One Article Review

The article:
Source RiskIQ
Identifier 8608254
Publication date 2024-11-08 18:01:58 (viewed: 2024-11-08 19:07:24)
Title RunningRAT's Next Move: From Remote Access to Crypto Mining for Profit (Recycled)
Text
## Snapshot
Hunt[.]io published a report detailing how RunningRAT, a remote access trojan (RAT) traditionally used for information theft and for gaining remote access, has been observed deploying crypto-mining payloads.

## Description
Initially observed in attacks targeting the PyeongChang Winter Olympics, RunningRAT has traditionally allowed attackers to monitor systems, disable antimalware software, and exfiltrate data to command-and-control (C2) servers. However, recent analysis reveals that RunningRAT is now also being used for financial gain through cryptocurrency mining, as evidenced by the discovery of crypto-mining scripts on its servers. This new RunningRAT variant downloads and installs Monero mining software (XMRig), using open directories and scripts to hijack system resources such as CPU power for mining operations. It also checks the hardware capabilities of compromised systems to determine their suitability for mining. The malware achieves persistence by installing itself as a legitimate Windows service, which makes it more challenging for users to detect. According to Hunt[.]io, the presence of RunningRAT samples in accessible online repositories, coupled with its evolving tactics, indicates that the malware is being actively adapted and redeployed for varied purposes. This shift exemplifies how established malware can continuously evolve, posing ongoing risks to users and emphasizing the importance of staying vigilant against new capabilities in familiar threats.

## Recommendations
Although every situation is unique to the customer and their environment, the following recommendations are broadly applicable to help identify and mitigate cryptojacking attacks:
- Separate privileged roles: admin and user accounts should be distinct. Use [Privileged Identity Management](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure) or separate accounts for privileged tasks, limiting accounts with excessive permissions. Enforce multi-factor authentication (MFA) and [Conditional Access](https://learn.microsoft.com/azure/active-directory/conditional-access/overview), especially for accounts with elevated roles.
- Implement MFA: ensure full use of [MFA](https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-azure-mfa), especially for accounts with Virtual Machine Contributor privileges. Discourage password reuse. A comprehensive list of cloud security recommendations can be found in [Security recommendations - a reference guide](https://learn.microsoft.com/azure/defender-for-cloud/recommendations-reference?ocid=Magicti_TA_LearnDoc).
- Use risk-based sign-in behaviors and Conditional Access policies: monitor high Azure Active Directory risk scores and correlate risk behavior with subsequent activity. Implement Conditional Access policies for multifactor reauthentication, device compliance, password updates, or blocking authentication.
- Detect sign-in anomalies: use standard anomaly detection methods to identify unusual sign-in patterns, such as proxy usage, anomalous locations, and user agents. Use Microsoft 365 Defender to detect suspicious activities performed by risky users.
- Monitor the
Rating ★★★
Sent Yes
Tags Malware Threat Cloud


Reposts of the article (1):
Source RiskIQ
Identifier 8607769
Publication date 2024-11-07 21:28:49 (viewed: 2024-11-07 22:07:22)
Title New SteelFox Trojan mimics software activators, stealing sensitive data and mining cryptocurrency (Recycled)
Text
## Snapshot
A new crimeware bundle named "SteelFox" was identified in August 2024, which is distributed through forum posts and malicious torrents disguised as popular software activators for programs like Foxit PDF Editor and AutoCAD. The malware tricks users into downloading what they believe to be legitimate software, which then deploys a multi-stage attack.

## Description
The initial dropper requests administrator access and uses AES-128 encryption to drop and decrypt a second-stage payload. This loader, disguised as a Windows service, checks against running services to avoid detection, creates a service for persistence, and loads the final stage. The final payload involves a DLL that exploits vulnerable WinRing0.sys drivers, enabling privilege escalation, and launches a modified XMRig miner and a stealer component that collects a wide range of user data, including browser cookies and credit card information. The SteelFox campaign operates on a mass scale with over 11,000 detections worldwide, particularly in Brazil, China, Russia, Mexico, UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka. The malware uses the StartServiceCtrlDispatcherW function for decryption and injection, and it employs an unusual persistence mechanism by interacting with the AppInfo service. It resolves the IP address of its C2 server using Google Public DNS and DNS over HTTPS to remain undetected and sends collected data to the C2 server in a large JSON file via TLSv1.3 with SSL pinning. The campaign is not targeted at specific individuals or organizations, and attribution remains uncertain, with posts linking to the malware often made by compromised accounts or unaware users.

## Recommendations
Microsoft recommends the following mitigations to reduce the impact of Information Stealer threats.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. [Refe
Rating ★★
Sent Yes
Tags Ransomware Spam Malware Tool Threat Cloud


The article does not appear to be a repost of an earlier one.