Tag Archive for: Lazarus

North Korean cyberespionage actor Lazarus targets energy providers with new malware



Lazarus, also known as Hidden Cobra or Zinc, is a known nation-state cyberespionage threat actor originating from North Korea, according to the U.S. government. The threat actor has been active since 2009 and has often switched targets over time, probably according to nation-state interests.

Between 2020 and 2021, Lazarus compromised defense companies in more than a dozen countries, including the U.S. It also targeted selected entities in strategic sectors such as aerospace and military equipment.

The threat actor is now aiming at energy providers, according to a new report from Cisco Talos.


Attack modus operandi

Lazarus often uses very similar techniques from one attack to the next, as exposed by Talos (Figure A).

Figure A: Full attack scheme (cyber kill chain) from the current Lazarus operation. Image: Cisco Talos.

In the campaign reported by Talos, the initial vector of infection is the exploitation of the Log4j vulnerability on internet-facing VMware Horizon servers.

Once the targeted system is compromised, Lazarus downloads its toolkit from a web server it controls.

Talos has witnessed three variants of the attack, each deploying a different set of malware: VSingle alone, VSingle together with MagicRAT, or a new malware dubbed YamaBot.

Some variants of the attack also involve other tools, such as mimikatz for credential harvesting, proxy tools to set up SOCKS proxies, or reverse tunneling tools such as Plink.

Lazarus also checks which antivirus is installed on endpoints and disables Windows Defender.

The attackers also copy parts of the Windows Registry hives for offline analysis and possible exploitation of credentials and policy information, and gather information from Active Directory before creating their own high-privileged users. These users are removed once the attack is fully in place, along with temporary tools, and the Windows Event logs are cleaned.

At this point, the attackers take their time to explore the systems, listing multiple folders and putting those of particular interest, mostly proprietary intellectual property, into a RAR archive file for…

Source…

North Korea’s Lazarus hackers are exploiting Log4j flaw to hack US energy companies


Security researchers have linked a new cyber espionage campaign targeting U.S., Canadian and Japanese energy providers to the North Korean state-sponsored Lazarus hacking group.

Threat intelligence company Cisco Talos said Thursday that it has observed Lazarus — also known as APT38 — targeting unnamed energy providers in the United States, Canada and Japan between February and July this year. According to Cisco’s research, the hackers used a year-old vulnerability in Log4j, known as Log4Shell, to compromise internet-exposed VMware Horizon servers and establish an initial foothold on a victim’s enterprise network, before deploying bespoke malware known as “VSingle” and “YamaBot” to establish long-term persistent access. YamaBot was recently attributed to the Lazarus APT by Japan’s national cyber emergency response team, known as CERT.

Details of this espionage campaign were first revealed by Symantec in April this year, which attributed the operation to “Stonefly,” another North Korean hacking group that has some overlaps with Lazarus.

However, Cisco Talos also observed a previously unknown remote access trojan — or RAT — named “MagicRAT,” attributed to Lazarus Group, which the hackers use for reconnaissance and stealing credentials.

“The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives,” wrote Talos researchers Jung soo An, Asheer Malhotra and Vitor Ventura. “This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.”

The Lazarus Group is a financially motivated hacking group backed by the North Korean state that is best known for the high-profile Sony hack in 2016 and the WannaCry ransomware attack in 2017. Lazarus is also driven by efforts to support North Korea’s state objectives, including military research and development and evasion of international sanctions.

However, the group has in recent months turned its attention to blockchain and cryptocurrency organizations. It has been linked to…

Source…

“The Lazarus Heist” explains North Korea’s wild hacking spree


The Lazarus Heist. By Geoff White. Penguin Business; 304 pages; $29.95 and £20

The “hermit kingdom” of North Korea is so technologically backward that it is visible—or rather invisible—from space. Photographs taken at night show a country covered in darkness, with only a few pinpricks of light around Pyongyang, the capital. China, Japan and South Korea, by contrast, glow with artificial illumination.

But as Geoff White, a BBC journalist, explains in his rollicking new book, that backwardness has helped make a handful of North Koreans very technologically savvy indeed. He tells the story of the Lazarus Group, the name given by security analysts to a collection of North Korean state-sponsored hackers. In a country where access to the internet is a luxury afforded to only a tiny few, they have, over the past decade, become some of the world’s most prolific cybercriminals.

The Lazarus Group is thought to have been responsible for a $100m raid on Bangladesh’s central bank in 2016; the WannaCry malware attack that in 2017 hit organisations around the world, from Maersk, a shipping giant, to Britain’s National Health Service; and a string of more recent hacks and cryptocurrency frauds. The group’s various schemes are thought to have netted billions of dollars of precious foreign currency for the North Korean regime.

“The Lazarus Heist”, which is based on a BBC podcast of the same name, provides both a pacey insight into the cutting edge of modern crime and an equally fascinating portrait of life inside North Korea (gleaned from a mix of official sources and interviews with defectors). In theory, the regime preaches Juche, usually translated as “self-reliance”, deliberately isolating itself from the decadent capitalism that contaminates the rest of the world.

But self-imposed isolation has left North Korea impoverished and underdeveloped. Its pursuit of nuclear weapons has brought sanctions, compounding the problem. With the economy strangled and citizens poor and sometimes starving, Mr White describes a state trying its hand at a variety of criminal schemes, from counterfeiting to smuggling and cooking crystal meth, in an effort to earn foreign currency. Eventually it…

Source…

ESET Research: Lazarus attacks aerospace and defense contractors worldwide while misusing LinkedIn and WhatsApp


DUBAI, UNITED ARAB EMIRATES, June 1, 2022 /EINPresswire.com/ — During the annual ESET World conference, ESET researchers presented a new investigation into the infamous Lazarus APT group. Director of ESET Threat Research Jean-Ian Boutin went over various new campaigns perpetrated by the Lazarus group against defense contractors around the world between late 2021 and March 2022.

In the relevant 2021-2022 attacks and according to ESET telemetry, Lazarus has been targeting companies in Europe (France, Italy, Germany, the Netherlands, Poland, and Ukraine) and Latin America (Brazil).

Despite the primary aim of this Lazarus operation being cyber-espionage, the group has also worked to exfiltrate money (unsuccessfully). “The Lazarus threat group showed ingenuity by deploying an interesting toolset, including for example a user mode component able to exploit a vulnerable Dell driver in order to write to kernel memory. This advanced trick was used in an attempt to bypass security solutions monitoring,” says Jean-Ian Boutin.

As early as 2020, ESET researchers had already documented a campaign pursued by a sub-group of Lazarus against European aerospace and defense contractors, which ESET called Operation In(ter)ception. This campaign was noteworthy because it used social media, especially LinkedIn, to build trust between the attacker and an unsuspecting employee before sending them malicious components masquerading as job descriptions or applications. At that time, companies in Brazil, the Czech Republic, Qatar, Turkey and Ukraine had already been targeted.

ESET researchers believed that the action was mostly geared towards attacking European companies, but by tracking a number of Lazarus sub-groups performing similar campaigns against defense contractors, they soon realized that the campaign extended much wider. While the malware used in the various campaigns was different, the initial modus operandi (M.O.) always remained the same: a fake recruiter contacted an employee through LinkedIn and eventually sent malicious components.

In this regard, they’ve continued with the same M.O. as in the past. However, ESET researchers have also…

Source…