Kaspersky Lab has published the results of its more-than-year-long investigation into the activity of Lazarus – a notorious hacking group allegedly responsible for the theft of 81 million dollars from the Central Bank of Bangladesh in 2016.
During the forensic analysis of artefacts left by the group in South-East Asian and European banks, Kaspersky Lab has reached a deep understanding of what malicious tools the group uses and how it operates while attacking financial institutions, casinos, software developers for investment companies and crypto-currency businesses around the world. This knowledge has helped to interrupt at least two other operations which had one goal – to steal a large amount of money from financial institutions.
In February 2016, a group of hackers (unidentified at that time) attempted to steal $851 million USD, and managed to transfer 81 million USD from the Central Bank of Bangladesh. This is considered to be one of the largest, most successful cyber heists ever. Further investigation conducted by researchers from different IT security companies including Kaspersky Lab revealed a high chance that the attacks were conducted by Lazarus – a notorious cyber espionage and sabotage group responsible for a series of regular and devastating attacks, and known for attacking manufacturing companies, media and financial institutions in at least 18 countries around the world since 2009.
Although several months of silence followed the Bangladesh attack, the Lazarus group was still active. They had been preparing for a new operation to steal money from other banks and, by the time they were ready, they already had a foothold in a financial institution in South East Asia. After being interrupted by Kaspersky Lab products and the investigation that followed, they were set back for another few months, and later decided to change their operation by moving to Europe. But here too, their attempts were interrupted by Kaspersky Lab’s security software detections, as well as by quick incident response, forensic analysis and reverse engineering with support from the company’s top researchers.
Based on the results of the forensic analysis of these attacks, Kaspersky Lab researchers were able to reconstruct the modus operandi of the group.
Initial compromise: A single system inside a bank is breached either through remotely accessible vulnerable code (e.g. on a web server) or through a watering-hole attack, where an exploit is planted on a benign website. Once such a site is visited, the victim’s computer (that of a bank employee) is infected with malware, which then fetches additional components.
Foothold established: Then the group migrates to other bank hosts and deploys persistent backdoors – the malware allows them to come and go whenever they want.
Internal reconnaissance: Subsequently the group spends days and weeks learning the network and identifying valuable resources. Such a resource may be a backup server where authentication information is stored, a mail server, or the domain controller itself, which holds the keys to every “door” in the company, as well as servers storing or processing records of financial transactions.
Deliver and steal: Finally, they deploy special malware capable of bypassing the internal security features of financial software and issuing rogue transactions on behalf of the bank.
Geography and Attribution
The attacks investigated by Kaspersky Lab researchers lasted for weeks. However, the attackers could operate under the radar for months. For example, during the analysis of the incident in South-East Asia, experts discovered that hackers were able to compromise the bank network no less than seven months prior to the day when the bank’s security team requested incident response. In fact, the group had access to the network of that bank even before the day of the Bangladesh incident.
According to Kaspersky Lab records, from December 2015 malware samples relating to Lazarus group activity appeared in financial institutions, casinos, software developers for investment companies and crypto-currency businesses in Korea, Bangladesh, India, Vietnam, Indonesia, Costa Rica, Malaysia, Poland, Iraq, Ethiopia, Kenya, Nigeria, Uruguay, Gabon, Thailand and several other countries. The latest samples known to Kaspersky Lab were detected in March 2017, showing that the attackers have no intention of stopping.
Even though the attackers were careful enough to wipe their traces, at least one server they breached for another campaign contained a serious mistake: an important artefact had been left behind. In preparation for the operation, the server was configured as the command and control (C&C) center for the malware. The first connections made on the day of configuration came from a few VPN/proxy servers, indicating a testing period for the C&C server. However, there was one short connection on that day which came from a very rare IP address range in North Korea.
