North Korea’s Lazarus Group Turns to Supply Chain Attacks

Recent activity by North Korea’s notorious Lazarus Group provides fresh evidence of the growing threat actor interest in using trusted IT supply chain vendors as entry points to enterprise networks.
Security researchers from Kaspersky recently discovered two separate campaigns in which the Lazarus Group infiltrated the network of an IT company — likely as part of a broader strategy to compromise its downstream customers.
In one of the incidents, Lazarus Group gained access to a South Korean security software vendor’s network and abused the company’s software to deploy two remote access Trojans (RATs) called Blindingcan and Copperhedge on a South Korean think tank’s network. The US Cybersecurity & Infrastructure Security Agency (CISA) last year had issued separate alerts — one in August and the other in May — warning of the Lazarus Group using the two RATs to maintain a presence on compromised networks.
The second Lazarus supply chain attack recently observed by Kaspersky researchers involved an IT asset-monitoring product vendor based in Latvia. In this attack, the Lazarus Group once again deployed the Copperhedge backdoor on the technology provider’s network.
“This was done in a careful multistage process using two layers of multiple [command and control] servers,” says Ariel Jungheit, senior security researcher at Kaspersky. The attack resulted in the threat actors loading and executing the Copperhedge malware in memory only.
But Jungheit says Kaspersky has been unable to confirm whether Lazarus managed to compromise the asset management technology vendor’s software products themselves. Similarly, Kaspersky has not been able to determine whether the Lazarus Group leveraged its access on the asset management software vendor’s network to compromise any further victims.
“We did not have visibility into how Lazarus compromised the South Korean security software company nor the asset monitoring technology provider in Latvia,” Jungheit says. “We take our findings at face value as an indicator of Lazarus’ interest in developing supply chain capabilities.”
The Lazarus Group — responsible for the WannaCry ransomware attack and numerous other malicious campaigns — is among a growing number of threat actors that have begun developing capabilities for exploiting vulnerabilities in the IT supply chain to target enterprises.
Just this week, for instance, Microsoft warned about Nobelium — the threat actor behind the SolarWinds breach — targeting trusted cloud and IT service providers in a dangerous new campaign to gain a foothold on their customer networks. Microsoft described the threat actor as having attacked more than 140 service providers since May and breaching 14 of them.
The group has been identified by the federal government as Russia’s SVR spy agency.
Rising Attacker Interest
Over the last quarter, Kaspersky observed at least two other threat actors — HoneyMyte and BountyGlad — adopting the same tack. HoneyMyte basically injected a backdoor into an installer package of a fingerprint scanner product that central government employees of a South Asian country are required to use to record attendance.
Kurt Baumgartner, principal security researcher at Kaspersky, says that it is very likely the threat actor did not directly target a specific vendor in this attack. “Instead, the attackers compromised the distribution server for the software itself, which was not run by the vendor” to distribute the Trojanized installer, he says.
In the case of BountyGlad, the attackers replaced the installer for a digital certificate management software client on the vendor’s distribution server with a malicious downloader. When executed on a victim system, the downloader executed the legitimate installer as well as additional malicious code, Baumgartner says.
History of Supply Chain Hacks
Supply chain attacks such as these are certainly not new. In 2019, a threat actor called Barium broke into an automated software update system at hardware maker Asus and used the access to distribute malware to customers of Asus systems. The malware — distributed as part of an operation called ShadowHammer — ended up being executed on over 400,000 systems. In 2017, attackers compromised a software build system at Avast and used the company’s CCleaner software to distribute malware.
While these attacks garnered considerable attention, it was the breach that SolarWinds disclosed last December that really focused attention on supply chain security as an issue of critical concern.
“When you consider the impact of supply chain attacks we’ve seen in recent years, it’s not hard to see why an APT threat actor might find it an attractive approach,” says David Emm, principal security researcher at Kaspersky. “Supply chain attacks constitute a breach in the trust relationship between a supplier and companies downstream.”
An attack that leverages a compromised supplier is effectively an insider attack, he says.
Emm says supply chain attacks are within the reach of most threat actors because pulling one off involves the same modus operandi used in other attacks — including the use of social engineering or the exploitation of vulnerabilities in software.
“The key difference, of course,” he adds, “is that the target company then becomes a stepping stone into their customers’ networks.”