From zero-day exploits to rampant ransomware

Kuwait Times - TECHNOLOGY

The second quarter of 2017 saw sophisticated threat actors unleash a wealth of new and enhanced malicious tools, including three zero-day exploits and two unprecedented attacks: WannaCry and ExPetr. Expert analysis of the last two suggests the code may have escaped into the wild before it was fully ready, an unusual situation for well-resourced attackers. These and other trends are covered in Kaspersky Lab’s latest quarterly threat intelligence summary.

The months from April to end June witnessed significant developments in targeted attacks by, among others, Russian-, English-, Korean- and Chinese-speaking threat actors. These developments have far-reaching implications for business IT security: sophisticated malicious activity is happening continuously almost everywhere in the world, increasing the risk of companies and non-commercial organizations becoming collateral damage in cyber warfare.

The allegedly nation-state-backed WannaCry and ExPetr destructive epidemics, whose victims included many companies and organizations across the globe, became the first but most likely not the last example of this new, dangerous trend.

Highlights in Q2 2017 include:

Three Windows zero-day exploits being used in the wild by the Russian-speaking Sofacy and Turla threat actors. Sofacy, also known as APT28 or FancyBear, deployed the exploits against a range of European targets, including governmental and political organizations. The threat actor was also observed trying out some experimental tools, most notably against a French political party member in advance of the French national elections.

Gray Lambert - Kaspersky Lab has analyzed the most advanced toolkit to date for the Lamberts group, a highly sophisticated and complex, English-speaking cyberespionage family. Two new related malware families were identified.

The WannaCry attack on 12 May and the ExPetr attack on 27 June. While very different in nature and targets, both were surprisingly ineffective as ‘ransomware’. For example, in the case of WannaCry, its rapid global spread and high profile put a spotlight on the attackers’ Bitcoin ransom account and made it hard for them to cash out. This suggests that the real aim of the WannaCry attack was data destruction. Kaspersky Lab’s experts discovered further ties between the Lazarus group and WannaCry. The pattern of destructive malware disguised as ransomware showed itself again in the ExPetr attack.

ExPetr, targeting organizations in Ukraine, Russia and elsewhere in Europe, also appeared to be ransomware but turned out to be purely destructive. The motive behind the ExPetr attacks remains a mystery. Kaspersky Lab’s experts have established a low-confidence link to the threat actor known as Black Energy.

“We have long maintained the importance of truly global threat intelligence to aid defenders of sensitive and critical networks. We continue to witness the development of overzealous attackers with no regard for the health of the Internet and those in vital institutions and businesses who rely on it on a daily basis. As cyberespionage, sabotage, and crime run rampant, it’s all the more important for defenders to band together and share cutting-edge knowledge to better defend against all threats,” said Juan Andres Guerrero-Saade, Senior Security Researcher, Global Research and Analysis Team, Kaspersky Lab.

The Q2 APT Trends report summarizes the findings of Kaspersky Lab’s subscriber-only threat intelligence reports. During the second quarter of 2017, Kaspersky Lab’s Global Research and Analysis Team created 23 private reports for subscribers, with Indicators of Compromise (IOC) data and YARA rules to assist in forensics and malware hunting.
