{"id":604151,"date":"2023-02-03T07:49:19","date_gmt":"2023-02-03T13:49:19","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/02\/03\/north-koreas-lazarus-gang-exposes-itself-in-opsec-failure\/"},"modified":"2023-02-03T07:49:19","modified_gmt":"2023-02-03T13:49:19","slug":"north-koreas-lazarus-gang-exposes-itself-in-opsec-failure","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/02\/03\/north-koreas-lazarus-gang-exposes-itself-in-opsec-failure\/","title":{"rendered":"North Korea\u2019s Lazarus gang exposes itself in opsec failure"},"content":{"rendered":"<div id=\"content-header\">\n<h2>WithSecure researchers linked a campaign of cyber attacks targeting medical research and energy firms to North Korea\u2019s infamous Lazarus APT after a group member accidentally screwed up<\/h2>\n<\/div>\n<div id=\"content-center\">\n<ul>\n<li><i data-icon=\"1\"><\/i><\/li>\n<li><i data-icon=\"2\"><\/i><\/li>\n<\/ul>\n<div id=\"contributors-block\">\n<p><img decoding=\"async\" src=\"https:\/\/cdn.ttgtmedia.com\/rms\/computerweekly\/Alex-Scroxton-CW-Contributor-2022.jpg\" alt=\"Alex Scroxton\">\n\t\t\t\t\t<\/p>\n<p><span>By<\/span><\/p>\n<ul>\n<li>\n\t\t\t\t\t<a href=\"https:\/\/www.techtarget.com\/contributor\/Alex-Scroxton\">Alex Scroxton,<\/a><br \/>\n\t\t\t\t\t\t<span>Security Editor<\/span>\n\t\t\t\t\t\t<\/li>\n<\/ul>\n<p>\n\tPublished: <span>02 Feb 2023 13:00<\/span>\n<\/p>\n<\/div>\n<section id=\"content-body\">\n<p>A campaign of cyber attacks targeting medical research bodies and energy firms has been pinned on the infamous North Korean <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/definition\/advanced-persistent-threat-APT\">advanced persistent threat<\/a> (APT) group known as Lazarus \u2013 the group behind <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/news\/252448325\/Lazarus-Group-hacker-charged-in-Wannacry-Sony-attacks\">the 2017 WannaCry incident<\/a> \u2013 after an operational security 
error by gang members exposed its activity.<\/p>\n<p>Researchers at Finland\u2019s WithSecure picked up the story after detecting what appeared to be a run-of-the-mill ransomware attack on a customer that was using its <a href=\"https:\/\/www.withsecure.com\/en\/solutions\/software-and-services\/elements#:~:text=WithSecure%E2%84%A2%20Elements%20is%20the,attacks%20to%20zero%2Dday%20ransomware.\">Elements cloud-native security platform<\/a>. But it soon became apparent that something else was happening.<\/p>\n<p>\u201cWhile this was initially suspected to be an attempted <a href=\"https:\/\/blogs.blackberry.com\/en\/2022\/10\/bianlian-ransomware-encrypts-files-in-the-blink-of-an-eye\">BianLian ransomware<\/a> attack, the evidence we collected quickly pointed in a different direction. As we collected more evidence, we became more confident that the attack was conducted by a group connected to the North Korean government, eventually leading us to confidently conclude it was the Lazarus Group,\u201d said WithSecure senior threat intelligence researcher Sami Ruohonen.<\/p>\n<p>The investigated incident saw the gang gain initial access and privilege escalation through exploiting the <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-27925\">CVE-2022-27925<\/a> and <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-37042\">CVE-2022-37042<\/a> vulnerabilities in unpatched internet-facing Zimbra servers in August 2022. They used off-the-shelf webshells and custom binaries, abused legitimate Windows and Unix tools, and installed tools for proxying, tunnelling and relaying connections.<\/p>\n<p>The observed command and control (C2) behaviour suggests a small number of C2 servers connecting via multiple relays and endpoints, with some of the servers apparently belonging to other compromised victims. 
