
Operational Security

4/13/2018 07:05 AM
Scott Ferguson
News Analysis - Security Now

APTs Are Rising in the East, Kaspersky Finds

The number of Advanced Persistent Threats, or APTs, targeting Asia and the Middle East increased over the past three months, including a cyberattack on the 2018 Winter Olympics in South Korea, a new Kaspersky report found.

The number of Advanced Persistent Threats, or APTs, targeting groups and organizations in Asia and the Middle East increased dramatically during the first three months of the year. This pattern includes an attack targeting the 2018 Winter Olympics in South Korea, according to a new report from Kaspersky Lab.

Of the 27 different reports Kaspersky tracked during the first quarter of this year, about 27% of APTs happened in Asia, including the Olympic Destroyer attack that targeted the Pyeongchang games in February. (See Kaspersky: Olympic Destroyer Creator Left 'False Flag' Clues.)

APTs are typically associated with governments and nation-states, and these attacks are usually tied to either ongoing espionage schemes or long-term attempts to steal sensitive data.

In an email to Security Now, Vicente Diaz, principal security researcher for Kaspersky Lab's Global Research & Analysis Team, wrote that APTs and the groups behind them try to cover their tracks through a host of different techniques. These include using generic tools, or the nation-states themselves hiring tools from external companies. In addition, APT groups are asking third parties to participate in information-gathering operations or are running small external groups dedicated to certain campaigns.

(Source: GDJ via Pixabay)

Combined, these make APTs hard to track.

"Attributing attacks is becoming increasingly difficult -- sometimes we are only able to get a few language traces, and sometimes the artifacts and TTPs [Tactics, Techniques and Procedures] used by attackers might provide additional clues," Diaz wrote. "Generally speaking, victims are a good method for us to understand the purpose of a given campaign and what the attacker's interest might be, which sometimes might align with nation-states."

In many cases, Kaspersky found the groups behind these attacks favored targeting routers. In one case, the firm found attackers targeting routers made by MikroTik and using the hardware as an infection vector to reach the ultimate victim of the attack.

By examining these APTs, Kaspersky found that the threats are growing in sophistication and scope. At the same time, different tools and capabilities are making cyberespionage easier.

In its April 12 blog, Kaspersky noted:

We have the impression that some well-known actors are rethinking their strategies and reorganizing their teams for future attacks. In addition, a whole new wave of attackers is becoming much more active. For all these new attackers we observe different levels of sophistication, but let's admit that the entry barrier for cyberespionage is much lower than it used to be in terms of the availability of different tools that can be used for malicious activities.

For example, Kaspersky found that many APTs now take advantage of Microsoft PowerShell and have used it as a means to spread malware. (See Nasties Abound: Symantec's Q3 Threat Report.)

While APTs have boomed in Asia, the Middle East has seen a significant increase as well. The report points to one group, dubbed StrongPity APT, which launched several Man-in-the-Middle (MitM) attacks targeting ISP networks in that region.


Overall, Kaspersky researchers identified three new APT groups during the first quarter of 2018. These included:

  • A Chinese-speaking group dubbed Shaggypanther, which appears to have been targeting government entities in Taiwan and Malaysia since at least 2008. This APT typically stores encrypted payloads in registry keys.
  • The second group is called Sidewinder and has mainly focused on Pakistani military targets since 2012. This APT has exploited known vulnerabilities in Microsoft Office -- specifically CVE-2017-11882 -- as well as using PowerShell payloads.
  • The third is a Chinese-speaking group called CardinalLizard. Since 2014, this APT has focused on the Philippines, Russia, Mongolia and Malaysia and uses customized malware that features anti-detection and anti-emulation technology.

Finally, Kaspersky also looked at the side-channel vulnerabilities found earlier this year in x86 microprocessors, known as Spectre and Meltdown. The company noted that although the big chipmakers, Intel especially, have been issuing patches, there's no real way to fix these issues. (See Intel Will Leave Some Chips Without Spectre Patch.)

However, the report noted that no attacks targeting the Spectre and Meltdown vulnerabilities have been found in the wild, although Kaspersky did find some proof-of-concept designs.

Editor's note: This article was updated with additional information from Kaspersky.

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR
