Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management

7/12/2018
08:05 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

Kaspersky: Asia the Focus of APT Operations in Q2

In their second quarter report, Kaspersky researchers also noted the return of various well-known bad actors and the threats facing networking hardware devices.

Asia has become a major field of play for a growing number of advanced persistent threat (APT) operations run by a mix of well-known and new bad actors, according to threat researchers with Kaspersky Lab.

The attacks in the region, the continued rise of threats directed at network devices, such as VPNFilter, and the return of high-profile cybercriminals -- particularly in Asia -- were among the key findings in the cybersecurity vendor's recently released second-quarter trends report.

The meeting between the leaders of the US and North Korea and similar high-profile situations and the makeup of various nation-state groups in the region most likely played roles in the APT activity in Asia, according to Vicente Diaz, principal security researcher for Kaspersky's Global Research and Analysis Team.

"It is difficult for us to know, but I believe that most of the activity is related to a high number of relevant geopolitical events that happened in the region, especially related to the new position of North Korea and several bilateral talks between countries," Diaz told Security Now in an email. "This also might be related to how some of these nation-state actors act, having several subgroups coordinated instead of a single one who takes care of all the cyberespionage, which produces several small groups instead of a single larger campaign."

The researchers pointed to such known groups as Lazarus and Scarcruft -- both believed to have links to North Korea -- as being particularly active actors in the region -- and noted a Russian-speaking group called Turla that used an implant called LightNeuron to target victims in Central Asia and the Middle East.

"Lazarus has accumulated a large collection of artefacts over the last few years, in some cases with heavy code reuse, which makes it possible to link many newly found sets of activity to this actor," the Kaspersky researchers wrote on a post on the company's SecureList site. "One such tool is the Manuscrypt malware, used exclusively by Lazarus in many recent attacks. The US-CERT released a warning in June about a new version of Manuscrypt they call TYPEFRAME."

APTs new and old
Among the APTs noted by Kaspersky was an effort by the Lazarus splinter group BlueNoroff to target financial institutions in Turkey -- as part of a larger cyberespionage campaign -- and casinos in Latin America. Researchers also saw Scarcruft using Android malware and using a backdoor called PoorWeb in another operation. There also was the return of the bad actors behind Olympic Destroyer, the malware that hit the opening of the Winter Olympics in South Korea. An operation targeting organizations in Europe involved in protecting against chemical and biological attacks use tools and spear-phishing documents similar to Olympic Destroyer campaign. (See Olympic Destroyer Returns With Attacks in Europe.)

There were other notable returns, such as WhiteWhale, a threat actor that has been relatively low-profile since 2016 that apparently is behind a new campaign discovered in April that include the distribution of Taidoor and Yalink malware families, primarily aiming at Japanese victims.

Diaz noted that there could be numerous reasons why such a group may appear to be relatively inactive for a period of time, only to resurface later. They may have been active but undetected or it may be difficult linking particular groups to certain activities. They also could be spending those downtimes to regroup.

"It is also true that these actors need to evolve from time to time, working with new tools and techniques," he wrote. "Sometimes we observe old artifacts being reworked (like with Kimsuky), but other groups and newcomers just decide to start in this business with a simple approach where only a few customized droppers and generally available tools for lateral movement are required."

It also highlights different approaches by different groups.

Economically speaking, it makes sense for groups to use tools that are freely available rather than more expensive ones. At the same time, Kaspersky sees that more advanced bad actors "have all the zero-days they need in their pocket and are ready to burn them when necessary," Diaz said.


Boost your understanding of new cybersecurity approaches at Light Reading's Automating Seamless Security event on October 17 in Chicago! Service providers and enterprise receive FREE passes. All others can save 20% off passes using the code LR20 today!

The researchers found the VPNFilter campaign was the most notable operation during the second quarter, which infected more than 500,000 domestic routers around the world. The campaign, which the FBI attributed to the Sofacy and Sandworm APT groups, highlights the threats to networks that Kaspersky analysts said they have been warning about. (See Talos: VPNFilter Malware Still Stands at the Ready.)

"Networking hardware... has always been vulnerable to some degree," Diaz added. "Since Regin, we have seen examples of nation-state actors targeting such devices. The problem is that it is difficult to find the malware inside given that networking devices are traditionally poorly monitored. One of the main problems is the lack of updates and the poor configuration of such devices (many times using default passwords)."

It's been relatively easy to infect networks "with huge IoT botnets in the past and it is natural that several actors start developing their artifacts to target such devices," he said. "I'm confident we will see many more examples in the future."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Average Cost of a Data Breach: $3.86 Million
Jai Vijayan, Contributing Writer,  7/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-18112
PUBLISHED: 2020-08-05
Affected versions of Atlassian Fisheye allow remote attackers to view the HTTP password of a repository via an Information Disclosure vulnerability in the logging feature. The affected versions are before version 4.8.3.
CVE-2020-15109
PUBLISHED: 2020-08-04
In solidus before versions 2.8.6, 2.9.6, and 2.10.2, there is an bility to change order address without triggering address validations. This vulnerability allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the shipm...
CVE-2020-16847
PUBLISHED: 2020-08-04
Extreme Analytics in Extreme Management Center before 8.5.0.169 allows unauthenticated reflected XSS via a parameter in a GET request, aka CFD-4887.
CVE-2020-15135
PUBLISHED: 2020-08-04
save-server (npm package) before version 1.05 is affected by a CSRF vulnerability, as there is no CSRF mitigation (Tokens etc.). The fix introduced in version version 1.05 unintentionally breaks uploading so version v1.0.7 is the fixed version. This is patched by implementing Double submit. The CSRF...
CVE-2020-13522
PUBLISHED: 2020-08-04
An exploitable arbitrary file delete vulnerability exists in SoftPerfect RAM Disk 4.1 spvve.sys driver. A specially crafted I/O request packet (IRP) can allow an unprivileged user to delete any file on the filesystem. An attacker can send a malicious IRP to trigger this vulnerability.