Securelist
Image Credit: Securelist

Operation SyncHole: Lazarus APT goes back to the well

  • The Lazarus group conducted the "Operation SyncHole" attack campaign targeting South Korean organizations, combining a watering hole strategy and vulnerability exploitation in South Korean software.
  • At least six organizations in South Korea's software, IT, financial, semiconductor, and telecommunications sectors were affected, with a focus on exploiting vulnerabilities in key software.
  • Lazarus used variants of malicious tools like ThreatNeedle, Agamemnon downloader, and SIGNBT during the campaign, exploiting a vulnerability in Cross EX software to compromise organizations.
  • The campaign involved a combination of watering hole attacks and exploitation of the Innorix Agent for lateral movement, impacting more organizations beyond the initially identified six.
  • Multiple malware execution chains were observed, involving ThreatNeedle, wAgent, SIGNBT, and COPPERHEDGE, indicating the group's evolving strategies and advanced capabilities.
  • The attackers leveraged vulnerabilities in South Korean software, such as Cross EX and Innorix Agent, for privilege escalation, lateral movement, and delivery of additional malware.
  • Detailed analysis revealed the actor's post-exploitation tactics, the Windows commands they executed, an infrastructure built on compromised C2 servers, and an operational mistake the attackers made when using the taskkill command.
  • The Lazarus group's evolving malware, asymmetric encryption use, and operational structure demonstrate a sophisticated and ongoing threat to South Korean entities, with a focus on supply chain attacks.
  • Mitigation efforts involved reporting vulnerabilities to KrCERT, monitoring and analyzing malware behavior, and swift response to minimize damage and prevent further exploitation by the group.
  • Kaspersky products detect the exploits and malware used in the attack, providing indicators of compromise to help organizations identify and remediate potential threats.