
Wednesday, January 13, 2021

Kaspersky says two vaccine-related firms were attacked by APT

01/06/2021 10:18:51 PM

As the world gears up in hope of recovery from COVID-19, Kaspersky has identified two APT incidents related to research on the disease.

In the autumn of 2020, the company's researchers identified a Ministry of Health body and a pharmaceutical company as victims of cyberattacks suspected to be the work of the infamous Lazarus group.

The first attack took place on 27 October 2020. Malware named 'wAgent' was used against a Ministry of Health body, compromising two Windows servers with the same infection scheme the Lazarus group has used against cryptocurrency businesses.

Meanwhile, the second breach was dated 27 September 2020 and involved a pharmaceutical company that was developing a COVID-19 vaccine and is also authorized to produce and distribute it. Kaspersky said the attacker deployed the Bookcode malware, previously reported by a security vendor to be connected to Lazarus, in a supply chain attack through a South Korean software company. Its researchers have also seen the Lazarus group use spear-phishing or strategic website compromise to deliver Bookcode malware in the past.

The wAgent and Bookcode malware used in the two attacks have similar functionality, such as a full-featured backdoor. After deploying the final payload, the malware operator can control a victim’s machine in nearly any manner they wish.

Relationship of recent Lazarus group attack

Given the noted overlaps, Kaspersky researchers confirm with high confidence that both incidents are connected to the Lazarus group. The research is still ongoing as of press time.

“These two incidents reveal Lazarus group’s interest in intelligence related to COVID-19. While the group is mostly known for its financial activities, it is a good reminder that it can go after strategic research as well. We believe that all entities currently involved in activities such as vaccine research or crisis handling should be on high alert for cyberattacks,” said Seongsu Park, security expert at Kaspersky.

Kaspersky products detect the wAgent malware as HEUR:Trojan.Win32.Manuscrypt.gen and Trojan.Win64.Manuscrypt.bx. Meanwhile, the Bookcode malware is detected as Trojan.Win64.Manuscrypt.ce.

To stay safe from sophisticated threats, Kaspersky recommends taking the following security measures:

  • Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal grants access to the company’s TI, providing cyberattack data and insights gathered by Kaspersky for more than 20 years. Free access to its curated features, which allow users to check files, URLs and IP addresses, is also available.
  • Provide your staff with basic cybersecurity hygiene training, as many targeted attacks start with phishing or other social engineering techniques.
  • Organizations that would like to conduct their own investigations will benefit from the Kaspersky Threat Attribution Engine. It matches discovered malicious code against malware databases and, based on code similarities, attributes it to previously revealed APT campaigns.
  • For endpoint-level detection, investigation and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.
  • In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
Log in to to see the full details and updates regarding this report. 

Author: slickmaster | © 2021 The SlickMaster's Files
