
Security Management

7/12/2018 08:05 AM
Jeffrey Burt

Kaspersky: Asia the Focus of APT Operations in Q2

In their second quarter report, Kaspersky researchers also noted the return of various well-known bad actors and the threats facing networking hardware devices.

Asia has become a major field of play for a growing number of advanced persistent threat (APT) operations run by a mix of well-known and new bad actors, according to threat researchers with Kaspersky Lab.

The attacks in the region, the continued rise of threats directed at network devices, such as VPNFilter, and the return of high-profile cybercriminals -- particularly in Asia -- were among the key findings in the cybersecurity vendor's recently released second-quarter trends report.

The meeting between the leaders of the US and North Korea and similar high-profile situations and the makeup of various nation-state groups in the region most likely played roles in the APT activity in Asia, according to Vicente Diaz, principal security researcher for Kaspersky's Global Research and Analysis Team.

"It is difficult for us to know, but I believe that most of the activity is related to a high number of relevant geopolitical events that happened in the region, especially related to the new position of North Korea and several bilateral talks between countries," Diaz told Security Now in an email. "This also might be related to how some of these nation-state actors act, having several subgroups coordinated instead of a single one who takes care of all the cyberespionage, which produces several small groups instead of a single larger campaign."

The researchers pointed to known groups such as Lazarus and Scarcruft, both believed to have links to North Korea, as particularly active actors in the region. They also noted a Russian-speaking group called Turla that used an implant called LightNeuron to target victims in Central Asia and the Middle East.

"Lazarus has accumulated a large collection of artefacts over the last few years, in some cases with heavy code reuse, which makes it possible to link many newly found sets of activity to this actor," the Kaspersky researchers wrote on a post on the company's SecureList site. "One such tool is the Manuscrypt malware, used exclusively by Lazarus in many recent attacks. The US-CERT released a warning in June about a new version of Manuscrypt they call TYPEFRAME."

APTs new and old
Among the APTs noted by Kaspersky was an effort by the Lazarus splinter group BlueNoroff to target financial institutions in Turkey, as part of a larger cyberespionage campaign, and casinos in Latin America. Researchers also saw Scarcruft using Android malware and, in another operation, a backdoor called PoorWeb. There also was the return of the bad actors behind Olympic Destroyer, the malware that hit the opening of the Winter Olympics in South Korea. An operation targeting organizations in Europe involved in protecting against chemical and biological attacks used tools and spear-phishing documents similar to those of the Olympic Destroyer campaign. (See Olympic Destroyer Returns With Attacks in Europe.)

There were other notable returns, such as WhiteWhale, a threat actor that has kept a relatively low profile since 2016 and that apparently is behind a new campaign discovered in April. That campaign includes the distribution of the Taidoor and Yalink malware families, primarily aimed at Japanese victims.

Diaz noted that there could be numerous reasons why such a group may appear to be relatively inactive for a period of time, only to resurface later. The group may have been active but undetected, or it may be difficult to link particular groups to certain activities. Groups also could be using those downtimes to regroup.

"It is also true that these actors need to evolve from time to time, working with new tools and techniques," he wrote. "Sometimes we observe old artifacts being reworked (like with Kimsuky), but other groups and newcomers just decide to start in this business with a simple approach where only a few customized droppers and generally available tools for lateral movement are required."

The contrast also highlights the different approaches taken by different groups.

Economically speaking, it makes sense for groups to use tools that are freely available rather than more expensive ones. At the same time, Kaspersky sees that more advanced bad actors "have all the zero-days they need in their pocket and are ready to burn them when necessary," Diaz said.


The researchers found the VPNFilter campaign, which infected more than 500,000 domestic routers around the world, to be the most notable operation of the second quarter. The campaign, which the FBI attributed to the Sofacy and Sandworm APT groups, highlights the threats to network devices that Kaspersky analysts said they have been warning about. (See Talos: VPNFilter Malware Still Stands at the Ready.)

"Networking hardware... has always been vulnerable to some degree," Diaz added. "Since Regin, we have seen examples of nation-state actors targeting such devices. The problem is that it is difficult to find the malware inside given that networking devices are traditionally poorly monitored. One of the main problems is the lack of updates and the poor configuration of such devices (many times using default passwords)."

It's been relatively easy to infect networks "with huge IoT botnets in the past and it is natural that several actors start developing their artifacts to target such devices," he said. "I'm confident we will see many more examples in the future."


— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
