Source: RiskIQ
Identifier: 8624759
Publication date: 2024-12-13 20:57:31 (viewed: 2024-12-13 21:08:32)
Title: Bizfum Stealer
Text:
## Snapshot
Researchers at CYFIRMA discovered a new information stealer malware, dubbed "Bizfum Stealer," on GitHub.
## Description
This malware is designed to collect browser credentials, cookies, saved passwords, Discord tokens, clipboard content, and sensitive files from infected systems. It compresses and encrypts the stolen data with RSA before exfiltrating it to the GoFile file-sharing service; the download link for the stolen archive is then sent to an attacker-controlled Telegram bot.
Written primarily in C, the malware interacts directly with Windows system components to perform file manipulation, credential harvesting, and detection evasion. Bizfum targets popular browsers such as Chrome, Edge, Firefox, and Brave to extract sensitive information, and also captures desktop screenshots and clipboard text. It stages collected files in temporary directories before encrypting and transmitting them. Its abuse of an anonymous file-sharing platform (GoFile) for the upload and of a Telegram bot for the notification means the exfiltration looks like ordinary HTTPS traffic to widely used services, which is how it evades detection and conceals its communication with the attackers.
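The exfiltration chain described above (encrypted archive uploaded to GoFile, then the download link posted to a Telegram bot) is a pattern a defender can hunt for without knowing the sample's hashes. The following is an added example, not code from CYFIRMA, Microsoft or the malware: it correlates, per source host, a GoFile upload followed within a short window by a Telegram Bot API call. The proxy log format and the log lines are constructed for the example, the GoFile and Telegram hostnames (`*.gofile.io`, `api.telegram.org`) are assumptions about where such traffic would appear rather than indicators from the report, and the bot tokens in the sample are placeholders.

```python
"""Hunt for a Bizfum-style GoFile-then-Telegram exfiltration chain in proxy logs.

Added example, not code from the report or the malware. Log format, log lines
and the GoFile/Telegram hostnames are assumptions made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines: "<iso-timestamp> <src-host> <method> <url>"
SAMPLE_LOG = """\
2024-12-13T20:10:01 WS-ALICE GET https://www.example.com/index.html
2024-12-13T20:11:30 WS-BOB GET https://api.gofile.io/servers
2024-12-13T20:11:32 WS-BOB POST https://store4.gofile.io/contents/uploadfile
2024-12-13T20:11:40 WS-BOB POST https://api.telegram.org/bot123456:PLACEHOLDER/sendMessage
2024-12-13T20:15:00 WS-CAROL POST https://api.telegram.org/bot987654:PLACEHOLDER/sendMessage
2024-12-13T21:30:00 WS-DAVE POST https://upload.gofile.io/contents/uploadfile
2024-12-13T22:45:00 WS-DAVE POST https://api.telegram.org/bot555:PLACEHOLDER/sendMessage
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# Assumed: an upload to any gofile.io host with "upload" in the path.
GOFILE_UPLOAD_RE = re.compile(r"^https?://[^/]*gofile\.io/.*upload", re.I)
# Telegram Bot API URLs embed the bot token as /bot<id>:<secret>/<method>.
TELEGRAM_BOT_RE = re.compile(r"^https?://api\.telegram\.org/bot\d+:[^/]+/", re.I)


def parse(log_text):
    """Yield (timestamp, host, method, url) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, method, url = m.groups()
        yield datetime.fromisoformat(ts), host, method, url


def find_exfil_chains(log_text, window_seconds=600):
    """Return {host: [(gofile_upload_ts, telegram_call_ts), ...]} for hosts whose
    GoFile upload is followed by a Telegram Bot API call within the window.
    Events are sorted by time first so the log need not be in order."""
    window = timedelta(seconds=window_seconds)
    uploads = defaultdict(list)
    hits = defaultdict(list)
    for ts, host, method, url in sorted(parse(log_text)):
        if method == "POST" and GOFILE_UPLOAD_RE.match(url):
            uploads[host].append(ts)
        elif TELEGRAM_BOT_RE.match(url):
            for up_ts in uploads[host]:
                if timedelta(0) <= ts - up_ts <= window:
                    hits[host].append((up_ts, ts))
    return dict(hits)


def redact_bot_token(url):
    """Mask the bot token before the URL goes into a ticket or SIEM alert: the
    token is a credential for the attacker's bot and should not be copied around."""
    return re.sub(r"/bot\d+:[^/]+/", "/bot<REDACTED>/", url)


if __name__ == "__main__":
    for host, pairs in find_exfil_chains(SAMPLE_LOG).items():
        for up_ts, tg_ts in pairs:
            print(f"{host}: GoFile upload at {up_ts}, Telegram bot call at {tg_ts}")
```

On the constructed log only WS-BOB trips the 10-minute default: WS-CAROL has a Telegram call with no preceding upload, and WS-DAVE's two events are 75 minutes apart. Widening the window (for example to two hours) also surfaces WS-DAVE, so the window is a tuning knob between catching slow exfiltration and drowning in legitimate Telegram users.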
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. [Refer to this article](https://learn.microsoft.com/azure/active-directory/authentication/concept-authentication-methods?ocid=magicti_ta_learndoc) for the different authentication methods and features.
- For MFA that uses authenticator apps, ensure that the app requires a code to be typed in where possible, as many intrusions where MFA was enabled still succeeded due to users clicking “Yes” on the prompt on their phones even when they were not at their [devices](https://learn.microsoft.com/azure/active-directory/authentication
Notes: ★★★
Sent: Yes
Tags: Ransomware, Spam, Malware, Tool, Threat
The article does not appear to have been picked up after its publication.
The article resembles 1 other article(s):

Date (GMT): 2024-12-13 23:31:38
Title: (Déjà vu) “Million OK !!!!” and the Naver Facade: Tracking Recent Suspected Kimsuky Infrastructure (direct link)
Description:
## Snapshot
Researchers observed new infrastructure tied to the North Korean threat group Kimsuky, featuring a distinctive "Million OK !!!!" HTTP response and malicious domains impersonating South Korea's Naver platform.
## Description
A security researcher on Twitter first observed a series of IP addresses returning an unusual "Million OK !!!!" HTTP response in March 2024. Hunt researchers later identified additional infrastructure returning the same response and linked it to the North Korean APT group Kimsuky (tracked by Microsoft as [Emerald Sleet](https://security.microsoft.com/intel-profiles/f1e214422dcaf4fb337dc703ee4ed596d8ae16f942f442b895752ad9f41dd58e)). The threat actors use domains that mimic Naver's login pages, reusing Naver branding, including favicons.
In addition, the newly observed activity involves domains registered under p-e[.]kr, o-r[.]kr, and n-e[.]kr, all previously associated with Kimsuky's malicious operations. Hunt also found a webpage sharing the same ASN, a Sectigo-issued TLS certificate, and a similar Apache server configuration; the server hosting this page responded with a plain 'Hello' message. Further analysis revealed connections to a registrant email tied to domains used by the malware families KLogEXE and FPSpy, previously [reported by Unit42](https://security.microsoft.com/intel-explorer/articles/47182999). Hunt researchers note that Kimsuky has historically targeted South Korean platforms like Naver with phishing campaigns designed to steal user credentials.
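The three fingerprints the write-up gives (the "Million OK !!!!" status line, domains under p-e[.]kr / o-r[.]kr / n-e[.]kr, and Naver-themed hostnames) are easy to turn into a triage pass over scan output. The following is an added example, not Hunt's or Microsoft's code: it scores a list of (hostname, HTTP status line) records against those fingerprints. The scan records are constructed, the status-line format assumes a plain HTTP/1.x response line, and the function names are this example's own. The Naver check is a keyword match and so produces leads to verify, not verdicts.

```python
"""Triage scan results against the Kimsuky infrastructure fingerprints in the
Hunt write-up. Added example; records below are constructed, not real scan data.
"""
import re

# The report names these as domains Kimsuky registered under; written here
# in plain (not defanged) form so the suffix check works.
SUSPECT_SLDS = ("p-e.kr", "o-r.kr", "n-e.kr")

# Assumed format: an HTTP/1.x status line whose reason phrase is the odd banner.
MILLION_OK_RE = re.compile(r"^HTTP/\d\.\d\s+\d{3}\s+Million OK !!!!\s*$")

# Constructed records: (hostname, first line of the HTTP response)
SAMPLE_SCAN = [
    ("login.naver.com", "HTTP/1.1 200 OK"),
    ("nid-naver.p-e.kr", "HTTP/1.1 200 Million OK !!!!"),
    ("mail.o-r.kr", "HTTP/1.0 200 Million OK !!!!"),
    ("naver-security.example.net", "HTTP/1.1 200 OK"),
    ("shop.example.org", "HTTP/1.1 404 Not Found"),
    ("auth.n-e.kr", "HTTP/1.1 200 OK"),
]


def registrable_suffix(host, slds=SUSPECT_SLDS):
    """Return the suspect second-level domain the host sits under, else None."""
    host = host.lower().rstrip(".")
    for sld in slds:
        if host == sld or host.endswith("." + sld):
            return sld
    return None


def naver_lookalike(host):
    """True if 'naver' appears in the name but the host is not under naver.com.
    Keyword-based, so treat a hit as a lead to verify, not a verdict."""
    host = host.lower().rstrip(".")
    return "naver" in host and not (host == "naver.com" or host.endswith(".naver.com"))


def triage(records):
    """Return {host: [reasons]} for every record matching at least one fingerprint.
    Reasons are listed in a fixed order: banner, suspect SLD, Naver lookalike."""
    findings = {}
    for host, status_line in records:
        reasons = []
        if MILLION_OK_RE.match(status_line):
            reasons.append("million-ok-banner")
        sld = registrable_suffix(host)
        if sld:
            reasons.append(f"suspect-sld:{sld}")
        if naver_lookalike(host):
            reasons.append("naver-lookalike")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_SCAN).items():
        print(f"{host}: {', '.join(reasons)}")
```

A host that matches more than one fingerprint (the constructed `nid-naver.p-e.kr` hits all three) is a much stronger candidate than a lone Naver keyword match such as `naver-security.example.net`, which could be a legitimate third party; weighting by the number of reasons is the simplest way to rank the output.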
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times. For MFA that uses authenticator apps, ensure that the app requires a code to be typed in where possible, as many intrusions where MFA was enabled still succeeded due to users clicking “Yes” on the prompt on their phones even when they were not at their [devices](https://learn.microsoft.com/azure/active-directory/authentication/how-to-mfa-number-match?ocid=magicti_ta_learndoc). Refer to [this article](https://learn.microsoft.com/azure/active-directory/authentication/concept-authentication-methods?ocid=magicti_ta_learndoc) for an example.
- Remind employees that enterprise or workplace credentials should not be stored in browsers or password vaults secured with personal credentials. Organizations can turn off password syncing in browser on managed devices using [Group Policy](https://learn.microsoft.com/deployedge/microsoft-edge-enterprise-sync#sync-group-policies?ocid=magicti_ta_learndoc).
- Educate end users about [preventing malware infections](https://learn.microsoft.com/en-us/defender-endpoint/malware/prevent-malware-infection).
- Activate conditional access policies. [Conditional access](https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview?ocid=magicti_ta_learndoc) policies are evaluated and enforced every time an attacker attempts to use a stolen session cookie. Organizations can p
Tags: Ransomware, Malware, Tool, Threat
Notes: ★★