Kaspersky sheds light on Lazarus group's new campaign
Kaspersky's Global Research and Analysis Team (GReAT) has disclosed a new campaign by the notorious Lazarus group. This malicious campaign is centred on the exploitation of organisations worldwide through legitimate software.
The GReAT unit discovered several incidents in which targets were compromised through legitimate software designed to encrypt web communication using digital certificates. Even after the vulnerabilities were reported and patches issued, companies around the world continued running the vulnerable version of the software, which gave the Lazarus group its opportunity to gain entry.
The adversary demonstrated a high degree of sophistication, applying advanced evasion techniques and deploying SIGNBT malware to take control of the victim's system. The threat actor also employed the familiar LPEClient tool, which has previously been seen targeting defence contractors, nuclear engineers, and the cryptocurrency sector. This malware serves as the initial point of infection and plays a crucial role in profiling the victim and delivering the payload. The role of LPEClient in this campaign is consistent with the tactics the Lazarus group used in earlier operations, such as the 3CX supply chain attack.
The team's analysis further highlighted that the Lazarus malware had targeted the initial victim, a software vendor, multiple times in the past. This recurrence suggests a focused and persistent adversary, potentially interested in acquiring pivotal source code or causing disruption to the software supply chain. The threat actors consistently exploited vulnerabilities in the vendor's software, broadening their reach by also targeting other organisations relying on the unpatched version.
Seongsu Park, Lead Security Researcher at Kaspersky's Global Research and Analysis Team, spoke of the Lazarus group's unwavering tenacity, noting that it operates on a global scale. He said the group targeted a wide range of industries through diverse means, indicating an evolving and persistent threat.
To prevent future targeted attacks by known or unknown threat actors, Kaspersky recommends several measures, including keeping the operating system, applications, and antivirus software up to date so that known vulnerabilities are patched. Users should be wary of emails, messages, or calls asking for sensitive information, and should always verify the sender's identity before sharing personal details or clicking suspicious links.
Kaspersky also recommends giving your SOC team access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal serves as a single point of access for the company's TI, offering cyberattack data and insights collected over two decades. The cybersecurity team should be up-skilled to tackle current targeted threats, and implementing an EDR solution such as Kaspersky Endpoint Detection and Response helps with endpoint-level detection, detailed investigation, and timely remediation of incidents.