31 July 2020 | Asia Cyber Summary



The New Normal: Working From Home


Blackpanda DFIR specialist Mika Devonshire shares her insights on securing your work-from-home environment. With working from home now the new normal, it is important to take proactive measures to improve your security posture and prevent an attack. Read the full story here.



In the spotlight this week:


• North Korean APT Group Observed Using Its Advanced Techniques To Deploy Ransomware On Targets

• US-CERT Reports Active Exploitation Attempts Targeting F5 BIG-IP Devices

• NSA And US-CERT Warn of Attacks Targeting OT Environments




JUL 29, 2020 | North Korean APT Group Observed Using its Advanced Techniques to Deploy Ransomware on Targets


Kaspersky has published an analysis of the VHD ransomware delivered through the MATA framework used by the Lazarus group. The kill chain starts with exploitation of the VPN gateway, after which the intrusion looks like routine lateral movement until the attackers escalate to the Active Directory server and then push the ransomware to the entire network with a targeted deployment script.


These days some APT groups have criminal objectives and some criminal groups have APT-grade techniques; the only thing an organization can control is the battlespace in which it meets the threat. It is unlikely that you will never have an incident, but you can control the impact an incident has by preparing the environment in advance and exercising your incident response capabilities.


Source: https://www.kaspersky.co.uk/blog/mata-framework/21077/




JUL 29, 2020 | Encryption Algorithms to Resist Cracking by Quantum Computers Shortlisted


After more than three years of evaluation in NIST's post-quantum cryptography standardization process, 15 candidate algorithms (seven finalists and eight alternates, covering both key establishment and digital signatures) have been shortlisted for a further round of analysis. These will be critical in future years to protecting users' data and privacy, and industries with long-lived confidentiality requirements, such as financial services, can be expected to adopt them early.


Source: NIST announcement of 22 July 2020 that the Post-Quantum Cryptography Standardization process has entered its third round. (The link as published, https://threatpost.com/oilrig-apt-unique-backdoor/157646/, points to an unrelated Threatpost article on the OilRig APT.)




JUL 27, 2020 | NSA and US-CERT Warn of Attacks Targeting OT Environments


A joint alert from the NSA and CISA (US-CERT) reports active targeting of internet-accessible OT systems by both state-sponsored and criminal actors. At the same time the CERT released an ICS advisory on vulnerabilities in Schneider Electric Triconex safety components, specifically the TriStation engineering software and the Tricon Communication Module, that are low in exploitation complexity but high in potential impact.


In our experience OT environments are static by nature and are rarely patched, because patching may disrupt operations. The minimum mitigations recommended in the alert are to immediately disconnect from the internet any system that does not need internet connectivity for safe and reliable operation, and to put compensating controls in place for the systems that genuinely require a connection.


Source: NSA/CISA joint alert AA20-205A, "NSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems", 23 July 2020. (The link as published, https://www.bleepingcomputer.com/news/microsoft/microsoft-will-disable-insecure-tls-in-office-365-on-oct-15/, points to an unrelated item on Office 365 TLS settings.)




JUL 27, 2020 | US-CERT Reports Active Exploitation Attempts Targeting F5 BIG-IP Devices


F5 released a patch for BIG-IP on 30 June to address CVE-2020-5902, a critical unauthenticated remote code execution flaw in the Traffic Management User Interface (TMUI). Subsequent reporting from CISA (US-CERT) states that, given the scale of exploitation observed since the patch was published, there is a high probability that any device still unpatched has already been compromised. The alert goes on to provide detection and remediation guidance.
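The detection guidance referenced above comes down to searching web access logs for the published indicators. The following is an added example, not code from Blackpanda, F5 or CISA: a Python scanner that percent-decodes each request target, flags the `..;/` path segment inside /tmui/ URLs and direct requests to the hsqldb servlet, and pulls out the fileName or command parameter so an analyst can see what was read or executed. The access-log lines embedded in it are constructed for illustration; the IP addresses, timestamps and paths are not from any real incident.

```python
"""Scan web access logs for CVE-2020-5902 (F5 BIG-IP TMUI) exploitation attempts.

Added example, not code from Blackpanda, F5 or CISA. The two indicators it uses
are the publicly documented ones: a '..;/' path segment that lets a request
reach /tmui/locallb/workspace/* behind the login page, and requests to the
hsqldb servlet. The log lines in SAMPLE_LOG are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, unquote

# Constructed Apache/NCSA-style access log lines (not from a real incident).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jul/2020:10:01:12 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Jul/2020:10:01:45 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1840 "-" "python-requests/2.24"
203.0.113.9 - - [24/Jul/2020:10:02:03 +0000] "GET /tmui/login.jsp/%2E%2E%3B/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin HTTP/1.1" 200 920 "-" "curl/7.68.0"
198.51.100.4 - - [24/Jul/2020:10:05:30 +0000] "GET /hsqldb; HTTP/1.1" 200 300 "-" "curl/7.68.0"
192.0.2.11 - - [24/Jul/2020:10:07:00 +0000] "GET /tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.conf HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(s: str, limit: int = 5) -> str:
    """Percent-decode until stable, so %2E%2E%3B/ and %252E%252E%253B/ both become ..;/."""
    for _ in range(limit):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(target: str):
    """Return (rule, detail) for one request target, or None if no indicator matches.

    The path is decoded before matching so encoded traversal is not missed;
    the query string is parsed from the raw target so its own encoding survives.
    """
    raw_path, _, query = target.partition("?")
    path = decode_fully(raw_path).lower()
    params = parse_qs(query)
    # fileName (fileRead.jsp) or command (tmshCmd.jsp) tells the analyst what was read or run.
    detail = (params.get("fileName") or params.get("command") or [""])[0]
    if "..;/" in path and "/tmui/" in path:
        return "tmui-traversal", detail
    if path.startswith("/hsqldb"):
        return "hsqldb-endpoint", detail
    return None


def scan_log(text: str):
    """Return one dict per matching request: who, when, which rule, and whether it got a 200."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify(m["target"])
        if verdict is None:
            continue
        rule, detail = verdict
        status = int(m["status"])
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "rule": rule,
            "status": status,
            # A 200 on a traversal request means the device answered the unauthenticated
            # read or command: treat the host as compromised, not merely scanned.
            "likely_success": rule == "tmui-traversal" and status == 200,
            "detail": detail,
            "target": decode_fully(m["target"]),
        })
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        flag = "COMPROMISED?" if h["likely_success"] else "attempt"
        print(f'{h["ts"]} {h["ip"]} {h["rule"]:16} {flag:12} {h["detail"]}')
```

Run it against the httpd access log of the BIG-IP itself, or of any proxy that sits in front of the management interface. A hit with `likely_success` set means the device answered an unauthenticated file read or tmsh command, so the response is the one the alert describes for compromised devices (credential rotation, rebuild, hunt for follow-on activity), not just applying the patch. Note the fifth sample line: a direct request to the workspace endpoint that was correctly refused with a 401 is not flagged, which is the behaviour of a device that still enforces authentication.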


Events like this highlight the importance of a robust emergency patch process. Over the last few weeks a series of critical vulnerabilities have been patched that require immediate action by any organization operating the affected technology; in the BIG-IP case public exploit code appeared within a week of the patch, so the window for routine change management on internet-facing devices is days, not weeks.


Source: CISA alert AA20-206A, "Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902", 24 July 2020. (The link as published, https://www.bleepingcomputer.com/news/security/office-365-adds-new-security-configuration-analysis-feature/, points to an unrelated item on Office 365 configuration analysis.)




JUL 27, 2020 | FBI Warns of Malware in Chinese Tax Software


First reported through Blackpanda's internal sources on the 14th of July, the FBI has now issued a warning about malware found in tax software that businesses are required to use when operating in China.


Following the discovery of the "GoldenSpy" malware family being installed alongside the mandated Chinese tax software, a second family appears to have been developed and deployed.


This new malware is called "GoldenHelper" and, like the previous iteration, it arrives bundled with the government-required software rather than through a separate infection. Given that the malware is persistent and ships with the software itself, our recommendation is to run the required tax software on a dedicated platform that is completely separate from, and isolated from, the corporate network.



Subscribe Here to receive Blackpanda thought leadership, webinar invitations, and cyber intelligence direct to your inbox.

Copyright © 2020 Blackpanda.
All Rights Reserved.

HONG KONG

Room 37, Level 5, Core F

Cyberport 3

100 Cyberport Rd

Hong Kong

+852 6975 1099

SINGAPORE

6 Raffles Quay
#11-07
Singapore (048580)

+65 6692 9110

JAPAN

301, 2-7-18

Nishiazabu Minato-ku

Tokyo 106-0031

+81 80 2077 9824

MALAYSIA

D1-U3A-6 Solaris Dutamas

Jalan Dutamas 1

50480 Kuala Lumpur

+60 3 6206 2582

PHILIPPINES

Penthouse, World Plaza Bldg.

5th Ave., Bonifacio Global City

Taguig City 1634

+63 2 8250 6110
