One Article Review

Source: RiskIQ
Identifier: 8623712
Publication date: 2024-12-11 22:38:07 (seen: 2024-12-11 23:08:33)
Title: Likely China-based Attackers Target High-profile Organizations in Southeast Asia
Text

#### Targeted Geolocations
- Southeast Asia

#### Targeted Industries
- Government Agencies & Services
- Transportation Systems
- Aviation
- Communications Infrastructure

## Snapshot
Researchers at Symantec detailed an espionage campaign, active since at least October 2023, likely conducted by China-based threat actors. The campaign targeted organizations in a number of industries, including government, telecommunications, and aviation.

## Description
The attackers employed a mix of open-source tools (e.g., Dismap, [Impacket](https://security.microsoft.com/intel-profiles/19a4861eb55c4c074ab0a8c6f58738d8f50dda8badf96695758399e3d826dda6), and FastReverseProxy) and living-off-the-land tools (e.g., PowerShell, Reg.exe, and Windows Management Instrumentation) in their attacks. Many of these tools have previously been observed in attacks attributed to Chinese actors, including Rakshasa, a tool previously used by Earth Baku, and SharpNBTScan, a .NET application previously used by Mustang Panda (tracked by Microsoft as [Twill Typhoon](https://security.microsoft.com/intel-profiles/01aef6bb1a4cd12178aca7fceb848002164b83bf375fa33699ed4c5523b4fd3c)).

The operations focused on exfiltrating data of interest, including credentials, from targeted organizations. The threat actors maintained prolonged access to target environments, allowing them to map the network and identify systems of interest. According to Symantec, data was exfiltrated using WinRAR to gather and compress files of interest into password-protected archives. These archives were then uploaded to cloud storage platforms like File.io, allowing the attackers to transfer the data discreetly.

## Microsoft Analysis and Additional OSINT Context
Most Chinese threat activity is conducted for intelligence collection and, as reflected in Microsoft Threat Intelligence nation-state notification (NSN) data, is especially prevalent in Association of Southeast Asian Nations (ASEAN) countries around the South China Sea.

To learn more about Chinese cyber threat activity in and around the South China Sea, read [Microsoft's most recent Digital Defense Report](https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/Microsoft%20Digital%20Defense%20Report%202024%20%281%29.pdf).

## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.

- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Turn on [tamper protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) features to prevent attackers from stopping security services.
- Run [endpoint detection and response (EDR) in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode) so that Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts detected post-breach.
- Enable [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations) in full automated mode to allow Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.

## Detections/Hunting Queries
### Microsoft Defender Antivirus
Microsoft Defender Antivirus detects threat components as the following malware:
- [Trojan:Win32/LotusBlossom](https://www.microsoft.com/en-us/wdsi/threats/mal
Notes ★★★
Sent: Yes
Tags: Malware, Tool, Threat, Cloud
Stories: APT 41


The article does not appear to have been picked up after its publication.


The article does not appear to be a repeat of an earlier one.