Displaying items by tag: Kaspersky

In 2018 Kaspersky’s Global Research and Analysis Team (GReAT) published findings on AppleJeus – an operation aimed at stealing cryptocurrency carried out by prolific threat actor the Lazarus group.

The new findings show that the operation has continued with more careful steps from the infamous threat actor, improved tactics and procedures and the use of Telegram as one of its new attack vectors.

Victims in the UK, Poland, Russia and China, including several connected to cryptocurrency business entities, were affected during the operation.

The Lazarus group is one of the most active and prolific advanced persistent threat (APT) actors, which carried out a number of campaigns targeting cryptocurrency-related organizations. During its initial 2018 AppleJeus operation, the threat actor created a fake cryptocurrency company in order to deliver their manipulated application and exploit a high level of trust among potential victims.

This operation was marked by Lazarus building, its first macOS malware. The application was downloaded by users from third-party websites and the malicious payload was delivered via what was disguised as a regular application update. The payload enabled the attacker to gain full control of the users’ device and steal cryptocurrency.

Kaspersky researchers identified significant changes to the group’s attack tactics in the ‘sequel’ operation. The attack vector in the 2019 attack mimicked the one from the previous year, but with some improvements. This time, Lazarus has created fake cryptocurrency-related websites, which hosted links to fake organization Telegram channels and delivered malware via the messenger.

Just as in the initial AppleJeus operation, the attack consisted of two phases. Users would first download an application, and the associated downloader would fetch the next payload from a remote server, finally enabling the attacker to fully control the infected device with a permanent backdoor. However, this time the payload was delivered carefully in order to evade detection by behavior-based detection solutions.

In attacks against macOS-based targets an authentication mechanism was added to the macOS downloader and the development framework was changed, in addition, a file-less infection technique was adopted this time. When targeting Windows users, the attackers avoided the use of Fallchill malware (which was employed in the first AppleJeus operation) and created a malware that only ran on specific systems after checking them against a set of given values. These changes demonstrate that the threat actor has become more careful in their attacks, employing new methods to avoid being detected.

Lazarus has also made significant modifications in the macOS malware and expanded the number of versions. Unlike in the previous attack, during which Lazarus used open source QtBitcoinTrader to build a crafted macOS installer, during the AppleJeus Sequel the threat actor started to use their homemade code to build a malicious installer. These developments signify that the threat actor will continue to create modifications of the macOS malware and our most recent detection was an intermediate result of these changes.

“The sequel AppleJeus operation demonstrates that despite significant stagnation in the cryptocurrency markets, Lazarus continues to invest in cryptocurrency-related attacks, making them more sophisticated. Further changes and diversification of their malware demonstrates that there is no reason to believe that these attacks will not grow in numbers and become a more serious threat,” commented Seongsu Park, Kaspersky security researcher.

The Lazarus group, known for its sophisticated operations and links to North Korea, is noted not only for its cyber-espionage and cybersabotage attacks, but also for financially-motivated attacks. A number of researchers, including those at Kaspersky, have previously reported on this group targeting banks and other large financial enterprises.

To protect from this and similar attacks, Kaspersky recommends crypto businesses to introduce basic security awareness training for all employees so that they can better distinguish phishing attempts, conduct an application security assessment to help them showcase their reliability to potential investors and to monitor for emerging vulnerabilities in smart contract execution environments.

As for consumers who are already exploring or plan to explore cyrptocurrencies, Kaspersky recommends they only use reliable and proven cryptocurrency platforms, do not click on links that lure them to an online bank or web wallet and to use a reliable security solution for comprehensive protection form a wide range of threats such as Kaspersky Security Cloud.

Published in Reports

Russia’s interior ministry recently said nine individuals has been detained who are alleged to be part of a cybercrime organization accused of stealing some $17 million from bank accounts.

A nationwide search was implemented to find the 50-strong hacker group in Russia. An operation was launched by the FSB security agency last year, to track down the hackers that pilfered more than one billion rubles ($16.8 million) since 2013, according to a statement.

“Nine individuals suspected of participating in hacking attacks were detained on January 25,” said ministry spokesperson Irina Volk. One of the individuals was reportedly placed under arrest. In total, 27 member and organizers are being investigated, with 19 of them now under arrest, said the ministry.

