31 July 2020 | Asia Cyber Summary


The New Normal: Working From Home

Blackpanda DFIR specialist Mika Devonshire shares her insights on securing your work from home environment. With working from home now the new normal, it is important to take proactive measures to improve your security posture and prevent an attack. Read the full story here.


In the spotlight this week:

• North Korean APT Group Observed Using Its Advanced Techniques To Deploy Ransomware On Targets

US-CERT Reports Active Exploitation Attempts Targeting F5 BIG IP Devices

NSA And US-CERT Warn of Attacks Targeting OT Environments

JUL 29, 2020 | North Korean APT Group Observed Using its Advanced Techniques to Deploy Ransomware on Targets

Kaspersky has released an article about the VHD ransomware component of the MATA framework used by the Lazarus group. The kill chain starts out with an attack against the VPN gateway, then it all looks standard, until the sudden escalation to the Active Directory server then, the entire network via a targeted script.

These days, some APT groups have criminal objectives and some criminal groups have APT techniques; the only thing an organization can control is the battlespace in which they counter the threat. It is unlikely that you will never have an incident. However, you can control the impact that the incident has by preparing the environment and exercising your incident response capabilities.

Source: https://www.kaspersky.co.uk/blog/mata-framework/21077/

JUL 29, 2020 | Encryption Algorithms to Resist Cracking by Quantum Computers Shortlisted

After over three years of research into techniques to counter encryption cracking by quantum computers, 15 algorithms have been shortlisted for further development. These will be critical in future years to protect users’ data and privacy and will no doubt be quickly adopted by the financial industry.

Source: https://threatpost.com/oilrig-apt-unique-backdoor/157646/

JUL, 27 2020 | NSA and US-CERT Warn of Attacks Targeting OT Environments

A joint public statement by the NSA and US-CERT indicates active targeting of OT systems by APT and criminal elements. The CERT simultaneously released an article detailing high impact with low sophistication vulnerabilities affecting Schneider Electric Triconex components, in particular, TriStation and Tricon Communication Module.

In our experience, OT environments are static in nature and patching is rare as it may affect operations. Recommended minimum mitigations include immediately disconnecting systems from the internet that do not need internet connectivity for safe and reliable operations, and to ensure that compensating controls are implemented for systems that require an internet connection.

Source: https://www.bleepingcomputer.com/news/microsoft/microsoft-will-disable-insecure-tls-in-office-365-on-oct-15/

JUL, 27 2020 | US-CERT Reports Active Exploitation Attempts Targeting F5 BIG IP Devices

A patch for F5 BIG IP devices to address CVE-2020-5902 was released on the 30th of June to counter a critical remote code execution flaw. Recent reporting from the US-CERT indicates that there is a high probability that any unpatched devices have now been compromised. The CERT goes on to provide detection and remediation advice.

These kinds of events highlight the importance of having a robust emergency patch process. As we have seen in the last few weeks a series of critical vulnerabilities have been patched that require immediate action by companies operating those technologies.

Source: https://www.bleepingcomputer.com/news/security/office-365-adds-new-security-configuration-analysis-feature/

JUL, 27 2020 | FBI Warns of Malware in Chinese Tax Software

First reported via Blackpanda's internal sources on the 14th of July, the FBI has now issued a warning regarding malware found in a tax software that is required when doing business in China. 

Following the discovery of the "GoldenSpy" family of malware being installed in the required Chinese tax software, a new family of the malware appears to have been developed and deployed. 

This new malware is called "GoldenHelper" and much like the previous iteration, it is sometimes installed on government-required software. Given the persistent nature of the malware in this software, our recommendation is to host the required software on a platform completely separate and isolated from the corporate network.

Subscribe Here to receive Blackpanda thought leadership, webinar invitations, and cyber intelligence direct to your inbox.