Dark Reading is part of the Informa Tech Division of Informa PLC


Operational Security

4/13/2018 07:05 AM
Scott Ferguson
News Analysis - Security Now

APTs Are Rising in the East, Kaspersky Finds

Advanced Persistent Threats, or APTs, increased in Asia and the Middle East over the past three months, including a cyber attack that targeted the 2018 Winter Olympics in South Korea, a new Kaspersky report found.

The number of Advanced Persistent Threats, or APTs, targeting groups and organizations in Asia and the Middle East dramatically increased during the first three months of the year. This pattern includes an attack targeting the 2018 Winter Olympics in South Korea, according to a new report from Kaspersky Labs.

Of the 27 different APT reports Kaspersky produced during the first quarter of this year, about 27% concerned activity in Asia, including the Olympic Destroyer attack that targeted the Pyeongchang games in February. (See Kaspersky: Olympic Destroyer Creator Left 'False Flag' Clues.)

APTs are typically associated with governments and nation-states and these attacks are usually associated with either ongoing espionage schemes or long-term attempts to steal sensitive data.

In an email to Security Now, Vicente Diaz, principal security researcher for Kaspersky Lab Global Research & Analysis, wrote that APTs and the groups behind them try to cover their tracks through a host of different techniques. These include using generic tools, or the nation-states themselves hiring tools from external companies. In addition, APTs are asking third parties to participate in information gathering operations or having small external groups dedicated to certain campaigns.

Combined, these make APTs hard to track.

"Attributing attacks is becoming increasingly difficult -- sometimes we are only able to get a few language traces, and sometimes the artifacts and TTPs [Tactics, Techniques and Procedures] used by attackers might provide additional clues," Diaz wrote. "Generally speaking, victims are a good method for us to understand the purpose of a given campaign and what the attacker's interest might be, which sometimes might align with nation-states."

In many cases, Kaspersky found the groups behind these attacks favored targeting routers. In one case, the firm found attackers compromising routers made by Mikrotik and using the hardware as an infection vector to reach the ultimate victim of the attack.

By examining these APTs, Kaspersky found that the threats are growing in sophistication and scope. At the same time, different tools and capabilities are making cyberespionage easier.

In its April 12 blog, Kaspersky noted:

We have the impression that some well-known actors are rethinking their strategies and reorganizing their teams for future attacks. In addition, a whole new wave of attackers are becoming much more active. For all these new attackers we observe different levels of sophistication, but let's admit that the entry barrier for cyberespionage is much lower than it used to be in terms of the availability of different tools that can be used for malicious activities.

For example, Kaspersky found that many APTs now take advantage of Microsoft PowerShell and have used that as a resource to spread malware. (See Nasties Abound: Symantec's Q3 Threat Report.)

While APTs have boomed in Asia, the Middle East has seen a significant increase as well. The report points to one group, dubbed StrongPity APT, which launched several Man-in-the-Middle (MitM) attacks targeting ISP networks in that region.


Overall, Kaspersky researchers identified three new APT groups during the first quarter of 2018. These included:

  • A Chinese-speaking group dubbed Shaggypanther, which appears to have been targeting government entities in Taiwan and Malaysia since at least 2008. This APT typically uses encrypted payloads in the registry keys.
  • The second group is called Sidewinder and has mainly focused on Pakistani military targets since 2012. This APT has exploited known vulnerabilities in Microsoft Office -- specifically CVE-2017-11882 -- as well as using PowerShell payloads.
  • Finally, Kaspersky found a Chinese-speaking group called CardinalLizard. Since 2014, this APT has focused on the Philippines, Russia, Mongolia and Malaysia and uses customized malware that features anti-detection and anti-emulation technology.

Separately, Kaspersky also looked at the side-channel vulnerabilities found earlier this year in x86 microprocessors, called Spectre and Meltdown. The company noted that although the big chipmakers, Intel especially, have been issuing patches, there's no real way to fix these issues. (See Intel Will Leave Some Chips Without Spectre Patch.)

However, the report noted that no attacks targeting the Spectre and Meltdown vulnerabilities have been found in the wild, although Kaspersky did find some proof-of-concept designs.

Editor's note: This article was updated with additional information from Kaspersky.

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR
