
Korean-speaking threat groups strike close to home

05 Nov 2019

Korean-speaking cyber threat groups seem to be ‘waging war’ on the Korean peninsula and across Southeast Asia, according to a new report from cybersecurity firm Kaspersky.

Kaspersky’s APT Trends Report Q3 2019 indicates that there are plenty of threats targeting the region.

One of those threats is Android malware disguised as mobile messenger or cryptocurrency apps. The Korea Computer Emergency Response Team (CERT) and Kaspersky investigated the malware and linked it to a Windows malware strain called KONNI.

“KONNI is a Windows malware strain that has been used in the past to target a human rights organisation and personalities with an interest in Korean Peninsula affairs,” Kaspersky explains.

“It is also known for targeting cryptocurrencies by implementing full-featured functionalities to control an infected Android device and steal personal cryptocurrency using these features.”

Lazarus, one of the most notorious APT threat groups, and its financial arm BlueNoroff are also being watched by Kaspersky. According to the company, researchers have gained insight into how the group moves laterally to reach high-value hosts and banks.

Kaspersky says that BlueNoroff uses sophisticated malicious software that can run as a passive or active backdoor, or even as a tunnelling tool, depending on its command line parameters. BlueNoroff also evades detection by constantly changing its PowerShell script.

“Targeted attacks against financial institutions combine sophisticated techniques - that were previously seen only in APT attacks - with typical criminal infrastructures used to launder the stolen goods,” comments Kaspersky global research & analysis team director Costin Raiu.

“In Q3, we've seen advanced threat actors such as Andariel and Lazarus' BlueNoroff arm attempting to breach not only banks, but investment companies and cryptocurrency exchanges, among others. We advise all companies in APAC to be vigilant and take precautions to guard against such attacks.”

Another Lazarus group, the Andariel APT Group, has also attempted to build new command and control infrastructure by exploiting WebLogic servers through the vulnerability CVE-2017-10271.

According to Kaspersky, the group has been successful in similar trials before. In one case, it used a legitimate signature from a South Korean security software vendor to implant malware; that case was dealt with promptly thanks to the swift actions of the South Korean CERT.

The Q3 APT Trends report summarises the findings of Kaspersky Lab’s subscriber-only threat intelligence reports, which also include Indicators of Compromise (IOC) data and YARA rules to assist in forensics and malware hunting.
