Displaying items by tag: apts

GUEST OPINION by Raj Samani, Chief Scientist, Rapid7: The “evolving threat landscape” is a phrase we hear constantly in webinars and presentations across the cybersecurity industry. The catch-all term is meant to capture the litany of threat groups and their changing tactics, but in many ways it fails to acknowledge how much their capabilities have grown. This is particularly true of APT groups, which have for years shown a remarkable improvement in their ability to remain undetected and to carry out the instructions of those orchestrating the broader campaigns under which they operate.

The latest research paper from Rapid7 Labs examines the tactics of North Korea’s Kimsuky threat group. It is published both as a lesson in the evolving capabilities of a highly adept and industrious threat group and, more importantly, to give security teams the insights they need to implement defensive strategies.

Key insights to be found in this research include:

Targeting capabilities

The paper details Kimsuky’s delivery method, which remains largely email, but a key component of that is determining whom to target and which lure is likely to be most effective.

Historically, this group has been particularly successful at the latter, investing considerable time and expense in identifying the specific individuals on whom to focus its attention.

It is all too easy to shrug and cite security awareness as the panacea control that prevents all such initial entry vectors. The reality is that we all remain susceptible, given the right hook, and this group’s ability to target and compromise individuals around the globe shows an alarming capacity to elicit a response from victims.

Evolving technical capabilities

As detailed earlier this year, we are seeing technical innovation born of the need to evade security controls within the victim environment. In this instance the paper details the use of .LNK file payloads derived from an LNK builder proof of concept. This, however, is just the tip of the iceberg; many other payloads are delivered by alternative methods.

What this reveals, with a very high degree of confidence, is a sustained effort to improve tooling. Much as one component of the group is dedicated to strong OSINT (as above), a subset of the group is likely dedicated to technical innovation as a means of evading detection.
That allows the group to build an arsenal of malware that can be used at will and, more importantly, extended as defensive techniques improve.
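Worked example of the kind of check a defender wants once LNK delivery is on the table. This is added code, not from the Rapid7 paper, iTWire or Kimsuky's builder: it writes a minimal shortcut in the MS-SHLLINK format, parses the header and string fields back, and scores them with simple heuristics (a script host in the target, a minimised-window ShowCommand, a document-viewer icon, padded arguments). The sample shortcuts, the keyword lists and the `triage_lnk` scoring are this example's own assumptions, not indicators from the paper.

```python
"""Added example (not from the Rapid7 paper or iTWire): build a minimal Windows shortcut
(.LNK, MS-SHLLINK), parse it back and score it, as an analyst triaging attachments from a
group known to deliver LNK payloads would. All samples are constructed; no real lure is used."""
import struct
import uuid

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional sections follow the header
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SHELL_LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
HEADER_FMT = "<I16sIIQQQIIIHHII"      # ShellLinkHeader: size, CLSID, flags, ... = 0x4C bytes
HEADER_SIZE = struct.calcsize(HEADER_FMT)
SW_SHOWMINNOACTIVE = 7                 # ShowCommand value lures use to keep the console out of sight
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                 (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"))  # fixed order (2.4)


def build_lnk(relative_path, arguments, show_command=1, icon_location=None):
    """Serialise header + StringData + TerminalBlock; no IDList or LinkInfo (assumed layout)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    if icon_location is not None:
        flags |= HAS_ICON_LOCATION
    header = struct.pack(HEADER_FMT, HEADER_SIZE, SHELL_LINK_CLSID.bytes_le, flags,
                         0x20,                      # FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,                   # creation/access/write FILETIMEs left zero
                         0, 0,                      # FileSize, IconIndex
                         show_command, 0, 0, 0, 0)  # ShowCommand, HotKey, Reserved1..3

    def string_data(s):                # CountCharacters (u16) followed by UTF-16LE chars, no NUL
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = string_data(relative_path) + string_data(arguments)
    if icon_location is not None:
        body += string_data(icon_location)
    return header + body + b"\x00\x00\x00\x00"   # ExtraData TerminalBlock


def parse_lnk(data):
    """Return header fields plus whichever StringData entries the LinkFlags declare."""
    if len(data) < HEADER_SIZE:
        raise ValueError("truncated ShellLinkHeader")
    (hsize, clsid, flags, _attrs, _ct, _at, _wt, fsize, _icon_idx,
     show_cmd, _hk, _r1, _r2, _r3) = struct.unpack(HEADER_FMT, data[:HEADER_SIZE])
    if hsize != HEADER_SIZE or clsid != SHELL_LINK_CLSID.bytes_le:
        raise ValueError("not a Shell Link")
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:    # skipped here; a full tool walks it too, since the
        (idlist_size,) = struct.unpack_from("<H", data, pos)   # real target may live only there
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:
        (linkinfo_size,) = struct.unpack_from("<I", data, pos)   # LinkInfoSize includes itself
        pos += linkinfo_size
    unicode = bool(flags & IS_UNICODE)
    out = {"flags": flags, "show_command": show_cmd, "file_size": fsize}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, pos)
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError("truncated StringData")
        out[key] = raw.decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return out


# Heuristic keyword lists are this example's assumptions, not indicators from the paper
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "certutil")
EVASION_HINTS = ("-enc", "-w hidden", "-windowstyle", "bypass", "iex", "downloadstring", "http")
VIEWER_HINTS = ("winword", "excel", "acrord32", "hwp", ".pdf", ".doc")   # what a lure pretends to be


def triage_lnk(data):
    """Score one shortcut; returns (score, reasons). Zero means nothing here looked off."""
    info = parse_lnk(data)
    target = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    reasons = []
    if any(h in target for h in SCRIPT_HOSTS):
        reasons.append("launches a script host")
    if any(h in target for h in EVASION_HINTS):
        reasons.append("arguments carry encoding/hiding/download keywords")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window minimised (SW_SHOWMINNOACTIVE)")
    if reasons and any(h in info.get("icon_location", "").lower() for h in VIEWER_HINTS):
        reasons.append("icon borrowed from a document viewer")
    if len(info.get("arguments", "")) > 260:   # Explorer's Target box truncates long commands
        reasons.append("oversized argument string")
    return len(reasons), reasons


# Constructed samples: a plain shortcut and a lure-shaped one (placeholder base64, not a payload)
SAMPLE_BENIGN = build_lnk(r"..\..\..\Program Files\Notepad++\notepad++.exe", "notes.txt")
SAMPLE_LURE = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-nop -w hidden -enc QQBBAEEA" + " " * 300,
    show_command=SW_SHOWMINNOACTIVE,
    icon_location=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE")
```

Calling `triage_lnk(open(path, "rb").read())` over a directory of attachments gives a quick first pass; anything scoring above zero gets a second look. The parser deliberately skips the IDList and LinkInfo sections, so a shortcut whose only target lives in the IDList needs a fuller parser before it can be scored, and the keyword lists will want tuning to the environment.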

Always on the move
The historic reliance on reputation as the means of identifying malicious infrastructure is fast becoming ineffective. Politely put, and as demonstrated in the paper, Kimsuky establishes infrastructure across the globe but quickly moves to new domains as needed. This is another example of how the group understands and develops the ability to move quickly as it identifies new targets.

In addition, the publication provides tactical, actionable insights into the defensive measures that can be taken. Full details of detection coverage are included in the paper, as are the persistence mechanisms used by the threat actor, which are a critical indicator of compromise during retroactive threat hunts. All TTPs detailed in the paper are also incorporated into detection coverage across the Rapid7 portfolio.

Published in Guest Research

Microsoft's Windows operating system is the target of a massive majority of the malicious software that abounds these days. And it has adopted the same strategy for avoiding blame as it did with the problem of viruses and worms: presenting itself as part of the solution, not the problem.

Published in Open Sauce
Monday, 14 September 2020 06:15

Kaspersky raises the red FUD flag over Linux

Russian security firm Kaspersky has published a blog post about the alleged threat to Linux from targeted attacks and so-called advanced persistent threats — code for state-based actors — that falls squarely into the category known as FUD.

Published in Open Sauce

Security outfit FireEye has rebranded its expertise- and intelligence-backed offerings under the name of its threat intelligence unit, Mandiant, raising the possibility that it may look to sell the unit, which it acquired in 2013 for about US$1 billion.

Published in Security

Canadian security software and services firm Blackberry claims five attack groups serving the interests of China have been targeting Linux servers, Windows systems and Android devices for nearly 10 years, remaining undetected in the process.

Published in Security

Russian security outfit Kaspersky says it will continue to provide details of advanced persistent threats (APTs or nation-state actors) no matter the country of their origin, but these details will only be available to customers who subscribe to their services.

Published in Security

Russian security outfit Kaspersky, formerly known as Kaspersky Lab, has opened its threat intelligence portal to a bigger audience from Thursday onwards. The service was previously available to business customers and as a premium service only.

Published in Security

Russian security firm Kaspersky — formerly Kaspersky Lab — appears to be providing details of campaigns by nation-state actors, including from the US, to those who subscribe to its private APT (advanced persistent threat or nation-state actors) intelligence reports, judging by one of its recent blog posts.

Published in Security

Russia’s largest cybercriminal arrest has happened in part thanks to the enlightened efforts of security supremos Kaspersky Lab, with 50 members of the Lurk gang arrested.

Published in Security
