One Article Review

Home - The article:
Source RiskIQ
Identifier 8627220
Publication date 2024-12-18 19:29:52 (viewed: 2024-12-18 20:08:34)
Title Glutton: A New Zero-Detection PHP Backdoor from Winnti Targets Cybercriminals (Recycled)
Text:

#### Targeted Geolocations
- China
- United States

## Snapshot
According to research from the Chinese cybersecurity company Qianxin, the Winnti hacking group (tracked by Microsoft as Leopard Typhoon) has been utilizing a new PHP backdoor dubbed "Glutton" to infiltrate organizations in China and the United States, as well as to target other cybercriminals.

## Description
Qianxin first discovered Glutton in April 2024, but has observed evidence of its deployment dating back to at least December 2023. Glutton is an ELF-based modular backdoor with components such as 'task_loader', 'init_task', 'client_loader', and 'client_task', which together form a comprehensive attack framework whose modules can be executed individually or sequentially. The backdoor operates by masquerading as a 'php-fpm' process, enabling fileless execution and injecting malicious code into PHP files of various frameworks such as ThinkPHP, Yii, Laravel, and Dedecms. Glutton can modify system files to establish persistence and steal credentials and configurations, particularly targeting the Baota web panel. It supports 22 commands from the C2 server, enabling actions such as file manipulation, shell command execution, PHP code evaluation, and system information retrieval. Winnti has been using Glutton to attack IT services, social security agencies, and web app developers, as well as to embed the backdoor in software packages sold on cybercrime forums, which are then used to extract sensitive information from the browsers of other cybercriminals.

## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.

- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) to defend against common credential theft techniques like LSASS access.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-credential-stealing-from-the-windows-local-security-authority-subsystem) LSA protection.
- Microsoft Defender XDR customers can turn on the following [attack surface reduction rule](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction) to prevent common attack techniques used for ransomware.
- [
Rating ★★★
Sent Yes
Tags Ransomware Malware Tool Threat


Reposts of the article (1):
Source RiskIQ
Identifier 8626791
Publication date 2024-12-17 22:39:16 (viewed: 2024-12-17 23:08:46)
Title Analysis on the Case of TIDRONE Threat Actor's Attacks on Korean Companies
Text:

#### Targeted Geolocations
- Korea

## Snapshot
The AhnLab Security Intelligence Center (ASEC) has identified recent attacks by TIDRONE, a Chinese-speaking threat group that has been [previously observed attacking Taiwanese defense and drone manufacturing companies](https://security.microsoft.com/intel-explorer/articles/14a1a551).

## Description
In these attacks, ASEC has observed TIDRONE targeting organizations through the exploitation of Enterprise Resource Planning (ERP) software to distribute a backdoor called CLNTEND. The group uses DLL side-loading techniques to install backdoor malware, including CXCLNT and CLNTEND, by exploiting ERP software and remote monitoring and management (RMM) tools like UltraVNC. ASEC discovered that since the first half of 2024, Korean companies have been targeted with CLNTEND. The attacks often leverage small-scale, customized ERP solutions that lack official websites and have limited user bases. TIDRONE either replaces legitimate ERP versions with malware or combines ERP software with malicious droppers. Key executable files exploited include winword.exe, VsGraphicsDesktopEngine.exe, and rc.exe, which load the malicious DLL and execute the encrypted backdoor malware. CLNTEND is a Remote Access Trojan (RAT) that supports multiple communication protocols, including TCP, TLS, HTTP, HTTPS, and SMB, making it versatile for covert operations. TIDRONE's loaders are highly obfuscated and use techniques like FlsCallback and Fiber structure overwriting to evade analysis. According to ASEC, the continued targeting of Korean companies underscores TIDRONE's expanded focus beyond Taiwan. By exploiting ERP vulnerabilities, particularly in software developed by small firms, the group maintains a foothold for delivering its malware.

## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.

- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) to defend against common credential theft techniques like LSASS access.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-credential-stealing-from-the-windows-local-security-authority-subsystem) LSA protection.

## Detections/Hu
Rating ★★★
Sent Yes
Tags Malware Tool Vulnerability Threat


The article does not appear to have been reposted from an earlier one.