Key Intelligence Signals:
Suspected Threat Actors: Lazarus Group
In a recent development, the Lazarus Group was seen again using DTrack malware. The threat actor has been using DTrack for the last three years, and the team has observed that the current malware carries modifications, potentially to dodge various security barriers while breaking into the system. The threat actor is using the malware against various target industries. In the past, the threat actor has targeted financial environments, attacked nuclear power plants, and targeted education, chemical manufacturing, governmental research centers, policy institutes, IT, IT service providers, utility providers, and telecommunications, spreading its targets across Latin America, Europe, Asia, and the United States.
DTrack allows the threat actor to read and write data, and it has a keylogger to capture keystrokes, a screenshot grabber, and a module for gathering victim system information. This malware allows the threat actor to perform lateral movement into the victims’ infrastructure to retrieve more information and inflict maximum damage.
The Lazarus Group using malware from its arsenal to target organizations, especially those in the financial sector, is in alignment with its government’s objective of raising funds for its weapons program.
The newest modification reveals the malware hiding inside an executable file that looks like a legitimate program, with several levels of decryption before the malware payload is loaded into the process.
After a presidential executive order last year, the White House established the Cyber Safety Review Board (CSRB), a panel of experts charged with examining hacking incidents that threaten US national security. The CSRB is meant to improve US digital defense capabilities, and the organization is modeled after the National Transportation Security Board, which probes plane crashes or train derailments.
President Biden tasked the board with focusing on the SolarWinds cyber-espionage campaign, in which hackers working at the behest of the Kremlin attacked the networks of a government contractor and then spent months moving laterally inside the networks of at least 9 US government agencies and perhaps as many as 100 further organizations. However, in its first report, the board changed the target of its first investigation and instead focused on Log4j, an open-source software library containing flaws that have enabled attackers to completely take over vulnerable computers, a vulnerability Cyfirma warned its clients about in the past. Members of the review board told Bloomberg they changed the target of the investigation to Log4j because it represented a more urgent threat than the SolarWinds hack and because it presented an opportunity to study open-source software, which holds together a huge amount of connected technology.
Thousands of apps on Google’s Play Store and Apple’s online store secretly contain code developed by a Russian technology company, Pushwoosh, which disguises itself behind claims of being based in the US. Earlier this year the US Army removed an app containing Pushwoosh code that was used by soldiers at one of the country’s main combat training bases, and the Centers for Disease Control and Prevention (CDC), the United States’ main agency for fighting major health threats, recently did the same, citing cyber security concerns based on the company’s discovered deception. Pushwoosh enables companies to profile the online activity of their app users in order to send them tailored push notifications. However, instead of its claimed US location, the company operates out of the Siberian town of Novosibirsk, where it is also registered for tax purposes. While the company claims it does not collect any sensitive data on its users, the ongoing Russian war in Ukraine drives Moscow to an increasingly aggressive posture in the cyber domain, which is all the more troubling given Russian laws that empower the authorities to demand that any data stored within its borders be handed over.
Microsoft has attributed a series of previously reported attacks using Prestige ransomware, which have targeted transportation and logistics organizations in Ukraine and Poland since October, to a Russian military threat actor known as Sandworm (also known as BlackEnergy or Voodoo Bear). The actor has been active since the early 2000s and is believed to be part of the Russian military intelligence agency GRU.
Researchers have attributed the attacks based on forensic data, victimology, and infrastructure overlapping with the group’s previous activity. The deployed tactics match previous Russian state-sponsored attacks, such as the use of the HermeticWiper malware before the start of the invasion of Ukraine. The same group has been linked to the 2015 and 2016 Ukraine blackouts, attacks on Ukrainian banks, authoring the NotPetya ransomware, which caused billions of dollars in damages, and meddling with French elections.
President of Ukraine Volodymyr Zelensky offered participants of the ongoing G20 summit, excluding Russia (dubbed “G19”), the use of Ukrainian experience in defending against constant cyber campaigns. During his speech, delivered via video bridge, the President stated that the country has repelled more than 1,300 cyberattacks during the 8 months of the war, despite the destruction of key data centers in the first week of the war. In his comments to the G20’s Digital Transformation Summit he recommended migration to more resilient cloud services as a tried and functional centerpiece of Ukraine’s defense efforts. Such measures have, he said, enabled Ukraine to continue to deliver essential services even under continuous attack, and he offered Ukraine’s assistance to friendly nations interested in organizing their online services in a similar way.
A Global High-Tech Leader Thales Impacted by LockBit Ransomware
From the External Threat Landscape Management (ETLM) perspective, CYFIRMA observed Thales (thalesgroup[.]com), a French multinational company that designs, develops, and manufactures electrical systems as well as devices and equipment for the aerospace, defense, transportation, and security sectors, being impacted by the LockBit ransomware group. The ransomware group leaked Thales’ data on their dedicated leak site on 10 November 2022 at 15:21 UTC. At the time of CTI’s observation, the ransomware group provided a deadline of 10 November 2022 16:21:22 UTC. As per LockBit, the leaked data contains company operation documents, commercial documents, accounting files, customer files, drawings of clients’ structures, and software.
Recently a LockBit public-facing figure announced that the ransomware group is exploring DDoS as a triple extortion tactic on top of encrypting and leaking exfiltrated data. The move comes shortly after the group’s DLS went offline due to a DDoS attack. LockBit accused their latest victim (around that time), a prominent software company, of being responsible for this attack. While this is not something new for ransomware gangs, DDoS as a triple extortion tactic has been used by other ransomware gangs to make victims meet their demands. However, a troublesome factor in play is the recent hype around the politically motivated DDoS attacks that took place a couple of months back and were spearheaded by groups like Killnet. Although tangible outcomes and effects have remained negligible for Killnet, the popularity of DDoS has risen as a way to hold organizations hostage or coerce them into agreeing by threatening to launch a DDoS attack. LockBit, being one of the prominent players in the ransomware ecosystem, would not only provide a new business avenue for DDoS providers within the cybercriminal underground community but may also incite other ransomware gangs to do the same.
A breach has occurred in the LockBit ransomware operation, with an allegedly disgruntled developer leaking the builder for the gang’s newest encryptor. Other threat actors are now using the leaked LockBit 3.0 ransomware builder for their ransomware operations, as expected. In an attack on a Ukrainian business, for example, the Bl00Dy Ransomware Gang, which previously used Babuk and Conti encryptors, has now switched to a LockBit 3.0 encryptor.
In a recent underground forum discussion, it was observed that LockBit now has an anonymous Pastebin and an anonymous file-sharing platform to avoid authorities tracing activity back to its network. The adoption of a DDoS solution after the recent DDoS attack on its DLS, and the introduction of a new file-sharing technique during the negotiation phase to avoid the authorities’ attention, indicate that LockBit is adapting its infrastructure to be more effective in its operations.