One Article Review

Source RiskIQ
Identifier 8626198
Publication date 2024-12-16 18:46:53 (viewed: 2024-12-16 19:08:40)
Title "Notice of Violation" by UAC-0099
Text

#### Targeted Geolocations
- Ukraine

## Snapshot
The Government Computer Emergency Response Team of Ukraine (CERT-UA) has identified a series of cyberattacks by UAC-0099 against Ukrainian government organizations, including forestry and forensic institutions and factories, during November-December 2024. CERT-UA attributes the attacks to espionage and notes the attackers' evolving tactics and techniques.

## Description
UAC-0099 sends phishing emails carrying double-archived LNK or HTA files to deliver its tools, in some cases exploiting the WinRAR vulnerability [CVE-2023-38831](https://sip.security.microsoft.com/intel-explorer/cves/CVE-2023-38831/). Once a system is compromised, the LONEPAGE program executes commands; recent attacks show a shift from a single VBS file to a two-file method, a 3DES-encrypted file plus a .NET program that decrypts it and executes the resulting PowerShell code in memory. To obscure their infrastructure and keep it fault tolerant, the attackers place it behind Cloudflare. CERT-UA stresses that insufficient organizational and technical cyber defenses in the affected entities facilitated these compromises and jeopardized the confidentiality of state information resources.

## Microsoft Analysis and Additional OSINT Context
The cyber espionage group UAC-0099 has targeted Ukrainian organizations and individuals since at least mid-2022. [CERT-UA has previously observed](https://cert.gov.ua/article/4818341) the group targeting state organizations and media representatives in Ukraine with phishing campaigns that deliver malicious HTA, EXE, RAR and LNK files to deploy malware such as LONEPAGE, THUMBCHOP and CLOGFLAG. These tools enable credential theft, unauthorized remote access and lateral movement within networks.
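The Description above names two archive tricks: LNK or HTA files packed inside a second archive, and the WinRAR bug CVE-2023-38831, whose lures rely on a ZIP containing a decoy file (typically with a trailing space, e.g. `summons.pdf `) next to a folder of exactly the same name that holds a script whose name begins with the decoy's (`summons.pdf .cmd`). A file and a folder cannot share a name on a real filesystem, so the collision itself is the tell. The Python below is an added example, not code from CERT-UA, Microsoft/RiskIQ, Deep Instinct or any UAC-0099 sample; it checks both layouts on a ZIP container. The decoy names, placeholder bytes and the ZIP-only parsing are assumptions made for the example (real lures may be RAR, which the standard library cannot open, so RAR members are only reported).

```python
"""Structural checks for the archive lures described in this report.

Added example; not code from CERT-UA, Microsoft/RiskIQ, Deep Instinct or any
UAC-0099 sample. Two checks on a ZIP container (stdlib only, so RAR members
are reported but not opened):
  1. the CVE-2023-38831 layout: a decoy file name beside a folder of the
     identical name that holds an executable whose name begins with the decoy's;
  2. script/LNK/HTA members, including inside archives nested in archives.
All sample archives below are constructed in memory with placeholder bytes.
"""
import io
import posixpath
import zipfile

EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".scr", ".vbs", ".js", ".wsf", ".hta", ".lnk", ".ps1"}
NESTED_ARCHIVE_EXTS = {".zip", ".rar", ".7z"}
MAX_DEPTH = 3  # stop descending into archives nested deeper than this


def _ext(name: str) -> str:
    """Lower-cased extension of the last path component, ignoring trailing spaces."""
    return posixpath.splitext(posixpath.basename(name).rstrip())[1].lower()


def find_cve_2023_38831_layout(data: bytes) -> list[tuple[str, str]]:
    """Return (decoy, payload) pairs where a file entry and a folder share one name
    and the folder contains an executable whose name starts with the decoy's."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    files = [n for n in names if not n.endswith("/")]
    # Folders are usually implicit in ZIPs: collect every parent prefix.
    folders = set()
    for n in names:
        parts = n.rstrip("/").split("/")
        folders.update("/".join(parts[:i]) for i in range(1, len(parts)))
    hits = []
    for decoy in files:
        if decoy not in folders:
            continue  # no same-named folder: ordinary entry
        base = posixpath.basename(decoy)
        for child in files:
            if (child.startswith(decoy + "/")
                    and posixpath.basename(child).startswith(base)
                    and _ext(child) in EXECUTABLE_EXTS):
                hits.append((decoy, child))
    return sorted(hits)


def list_risky_members(data: bytes, prefix: str = "", depth: int = 0) -> list[str]:
    """Paths of script/LNK/HTA members; nested ZIPs are descended and shown as 'outer.zip!/inner'."""
    out = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path, ext = prefix + info.filename, _ext(info.filename)
            if ext in EXECUTABLE_EXTS:
                out.append(path)
            elif ext == ".zip" and depth < MAX_DEPTH:
                out.extend(list_risky_members(zf.read(info), path + "!/", depth + 1))
            elif ext in NESTED_ARCHIVE_EXTS:
                out.append(path + " (nested archive, not parsed)")
    return out


def build_cve_layout_sample() -> bytes:
    """Constructed archive with the CVE-2023-38831 file/folder collision (placeholder content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("court_summons.pdf ", b"%PDF-1.4 decoy")
        zf.writestr("court_summons.pdf /court_summons.pdf .cmd", b"@echo off\r\nrem placeholder\r\n")
    return buf.getvalue()


def build_double_archive_sample() -> bytes:
    """Constructed 'archive inside an archive' carrying an LNK and an HTA (placeholder content)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("Notice of Violation.lnk", b"placeholder")
        zf.writestr("scan.hta", b"<html></html>")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("documents.zip", inner.getvalue())
        zf.writestr("readme.txt", b"benign text")
    return outer.getvalue()


if __name__ == "__main__":
    for label, sample in (("cve-layout", build_cve_layout_sample()),
                          ("double-archive", build_double_archive_sample())):
        print(label, find_cve_2023_38831_layout(sample), list_risky_members(sample))
```

Both checks are cheap enough to run on every attachment at a mail gateway, and neither depends on signatures: the collision check fires on the layout the vulnerability needs regardless of the payload's content, and the nested-member listing surfaces the LNK/HTA that a single-level attachment filter would miss inside the inner archive.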
[Deep Instinct reports](https://www.deepinstinct.com/blog/threat-actor-uac-0099-continues-to-target-ukraine) that UAC-0099's campaigns often use phishing emails impersonating Ukrainian legal authorities, such as the Lviv city court, and distribute fabricated court summons to trick victims into executing the payload. In recent attacks on Ukrainian employees of companies outside Ukraine, [UAC-0099 exploited CVE-2023-38831](https://therecord.media/ukraine-remote-workers-targeted-espionage-winrar-vulnerability), a critical vulnerability in the WinRAR file archiver for Windows, to deploy malware. The group's tactics are simple but effective because of its social engineering and exploitation methods. CERT-UA and Deep Instinct both stress the need for strict controls on the execution of legitimate tools such as PowerShell, mshta.exe and wscript.exe, which the group routinely abuses.

## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.

- Pilot and deploy [phishing-resistant authentication methods](https://learn.microsoft.com/azure/active-directory/authentication/concept-authentication-methods?ocid=magicti_ta_learndoc) for users.
- Implement [Conditional Access authentication strength](https://learn.microsoft.com/azure/active-directory/authentication/concept-authentication-strengths?ocid=magicti_ta_learndoc) to require phishing-resistant authentication for employees and external users for critical apps.
- [Specify trusted Microsoft 365 organizations](https://learn.microsoft.com/microsoftteams/trusted-organizations-external-meetings-chat?tabs=organization-settings&ocid=magicti_ta_learndoc#specify-trusted-microsoft-365-organizations) to define which external domains are allowed or blocked to chat and meet.
- Keep [Microsoft 365 auditing](https://learn.microsoft.com/purview/audit-solutions-overview?ocid=magicti_ta_learndoc) enabled so that audit records can be investigated if required.
- Understand and select the [best access settings for external collaboration](https://learn.microsoft.com/microsoftteams/communicate-with-user
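CERT-UA and Deep Instinct both call for strict controls on PowerShell, mshta.exe and wscript.exe. The Python below is an added example, not code from CERT-UA, Microsoft, Deep Instinct or the report, showing what such a control looks like on the detection side: three rules run over process-creation records for the lure chain described above (a script host loading its script from a user-writable or archive-extraction path, PowerShell started with window-hiding or encoded-command flags, and a shell or script host spawned directly by Explorer or an archiver). The field names follow Sysmon's ProcessCreate event; the paths, rule IDs and the sample records are constructed for the example and are not real UAC-0099 telemetry.

```python
"""Rules for the living-off-the-land chain described in this report, run over
process-creation telemetry.

Added example; not code from CERT-UA, Microsoft or Deep Instinct and not real
UAC-0099 telemetry. Records are constructed JSON lines using the field names of
Sysmon's ProcessCreate event (Image, ParentImage, CommandLine, ProcessId); any
EDR export carrying the same fields would work the same way.
"""
import json
import re

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Parents that hand a freshly opened attachment or archive member to a script host.
LURE_PARENTS = {"explorer.exe", "winrar.exe", "7zfm.exe", "outlook.exe"}
# User-writable staging paths; "Rar$..." is the temporary folder WinRAR extracts
# into when a member is opened from inside the archive viewer.
USER_WRITABLE = re.compile(r"\\(Downloads|Desktop|AppData\\Local\\Temp|Temp|Rar\$[^\\]*)\\", re.I)
REMOTE_URL = re.compile(r"\b(?:https?|ftp)://", re.I)
# PowerShell flags that hide the window, skip the profile, bypass policy or carry an encoded command.
PS_EVASION = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand|nop|noprofile|w\s+hidden|windowstyle\s+hidden"
    r"|ep\s+bypass|executionpolicy\s+bypass)\b", re.I)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list[str]:
    """Return the IDs of all rules the event matches; an empty list means no alert."""
    image = _base(event["Image"])
    parent = _base(event["ParentImage"])
    cmd = event["CommandLine"]
    rules = []
    # R1: a script host loading its script from a user-writable path or a URL.
    if image in SCRIPT_HOSTS and (USER_WRITABLE.search(cmd) or REMOTE_URL.search(cmd)):
        rules.append("R1-script-host-user-path")
    # R2: PowerShell launched with evasion flags.
    if image in {"powershell.exe", "pwsh.exe"} and PS_EVASION.search(cmd):
        rules.append("R2-powershell-evasion-flags")
    # R3: a shell or script host spawned by Explorer or an archiver on content in a
    #     temp or extraction folder, i.e. the user just opened a lure.
    if image in SCRIPT_HOSTS | SHELLS and parent in LURE_PARENTS and USER_WRITABLE.search(cmd):
        rules.append("R3-lure-opened-from-archive")
    return rules


def scan(lines) -> list[dict]:
    """Evaluate JSON event lines and return one alert per matching event."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        rules = evaluate(ev)
        if rules:
            alerts.append({"pid": ev["ProcessId"], "image": _base(ev["Image"]), "rules": rules})
    return alerts


# Constructed sample telemetry (not real UAC-0099 data): three lure-like launches
# followed by two ordinary launches that must not alert. The -enc argument is a
# placeholder (base64 of UTF-16LE "ABC"), not a real payload.
SAMPLE_EVENTS = r"""
{"ProcessId": 4120, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Windows\\System32\\mshta.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\Rar$DIa9132.41228\\notice.hta\""}
{"ProcessId": 4188, "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Windows\\System32\\wscript.exe\" //B \"C:\\Users\\user\\Downloads\\summons.vbs\""}
{"ProcessId": 4201, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "powershell.exe -nop -w hidden -enc QQBCAEMA"}
{"ProcessId": 4300, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -File C:\\Scripts\\backup.ps1"}
{"ProcessId": 4312, "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "wscript.exe C:\\Windows\\System32\\gatherNetworkInfo.vbs"}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

One caveat matters for this actor: the newer two-file LONEPAGE stage, a .NET program that decrypts a 3DES blob and runs the PowerShell in memory, never spawns powershell.exe, so R2 will not see it. Process-creation rules cover the initial HTA/VBS/LNK launch; the in-memory stage needs PowerShell script block logging or AMSI telemetry, and blocking is more robust than detecting here, which is why the report's advice to restrict mshta.exe and wscript.exe outright (via AppLocker or WDAC) sits above these rules.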
Notes ★★★
Sent Yes
Tags Malware Tool Vulnerability Threat Cloud Technical


The article does not appear to have been picked up after its publication.


The article does not appear to be a repeat of an earlier one.