Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

8/27/2019
02:35 PM
50%
50%

New 'Lyceum' Threat Group Eyes Critical Infrastructure

Researchers report Lyceum, otherwise known as Hexane, has targeted organizations in South Africa and the Middle East.

Newly discovered threat group Lyceum has been spotted attacking critical infrastructure firms in the oil and gas, and possibly telecommunications, industries with the goal of gaining and expanding access inside target networks, Secureworks' Counter Threat Unit researchers report.

Lyceum may have been active as early as April 2018, when domain registrations indicate an attack on South African targets. One year later, after developing and testing its toolkit against a public malware-scanning service, Lyceum launched a May 2019 campaign against oil and gas businesses in the Middle East. It prioritizes organizations in strategically important industries.

Attackers typically use password spraying or brute force to gain credentials they need to break in. They use access to compromised accounts to send spearphishing emails containing malicious Excel attachments, which install DanBot malware to deploy post-intrusion tools. DanBot is one of several attack tools researchers have observed in Lyceum's arsenal, they write in a blog post.

Spear-phishing emails are usually sent from compromised accounts to specific executives, human resources staff, and IT personnel. Targets are more likely to open emails from internal accounts, and each of these groups could further attackers' access to sensitive data: HR personnel may have information that could prove useful for future spearphishing attacks, and IT personnel have access to high-privilege accounts and data specific to the firm's environment.

The group is an emerging threat to energy organizations in the Middle East, researchers say, but organizations should assume Lyceum will branch out to other sectors. Critical infrastructure firms should pay particular attention, they caution. The group doesn't appear to have demonstrated an interest in industrial control systems or OT staff thus far; however, there is a possibility attackers could leverage access to IT environments to spread into the OT environment.

Lyceum's tactics are similar to activities from other groups Cobalt Gypsy and Cobalt Trinity, but none of the malware or infrastructure linked to Lyceum has been directly linked to other groups. Researchers say there isn't enough technical evidence to support attribution.

Read more details here.

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "'Culture Eats Policy for Breakfast': Rethinking Security Awareness Training."

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29565
PUBLISHED: 2020-12-04
An issue was discovered in OpenStack Horizon before 15.3.2, 16.x before 16.2.1, 17.x and 18.x before 18.3.3, 18.4.x, and 18.5.x. There is a lack of validation of the "next" parameter, which would allow someone to supply a malicious URL in Horizon that can cause an automatic redirect to the...
CVE-2020-5675
PUBLISHED: 2020-12-04
Out-of-bounds read issue in GT21 model of GOT2000 series (GT2107-WTBD all versions, GT2107-WTSD all versions, GT2104-RTBD all versions, GT2104-PMBD all versions, and GT2103-PMBD all versions), GS21 model of GOT series (GS2110-WTBD all versions and GS2107-WTBD all versions), and Tension Controller LE...
CVE-2020-29562
PUBLISHED: 2020-12-04
The iconv function in the GNU C Library (aka glibc or libc6) 2.30 to 2.32, when converting UCS4 text containing an irreversible character, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.
CVE-2020-28916
PUBLISHED: 2020-12-04
hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.
CVE-2020-29561
PUBLISHED: 2020-12-04
An issue was discovered in SonicBOOM riscv-boom 3.0.0. For LR, it does not avoid acquiring a reservation in the case where a load translates successfully but still generates an exception.