

#LAZARUS GROUP SOFTWARE#

A group posing as the notorious nation-state-linked hacking group “Lazarus Group” threatened to hit British foreign exchange company Travelex with a distributed-denial-of-service (DDoS) attack unless it paid 20 bitcoins.

According to an email discovered by Intel 471 researchers, attackers threatened to hit Travelex with an “extremely powerful” attack that would “peak over 2 Tbps” until the company paid a ransom.

The demand, which was sent in late August, asked for a value of approximately US $213,000. “It's a small price for what will happen when your whole network goes down,” the email read. “Is it worth it? You decide!”

Following the extortion email, the threat actor conducted a volumetric attack on a custom port of four IP addresses serving the company’s subdomains. Two days later, the attackers carried out another DNS amplification attack against Travelex using Google DNS servers.

The email also said that if Travelex didn’t comply by a certain date, the ransom would “increase by 10 Bitcoin for each day after deadline that passed without payment.” A bitcoin wallet address in the email shows that Travelex did not pay the attackers at any point.

While it's unclear whether or not the North Korea-backed group was responsible for the note, Intel 471 VP of Intelligence Michael DeBolt says it’s “unlikely” to be related to the nation-state. “We've seen this come up quite a few times recently,” DeBolt said. “The attackers are trying to capitalize on the notoriety of well-known groups as a scare tactic to pressure victims into paying. The true actors or groups likely possess some DDoS capabilities that need to be taken seriously, so organizations should be prepared to deal with that sort of attack as part of their cybersecurity plan.”

The threat to Travelex comes as the company underwent one of the most notable ransomware attacks of the past year. In January, the company was hit with REvil ransomware, forcing it to suspend all of its online services, including its app and internal email systems, for several weeks.

Groups posing as nation-state hacking groups while threatening ransom-backed DDoS attacks have been bubbling up over the past year. In November 2019, New Zealand’s cybersecurity organization, CertNZ, issued a warning about ongoing extortion campaigns targeting companies in the financial sector. The threat actors claimed to represent the Russian hacker group Fancy Bear and demanded a ransom to avoid a DDoS attack. Additionally, the New Jersey Cybersecurity and Communications Integration Cell issued an advisory in August on actors who targeted the finance and retail sectors with DDoS attacks, claiming to be members of Fancy Bear and Armada Collective.

New Zealand-based enterprises have seen a rash of DDoS attacks over the past few months. In August, the New Zealand stock exchange was hit by a DDoS attack that spanned several days and caused a disruption of some services. The Meteorological Service of New Zealand, news media company Stuff, public-service radio broadcaster Radio New Zealand and Australian bank Westpac Banking Corp have also been hit with DDoS attacks in recent weeks.

ESET researchers uncover a novel Lazarus supply-chain attack leveraging WIZVERA VeraPort software

ESET telemetry data recently led our researchers to discover attempts to deploy Lazarus malware via a supply-chain attack in South Korea. In order to deliver its malware, the attackers used an unusual supply-chain mechanism, abusing legitimate South Korean security software and digital certificates stolen from two different companies.

The Lazarus group was first identified in Novetta’s report Operation Blockbuster in February 2016. US-CERT and the FBI call this group HIDDEN COBRA. These cybercriminals rose to prominence with the infamous case of cybersabotage against Sony Pictures Entertainment. Some of the past attacks attributed to the Lazarus group attracted the interest of security researchers who relied on Novetta et al.’s white papers with hundreds of pages describing the tools used in the attacks – the Polish and Mexican banks, the WannaCryptor outbreak, phishing campaigns against US defense contractors, the Lazarus KillDisk attack against a Central American casino, etc. – and provides grounds for the attribution of these attacks to the Lazarus group. Note that the Lazarus toolset (i.e., the collection of all files that are considered by the security industry as fingerprints of the group’s activity) is extremely broad, and we believe there are numerous subgroups. Unlike toolsets used by some other cybercriminal groups, none of the source code of any Lazarus tools has ever been disclosed in a public leak.
