Sign up for our weekly newsletter!
REGISTER NOW |
||
|
||
APTs in 2018: A Mix of Old & New![]() The picture of advanced persistent threats (APTs) in 2018 has been one of established threat groups such as Sofacy and Turla continuing their work, an Olympic Destroyer attack that was among the most sophisticated false flags, the re-emergence of some bad actors that had been absent from the scene, the rise of new players, and a growing effort by governments to slow the number of attacks by naming suspected culprits. In their report, "APT Review of the Year," researchers with Kaspersky Lab noted that getting a clear view of all the key developments in this area of security is difficult because "everybody has partial visibility and it's never possible to really understand the motivations of some attacks or the developments behind them." However, it's important to understand what happened in 2018 to get a better idea of what to expect as the calendar turns to 2019, according to Vicente Diaz, security researcher at Kaspersky Lab Global Research and Analysis Team.
![]() (Source: iStock)
"We believe that APT activity is becoming part of the operations of every nation-state," Diaz told Security Now in an email. "Such activity includes different agencies working in parallel, different groups offering their services, and external companies selling their tools. All of this results in a picture where older, well-established actors are thinking about new, more sophisticated ways of achieving their objectives and silently moving away from the noisy wave of newcomers. The rapid increase in the number of new actors also means that there is an increasing number of potential targets. This is reality, and although it is complex, it is necessary for defenders to understand how it is evolving so that we can fight against it." The threat groups behind many of these APTs were a mix of large, known actors, new ones and some that had returned after a period of hibernation. Familiar namesThe first included several known Russian-speaking groups such as Sofacy, Trula and CozyBear. Sofacy appeared to be the most active, being seen by Kaspersky researchers in various operations throughout 2018 and updating their tools. The campaigns included Gamefish, an update of its DealersChoice framework and the malware attack on Computrace's LoJack technology for PCs via a UEFI-type rootkit. In addition, the Zebrocy tool used by Sofacy saw a range of improvements, convincing the researchers that others may have been using and building on it. Sofacy also is suspected of being involved in the OlympicDestroyer false flag operation. (See Olympic Destroyer Returns With Attacks in Europe.) Turla was found using LightNeuron targeting Exchange servers, a backdoor that had been used to infect Germany's Foreign Office in 2017 and a new variant of its Carbon malware. In addition, Cozy Bear -- also known as CozyDuke -- was detected last month targeting diplomatic and governmental entities in Europe. Some groups that had been out of circulation emerged in 2018, including Kimsuky, DarkHotel, LuckyMouse and APT10 (which was suspected to be behind the OceanSalt campaign) in Southeast Asia and Middle East groups like Prince of Persia, OilRig, MuddyWaters and GazaTeam. (See McAfee: Seasalt Malware Raises Its Head Again.)
![]() (Source: Kaspersky Lab)
New groups also sprang up, including an array of bad actors in Southeast Asia like ShaggyPanther, Sidewinder, CardinalLizard and TropicTrooper. "As a rule, these groups are not that technically advanced, using a variety of approaches to achieve their objectives," the researchers wrote in their report. "They are usually interested in regional targets, with their main objectives being governmental and also military." Other new groups include LazyMerkaats, FruityArmor and OpParliament in the Middle East and DustSquad, ParkingBear and Gallmaker in Eastern Europe. New goalsThe researchers also noted a shift in targets of many of the APT groups mentioned, writing that even if some of the activity "doesn't seem that technically advanced, it doesn't mean it isn't effective. Looking back, we can cite a few public cases where it looks like these attacks are returning to the days when attackers were after major strategic research or blueprints that might be of the interest to state-sponsored groups, and not just some random data." To combat the APT campaigns, governments took to publicly identifying suspects in a "naming and shaming" effort. For example, US officials released details of the North Korean citizen they said was part of the Lazarus group behind the attack on Sony and the WannaCry ransomware. In addition, the Justice Department indicted Russian citizens and officers of Russia's GRU as part of the investigation into the country's interference into US elections. However, it's unclear how effective the naming-and-shaming campaigns are, Kaspersky's Diaz said. "We shall see," he said. "Although we cannot know for sure, it seems as if the previous US-China agreement [of 2015] slowed down APT activity. The 'naming and shaming' strategy is much more aggressive, since it makes public details of different attacks. It is not clear how well this might work in reducing attacks, or whether the approach will simply be used just to justify other, even more aggressive actions. Whether the final outcome will be a decline or an escalation in activity is not known." However, what is known is that "in this complex landscape, it is becoming more and more important to have threat intelligence capabilities," Diaz said. "We don't mean just buying a service, but having the capabilities to digest what's going on with a broad perspective." Related posts:
— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics. |
Epic Games, the developer of Fortnite, fixed vulnerabilities in its web infrastructure that researchers said exposed the sensitive information of users of the wildly popular online game.
The ServHelper and FlawedGrace malware developed by threat group TA505 exemplify the move away from smash-and-grab ransomware toward more stealthy, longer campaigns, according to a recent analysis by Proofpoint.
Chip makers such as Intel have released patches and fixes to mitigate Spectre and Meltdown issues, but the problem won't be solved until they come out with new architectures, which is two to three years away.
A report by Kaspersky researchers has found that healthcare organizations in the US and Canada are still at heightened risk of ransomware attacks.
For enterprises anxious to avoid being extorted by attackers using ransomware, backing up data to the cloud is an option to consider, though it's not the answer for everyone.
Information Resources
upcoming Webinars
ARCHIVED
Top Tips for Blocking pwned [email protected]$$wOrds in Your Organization
Tuesday, October 29, 2019
12 p.m. New York/ 4:00 p.m. London Podcasts
Podcast: Infrastructure Hunting – Stopping Bad Actors in Their Tracks
Being able to effectively build a threat intelligence ecosystem or threat-hunting identification response requires both user and systems sophistication and capabilities. Security, orchestration, automation and response (SOAR) is a new technology designed to provide organizations a single comprehensive platform they can use to implement an intelligence driven security strategy.
Podcast: Digital Transformation, SD-WAN & Optimal Security
Dan Reis chats to Cybera's Josh Flynn about how to achieve digital transformation without sacrificing security. ![]() like us on facebook
|
|
![]() |
||
![]() |
Security Now
About Us
Contact Us
Help
Register
Events
Supporting Partners
Twitter
Facebook
RSS
Copyright © 2019 Light Reading, part of Informa Tech, a division of Informa PLC. All rights reserved. Privacy Policy | Cookie Policy | Terms of Use in partnership with
|