At a glance.
- Gelsemium targets East Asia and the Middle East.
- Fancy Lazarus launches DDoS extortion attacks.
- US government agencies struggle to protect consumer accounts.
- Hades ransomware operators described.
Gelsemium targets East Asia and the Middle East.
ESET has been tracking campaigns by the Gelsemium threat actor targeting "governments, religious organizations, electronics manufacturers, and universities" in East Asia and the Middle East. The researchers believe this group is responsible for the supply-chain attack on NoxPlayer, BigNox's Android emulator, whose update mechanism was compromised to deliver malware to selected users. Gelsemium has a narrow set of victims, which ESET takes as evidence that the group is engaged in cyberespionage rather than crime. The researchers note that despite the small number of victims, the attackers use many different tools:
"The Gelsemium biome is very interesting: it shows few victims (according to our telemetry) with a vast number of adaptable components. The plug-in system shows that its developers have deep C++ knowledge. Small similarities with known malware tools shed light on interesting, possible overlaps with other groups and past activities."
US government agencies struggle to protect consumer accounts.
TransUnion has released a study, conducted by the Ponemon Institute, that concluded most US government agencies lack the resources to adequately secure consumer-facing services:
"Only 43% of respondents say their agency has the security technologies necessary to provide customers with both a secure and convenient online experience when accessing their accounts. Lacking the necessary tools, agencies are challenged to effectively protect customer accounts and data. While half of respondents believe their agency is effective at reducing customer fraud, only 40% say they’re effective at protecting customer data and 38% are effective at preventing account takeovers."
Fancy Lazarus launches DDoS extortion attacks.
Proofpoint has published a report on "Fancy Lazarus," a cybercriminal gang that carries out distributed denial-of-service (DDoS) extortion attacks. The group borrows the names of nation-state threat actors, such as Russia's Fancy Bear or North Korea's Lazarus Group, but does not appear to have any connection to them. Fancy Lazarus emails companies threatening to launch DDoS attacks against them unless they pay the demanded sum by a deadline. Proofpoint concludes that companies with adequate DDoS mitigations in place shouldn't worry too much about these threats, though they should take them seriously enough to verify those mitigations:
"While Proofpoint does not have visibility into the actual 'Fancy Lazarus' DDoS attacks and whether they are carried out, FBI reporting indicates that many affected companies that pass the threatened deadline either do not see any additional activity or the activity is successfully mitigated. There are, however, several prominent institutions that have either received attack demonstrations or reported an impact to their operations, so it is important for companies and organizations to be prepared by having appropriate mitigations in place such as using a DoS protection service and having disaster recovery plans at the ready."
Hades ransomware operators described.
Secureworks outlines the activities of "GOLD WINTER," the group that operates the Hades ransomware. The researchers explain that "GOLD WINTER's attacks on large North America-based manufacturers indicate that the group is a 'big game hunter' that specifically seeks high-value targets." Secureworks believes GOLD WINTER is a distinct threat actor, separate from the groups other vendors have tied Hades to:
"The financially motivated threat group operating the Hades ransomware is known as GOLD WINTER. Some third-party reporting attributes Hades to the HAFNIUM threat group, but CTU™ research does not support that attribution. Other reporting attributes Hades to the financially motivated GOLD DRAKE threat group based on similarities to that group’s WastedLocker ransomware. Despite use of similar application programming interface (API) calls, the CryptOne crypter, and some of the same commands, CTU researchers attribute Hades and WastedLocker to two distinct groups as of this publication."
Secureworks also suspects that Hades is run privately by a single group rather than offered to affiliates. Rather than posting stolen data to a central leak site, GOLD WINTER stands up a separate Tor site for each victim, and it negotiates over Tox instant messaging, a channel the researchers have not seen other ransomware families use:
"Hades’ absence on underground forums and marketplaces suggests that it is operated as private ransomware rather than ransomware as a service (RaaS). GOLD WINTER 'names and shames' victims after stealing their data but does not use a centralized leak site to expose the exfiltrated data. Instead, Tor-based Hades websites appear to be customized for each victim. Each website includes a victim-specific Tox chat ID for communications. Using Tox instant messaging for communications is a novel technique that CTU researchers have not observed with other ransomware families."