Tag Archive for: contractors’

ESET Research: Lazarus attacks aerospace and defense contractors worldwide while misusing LinkedIn and WhatsApp


DUBAI, UNITED ARAB EMIRATES, June 1, 2022 /EINPresswire.com/ — During the annual ESET World conference, ESET researchers presented a new investigation into the infamous Lazarus APT group. Director of ESET Threat Research Jean-Ian Boutin went over various new campaigns perpetrated by the Lazarus group against defense contractors around the world between late 2021 and March 2022.

In the 2021-2022 attacks, according to ESET telemetry, Lazarus targeted companies in Europe (France, Italy, Germany, the Netherlands, Poland, and Ukraine) and Latin America (Brazil).

Despite the primary aim of this Lazarus operation being cyber-espionage, the group has also worked to exfiltrate money (unsuccessfully). “The Lazarus threat group showed ingenuity by deploying an interesting toolset, including for example a user mode component able to exploit a vulnerable Dell driver in order to write to kernel memory. This advanced trick was used in an attempt to bypass security solutions monitoring,” says Jean-Ian Boutin.

As early as 2020, ESET researchers had already documented a campaign pursued by a sub-group of Lazarus against European aerospace and defense contractors, which ESET called Operation In(ter)ception. This campaign was noteworthy because it used social media, especially LinkedIn, to build trust between the attacker and an unsuspecting employee before sending them malicious components masquerading as job descriptions or applications. At that time, companies in Brazil, the Czech Republic, Qatar, Turkey and Ukraine had already been targeted.

ESET researchers believed that the action was mostly geared towards attacking European companies, but through tracking a number of Lazarus sub-groups performing similar campaigns against defense contractors, they soon realized that the campaign extended much wider. While the malware used in the various campaigns was different, the initial modus operandi (M.O.) always remained the same: a fake recruiter contacted an employee through LinkedIn and eventually sent malicious components.

In this regard, they’ve continued with the same M.O. as in the past. However, ESET researchers have also…

Source…

North Korean hacking group targets defense contractors


A North Korean hacking group appears to be targeting U.S. defense contractors in a new malware campaign using infected documents containing fake job listings.

The Lazarus Group, a sophisticated hacking group tied to North Korea’s principal intelligence agency, has been sending malicious documents with fake job opportunities to aerospace and defense contractor Lockheed Martin, according to Malwarebytes Labs, a cybersecurity research firm.

The Lazarus Group, active since 2009, is blamed for the 2014 attack on Sony Pictures, the 2017 WannaCry ransomware campaign, and a handful of other high-profile cyberattacks.

Lazarus is an advanced and sophisticated hacking team “known to target the defense industry,” Malwarebytes researchers wrote. “The group keeps updating its toolset to evade security mechanisms.”

The Lazarus campaign, identified by Malwarebytes in mid-January, appears to target specific companies using an attack method called spear-phishing, the cybersecurity firm said. The attack abuses the Windows Update process to evade antivirus protection and uses an account on the GitHub software development platform to control the malware, the firm said.

It’s unclear what the hackers were looking for in the targeted systems. Some cybersecurity experts suggest the motive could be espionage, while others believe the goal could be to steal credit card numbers and other personal information.

The group may be gathering information about people working at defense contractors, said Allan Buxton, director of forensics at Secure Data Recovery Services.

“Lazarus has its hands in a lot of different attacks, either attempting to profit from information gained or stealing funds directly,” he told the Washington Examiner. “Targeting Lockheed reads more as an attempt either to gain information about an adversary or to discredit them and remove them from the opposition’s use.”

The attacks were likely looking for targets who had security clearances from Western governments, added Greg Otto, a researcher at cybercrime intelligence provider Intel 471. “From…

Source…

Defense Contractors Highly Susceptible to Ransomware


Even as cybercriminals take aim at critical infrastructure, many of the United States’ top 100 federal contractors are inadequately prepared to repel ransomware attacks.

These were among the findings of a report from Black Kite, which assessed the cybersecurity risk posture of U.S. defense contractors and found 20% of the country’s largest 100 contractors were highly susceptible to a ransomware attack.

The study found 42% of defense contractors have had at least one compromised credential within the past 90 days, and 40 contractors received an “F” grade in credential management.

Overall, the top 100 federal contractors averaged a “ransomware susceptibility index” score of 0.39, but 20% scored above the critical threshold of 0.6, according to the report.

Crossing the Threshold

By comparison, earlier Black Kite reports showed that 10% of pharmaceutical manufacturers and 49% of automobile manufacturers were above what Black Kite considered a critical threshold, indicating they were highly susceptible to ransomware attacks.

“We’re continuing to see the exact same issues pop up through industries—issues that should be addressed by basic cybersecurity hygiene,” said Bob Maley, chief security officer at Black Kite. “These are defense contractors that should be taking advice from the Department of Homeland Security. The attack vectors for ransomware aren’t new.”

He pointed out that Homeland Security has been issuing alerts on what people should be doing to protect themselves in these particular areas over the past decade.

“So, it’s not that bad actors are finding new things to exploit to make ransomware effective,” he said. “They’re exploiting issues that have been around for a long time that people just aren’t paying attention to.”

Maley explained that there is no single category of malicious actor perpetrating threats against federal contractors. Generally speaking, the actors that pose a threat here may not target defense contractors specifically; they may not even know that they are doing so.

“They’re bad actors that will target a company that is vulnerable and that looks like they have enough financials to…

Source…

What contractors should take from T-Mobile’s ‘100 million people’ cybersecurity breach


Do you use T-Mobile as part of your contracting operations?

If so, you may be impacted by a huge T-Mobile security breach.

In fact, even though the US brand is synonymous with mobile phones, it’s not just handheld customers who are affected – if you use the company’s other services, such as cloud storage, or use it as a tool for providing services to your clients as a contractor, you’re still likely to be impacted – that’s how big this breach is, write Leila Saidi and Alix Balsan of Gerrish Legal.

What happened at T-Mobile?

On Monday, August 16th, the Bellevue-based telecom company confirmed reports, which first surfaced on Motherboard, that it had been hit by a cybersecurity breach – presumably some time during the first two weeks of August 2021.

In its cybersecurity update dated August 16th, T-Mobile admitted that unauthorised access to some of its data had occurred – but, frustratingly for customers, that it was unable to confirm whether any personal data was involved.

In an update published the next day, T-Mobile admitted that a preliminary analysis had revealed that as many as 7.8 million current T-Mobile customers were impacted, as well as just over 40 million records of former or prospective customers. And as part of its most recent update (August 19th), T-Mobile explained that although the exact nature of the personal data that had been compromised could vary by individual, information included individuals’ names, drivers’ licences, government identification numbers, Social Security numbers, dates of birth, and T-Mobile account PINs.

That amounts to a massive cybersecurity breach. The company added that approximately 850,000 active T-Mobile prepaid customer names, phone numbers and account PINs were also exposed. That compares to the claims of hackers who reportedly put the total number of T-Mobile customers affected by the breach at 100 million. The company has not agreed to that figure, indicating instead that it’s more like half that number of customers who have been exposed.

The T-Mobile data breach: possible implications for contractors

What could all this mean for you as an IT, data or telecoms contractor – especially in relation to your security and…

Source…