Tag Archive for: Leverages

North Korean Lazarus Hacking Group Leverages Supply Chain Attacks To Distribute Malware for Cyber Espionage

North Korean threat actor Lazarus group has resorted to supply chain attacks similar to SolarWinds and Kaseya to compromise the regime’s targets, according to cybersecurity firm Kaspersky.

Kaspersky’s Q3 2021 APT Trends report says that “Lazarus developed an infection chain that stemmed from legitimate South Korean security software deploying a malicious payload.”

The APT group compromised a South Korean think tank using two remote access trojan (RAT) variants BLINDINGCAN and COPPERHEDGE. The DHS Cybersecurity & Infrastructure Security Agency (CISA) had issued security alerts AR20-232A and AR20-133A over these trojans.

According to the researchers, Lazarus’ recent activity is part of a broader international campaign leveraging supply chain attacks.

Identified by US-CERT and the FBI as HIDDEN COBRA, the group was suspected to be responsible for the WannaCry ransomware and the Sony Pictures Entertainment hack that escalated tensions between the US and North Korea.

Lazarus’ supply chain attacks target atypical victims

Experts believe that Lazarus is expanding its victim base beyond that of Asian government agencies and policy think tanks.

Kaspersky researchers discovered that the hacking group had targeted a Latvian tech firm developing asset monitoring solutions, an atypical victim for Lazarus.

During the attack, the North Korean APT deployed a compromised downloader “Racket” signed with a stolen digital certificate. The hacking group had stolen the digital certificate from a US-based South Korean security company.

According to Kaspersky, the APT compromised multiple servers and uploaded several malicious scripts in the process. The group used the malicious scripts to control the trojans installed on downstream victims.

“North Korea once again figures prominently in an attack, although it doesn’t appear to be the government this time, at least not directly,” said Saryu Nayyar, CEO at Gurucul.

“Government-sponsored attacks continue to be a major issue for other governments and enterprises. Both types of organizations need to be cognizant of the potential for high-powered attacks and respond appropriately. Early…


NEW TECH: DigiCert Document Signing Manager leverages PKI to advance electronic signatures

Most of us, by now, take electronic signatures for granted.

Related: Why PKI will endure as the Internet’s secure core

Popular services, like DocuSign and Adobe Sign, have established themselves as convenient, familiar tools to conduct daily commerce, exclusively online. Yet electronic signatures do have their security limitations. That’s why “wet” signatures, i.e. signing in the presence of a notary, remain a requirement for some transactions involving high dollar amounts or very sensitive records.

Clearly, a more robust approach to verifying identities in the current and future digital landscape would be useful. After all, conducting business transactions strictly online was already on the rise before Covid-19, a trend that only accelerated due to the global pandemic.

And this is why DigiCert recently introduced DigiCert® Document Signing Manager (DSM) – an advanced hosted service designed to increase the level of assurance of the identities of persons signing documents digitally.

I had the chance to learn more about this new tool from Brian Trzupek, DigiCert’s senior vice president of product. DigiCert is best known as a Certificate Authority (CA) and a supplier of services to manage Public Key Infrastructure. And PKI, of course, is the behind-the-scenes authentication and encryption framework on which the Internet is built.

Trzupek outlined how DSM allows for legally-binding documents with auditability and management of signers. “It adds trust and security into each signature, with the ability to easily work with third-party signing workflows such as Adobe, DocuSign, or other signing workflow platforms,” he says.

As digital transformation has quickened, it has become clear that electronic signatures are destined to become even more pervasively used to conduct business remotely. DigiCert is bringing PKI to bear to help make that happen. Here are the main takeaways from our discussion:

Leveraging PKI

The experience on many signing platforms goes something like this: you receive a document via email, you select a signature font, and then you click to insert that signature on highlighted areas of the document. You conclude by clicking submit and when the document…


Ursnif Leverages Cerberus Android Malware to Automate Fraudulent Bank Transfers in Italy

Contributed to this research: Segev Fogel, Amir Gendler and Nethanella Messer.

IBM Trusteer researchers continually monitor the evolution and attack tactics in the banking sector. In a recent analysis, our team found that an Ursnif (aka Gozi) banking Trojan variant is being used in the wild to target online banking users in Italy with mobile malware. Aside from the Ursnif infection on the victim’s desktop, the malware tricks victims into fetching a mobile app from a fake Google Play page and infects their mobile device with the Cerberus Android malware.

The Cerberus malware component of the attack is used by Ursnif’s operators to receive two-factor authentication codes sent by banks to their users when account updates and money transfer transactions are being confirmed in real-time. Cerberus also possesses other features and can enable the attacker to obtain the lock-screen code and remotely control the device.

Cerberus is an overlay-type mobile malware that emerged in mid-2019 but initially lacked advanced capabilities. It has evolved over time to eventually feature the ability to hijack SMS content and control devices remotely, alongside other sophisticated data theft features. Cerberus was peddled in the underground as commodity malware until the summer of 2020, taking over the market share of Anubis, a previous pay-per-use malware.

In September 2020, Cerberus’ development team decided to disband, spurring an auction attempt that aimed to sell off the source code to the highest bidder, starting at $100,000. The code did not sell but was instead shared with the malware’s customer base, which meant it was publicly leaked. That intentional release of the source code gave rise to numerous malware campaigns involving Cerberus and likely also led to this combined attack with the Ursnif banking Trojan.

A Combination Attack From Desktop to Smartphone

Ursnif is a very long-standing staple in the cybercrime arena, possibly the oldest banking Trojan that’s still active today. Recent campaigns featuring this malware have been most notable in Italy, where it is typically delivered to business email recipients in attachments that…

Southwest Leverages the Lanham Act Against Alleged Scraper of Website Fares | Rothwell, Figg, Ernst & Manbeck, P.C.

Website operators can consider a host of potential legal claims against entities that scrape their sites’ content without authorization, such as breach of a well-crafted terms of service agreement, copyright infringement, trespass, conversion, common law misappropriation, unfair competition, violations of the Computer Fraud and Abuse Act, misappropriation of trade secrets, and trademark infringement, among others. Each type of claim has its limits, and multiple claims may intersect or overlap in significant ways, particularly when it comes to preemption or remedies. Accordingly, the nature and context of both the unauthorized web scraping activities and the scraped content should be carefully evaluated to determine an appropriate response.

For example, a recent complaint filed by Southwest against Kiwi illustrates how a data scrape may lead to potential violations of the Lanham Act where the material scraped includes or is used with protected logos and branding. In its complaint, Southwest alleges that Kiwi scraped its airline fares, and displays Southwest’s protected “Heart” mark in conjunction with promoting and re-selling Southwest’s fares on Kiwi’s online travel agency site. Southwest alleges that Kiwi is using its Heart mark in a manner that is likely to cause confusion, or to cause mistake, or to deceive as to the affiliation, connection or association of Kiwi with Southwest, or as to the origin, sponsorship or approval of Kiwi’s goods and services by Southwest in violation of Section 32 of the Lanham Act, 15 U.S.C. § 1114. Southwest has also alleged claims of false designation of origin and trademark dilution under the Lanham Act.

Southwest has also asserted claims of breach of its website Terms & Conditions, violation of the Computer Fraud and Abuse Act, violation of Texas Penal Code § 33.02 (Breach of Computer Security), and common law unjust enrichment. The case is Southwest Airlines Co. v. Kiwi.com, Inc. et al., 3:21-cv-00098, pending in the Northern District of Texas.