Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management

7/12/2018
08:05 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

Kaspersky: Asia the Focus of APT Operations in Q2

In their second quarter report, Kaspersky researchers also noted the return of various well-known bad actors and the threats facing networking hardware devices.

Asia has become a major field of play for a growing number of advanced persistent threat (APT) operations run by a mix of well-known and new bad actors, according to threat researchers with Kaspersky Lab.

The attacks in the region, the continued rise of threats directed at network devices, such as VPNFilter, and the return of high-profile cybercriminals -- particularly in Asia -- were among the key findings in the cybersecurity vendor's recently released second-quarter trends report.

The meeting between the leaders of the US and North Korea and similar high-profile situations and the makeup of various nation-state groups in the region most likely played roles in the APT activity in Asia, according to Vicente Diaz, principal security researcher for Kaspersky's Global Research and Analysis Team.

(Source: Pixabay)\r\n
(Source: Pixabay)\r\n

"It is difficult for us to know, but I believe that most of the activity is related to a high number of relevant geopolitical events that happened in the region, especially related to the new position of North Korea and several bilateral talks between countries," Diaz told Security Now in an email. "This also might be related to how some of these nation-state actors act, having several subgroups coordinated instead of a single one who takes care of all the cyberespionage, which produces several small groups instead of a single larger campaign."

The researchers pointed to such known groups as Lazarus and Scarcruft -- both believed to have links to North Korea -- as being particularly active actors in the region -- and noted a Russian-speaking group called Turla that used an implant called LightNeuron to target victims in Central Asia and the Middle East.

"Lazarus has accumulated a large collection of artefacts over the last few years, in some cases with heavy code reuse, which makes it possible to link many newly found sets of activity to this actor," the Kaspersky researchers wrote on a post on the company's SecureList site. "One such tool is the Manuscrypt malware, used exclusively by Lazarus in many recent attacks. The US-CERT released a warning in June about a new version of Manuscrypt they call TYPEFRAME."

APTs new and old
Among the APTs noted by Kaspersky was an effort by the Lazarus splinter group BlueNoroff to target financial institutions in Turkey -- as part of a larger cyberespionage campaign -- and casinos in Latin America. Researchers also saw Scarcruft using Android malware and using a backdoor called PoorWeb in another operation. There also was the return of the bad actors behind Olympic Destroyer, the malware that hit the opening of the Winter Olympics in South Korea. An operation targeting organizations in Europe involved in protecting against chemical and biological attacks use tools and spear-phishing documents similar to Olympic Destroyer campaign. (See Olympic Destroyer Returns With Attacks in Europe.)

There were other notable returns, such as WhiteWhale, a threat actor that has been relatively low-profile since 2016 that apparently is behind a new campaign discovered in April that include the distribution of Taidoor and Yalink malware families, primarily aiming at Japanese victims.

Diaz noted that there could be numerous reasons why such a group may appear to be relatively inactive for a period of time, only to resurface later. They may have been active but undetected or it may be difficult linking particular groups to certain activities. They also could be spending those downtimes to regroup.

"It is also true that these actors need to evolve from time to time, working with new tools and techniques," he wrote. "Sometimes we observe old artifacts being reworked (like with Kimsuky), but other groups and newcomers just decide to start in this business with a simple approach where only a few customized droppers and generally available tools for lateral movement are required."

It also highlights different approaches by different groups.

Economically speaking, it makes sense for groups to use tools that are freely available rather than more expensive ones. At the same time, Kaspersky sees that more advanced bad actors "have all the zero-days they need in their pocket and are ready to burn them when necessary," Diaz said.


Boost your understanding of new cybersecurity approaches at Light Reading's Automating Seamless Security event on October 17 in Chicago! Service providers and enterprise receive FREE passes. All others can save 20% off passes using the code LR20 today!

The researchers found the VPNFilter campaign was the most notable operation during the second quarter, which infected more than 500,000 domestic routers around the world. The campaign, which the FBI attributed to the Sofacy and Sandworm APT groups, highlights the threats to networks that Kaspersky analysts said they have been warning about. (See Talos: VPNFilter Malware Still Stands at the Ready.)

"Networking hardware... has always been vulnerable to some degree," Diaz added. "Since Regin, we have seen examples of nation-state actors targeting such devices. The problem is that it is difficult to find the malware inside given that networking devices are traditionally poorly monitored. One of the main problems is the lack of updates and the poor configuration of such devices (many times using default passwords)."

It's been relatively easy to infect networks "with huge IoT botnets in the past and it is natural that several actors start developing their artifacts to target such devices," he said. "I'm confident we will see many more examples in the future."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-41154
PUBLISHED: 2021-10-18
Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In affected versions an attacker with read access to a "SVN core" repository could execute arbitrary SQL queries. The following versions contain the fix: Tuleap Community Edition 11.1...
CVE-2021-41155
PUBLISHED: 2021-10-18
Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In affected versions Tuleap does not sanitize properly user inputs when constructing the SQL query to browse and search revisions in the CVS repositories. The following versions contain the fix...
CVE-2021-41152
PUBLISHED: 2021-10-18
OpenOlat is a web-based e-learning platform for teaching, learning, assessment and communication, an LMS, a learning management system. In affected versions by manipulating the HTTP request an attacker can modify the path of a requested file download in the folder component to point to anywhere on t...
CVE-2021-41153
PUBLISHED: 2021-10-18
The evm crate is a pure Rust implementation of Ethereum Virtual Machine. In `evm` crate `< 0.31.0`, `JUMPI` opcode's condition is checked after the destination validity check. However, according to Geth and OpenEthereum, the condition check should happen before the destination validity check. Thi...
CVE-2021-41156
PUBLISHED: 2021-10-18
anuko/timetracker is an, open source time tracking system. In affected versions Time Tracker uses browser_today hidden control on a few pages to collect the today's date from user browsers. Because of not checking this parameter for sanity in versions prior to 1.19.30.5601, it was possible to craft ...