At a glance.
- Suspected Chinese actors target India's critical infrastructure.
- Lazarus Group goes after defense companies.
- LazyScripter targets airlines and job seekers.
- Accellion data theft extortion.
Suspected Chinese actors target India's critical infrastructure.
Recorded Future's Insikt Group describes an increase in suspected Chinese hacking activity directed against targets in India. The activity bears similarities to known Chinese threat actors, but it's distinct enough that the researchers are tracking it under the new moniker "RedEcho." Notably, this activity is targeted at Indian critical infrastructure, which Recorded Future believes may be a sign of potential preparation for cybersabotage. The researchers write:
"Since early 2020, Recorded Future’s Insikt Group observed a large increase in suspected targeted intrusion activity against Indian organizations from Chinese state-sponsored groups. From mid-2020 onwards, Recorded Future’s midpoint collection revealed a steep rise in the use of infrastructure tracked as AXIOMATICASYMPTOTE, which encompasses ShadowPad command and control (C2) servers, to target a large swathe of India’s power sector. 10 distinct Indian power sector organizations, including 4 of the 5 Regional Load Despatch Centres (RLDC) responsible for operation of the power grid through balancing electricity supply and demand, have been identified as targets in a concerted campaign against India’s critical infrastructure. Other targets identified included 2 Indian seaports."
Recorded Future adds, "The targeting of Indian critical infrastructure offers limited economic espionage opportunities; however, we assess they pose significant concerns over potential pre-positioning of network access to support Chinese strategic objectives...Pre-positioning on energy assets may support several potential outcomes, including geo-strategic signaling during heightened bilateral tensions, supporting influence operations, or as a precursor to kinetic escalation."
Lazarus Group goes after defense companies.
Kaspersky researchers say North Korea's Lazarus Group is using custom malware dubbed "ThreatNeedle" to target organizations in the defense industry. The researchers say the Lazarus Group has used this malware in the past for financially motivated attacks:
"The malware used in this campaign belongs to a known malware cluster we named ThreatNeedle. We attribute this malware family to the advanced version of Manuscrypt (a.k.a. NukeSped), a family belonging to the Lazarus group. We previously observed the Lazarus group utilizing this cluster when attacking cryptocurrency businesses and a mobile game company. Although the malware involved and the entire infection process is known and has not changed dramatically compared to previous findings, the Lazarus group continued using ThreatNeedle malware aggressively in this campaign."
The threat actor is using Russian-language spearphishing emails based on public information about the targeted organization. The phishing templates are COVID-19-themed and "were carefully crafted and written on behalf of a medical center that is part of the organization under attack." The emails contain malicious documents or download links that install the malware. The goal of the operation appears to be cyberespionage, with a custom-made tunneling tool used to exfiltrate data.
LazyScripter targets airlines and job seekers.
Researchers at Malwarebytes are tracking a new threat actor dubbed “LazyScripter” that’s targeting airlines and job seekers with malware-laden phishing documents. The threat actor is using the open-source remote access Trojans Octopus and Koadic, as well as LuminosityLink, RMS, Quasar, njRat, and Remcos. In every recent instance, the actor has used its own loader, which the researchers have named "KOCTOPUS." In the past, LazyScripter delivered PowerShell Empire via a loader dubbed "Empoder" before shifting to Octopus and Koadic. The actor uses GitHub to host its malware. Rather than using malicious macros in Office documents, the actor embeds executables, batch files, or VBScript files within the documents under the guise of PDF, Excel, or Word icons.
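A defender-side check for the lure style described above, added here as an example and not code from Malwarebytes or from the original write-up: Office OOXML files are zip packages, and objects embedded in them land under `word/embeddings/`, `xl/embeddings/` or `ppt/embeddings/`, so a mail gateway or triage script can list those entries and classify each payload by its leading bytes before anyone double-clicks an icon. The function names, the `MAGIC` table and the script-text heuristics are assumptions of this example, and the sample package is constructed in memory (an `MZ` header standing in for an executable behind a "PDF" icon), not a real lure.

```python
import io
import zipfile

# Constructed sample: a minimal .docx-style package whose embedded object is a
# Windows executable (MZ header) rather than the PDF its icon suggests.
# This is a synthetic stand-in for the lure documents described in the text.
def build_sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        # The icon the user sees is just an image; it says nothing about the payload.
        z.writestr("word/media/image1.emf", b"\x01\x00\x00\x00fake-pdf-icon")
        z.writestr("word/embeddings/oleObject1.bin",
                   b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00")
    return buf.getvalue()

# Leading-byte signatures for the payload types worth telling apart (assumed table).
MAGIC = {
    b"MZ": "pe-executable",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole-compound",   # may wrap a packaged file
    b"PK\x03\x04": "zip-package",
    b"%PDF": "pdf",
}
# Batch and VBScript payloads have no magic number; look for typical text instead.
SCRIPT_HINTS = (b"@echo off", b"cmd /c", b"powershell", b"createobject(", b"wscript.shell")
EMBED_DIRS = ("word/embeddings/", "xl/embeddings/", "ppt/embeddings/")
SEVERITY = {"pe-executable": "high", "script-text": "high", "ole-compound": "medium"}


def classify(blob: bytes) -> str:
    """Label an embedded object by its leading bytes, falling back to script-text hints."""
    for magic, label in MAGIC.items():
        if blob.startswith(magic):
            return label
    head = blob[:512].lower()
    if any(hint in head for hint in SCRIPT_HINTS):
        return "script-text"
    return "unknown"


def scan_office_package(data: bytes):
    """Return (entry name, payload type, severity) for every embedded object in the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.startswith(EMBED_DIRS):
                kind = classify(z.read(name))
                findings.append((name, kind, SEVERITY.get(kind, "low")))
    return findings


if __name__ == "__main__":
    for entry, kind, severity in scan_office_package(build_sample_docx()):
        print(f"{severity:6s} {kind:14s} {entry}")
```

An embedded OLE compound file is not malicious by itself (charts and spreadsheets embed that way), which is why it is rated medium rather than high; a packaged executable inside it would need the compound file parsed further. A document arriving by e-mail with any embedded object under these paths is already a reasonable trigger for sandboxing, given that the actor avoids macros entirely.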
Beginning in August 2018, LazyScripter targeted people seeking immigration to Canada through job-seeking programs. The actor continued using job-related lures through January of 2020, then shifted to COVID-19-themed lures. The most recent activity, beginning in November 2020, targeted the International Air Transport Association (IATA) and airlines that use BSPLink, a software interface for accessing IATA's Billing and Settlement Plan. Notably, some recent phishing lures are related to IATA's new document-free passenger processing tool, IATA One ID, which the researchers say "indicates that this actor is constantly updating its toolsets to target new systems developed by IATA."
Malwarebytes notes that the only two threat actors known to have used the Koadic Trojan are Russia’s APT28 and the Iran-associated MuddyWater. The researchers say there are no other links to APT28, but there are some additional ties to MuddyWater. Specifically, LazyScripter and MuddyWater have both used Koadic and PowerShell Empire, both rely on scripting languages like PowerShell and JavaScript, and both have hosted their tools on GitHub.
Still, the researchers believe the differences between the two groups are significant enough to warrant LazyScripter being tracked as a new threat actor, and they don’t attribute the activity to any particular nation-state. In particular, they point to the fact that LazyScripter primarily relies on open-source tools that haven't been used by MuddyWater, while MuddyWater tends to use custom-made malware.
For more, see "LazyScripter targets airlines and job seekers."
Accellion data theft extortion.
Cloud solutions provider Accellion has sustained a data breach that's affected dozens of the company's clients, including Kroger, Singtel, Reserve Bank of New Zealand, the Australian Securities and Investments Commission (ASIC), the Office of the Washington State Auditor, and the University of Colorado. BleepingComputer reports that the breach was carried out by the Clop ransomware gang and the FIN11 threat actor, but the attackers didn't deploy their ransomware and instead simply threatened to release the stolen data. The attackers exploited zero-day vulnerabilities in Accellion's legacy File Transfer Appliance (FTA) product, which have since been patched. The vulnerabilities involved are tracked as CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104. Accellion stated, "Out of approximately 300 total FTA clients, fewer than 100 were victims of the attack. Within this group, fewer than 25 appear to have suffered significant data theft."
FireEye's Mandiant unit investigated the attack and says the attackers installed a web shell dubbed "DEWMODE" to exfiltrate the data. FireEye states, "Starting in mid-December 2020, malicious actors that Mandiant tracks as UNC2546 exploited multiple zero-day vulnerabilities in Accellion's legacy File Transfer Appliance (FTA) to install a newly discovered web shell named DEWMODE. The motivation of UNC2546 was not immediately apparent, but starting in late January 2021, several organizations that had been impacted by UNC2546 in the prior month began receiving extortion emails from actors threatening to publish stolen data on the "CL0P^_- LEAKS" .onion website. Some of the published victim data appears to have been stolen using the DEWMODE web shell."