
Operational Security | News Analysis, Security Now
4/13/2018 07:05 AM
Scott Ferguson

APTs Are Rising in the East, Kaspersky Finds

The number of Advanced Persistent Threats, or APTs, active in Asia and the Middle East grew over the past three months, a new Kaspersky report found. The activity includes a cyber attack that targeted the 2018 Winter Olympics in South Korea.

The number of Advanced Persistent Threats, or APTs, targeting groups and organizations in Asia and the Middle East dramatically increased during the first three months of the year. This pattern includes an attack targeting the 2018 Winter Olympics in South Korea, according to a new report from Kaspersky Lab.

Of the 27 different reports Kaspersky tracked during the first quarter of this year, about 27% of APTs happened in Asia, including the Olympic Destroyer attack that targeted the Pyeongchang games in February. (See Kaspersky: Olympic Destroyer Creator Left 'False Flag' Clues.)

APTs are typically associated with governments and nation-states, and these attacks usually involve either ongoing espionage schemes or long-term attempts to steal sensitive data.

In an email to Security Now, Vicente Diaz, principal security researcher for Kaspersky Lab Global Research & Analysis, wrote that APTs and the groups behind them try to cover their tracks through a host of different techniques. These include using generic tools, or the nation-states themselves hiring tools from external companies. In addition, the groups ask third parties to take part in information-gathering operations, or dedicate small external groups to particular campaigns.

(Source: GDJ via Pixabay)

Combined, these make APTs hard to track.

"Attributing attacks is becoming increasingly difficult -- sometimes we are only able to get a few language traces, and sometimes the artifacts and TTPs [Tactics, Techniques and Procedures] used by attackers might provide additional clues," Diaz wrote. "Generally speaking, victims are a good method for us to understand the purpose of a given campaign and what the attacker's interest might be, which sometimes might align with nation-states."

In many cases, Kaspersky found the groups behind these attacks favored targeting routers. In one case, the firm found attackers compromising routers made by MikroTik and using the hardware as an infection vector to reach the ultimate victim of the attack.

By examining these APTs, Kaspersky found that the threats are growing in sophistication and scope. At the same time, different tools and capabilities are making cyberespionage easier.

In its April 12 blog, Kaspersky noted:

We have the impression that some well-known actors are rethinking their strategies and reorganizing their teams for future attacks. In addition, a whole new wave of attackers are becoming much more active. For all these new attackers we observe different levels of sophistication, but let's admit that the entry barrier for cyberespionage is much lower than it used to be in terms of the availability of different tools that can be used for malicious activities.

For example, Kaspersky found that many APTs now take advantage of Microsoft PowerShell and have used that as a resource to spread malware. (See Nasties Abound: Symantec's Q3 Threat Report.)

While APTs have boomed in Asia, the Middle East has seen a significant increase as well. The report points to one group, dubbed StrongPity APT, which launched several Man-in-the-Middle (MitM) attacks targeting ISP networks in that region.


Overall, Kaspersky researchers identified three new APT groups during the first quarter of 2018. These included:

  • A Chinese-speaking group dubbed Shaggypanther, which appears to have been targeting government entities in Taiwan and Malaysia since at least 2008. This APT typically stores encrypted payloads in registry keys.
  • The second group, called Sidewinder, has mainly focused on Pakistani military targets since 2012. This APT has exploited known vulnerabilities in Microsoft Office -- specifically CVE-2017-11882 -- as well as using PowerShell payloads.
  • Finally, Kaspersky found a Chinese-speaking group called CardinalLizard. Since 2014, this APT has focused on the Philippines, Russia, Mongolia and Malaysia, and uses customized malware that features anti-detection and anti-emulation technology.
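As an added defensive illustration (not code from the Kaspersky report or this article), the following Python hunts a registry export for the kind of large, high-entropy binary values that registry-staged encrypted payloads, such as those attributed above to Shaggypanther, leave behind. The registry path, value names and the blob itself are constructed sample data.

```python
import math
import random
import re

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted/compressed data, far lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_reg_hex_values(reg_text: str):
    """Yield (key, value_name, raw_bytes) for every hex: value in a .reg export.
    Folds the backslash line continuations regedit writes for long blobs."""
    joined = re.sub(r",\\\r?\n\s*", ",", reg_text)
    key = None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        m = re.match(r'"([^"]+)"=hex(?:\([0-9a-f]+\))?:([0-9a-fA-F,]+)$', line)
        if m and key:
            raw = bytes(int(h, 16) for h in m.group(2).split(",") if h)
            yield key, m.group(1), raw

def find_suspicious_blobs(reg_text: str, min_len: int = 256, min_entropy: float = 7.0):
    """Return (key, name, length, entropy) for values that are both large and high-entropy."""
    hits = []
    for key, name, raw in parse_reg_hex_values(reg_text):
        ent = shannon_entropy(raw)
        if len(raw) >= min_len and ent >= min_entropy:
            hits.append((key, name, len(raw), round(ent, 2)))
    return hits

# --- constructed sample export (hypothetical key and values, not real data) ---
_rng = random.Random(1)
_blob = bytes(_rng.getrandbits(8) for _ in range(600))  # stands in for an encrypted payload
_text_val = b"dark theme\x00" * 30                       # large but low-entropy, benign

def _hex(b: bytes) -> str:
    return ",".join(f"{x:02x}" for x in b)

SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_CURRENT_USER\\Software\\ExampleApp]\r\n"
    '"Theme"=hex:' + _hex(_text_val) + "\r\n"
    '"Cache"=hex:' + _hex(_blob[:80]) + ",\\\r\n  " + _hex(_blob[80:]) + "\r\n"
)

if __name__ == "__main__":
    for hit in find_suspicious_blobs(SAMPLE_REG):
        print("suspicious registry value:", hit)
```

Only the high-entropy "Cache" value is reported; the equally large but repetitive "Theme" value is not, which is the point of pairing a size threshold with an entropy threshold.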

Kaspersky also looked at the side-channel vulnerabilities found earlier this year in x86 microprocessors, called Spectre and Meltdown. The company noted that although the big chipmakers, Intel especially, have been issuing patches, there's no real way to fix these issues. (See Intel Will Leave Some Chips Without Spectre Patch.)

However, the report noted that no attacks targeting the Spectre and Meltdown vulnerabilities have been found in the wild, although Kaspersky did find some proof-of-concept designs.

Editor's note: This article was updated with additional information from Kaspersky.

— Scott Ferguson, is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR
