Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management

7/12/2018
08:05 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

Kaspersky: Asia the Focus of APT Operations in Q2

In their second quarter report, Kaspersky researchers also noted the return of various well-known bad actors and the threats facing networking hardware devices.

Asia has become a major field of play for a growing number of advanced persistent threat (APT) operations run by a mix of well-known and new bad actors, according to threat researchers with Kaspersky Lab.

The attacks in the region, the continued rise of threats directed at network devices, such as VPNFilter, and the return of high-profile cybercriminals -- particularly in Asia -- were among the key findings in the cybersecurity vendor's recently released second-quarter trends report.

The meeting between the leaders of the US and North Korea and similar high-profile situations and the makeup of various nation-state groups in the region most likely played roles in the APT activity in Asia, according to Vicente Diaz, principal security researcher for Kaspersky's Global Research and Analysis Team.

"It is difficult for us to know, but I believe that most of the activity is related to a high number of relevant geopolitical events that happened in the region, especially related to the new position of North Korea and several bilateral talks between countries," Diaz told Security Now in an email. "This also might be related to how some of these nation-state actors act, having several subgroups coordinated instead of a single one who takes care of all the cyberespionage, which produces several small groups instead of a single larger campaign."

The researchers pointed to such known groups as Lazarus and Scarcruft -- both believed to have links to North Korea -- as being particularly active actors in the region -- and noted a Russian-speaking group called Turla that used an implant called LightNeuron to target victims in Central Asia and the Middle East.

"Lazarus has accumulated a large collection of artefacts over the last few years, in some cases with heavy code reuse, which makes it possible to link many newly found sets of activity to this actor," the Kaspersky researchers wrote on a post on the company's SecureList site. "One such tool is the Manuscrypt malware, used exclusively by Lazarus in many recent attacks. The US-CERT released a warning in June about a new version of Manuscrypt they call TYPEFRAME."

APTs new and old
Among the APTs noted by Kaspersky was an effort by the Lazarus splinter group BlueNoroff to target financial institutions in Turkey -- as part of a larger cyberespionage campaign -- and casinos in Latin America. Researchers also saw Scarcruft using Android malware and using a backdoor called PoorWeb in another operation. There also was the return of the bad actors behind Olympic Destroyer, the malware that hit the opening of the Winter Olympics in South Korea. An operation targeting organizations in Europe involved in protecting against chemical and biological attacks use tools and spear-phishing documents similar to Olympic Destroyer campaign. (See Olympic Destroyer Returns With Attacks in Europe.)

There were other notable returns, such as WhiteWhale, a threat actor that has been relatively low-profile since 2016 that apparently is behind a new campaign discovered in April that include the distribution of Taidoor and Yalink malware families, primarily aiming at Japanese victims.

Diaz noted that there could be numerous reasons why such a group may appear to be relatively inactive for a period of time, only to resurface later. They may have been active but undetected or it may be difficult linking particular groups to certain activities. They also could be spending those downtimes to regroup.

"It is also true that these actors need to evolve from time to time, working with new tools and techniques," he wrote. "Sometimes we observe old artifacts being reworked (like with Kimsuky), but other groups and newcomers just decide to start in this business with a simple approach where only a few customized droppers and generally available tools for lateral movement are required."

It also highlights different approaches by different groups.

Economically speaking, it makes sense for groups to use tools that are freely available rather than more expensive ones. At the same time, Kaspersky sees that more advanced bad actors "have all the zero-days they need in their pocket and are ready to burn them when necessary," Diaz said.


Boost your understanding of new cybersecurity approaches at Light Reading's Automating Seamless Security event on October 17 in Chicago! Service providers and enterprise receive FREE passes. All others can save 20% off passes using the code LR20 today!

The researchers found the VPNFilter campaign was the most notable operation during the second quarter, which infected more than 500,000 domestic routers around the world. The campaign, which the FBI attributed to the Sofacy and Sandworm APT groups, highlights the threats to networks that Kaspersky analysts said they have been warning about. (See Talos: VPNFilter Malware Still Stands at the Ready.)

"Networking hardware... has always been vulnerable to some degree," Diaz added. "Since Regin, we have seen examples of nation-state actors targeting such devices. The problem is that it is difficult to find the malware inside given that networking devices are traditionally poorly monitored. One of the main problems is the lack of updates and the poor configuration of such devices (many times using default passwords)."

It's been relatively easy to infect networks "with huge IoT botnets in the past and it is natural that several actors start developing their artifacts to target such devices," he said. "I'm confident we will see many more examples in the future."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7029
PUBLISHED: 2020-08-11
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the System Management Interface Web component of Avaya Aura Communication Manager and Avaya Aura Messaging. This vulnerability could allow an unauthenticated remote attacker to perform Web administration actions with the privileged ...
CVE-2020-17489
PUBLISHED: 2020-08-11
An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible f...
CVE-2020-17495
PUBLISHED: 2020-08-11
django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database.
CVE-2020-0260
PUBLISHED: 2020-08-11
There is a possible out of bounds read due to an incorrect bounds check.Product: AndroidVersions: Android SoCAndroid ID: A-152225183
CVE-2020-16170
PUBLISHED: 2020-08-11
The Temi application 1.3.3 through 1.3.7931 for Android has hard-coded credentials.