Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

Lazarus Research Highlights Threat from North Korea

A widespread attack against companies and government agencies have been linked to the North Korean Lazarus group, underscoring that the countries hackers are becoming more brazen.

RSA CONFERENCE 2019 — San Francisco — Evidence from a command-and-control server has linked a massive campaign against sensitive industries and government agencies to the Lazarus Group, a North Korean state-sponsored operator, cybersecurity firm McAfee announced at the RSA Conference this week.

After gaining access to code and data from the C&C server, McAfee researchers analyzed the evidence and concluded that the campaign — which they dubbed Operation Sharpshooter —started a year earlier than previously thought and targeted a larger group of organizations. In a previous analysis, published in December 2018, McAfee researchers hesitated to connect the campaign to the activities of the Lazarus Group.

"Operation Sharpshooter’s numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags," the company's researchers stated at the time. "Our research focuses on how this actor operates, the global impact, and how to detect the attack. We shall leave attribution to the broader security community."

With the additional evidence from the server used by the attackers to manage their network of compromised systems, McAfee's researchers found that the Sharpshooter campaign used the same software implants and malicious code as the Lazarus Group.

The report highlighted the increasing sophistication as well as the ubiquity of cyber-operations from North Korea, which uses attacks to steal funds, collect intelligence and punish rivals. North Korean groups are among the most brazen state-sponsored attackers, said Tom Kellerman, chief cybersecurity officer with Carbon Black.

"They finally have an A-team, thanks to the tech transfer from Russia," Kellerman said.

An interesting piece of the puzzle is that early attacks focused on networks in Namibia, leading McAfee researchers to conclude that the Sharpshooter group may have used the African nation as a testing ground for its software implants and attack code.

Financial Services, Government Bear Brunt of Attacks
Getting access to the command-and-control server gave McAfee researchers the evidence needed to connect Operation Sharpshooter to the Lazarus Group, Christiaan Beek, McAfee senior principal engineer and lead scientist, said in a statement.

"Access to the adversary’s command-and-control server code is a rare opportunity," Beek said. "These systems provide insights into the inner workings of cyberattack infrastructure, are typically seized by law enforcement, and only rarely made available to private sector researchers."

The most recent attacks mainly focused on financial services, government agencies, and critical infrastructure, McAfee stated. The attackers primarily targeted Germany, Turkey, the United Kingdom and the United States. Earlier attacks had also focused on telecommunications companies and had included Israel as one of the primary targets.

In a survey of financial services CISOs, Carbon Black found that two-thirds of respondents had faced more cyberattacks in the last 12 months than the same period the prior year. While social engineering attacks remain the most common — with 79% of firms encountering highly targeted phishing attacks — 32% of firms detected attacks coming from third parties, such as suppliers and partners.

In addition, destructive attacks against financial institutions — a hallmark of many North Korean operations — have become more common, with a quarter of all attacks having a component that destroys or encrypts data.

"You see this transition now from bank heists to a hostage situations," Kellerman said. "These attacks are not being leveraged at the beginning of the attack, but at the end … They want to be punitive on their way out, because they know they are being reacted to."

Needed: Subtler Incident Response
Much of this is a reaction to incident responders trying to stop attackers and clean up compromised servers and workstations, Kellerman said. About a third of institutions surveyed experienced some form of counter incident-response reaction from attackers, either destroying data or using a sleep cycle to wake up secondary command-and-control channels. 

"We are being too loud in how we conduct incident response, and we are being a bit too cocky by immediately terminate command and control," he said. "This really highlights our need to become better at how we conduct the ultimate investigation." 

Attackers are also using sophisticated techniques such as steganography — hiding data in images or other file types — as either a secondary command-and-control channel or as a way of delivering additional malware payloads to the targeted server. 

"Embedding multiple content types within a single file … has been a common technique seen in many malware droppers for some time," Carbon Black stated in its report. "This technique is used to evade detection on the network wire and on the endpoint as well has hide content on disk in familiar file types such as images."

Related Links

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
TPM-Fail: What It Means & What to Do About It
Ari Singer, CTO at TrustPhi,  11/19/2019
Americans Fed Up with Lack of Data Privacy
Robert Lemos, Contributing Writer,  11/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19227
PUBLISHED: 2019-11-22
In the AppleTalk subsystem in the Linux kernel before 5.1, there is a potential NULL pointer dereference because register_snap_client may return NULL. This will lead to denial of service in net/appletalk/aarp.c and net/appletalk/ddp.c, as demonstrated by unregister_snap_client, aka CID-9804501fa122.
CVE-2019-10203
PUBLISHED: 2019-11-22
PowerDNS Authoritative daemon , all versions pdns 4.1.x before pdns 4.1.10, exiting when encountering a serial between 2^31 and 2^32-1 while trying to notify a slave leads to DoS.
CVE-2019-10206
PUBLISHED: 2019-11-22
ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them.
CVE-2018-10854
PUBLISHED: 2019-11-22
cloudforms version, cloudforms 5.8 and cloudforms 5.9, is vulnerable to a cross-site-scripting. A flaw was found in CloudForms's v2v infrastructure mapping delete feature. A stored cross-site scripting due to improper sanitization of user input in Name field.
CVE-2019-13157
PUBLISHED: 2019-11-22
nsGreen.dll in Naver Vaccine 2.1.4 allows remote attackers to overwrite arbitary files via directory traversal sequences in a filename within nsz archive.