One Article Review

Home - The article:
Source RiskIQ
Identifier 8604347
Publication date 2024-10-31 19:07:37 (viewed: 2024-10-31 20:07:25)
Title Jumpy Pisces Engages in Play Ransomware
Text
## Snapshot
Unit 42 has identified the North Korean state-sponsored threat group Jumpy Pisces, also known as Andariel and Onyx Sleet, engaging in a recent ransomware incident through a potential collaboration with the Play ransomware group.

## Description
Historically known for cyberespionage, financial crime, and ransomware attacks, Jumpy Pisces (which Microsoft tracks as [Onyx Sleet](https://security.microsoft.com/intel-profiles/03ced82eecb35bdb459c47b7821b9b055d1dfa00b56dc1b06f59583bad8833c0)) gained initial access to a victim's network in early September 2024 through a compromised user account. They maintained persistence and moved laterally using the open-source tool Sliver, their custom malware DTrack, and other tools such as a customized version of Mimikatz for credential dumping, a tool for creating privileged user accounts with RDP enabled, and a trojanized binary for stealing browser data. These tools communicated with a command-and-control server until the deployment of [Play Ransomware](https://security.microsoft.com/intel-profiles/5052c3d91b03a0996238bf01061afdd101c04f1afb7aeda1fc385a19b4f1b68e). During the period from May to September 2024, the attackers executed various activities, including credential harvesting and privilege escalation, and notably uninstalled endpoint detection and response (EDR) sensors before deploying the ransomware. The use of additional tools like TokenPlayer for Windows access token abuse and PsExec was also observed. The nature of Jumpy Pisces ([Onyx Sleet](https://security.microsoft.com/intel-profiles/03ced82eecb35bdb459c47b7821b9b055d1dfa00b56dc1b06f59583bad8833c0))'s involvement with [Play Ransomware](https://security.microsoft.com/intel-profiles/5052c3d91b03a0996238bf01061afdd101c04f1afb7aeda1fc385a19b4f1b68e) is not definitively clear, as they could be acting as an affiliate or as an Initial Access Broker (IAB) by selling network access to Play ransomware actors.

This incident marks a significant development in cyber threats, indicating a convergence of state-sponsored and underground ransomware operations and potentially signaling a trend where North Korean threat groups increasingly participate in global ransomware campaigns.

## Microsoft Analysis and Additional OSINT Context
The threat actor that Microsoft tracks as Onyx Sleet is a North Korea-affiliated activity group. First observed by Microsoft in 2014, Onyx Sleet has conducted cyber espionage through numerous campaigns aimed at global targets with the goal of intelligence gathering. More recently, it has expanded its goals to include financial gain. This threat actor operates with an extensive set of custom tools and malware, and regularly evolves its toolset to add new functionality and to evade detection, while keeping a fairly uniform attack pattern. Onyx Sleet's ability to develop a spectrum of tools to launch its tried-and-true attack chain makes it a persistent threat, particularly to targets of interest to North Korean intelligence, like organizations in the defense, engineering, and energy sectors. On July 25, 2024, the United States Department of Justice (DOJ) indicted an individual linked to the North Korean threat actor that Microsoft tracks as Onyx Sleet. Microsoft Threat Intelligence collaborated with the Federal Bureau of Investigation (FBI) in tracking activity associated with Onyx Sleet. Onyx Sleet is tracked by other security companies as SILENT CHOLLIMA, Andariel, DarkSeoul, Stonefly, TDrop2, Jumpy Pisces, and APT45. Microsoft tracks campaigns related to Onyx Sleet and directly notifies customers who have been targeted or compromised, providing them with the necessary information to help secure their environments. Microsoft Defender for Endpoint detects this activity as Onyx Sleet activity group.
Microsoft Defender customers can turn on attack surface reduction rules to prevent common attack techniques such as blocking executable files from running unless they meet a prevalence, age, or trusted list criterion, blocking the launch of potentially obfuscated
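One way to roll out the two attack surface reduction rules named above (audit first, review the hits, then enforce), as an added example that is not part of the original article or of Microsoft's own guidance. It assumes a host running Microsoft Defender Antivirus where `Add-MpPreference`, `Get-MpPreference` and the Defender operational event log are available; the rule GUIDs are Microsoft's published identifiers for these two rules.

```powershell
# Added example, not from the article. Stage the two ASR rules the article names
# through audit mode before switching them to block.
$AsrRules = @{
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files unless they meet a prevalence, age, or trusted list criterion'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
}

# ASR action values: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
function Set-AsrRuleState {
    param(
        [Parameter(Mandatory)][string[]]$Ids,
        [Parameter(Mandatory)][ValidateSet(0, 1, 2, 6)][int]$Action
    )
    # Add-MpPreference merges with rules already configured; Set-MpPreference
    # would replace the whole list, which is easy to get wrong on a managed host.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Ids `
                     -AttackSurfaceReductionRules_Actions (@($Action) * $Ids.Count)
}

# Show the configured action for just the rules this script cares about.
function Get-AsrRuleState {
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        if ($AsrRules.ContainsKey($id)) {
            [pscustomobject]@{ Id = $id; Rule = $AsrRules[$id]; Action = $pref.AttackSurfaceReductionRules_Actions[$i] }
        }
    }
}

# Event 1122 = rule audited (would have blocked), 1121 = rule blocked. The event
# message carries the rule GUID, so match on it rather than on a property index.
function Get-AsrAuditHits {
    param([int]$Days = 7)
    $guidPattern = @($AsrRules.Keys) -join '|'
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $guidPattern } |
        Select-Object TimeCreated, Id, Message
}

# Typical rollout: audit, let real workloads run, review, then block.
Set-AsrRuleState -Ids @($AsrRules.Keys) -Action 2
Get-AsrRuleState | Format-Table -AutoSize
Get-AsrAuditHits -Days 7 | Format-Table -AutoSize
# After review, enforce the same rule set:
# Set-AsrRuleState -Ids @($AsrRules.Keys) -Action 1
```

Run from an elevated PowerShell session; on hosts managed by Intune or Group Policy the policy setting will overwrite a locally applied preference, so apply the same rule state through the management channel instead.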
Notes ★★
Sent Yes
Tags Ransomware Malware Tool Threat Prediction
Stories APT 45

The article does not appear to have been picked up after its publication.

The article does not appear to have been picked up from a previous one.