Lazarus Hacker Group Adapts Tactics, Tools, and Targets in DeathNote Campaign

The North Korean cyber threat group known as Lazarus has been observed changing its strategies and rapidly enhancing its tools within its ongoing DeathNote campaign. While historically focused on the cryptocurrency sector, recent attacks have also expanded to include the automotive, academic, and defense sectors in Eastern Europe and beyond. This shift is seen as a major change in approach. Kaspersky researcher Seongsu Park noted that the group has switched its decoy documents to job descriptions for defense contractors and diplomatic services, marking a strategic pivot that began in April 2020. This campaign is also identified by other names such as Operation Dream Job or NukeSped, with Google-owned Mandiant linking certain activities to this evolving threat.

Lazarus Hacker Group Adapts Strategies in Ongoing DeathNote Campaign

April 13, 2023
Cyber Attack / Cyber Threat

The Lazarus Group, a North Korean cyber threat actor, has been observed refining its strategies and expanding its targets in an ongoing campaign known as DeathNote. Traditionally focused on the cryptocurrency sector, this group has now pivoted towards a wider range of industries, including automotive, academia, and defense, particularly within Eastern Europe and beyond. This shift is indicative of a broader tactic evolution that cybersecurity experts are closely monitoring.

A detailed analysis by Kaspersky researcher Seongsu Park highlighted that the group’s recent operations have incorporated decoy documents that now primarily feature job postings related to defense contractors and diplomatic services. This strategic pivot suggests a significant expansion in the nature of information the Lazarus Group seeks to exploit, contrasting with its historical focus on financial targets.

The modification in target selection, along with the deployment of updated attack vectors, has been linked to developments dating back to April 2020. Researchers have noted that this variant of the DeathNote campaign is also referred to in security circles as Operation Dream Job or NukeSped. Mandiant, a subsidiary of Google, has identified a subset of the Lazarus Group’s activities that further underscores the evolving threat landscape.

The adaptation of tactics by the Lazarus Group employs a spectrum of techniques outlined in the MITRE ATT&CK framework. Initial access likely involves phishing schemes or exploitation of vulnerabilities within networked systems, which serves as the first step in breaching defenses. Following successful entry, the group may utilize methods for persistence to maintain access within compromised environments, allowing them to advance their objectives over an extended period.

Privilege escalation techniques may also play a crucial role in their operations, enabling the group to gain elevated access to sensitive information or capabilities that are otherwise restricted. These tactics collectively illustrate the sophisticated methodologies that adversaries like the Lazarus Group now leverage to infiltrate organizations across varied sectors.

Given this evolving threat, business owners and technology professionals must remain vigilant and enact comprehensive cybersecurity measures. This includes not only enhancing protective mechanisms but also fostering an organization-wide culture that prioritizes cybersecurity awareness. The implications of the Lazarus Group’s diversified targeting strategy highlight the urgent need for robust defenses and adaptive responses in today’s complex cyber landscape.

With this ongoing campaign, understanding the tactics employed by such threat actors is essential for organizations to anticipate, prepare for, and effectively mitigate potential attacks. As cyber threats continue to adapt and expand, staying informed is not just prudent; it is imperative for safeguarding organizational assets in an increasingly treacherous digital environment.

Source link

Related Posts

Urgent: Microsoft Releases Security Patches for 97 Vulnerabilities, Including Active Ransomware Threat

April 12, 2023
Patch Tuesday / Software Updates

On the second Tuesday of the month, Microsoft has issued security updates addressing a total of 97 vulnerabilities within its software. Notably, one of these flaws is currently being exploited in active ransomware attacks. Of the 97 issues, seven are classified as Critical and 90 as Important. The updates notably include 45 remote code execution flaws and 20 elevation of privilege vulnerabilities. This release follows previous fixes for 26 vulnerabilities found in the Edge browser over the past month. The actively exploited flaw is CVE-2023-28252 (CVSS score: 7.8), a privilege escalation vulnerability within the Windows Common Log File System (CLFS) Driver. According to Microsoft’s advisory, “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” with credit given to researchers Boris Larin, Genwei Jiang, and Quan Jin for their discovery. CVE-2023-28252 represents the fourth privilege escalation flaw recently identified…

RTM Locker: A Rising Cybercrime Collective Targeting Enterprises with Ransomware

April 13, 2023
Ransomware / Cyber Attack

Cybersecurity experts have revealed insights into the tactics of a burgeoning cybercriminal organization known as “Read The Manual” (RTM) Locker. This group operates as a private ransomware-as-a-service (RaaS) provider, executing opportunistic attacks to illicitly generate profits. According to a report from cybersecurity firm Trellix shared with The Hacker News, “The RTM Locker gang employs affiliates to extort victims, all of whom must adhere to the gang’s stringent rules.” The structured nature of the group, where affiliates are expected to remain active or inform the gang of their departure, highlights its organizational maturity, akin to that seen in other sophisticated groups like Conti. Originally documented by ESET in February 2017, RTM began in 2015 as a banking malware targeting businesses in Russia through methods such as drive-by downloads, spam, and phishing emails. The group’s attack strategies have since evolved to include ransomware deployment.

Critical Vulnerabilities in Android and Novi Survey Under Ongoing Exploitation

April 14, 2023
Mobile Security / Cyber Threat

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation evidence. The vulnerabilities include:

  • CVE-2023-20963 (CVSS score: 7.8) – Android Framework Privilege Escalation Vulnerability
  • CVE-2023-29492 (CVSS score: TBD) – Novi Survey Insecure Deserialization Vulnerability

CISA’s advisory for CVE-2023-20963 notes that the Android Framework contains an unspecified vulnerability that enables privilege escalation when an app is updated to a higher Target SDK without requiring additional execution privileges. Google acknowledged in its March 2023 Android Security Bulletin that there are signs of limited, targeted exploitation of CVE-2023-20963. This revelation follows a report from Ars Technica that Android apps digitally signed by a Chinese e-commerce entity may be affected.