Finally, between 5 and 11 November 2022, the attacker stole approximately 100GB of data but did not take any destructive action.<\/p>\n<p>The attacker\u2019s error, and a key factor in leading the WithSecure team to its conclusions, was the brief use of one of fewer than a thousand IP addresses known to belong to North Korea.<\/p>\n<p>While poring over the victim\u2019s network logs, the team found a single instance of a connection from a North Korean IP address \u2013 175.45.176[.]27 \u2013 at the beginning of the day. This connection was preceded on the previous days, and followed, after a short delay, by connections from a proxy address \u2013 209.95.60[.]92.<\/p>\n<p>\u201cWe suspect that this instance was an <a href=\"https:\/\/www.computerweekly.com\/news\/252495150\/Incompetent-cyber-criminals-leak-data-in-opsec-failure\">operational security failure<\/a> by the threat actor at the start of their workday and, after a small delay, they came back via the intended route,\u201d the team wrote.<\/p>\n<p>\u201cThis is significant as the only North Korean IP addresses are three \/24 networks which are directly controlled and used by the North Korean government, and as such it is extremely likely that this activity was initiated by a North Korean state actor.\u201d<\/p>\n<p>The team was able to firm up the attribution due to observed tooling overlaps with other known Lazarus campaigns, password usage similarities with other campaigns, victim profiling, and timezone analysis.<\/p>\n<p>Based on all the evidence, it is now almost a certainty that the attack in question formed part of a wider campaign targeting healthcare researchers, chemical engineers, and technology manufacturers working with the energy, research, defence and healthcare sectors.<\/p>\n<p>Lazarus\u2019 ultimate aim in this was to gather intelligence on behalf of the North Korean government, a frequent goal of North Korean actors, <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/news\/252518378\/Axie-Infinity-hack-highlights-DPRK-cryptocurrency-heists\">alongside the cryptocurrency heists frequently seen<\/a>.<\/p>\n<p>Some mystery does remain, however, surrounding the possible link to the BianLian ransomware. This was suspected at first because the Cobalt Strike activity that WithSecure detected was beaconing to a server previously identified as associated with the financially motivated BianLian group. However, subsequent research has not been able to establish any definitive links between BianLian and North Korea\u2019s offensive cyber ops, and it is not possible to say whether one exists.<\/p>\n<section data-menu-title=\"Don\u2019t let down your guard\">\n<h3>Don\u2019t let down your guard<\/h3>\n<p>In this case, the Lazarus operative\u2019s inadvertent error was a helpful one to researchers, and it is somewhat gratifying to know that threat actors are only human and make mistakes like anybody else.<\/p>\n<p>However, anybody wanting to interpret this as a reason not to worry about Lazarus too much would be making a critical error of their own, said Tim West, WithSecure head of threat intelligence.<\/p>\n<p>\u201cIn spite of the opsec fails, the actor demonstrated good tradecraft and still managed to perform considered actions on carefully selected endpoints,\u201d he said.<\/p>\n<p>\u201cEven with accurate endpoint detection technologies, organisations need to continually consider how they respond to alerts and integrate focused threat intelligence with regular hunts to provide better defence in depth, particularly against capable and adept adversaries,\u201d he said.<\/p>\n<p>The full, in-depth research <a href=\"https:\/\/labs.withsecure.com\/publications\/no-pineapple-dprk-targeting-of-medical-research-and-technology-sector.\">can be read here<\/a>.<\/p>\n<p><em>This article was updated on 3 February 2023 to correct, ironically, an incorrect IP 
address.<\/em><\/p>\n<\/section>\n<\/section>\n<\/div>\n<p><a href=\"https:\/\/www.computerweekly.com\/news\/365530215\/North-Koreas-Lazarus-gang-exposes-itself-in-opsec-failure\" class=\"button purchase\" rel=\"nofollow noopener\" target=\"_blank\">Read More<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>WithSecure researchers linked a campaign of cyber attacks targeting medical research and energy firms to North Korea\u2019s infamous Lazarus APT after a group member accidentally screwed up By Alex Scroxton, Security Editor Published: 02 Feb 2023 13:00 A campaign of cyber attacks targeting medical research bodies and energy firms has been pinned on the infamous<\/p>\n","protected":false},"author":1,"featured_media":604152,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27002,1319,46],"tags":[],"class_list":{"0":"post-604151","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-koreas","8":"category-north","9":"category-technology"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/604151","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=604151"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/604151\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/604152"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=604151"}],"wp:term":[{"taxonomy":"category","embeddabl
e":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=604151"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=604151"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}