One of the most prolific advanced threat actors, Lazarus, a North Korean APT group, has been recently tracked and identified to be developing supply chain attack skills, and not only that even for cyber espionage they are using its multi-platform MATA framework.
This North Korean APT group is active since at least 2009, and right now in the current era, this APT group is one of the most active globally. As it has a huge track record of cyber-espionage and ransomware campaigns.
But, through their malicious campaigns and wide range of custom tools, they mostly target the cryptocurrency markets and defense industry to accomplish their goals.
Using the MATA malware framework the operators of the Lazarus group has attacked several industries to steal the customer databases and spread ransomware, but, they mainly target the defense industry, and in the MATA malware framework, they can target three major players:-
According to the Kaspersky report, While Lazarus APT group has attacked the defense industry several times, as last year in mid-2020 the ThreatNeedle campaign was launched by them to target the defense industry.
Moreover, the US Cybersecurity and Infrastructure Security Agency (CISA) reported that Lazarus was building supply chain attack capabilities with an updated DeathNote cluster using a variant of BLINDINGCAN.
The senior security researcher, Global Research and Analysis Team, Kaspersky, Ariel Jungheit stated:-
“These recent developments highlight two things: Lazarus remains interested in the defense industry and is also looking to expand its capabilities with supply chain attacks.”
Several malicious campaigns have been identified in which an IT asset monitoring solution vendor, as well as a think tank in South Korea, were targeted. In these campaigns two types of cases were discovered:-
First case: In an infection chain that is developed by Lazarus, a malicious payload was delivered via legitimate South Korean security software.
Second case: A Latvian asset monitoring company was the target of Lazarus, an atypical victim for the organization.
In its infection chain, the threat actor uses a downloader called Racket, which was signed by using a stolen certificate, to install malware.
To filter and control the malicious implants on successfully breached machines several scripts were uploaded by the actor to the compromised web servers.
Here’s the list of recommendations:-
To stay safe the security analysts of Kaspersky have strongly recommended users to follow and implement all the above-mentioned recommendations immediately.
Attackers are exploiting the recently discovered critical security vulnerability tracked as (CVE-2023-46604) affecting Apache ActiveMQ…
Media reports highlight the sale of LLMs like WormGPT and FraudGPT on underground forums. Fears…
An open-source security scanner, developed by Git Hub user Adam Swanda, was released to explore…
One of Slovenia's major power providers, HSE, has recently fallen victim to a significant cyberattack.…
In the labyrinthine landscape of cyber threats, the Trend Micro Managed XDR team has uncovered…
BOSTON, MASS. and TEL AVIV, ISRAEL, November 28, 2023 - A severe design flaw in…