazon has seized many of the domains to disrupt the campaign.
## Microsoft Analysis and Additional OSINT Context
Microsoft attributes this malicious activity to [Midnight Blizzard](https://security.microsoft.com/intel-explorer/articles/2c8cb717) based on the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) reported by Amazon and CERT-UA. The actor Microsoft tracks as Midnight Blizzard is known to primarily target governments, diplomatic entities, NGOs, and IT service providers, mainly in the United States and Europe. Their focus is to collect intelligence through longstanding and dedicated espionage of foreign interests that can be traced to early 2018, by leveraging the use of identity. Midnight Blizzard is consistent and persistent in its operational targeting, and its objectives rarely change. The group uses diverse initial access methods, ranging from stolen credentials to supply chain attacks, exploitation of on-premises environments to move laterally to the cloud, exploitation of service providers' trust chains to gain access to downstream customers, and the Active Directory Federation Services (ADFS) malware known as FOGGYWEB and MAGICWEB. Midnight Blizzard is tracked by partner security companies as APT29, UNC2452, and Cozy Bear.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) to defend against common credential theft techniques like LSASS access.
- [Enable](https://learn.microsoft.com/en-u
Rating ★★★
Sent Yes
Tags Ransomware Malware Tool Threat Cloud
Stories APT 29


The article does not appear to be a repeat of an earlier one.