According to reports, the latest arrests are connected to a case against legendary hacking collective ‘Lurk’ that was targeted by law enforcement agencies last year. Russian cybersecurity firm Kaspersky said the group was reportedly suspected of stealing some three billion rubles from commercial organizations including banks.

Russian hacking is in the global spotlight following the country’s alleged involvement in cyber-attacks targeting the US presidential election campaign. However, experts say the vast majority of cybercrime is not politically motivated but financial.

What’s more, the FSB itself is currently involved in a scandal that has seen at least two of its cybersecurity experts arrested for treason linked to the United States, according to a lawyer involved in the case. The treason case saw the arrest of Ruslan Stoyanov – the head of Kaspersky’s cybersecurity unit that probed ‘Lurk’.

Published in Government

Russia’s FSB security service announced in a statement on Friday, December 2, that it had received intelligence about “plans by foreign secret services to carry out large-scale cyber-attacks from December 5.” The plans, it said, were aimed at “destabilizing Russia’s financial system including the activities of a number of major banks.” FSB is reportedly working to neutralize the threat.

In November, Moscow-based security giant Kaspersky announced that a massive cyber-attack had penetrated at least five of Russia’s largest banks. Those attacks, according to Kaspersky, were carried out using devices located in 30 countries including the United States. One of the banks that were attacked, Sberbank, acknowledged that it had been attacked, but also said that none of its main operations has been affected.

But Russia is not just the victim of large-scale cyber-attacks – in fact; the country has been accused in the past for several major hacking operations in the U.S. In October, Washington formally accused Russia of attempting to “interfere” in the 2016 presidential election. What’s more, German Chancellor Angela Merkel recently said that cyber-attacks by Russia have become so common that they are now a “part of daily life”.

Russia now faces skepticism, such as MI5, the British intelligence agency, warning that Russia is becoming more aggressive and using cyber-attacks to promote its foreign policy abroad. At this stage, Russia’s FSB has not disclosed which countries’ secret services were involved in the recent cyber-attacks aimed at the country’s financial institutions, but has alleged that the attacks would use servers and “command centers” located in the Netherlands belonging to Ukrainian hosting company BlazingFast.

Anton Onopriychuk, director of the Kiev-based company, told AFP it provides "services for protection against cyber-attacks, not for attacks.” He continued, “As yet no one has contacted us about this, neither the FSB or clients,” adding that the company would investigate. The FSB said that "provocative publications" about a crisis in the Russian banking system were planned to appear on social media networks, blogs and mobile phone text messages.

Published in Government

Russian internet security giant Kaspersky recently announced that massive DDoS attacks had hit at least five of Russia’s largest banks. One of Russia’s largest state-owned banks, Sberbank, said it had been hacked into on Tuesday, November 8, but it managed to neutralize the attack automatically without disturbing its operations.

In a media statement, Kaspersky said that the distributed denial of service (DDoS) attacks began at 1300 GMT which targeted “the websites of at least five well-known financial institutions in the top 10” in Russia. The attacks reportedly continued for an extended period of time. Most of the attacks lasted for about an hour, while the others lasted almost 12 hours.

DDoS attacks involve flooding websites with more traffic than they can handle, making them difficult to access or taking them offline entirely. According to an AFP report, the attacks in Russia saw as many as 660,000 requests being sent per second using a network of more than 24,000 hijacked devices located in 30 countries. More than half the devices were in the United States, India, Taiwan and Israel, Kaspersky said.

Russia’s central bank reached out to AFP and confirmed that it had identified “attacks on a number of large banks,” and described the attacks’ intensity as “medium” adding that they did not necessarily disrupt access to banking services for customers. The bank also confirmed that the attacks used botnets made up of devices linked via the Internet of Thing (IoT) – this includes connected devices such as CCTV cameras of video recorders connected to offices and homes worldwide.

Speaking to Interfax news agency, Stanislav Kuznetsov, a senior executive at Sberbank, said the bank had suffered 68 DDoS attacks this year and that the latest was among the largest. Kaspersky says DDoS attacks “have long been one of the most popular instruments used by criminals to attack businesses.”


Published in Government