Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

Lazarus Research Highlights Threat from North Korea

A widespread attack against companies and government agencies have been linked to the North Korean Lazarus group, underscoring that the countries hackers are becoming more brazen.

RSA CONFERENCE 2019 — San Francisco — Evidence from a command-and-control server has linked a massive campaign against sensitive industries and government agencies to the Lazarus Group, a North Korean state-sponsored operator, cybersecurity firm McAfee announced at the RSA Conference this week.

After gaining access to code and data from the C&C server, McAfee researchers analyzed the evidence and concluded that the campaign — which they dubbed Operation Sharpshooter —started a year earlier than previously thought and targeted a larger group of organizations. In a previous analysis, published in December 2018, McAfee researchers hesitated to connect the campaign to the activities of the Lazarus Group.

"Operation Sharpshooter’s numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags," the company's researchers stated at the time. "Our research focuses on how this actor operates, the global impact, and how to detect the attack. We shall leave attribution to the broader security community."

With the additional evidence from the server used by the attackers to manage their network of compromised systems, McAfee's researchers found that the Sharpshooter campaign used the same software implants and malicious code as the Lazarus Group.

The report highlighted the increasing sophistication as well as the ubiquity of cyber-operations from North Korea, which uses attacks to steal funds, collect intelligence and punish rivals. North Korean groups are among the most brazen state-sponsored attackers, said Tom Kellerman, chief cybersecurity officer with Carbon Black.

"They finally have an A-team, thanks to the tech transfer from Russia," Kellerman said.

An interesting piece of the puzzle is that early attacks focused on networks in Namibia, leading McAfee researchers to conclude that the Sharpshooter group may have used the African nation as a testing ground for its software implants and attack code.

Financial Services, Government Bear Brunt of Attacks
Getting access to the command-and-control server gave McAfee researchers the evidence needed to connect Operation Sharpshooter to the Lazarus Group, Christiaan Beek, McAfee senior principal engineer and lead scientist, said in a statement.

"Access to the adversary’s command-and-control server code is a rare opportunity," Beek said. "These systems provide insights into the inner workings of cyberattack infrastructure, are typically seized by law enforcement, and only rarely made available to private sector researchers."

The most recent attacks mainly focused on financial services, government agencies, and critical infrastructure, McAfee stated. The attackers primarily targeted Germany, Turkey, the United Kingdom and the United States. Earlier attacks had also focused on telecommunications companies and had included Israel as one of the primary targets.

In a survey of financial services CISOs, Carbon Black found that two-thirds of respondents had faced more cyberattacks in the last 12 months than the same period the prior year. While social engineering attacks remain the most common — with 79% of firms encountering highly targeted phishing attacks — 32% of firms detected attacks coming from third parties, such as suppliers and partners.

In addition, destructive attacks against financial institutions — a hallmark of many North Korean operations — have become more common, with a quarter of all attacks having a component that destroys or encrypts data.

"You see this transition now from bank heists to a hostage situations," Kellerman said. "These attacks are not being leveraged at the beginning of the attack, but at the end … They want to be punitive on their way out, because they know they are being reacted to."

Needed: Subtler Incident Response
Much of this is a reaction to incident responders trying to stop attackers and clean up compromised servers and workstations, Kellerman said. About a third of institutions surveyed experienced some form of counter incident-response reaction from attackers, either destroying data or using a sleep cycle to wake up secondary command-and-control channels. 

"We are being too loud in how we conduct incident response, and we are being a bit too cocky by immediately terminate command and control," he said. "This really highlights our need to become better at how we conduct the ultimate investigation." 

Attackers are also using sophisticated techniques such as steganography — hiding data in images or other file types — as either a secondary command-and-control channel or as a way of delivering additional malware payloads to the targeted server. 

"Embedding multiple content types within a single file … has been a common technique seen in many malware droppers for some time," Carbon Black stated in its report. "This technique is used to evade detection on the network wire and on the endpoint as well has hide content on disk in familiar file types such as images."

Related Links

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: I told you we should worry abit more about vendor lock-in.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7068
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7069
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7070
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7071
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2019-7072
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .