Kaspersky announced that its researchers witnessed Lazarus, a highly prolific advanced threat actor, developing supply chain attack capabilities and using its multi-platform MATA framework for cyber-espionage goals. This and other APT trends from across the world were revealed in Kaspersky's latest quarterly threat intelligence summary.
Lazarus is one of the world's most active threat actors and has been active since at least 2009. This APT group has been behind large-scale cyber-espionage and ransomware campaigns and has been spotted attacking the defense industry and cryptocurrency markets. With a variety of advanced tools at their disposal, they appear to be applying them to new goals.
In June 2021, Kaspersky researchers observed the Lazarus group attacking the defense industry using the MATA malware framework, which can target three operating systems - Windows, Linux and macOS. Historically, Lazarus has used MATA to attack various industries for criminal purposes, such as stealing customer databases and spreading ransomware. However, this time our researchers tracked Lazarus using MATA for cyber-espionage. The actor delivered a Trojanized version of an application known to be used by their victim of choice - a well-known Lazarus characteristic. Notably, this is not the first time the Lazarus group has attacked the defense industry. Their previous ThreatNeedle campaign was carried out in a similar fashion in mid-2020.
Lazarus has also been spotted building supply chain attack capabilities with an updated DeathNote cluster, which consists of a slightly updated variant of BLINDINGCAN, malware previously reported by the US Cybersecurity and Infrastructure Security Agency (CISA). Kaspersky researchers discovered campaigns targeting a South Korean think tank and an IT asset monitoring solution vendor. In the first case discovered by Kaspersky researchers, Lazarus developed an infection chain that stemmed from legitimate South Korean security software deploying a malicious payload. In the second case, the target was a company developing asset monitoring solutions in Latvia, an atypical victim for Lazarus. As part of the infection chain, Lazarus used a downloader named "Racket," which they signed using a stolen certificate. The actor compromised vulnerable web servers and uploaded several scripts to filter and control the malicious implants on successfully breached machines.
"These recent developments highlight two things: Lazarus remains interested in the defense industry and is also looking to expand its capabilities with supply chain attacks," said Ariel Jungheit, senior security researcher, Global Research and Analysis Team, Kaspersky. "This APT group is not the only one seen using supply chain attacks. In the past quarter we have also tracked such attacks carried out by SmudgeX and BountyGlad. When carried out successfully, supply chain attacks can cause devastating results, affecting much more than one organization - something we saw clearly with the SolarWinds attack last year. With threat actors investing in such capabilities, we need to stay vigilant and focus defense efforts on that front."
The Q3 APT trends report summarizes the findings of Kaspersky's subscriber-only threat intelligence reports, which also include Indicators of Compromise (IoC) data and YARA rules to assist in forensics and malware hunting. For more information, please contact: intelreports@kaspersky.com
In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:
- Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company's TI, providing cyberattack data and insights gathered by Kaspersky spanning over 20 years. Free access to its curated features, which allow users to check files, URLs, and IP addresses, is available here.
- Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts.
- For endpoint-level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.
- In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
- As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills to your team - for example, through the Kaspersky Automated Security Awareness Platform.
Read the full Q3 APT trends report on Securelist.com.