[Security Attack Warning] Social Engineering Attack Notice: Strengthen defenses against social engineering emails that impersonate the Executive Yuan's Legal Affairs Committee and use an amendment to the Regulations Governing the Custody and Use of the Employment Stabilization Fund as a pretext

Issued by: Digital Services Division, Office of Library and Information Services
Date range: 2026/2/3 ~ 2026/8/3
 


Forwarded from the National Cybersecurity Information Sharing and Analysis Center: cybersecurity alert NISAC-400-202601-00000012

[Content Description]
The National Institute of Cyber Security (資安院) recently received external intelligence that attackers are using "amendment to Article 5 of the Regulations Governing the Custody and Use of the Employment Stabilization Fund" as a pretext to send social engineering phishing emails containing a malicious download link, luring recipients into clicking the link and downloading malicious files.

Organizations are advised to strengthen their defenses and notify all units to stay alert: do not open messages sent from these accounts, and do not click the phishing links or open the attachments they contain.

The known characteristics of the attack emails are as follows:
1. Sender accounts used by the attacker: "executive_yuan@boitedebijou.com.tw", "executive-yuan@boitedebijou.com.tw"
2. Subject: "Amendment to Article 5 of the 'Regulations Governing the Custody and Use of the Employment Stabilization Fund'"
3. Related malicious link: hxxps://www[.]boitedebijou[.]com[.]tw/Mns/populace/EYG/e_detail[.]do?metaid=162736&accesskey_c=3447
4. Malicious file names: "1140202422A.rar", "1140202422A.chm"
5. Related malicious relay host: 79[.]108[.]224[.]222
6. Malicious file SHA1 hash values: 73281aa5a69f2d39aa5f6e08868073a24020d677, 599217201b4db537db681a21d6115d33289eb965

Note: The domain names above are written with "[.]" as a separator so that an accidental click does not trigger a connection.

[Affected Platforms]
N/A

[Recommended Measures]
1. Network administrators should consult the indicators of compromise and update firewall rules to block the malicious relay host.
2. Watch for suspicious emails, verify that the sender is genuine, and do not open emails or attachments from unknown sources.
3. Install antivirus software and keep its signatures up to date. Scan email attachments with antivirus software before opening them and confirm the attachment's file type. Be on alert if the file name contains unusual character sequences such as lnk, rcs, exe, or moc, which are executable file extensions written in reverse order.
4. Strengthen internal awareness campaigns and raise staff security awareness to guard against attackers using email for social engineering.
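
One way to apply the indicators and measure 3 to mail-gateway records, as an added example that is not part of the original advisory. The record layout, the function names and the sample records are hypothetical, and treating Unicode bidirectional control characters as the source of the reversed extensions is an assumption.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the advisory above; network values stay defanged in source.
SENDERS = {"executive_yuan@boitedebijou.com.tw", "executive-yuan@boitedebijou.com.tw"}
HOSTS = {"www[.]boitedebijou[.]com[.]tw", "79[.]108[.]224[.]222"}
FILE_NAMES = {"1140202422a.rar", "1140202422a.chm"}
SHA1S = {"73281aa5a69f2d39aa5f6e08868073a24020d677",
         "599217201b4db537db681a21d6115d33289eb965"}
REVERSED_EXT = ("lnk", "rcs", "exe", "moc")  # from recommended measure 3
BIDI = re.compile("[\u202a-\u202e\u2066-\u2069]")  # assumption: bidi controls do the reversing

def refang(value):
    """Undo hxxp / [.] defanging so the value can be parsed and compared."""
    return value.replace("[.]", ".").replace("hxxp", "http", 1)

def odd_name(name):
    """True if the name has a bidi control or its stem ends in a reversed extension."""
    stem = name.lower().rpartition(".")[0]
    return bool(BIDI.search(name)) or stem.endswith(REVERSED_EXT)

def triage(msg):
    """Return the reasons one mail-gateway record matches the advisory."""
    hits = set()
    if msg["sender"].lower() in SENDERS:
        hits.add("sender")
    # Compare exact hostnames: a substring test would also hit look-alike hosts.
    if {urlsplit(refang(u)).hostname for u in msg["urls"]} & {refang(h) for h in HOSTS}:
        hits.add("host")
    for name, sha1 in msg["attachments"]:
        if name.lower() in FILE_NAMES:
            hits.add("filename")
        if sha1.lower() in SHA1S:
            hits.add("sha1")
        if odd_name(name):
            hits.add("odd-name")
    return sorted(hits)

# Constructed gateway records (not real logs); the name/hash pairing is illustrative.
SAMPLES = [
    {"sender": "Executive_Yuan@boitedebijou.com.tw",
     "urls": ["hxxps://www[.]boitedebijou[.]com[.]tw/Mns/populace/EYG/e_detail[.]do"],
     "attachments": [("1140202422A.rar", "73281aa5a69f2d39aa5f6e08868073a24020d677")]},
    {"sender": "hr@example.org", "urls": ["http://79.108.224.222.example.org/a"],
     "attachments": [("minutes\u202efdp.scr", "0" * 40)]},
    {"sender": "hr@example.org", "urls": [], "attachments": [("agenda.pdf", "0" * 40)]},
]

if __name__ == "__main__":
    for record in SAMPLES:
        print(record["sender"], triage(record))
```

The second sample shows why hostnames are compared exactly and why the raw file name is inspected: its URL only embeds the relay address inside another hostname, and its attachment name carries a U+202E control that a mail client would render as a harmless-looking extension.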

[References]
Attachment - social engineering attack IoCs: https://cert.tanet.edu.tw/pdf/social_ioc_0128.csv

