Weekly Intelligence Report – 7 Oct 2022

Threat Actor in Focus – Lazarus Group Targets Dell Driver Using New FudModule Rootkit

Suspected Threat Actors: Lazarus Group

  • Attack Type: Spearphishing, Malware Implants, Vulnerabilities & Exploits, Bring Your Own Vulnerable Driver (BYOVD), Social Engineering, Impersonations, Espionage
  • Objective: Data Theft, Payload Delivery, Unauthorized Access
  • Target Technology: Dell DBUtil Drivers, Windows, Email, Social Media/LinkedIn
  • Targeted Industry: Aerospace, Media
  • Target Geography: Netherlands, Belgium
  • Business Impact: Data Loss

Researchers have observed the notorious North Korean threat actor group Lazarus installing a Windows rootkit that abuses a Dell driver in a BYOVD attack. In the autumn of 2021, the spearphishing campaign leveraged malicious Amazon-themed documents to target an employee of an aerospace company based out of the Netherlands and a political journalist in Belgium. While one of the targets was approached with a fake job offer via LinkedIn messaging, the other received a document via email.

Once these documents were opened, several malicious tools were installed on the system, including droppers, loaders, fully featured HTTP(S) backdoors, HTTP(S) uploaders, and downloaders. Most notably, taking advantage of the CVE-2021-21551 vulnerability in a legitimate Dell driver, the attackers deployed a user-mode module that gave them the ability to read and write kernel memory. Named FudModule.dll internally, the module disabled various Windows monitoring features by modifying kernel variables and removing kernel callbacks.

Insights:
Based on the malware toolset and infrastructure leveraged in this campaign, researchers attribute these attacks to Lazarus Group. The intrusion approach was also found to be similar to other campaigns, namely Operation In(ter)ception and Operation DreamJob. As observed in this attack, the typical trait of Lazarus Group is to deliver the final payload in two or three stages.

Due to the complexity, researchers believe that Lazarus Group consists of a large team that is systematically organized and well prepared. The way they went about exploiting CVE-2021-21551 indicates the threat actor group has deep research, development, and testing skills.

Major Geopolitical Developments in Cybersecurity – NATO Formally Declares Nord Stream Pipeline Damage as Sabotage

NATO has formally declared the now documented four explosions that damaged the Nord Stream natural gas pipelines in the Baltic Sea to have been acts of sabotage and warned of defensive action in case of future attacks. This marks the first time the alliance has formally warned that it would deter and defend against attacks on its members’ critical infrastructure. In another unprecedented case, Albania, also a NATO member since 2009, has severed diplomatic ties with Iran over a cyberattack in the country, which was the first time a cyberattack has caused this level of diplomatic fallout. Researchers are now speculating about possible offensive cyber retaliation from NATO, should a cyberattack on NATO energy infrastructure reach a kinetic threshold.

While NATO has not attributed the attacks in the Baltic to any specific actor, almost no European capital doubts Moscow’s role in the attack. Multiple European government sources reported that Russian naval vessels had been observed in the area shortly before the explosions, and issued thinly veiled threats to Russia should Moscow attack European power grids. Russia, for its part, blamed the attacks on the US, as it traditionally does, and this time also on the United Kingdom, which is in a deep energy and financial crisis at the moment and for which news of an attack that spooked the markets was far from being in its interest.

Finland’s Security Intelligence Service (SUPO) warned in its National Security Overview, published this week, that it’s “highly likely that Russia will turn to the cyber environment over the winter.” Researchers expect Russia to use cyberattacks on infrastructure companies, government services, and key industries to exert pressure on Europe to abandon its support for Ukraine.

The possibility of reckless behavior increases as Russia’s losses continue to mount and its defensive front in the south of Ukraine near Kherson is on the verge of collapse. The difficult military situation on the ground is likely to lead Russia to lash out against Europe in cyberspace in the coming weeks and months and all the key industries should be in a state of very high alert.

North Korean Threat Group Rigging Open-Source Apps

Microsoft researchers have recently published a warning on North Korean threat actor ZINC, an affiliate of the better-known Lazarus group. The threat actor has been observed targeting IT services, defense, aerospace, or media organizations in India, the United Kingdom, or the US. The group has previously attacked organizations in numerous other geographies and is not likely limiting itself to the countries listed above.

ZINC is using modified versions of open-source applications including PuTTY, KiTTY, TightVNC, or Sumatra PDF Reader into which it has successfully injected malicious code. The campaign seems to be motivated by traditional cyber espionage with the primary aims of data exfiltration and causing damage to infected networks and devices.

While in the past ZINC has mainly relied on spear-phishing as its primary MO, it has also managed to compromise legitimate websites as a means of spreading malicious code. Lately, the group has been focusing on social engineering across social media networks like LinkedIn and Twitter, where it is using fake accounts to target engineers and IT support staff working in targeted organizations.

Last year, ZINC engaged in several campaigns targeting the chemical and energy industries and, in a widely publicized case, cybersecurity professionals, trying to steal their penetration methods via ‘Comebacker’ malware.

Vulnerabilities and Exploits

Supply Chain Vulnerability in Packagist PHP Repository

  • Attack Type: Code Injection, Supply Chain Attack
  • Target Technology: Packagist (Main Composer Repository for PHP)
  • Vulnerability: CVE-2022-24828 (CVSS score: 8.8)
  • Vulnerability Type: Improper Control of Generation of Code, Improper Input Validation
  • Impact: Confidentiality (High), Integrity (High), Availability (High)

Summary: Researchers disclosed details on a high-severity security flaw in Packagist – a PHP software package repository – that could have led to software supply chain attacks. It is a command injection vulnerability and is linked to another similar Composer bug (CVE-2021-29472) that was disclosed in April 2022. In the April advisory, Packagist disclosed that “An attacker controlling a Git or Mercurial repository explicitly listed by URL in a project’s composer.json can use specially crafted branch names to execute commands on the machine running composer update.” According to researchers, successful exploitation of the vulnerability can lead to package updates being hijacked to distribute malicious dependencies.
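An added example, not from the original report or from Composer itself: a Python audit that lists the Git and Mercurial repositories a project's composer.json names by URL (the exposure the quoted advisory describes) and flags ref names that look like options or carry unexpected characters. The sample composer.json, its URLs, the ref names and the allowlist of characters are constructed assumptions.

```python
import json
import re

# Composer repository types that make Composer contact a VCS by URL.
VCS_TYPES = {"vcs", "git", "hg"}

# Assumed heuristic (not taken from the advisory): flag a ref name that
# starts with "-" (a VCS binary could read it as an option) or that holds
# any character outside a conservative allowlist.
SUSPICIOUS_REF = re.compile(r"^-|[^A-Za-z0-9._/+@-]")

# Constructed sample input; hosts under .test do not resolve.
SAMPLE_COMPOSER_JSON = """
{
  "name": "example/app",
  "repositories": [
    {"type": "vcs", "url": "https://git.example.test/vendor/lib.git"},
    {"type": "hg", "url": "https://hg.example.test/vendor/tool"},
    {"type": "composer", "url": "https://repo.example.test"},
    {"packagist.org": false}
  ]
}
"""
SAMPLE_REFS = ["main", "release/1.2", "--option=value", "topic;note", "v2.0.1"]


def vcs_repositories(composer_json_text):
    """Return (type, url) for each VCS repository listed by URL."""
    data = json.loads(composer_json_text)
    repos = data.get("repositories", [])
    # Composer accepts a list or an object keyed by repository name.
    entries = repos.values() if isinstance(repos, dict) else repos
    found = []
    for entry in entries:
        # Entries such as {"packagist.org": false} carry no "type" key.
        if isinstance(entry, dict) and entry.get("type") in VCS_TYPES:
            found.append((entry["type"], entry.get("url", "")))
    return found


def suspicious_refs(ref_names):
    """Return the ref names that fail the heuristic above."""
    return [name for name in ref_names if SUSPICIOUS_REF.search(name)]


if __name__ == "__main__":
    for repo_type, url in vcs_repositories(SAMPLE_COMPOSER_JSON):
        print(f"review before 'composer update': {repo_type} {url}")
    print("suspicious refs:", suspicious_refs(SAMPLE_REFS))
```
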

Insights: The disclosure comes at a time when threat actors are increasingly eyeing open-source projects as a way to plant malware and perform software supply chain attacks. Such projects are widely adopted, even in enterprise environments, and open-source code has therefore become a lucrative and easy target. Open-source software (OSS) dependencies, beyond their advantages, may introduce vulnerabilities and put organizations at risk. As businesses move towards hybrid work and adopt cloud technologies, the open-source ecosystem is expected to come under an increasing number of attacks in the future.