
Lazarus Research Highlights Threat from North Korea

A widespread attack against companies and government agencies has been linked to the North Korean Lazarus group, underscoring that the country's hackers are becoming more brazen.

RSA CONFERENCE 2019 — San Francisco — Evidence from a command-and-control server has linked a massive campaign against sensitive industries and government agencies to the Lazarus Group, a North Korean state-sponsored operator, cybersecurity firm McAfee announced at the RSA Conference this week.

After gaining access to code and data from the C&C server, McAfee researchers analyzed the evidence and concluded that the campaign — which they dubbed Operation Sharpshooter — started a year earlier than previously thought and targeted a larger group of organizations. In a previous analysis, published in December 2018, McAfee researchers hesitated to connect the campaign to the activities of the Lazarus Group.

"Operation Sharpshooter’s numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags," the company's researchers stated at the time. "Our research focuses on how this actor operates, the global impact, and how to detect the attack. We shall leave attribution to the broader security community."

With the additional evidence from the server used by the attackers to manage their network of compromised systems, McAfee's researchers found that the Sharpshooter campaign used the same software implants and malicious code as the Lazarus Group.

The report highlighted the increasing sophistication as well as the ubiquity of cyber-operations from North Korea, which uses attacks to steal funds, collect intelligence and punish rivals. North Korean groups are among the most brazen state-sponsored attackers, said Tom Kellerman, chief cybersecurity officer with Carbon Black.

"They finally have an A-team, thanks to the tech transfer from Russia," Kellerman said.

An interesting piece of the puzzle is that early attacks focused on networks in Namibia, leading McAfee researchers to conclude that the Sharpshooter group may have used the African nation as a testing ground for its software implants and attack code.

Financial Services, Government Bear Brunt of Attacks
Getting access to the command-and-control server gave McAfee researchers the evidence needed to connect Operation Sharpshooter to the Lazarus Group, Christiaan Beek, McAfee senior principal engineer and lead scientist, said in a statement.

"Access to the adversary’s command-and-control server code is a rare opportunity," Beek said. "These systems provide insights into the inner workings of cyberattack infrastructure, are typically seized by law enforcement, and only rarely made available to private sector researchers."

The most recent attacks mainly focused on financial services, government agencies, and critical infrastructure, McAfee stated. The attackers primarily targeted Germany, Turkey, the United Kingdom and the United States. Earlier attacks had also focused on telecommunications companies and had included Israel as one of the primary targets.

In a survey of financial services CISOs, Carbon Black found that two-thirds of respondents had faced more cyberattacks in the last 12 months than the same period the prior year. While social engineering attacks remain the most common — with 79% of firms encountering highly targeted phishing attacks — 32% of firms detected attacks coming from third parties, such as suppliers and partners.

In addition, destructive attacks against financial institutions — a hallmark of many North Korean operations — have become more common, with a quarter of all attacks having a component that destroys or encrypts data.

"You see this transition now from bank heists to hostage situations," Kellerman said. "These attacks are not being leveraged at the beginning of the attack, but at the end … They want to be punitive on their way out, because they know they are being reacted to."

Needed: Subtler Incident Response
Much of this is a reaction to incident responders trying to stop attackers and clean up compromised servers and workstations, Kellerman said. About a third of institutions surveyed experienced some form of counter-incident-response activity from attackers: either destroying data or using a sleep cycle to wake up secondary command-and-control channels.

"We are being too loud in how we conduct incident response, and we are being a bit too cocky by immediately terminating command and control," he said. "This really highlights our need to become better at how we conduct the ultimate investigation."

Attackers are also using sophisticated techniques such as steganography — hiding data in images or other file types — as either a secondary command-and-control channel or as a way of delivering additional malware payloads to the targeted server. 

"Embedding multiple content types within a single file … has been a common technique seen in many malware droppers for some time," Carbon Black stated in its report. "This technique is used to evade detection on the network wire and on the endpoint as well as hide content on disk in familiar file types such as images."
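The simplest form of the "multiple content types in one file" trick described above is a second stage appended after the point where an image file structurally ends: a PNG still renders, a JPEG still decodes, and a viewer never touches the trailing bytes. The check below is an added Python example written for this article, not code from Carbon Black, McAfee or the Sharpshooter analysis. It walks the real container structure rather than searching for an end marker: PNG chunks are followed by their declared lengths (with each CRC verified) until IEND, and JPEG segments are skipped by their declared lengths so that the EOI of an EXIF thumbnail embedded in an APP1 segment is not mistaken for the end of the image. The sample images and the payload bytes are constructed inline for the demonstration; the fake JPEG has a valid marker layout but is not decodable.

```python
"""Detect data appended after the structural end of a PNG or JPEG file."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"


def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: big-endian length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int = 2, height: int = 2) -> bytes:
    """Constructed sample: a minimal valid 8-bit RGB PNG (not an image from the article)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x10\x20\x30" * width for _ in range(height))  # filter 0 per row
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(raw)) + _png_chunk(b"IEND", b""))


def make_fake_jpeg() -> bytes:
    """Constructed sample: a JPEG marker layout with a nested SOI/EOI pair inside APP1
    (as EXIF thumbnails have), an SOS header, scan data containing a stuffed 0xFF00,
    and the real EOI. Decoders would reject it; only the marker structure matters here."""
    thumb = JPEG_SOI + JPEG_EOI
    app1 = b"\xff\xe1" + struct.pack(">H", 2 + len(thumb)) + thumb
    sos = b"\xff\xda" + struct.pack(">H", 3) + b"\x01"
    scan = b"\x12\x34\xff\x00\x56\x78"
    return JPEG_SOI + app1 + sos + scan + JPEG_EOI


def png_image_end(data: bytes) -> int:
    """Walk the chunk list, verifying each CRC, and return the offset just past IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # 8-byte header + data + 4-byte CRC
        if end > len(data):
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        stored = struct.unpack(">I", data[end - 4:end])[0]
        if zlib.crc32(data[pos + 4:end - 4]) & 0xFFFFFFFF != stored:
            raise ValueError(f"bad CRC in chunk {ctype!r} at offset {pos}")
        pos = end
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk")


def jpeg_image_end(data: bytes) -> int:
    """Walk marker segments by declared length (so a thumbnail's EOI inside APP1 is
    skipped), step over entropy-coded scan data, and return the offset past the real EOI."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                                     # EOI: image proper ends
            return pos + 2
        if marker == 0xFF:                                     # fill byte before a marker
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # standalone markers
            pos += 2
            continue
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:  # SOS: skip scan data; FF00 is stuffing, FFD0-D7 are restarts
            while pos + 1 < len(data) and not (
                    data[pos] == 0xFF and data[pos + 1] != 0x00
                    and not 0xD0 <= data[pos + 1] <= 0xD7):
                pos += 1
    raise ValueError("no EOI marker")


def trailing_payload(data: bytes) -> bytes:
    """Return whatever follows the image's structural end (b'' for a clean file)."""
    if data.startswith(PNG_SIG):
        return data[png_image_end(data):]
    if data.startswith(JPEG_SOI):
        return data[jpeg_image_end(data):]
    raise ValueError("unsupported container")


if __name__ == "__main__":
    payload = b"MZ\x90\x00constructed-second-stage"  # constructed bytes, not real malware
    for name, img in (("png", make_png()), ("jpeg", make_fake_jpeg())):
        print(name, "clean:", trailing_payload(img))
        print(name, "appended:", trailing_payload(img + payload)[:8])
```

Two caveats worth keeping in mind when turning this into a detection. A naive `data.find(b"\xff\xd9")` on the constructed JPEG stops at the thumbnail's EOI at offset 8 and would report the rest of the image as "payload", which is why the segment walk matters. And this check only finds content after the container ends; a payload carried inside an otherwise legitimate chunk or segment (a PNG tEXt or zTXt chunk, a JPEG APPn or COM segment), or bits spread through the pixel data, passes it, so those need per-chunk content inspection or statistical analysis rather than structural parsing.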


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
