19 June 2020 | Asia Cyber Summary

In the spotlight this week:

  • Lines between Advanced Persistent Threat (APT) groups and cyber-crime gangs are becoming even more blurred. After robbing banks and cryptocurrency exchanges, state-sponsored hackers have recently been spotted attempting BEC scams. ESET researchers found a new actor called Operation Interception.

  • ESET researchers uncover cyberattacks against aerospace and military companies, with hints suggesting the Lazarus APT group may be behind the attacks in Operation Interception.

  • The MAZE and Netwalker ransomware gangs are still actively publishing leaks from compromised networks. The leaks of one Hong Kong company were removed from the Netwalker blog, but the leaks of another Hong Kong company, which is currently undergoing a General Offer, can still be found on the MAZE blog on the Dark Web.

Jun 17, 2020 | Aerospace and Military Companies in The Crosshairs of Cyber Spies

To compromise their targets, the attackers in "Operation In(ter)ception" used social engineering via LinkedIn, hiding behind the ruse of attractive, but fake, job offers. Having established an initial foothold, the attackers deployed their custom, multistage malware, along with modified open-source tools. Besides malware, the adversaries made use of “living off the land” tactics, abusing legitimate tools and OS functions. Several techniques were used to avoid detection, including code signing, regular malware recompilation, and impersonating legitimate software and companies. The primary goal of the operation was espionage. While no strong evidence was found connecting the attacks to a known threat actor, several hints suggesting a possible link to the Lazarus group were identified, including similarities in targeting, development environment, and anti-analysis techniques used.

Source: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf and https://www.welivesecurity.com/2020/06/17/operation-interception-aerospace-military-companies-cyberspies/

Jun 17, 2020 | North Korea's State Hackers Caught Engaging in BEC Scams

ESET researchers claim they spotted North Korean state-sponsored hackers attempting to steal money from targets they initially breached for cyber-espionage purposes. Codenamed "Operation In(ter)ception," this campaign targeted victims for both cyber-espionage and financial theft. ESET security researcher Jean-Ian Boutin said the attacks were carried out by members of the Lazarus Group, the codename given by security firms to North Korea's biggest hacking unit that is part of the country's intelligence service. Boutin described how Lazarus members used LinkedIn job-recruiter profiles and private messages to approach their targets. Under the guise of conducting a job interview, victims were given archives to open and view files stored inside that allegedly contained salary and other information about their future jobs.

Source: https://www.zdnet.com/article/north-koreas-state-hackers-caught-engaging-in-bec-scams/#ftag=RSSbaffb68

Jun 17, 2020 | AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations

News broke in 2014 about a new sophisticated threat actor dubbed the Turla Group, believed by the Estonian foreign intelligence service to have Russian origins and to be operating on behalf of the FSB. Its kernel-mode malware also became the first publicly described case that abused a third-party device driver to disable Driver Signature Enforcement (DSE). This security mechanism was introduced in Windows Vista to prevent unsigned drivers from loading into the kernel space. Turla exploited the signed VirtualBox driver, VBoxDrv.sys v1.6.2, to deactivate DSE and load its unsigned payload drivers afterward. In February 2019, Unit 42 found that a yet-to-be-known threat actor (unbeknownst to the infosec community) had discovered that the second, unpatched vulnerability can be exploited not only in the VirtualBox VBoxDrv.sys driver v1.6.2, but also in all other versions up to v3.0.0.

Source: https://unit42.paloaltonetworks.com/acidbox-rare-malware/

Jun 16, 2020 | The Unbearable Frequency of PewPew Maps

A blogger recently joked online about a major security company advertising its revised “Cyberthreat Real-Time Map.” As members of the security community are aware, “threat maps” (referred to derisively as “pewpew” maps) are heavy on eye-candy but very light on usage or value. Yet pewpew maps, such as that featured by now-defunct security company Norse, remain prominent in security operations centers (SOCs), watchfloors, and sales demos to this day. Oddly enough, at roughly the same time as this discussion, a mini-controversy erupted over an alleged (and since debunked) distributed denial of service (DDoS) activity against US cellular providers based on a pewpew map.

Source: https://pylos.co/2020/06/16/the-unbearable-frequency-of-pewpew-maps/