According to researchers, that could mean several things:
- The attackers connected from that IP address in North Korea
- It was someone else’s carefully planned false flag operation
- Someone in North Korea accidentally visited the command and control URL
The Lazarus group heavily invests in new variants of their malware. For months they were trying to create a malicious toolset which would be invisible to security solutions, but every time they did this, Kaspersky Lab’s specialists managed to identify unique features in how they create their code, allowing Kaspersky Lab to keep tracking the new samples. Now, the attackers have gone relatively quiet, which probably means that they have paused to rework their arsenal.
“We’re sure they’ll come back soon. In all, attacks like the ones conducted by Lazarus group show that a minor misconfiguration may result in a major security breach, which can potentially cost a targeted business hundreds of millions of dollars in loss. We hope that chief executives from banks, casinos and investment companies around the world will become wary of the name Lazarus,” said Vitaly Kamluk, Head of Global Research and Analysis Team APAC at Kaspersky Lab.
Kaspersky Lab products successfully detect and block the malware used by the Lazarus threat actor with the following specific detection names:
The company is also releasing crucial Indicators of Compromise (IOCs) and other data to help organisations search for traces of these attack groups in their corporate networks. For more information go to Securelist.com.
We urge all organisations to carefully scan their networks for the presence of Lazarus malware samples and, if detected, to disinfect their systems and report the intrusion to law enforcement and incident response teams.
Welcome to the world of 2099
The world of 2099 will be unrecognisable from the world of today, but it can be predicted, says one visionary. ARTHUR GOLDSTUCK met him in Singapore.
Futuristic structures tower over the landscape. Giant, alien-looking trees light up with dazzling colours amid the hundreds of plant species that grow up their trunks. Cosmetic stores sell their wares via public touch-screens, with products delivered instantly in drawers below the screens.
This is not a vision of the future. It is a sample of Singapore today. But it is also an inkling of the world we may all experience in the future.
Singapore was the venue, last week, of the World Cities Summit, where engineers, politicians, investors and visionaries rubbed shoulders as they talked about the strategies and policies that would enhance urban living in the future.
As part of the Summit, global payment technologies leader Mastercard hosted a small media briefing by one of Singapore’s leading thinkers about the future, Dr Damian Tan, managing director of Vickers Venture Partners. The company’s slogan, “We invest in the extraordinary”, offers a small clue to Tan’s perspective.
“We look as far forward as 2099 because, as a venture capital firm, we invest in the long term,” he tells a group of journalists from Africa and the Middle East. “Companies explode in growth because there is value in the future. If there is no growth, they won’t explode.”
The big question that the Smart Cities Summit and Mastercard are trying to help answer is, what will cities look like in the year 2099? Tan can’t give an exact answer, but he offers a framework that helps one approach the question.
“If you want to look at 81 years into the future, and understand the change that will come, you need to double that amount and look into the past. That takes us to 1856. The difference between then and now is the difference you can expect between now and 2099.”
- Arthur Goldstuck is founder of World Wide Worx and editor-in-chief of Gadget.co.za. Follow him on Twitter on @art2gee and on YouTube
Street art goes electric
Kaspersky Lab and British street artist D*Face have unveiled the first-ever “art helmet” design at the Formula E finale for electric cars in New York.
The ‘Save The World’ helmets will be raced by DS Virgin Racing’s drivers, Sam Bird and Alex Lynn, as they traverse the New York street circuit during the final races of the Formula E season.
The announcement signals the first art helmet by a Formula E team, continuing the heritage of art in motorsport and the cybersecurity brand’s commitment to contemporary art, creativity and innovation. D*Face took inspiration from Kaspersky Lab’s tagline, “A Company To Save The World”, and hopes that his colourful work will inspire people to take positive action.
D*Face will announce his first-ever art car design with a custom-made livery for the DS Virgin Racing Team. Its design will be released at the “Art Goes Green” event after Saturday’s race. The helmets and art car are the latest installations in the “Save the World” collection, following a major permanent public mural that was installed in Brooklyn, New York, in May.
D*Face, whose real name is Dean Stockton, said: “It is exciting to work with Kaspersky Lab on this project and create art with a real message of hope for a better future. After all, this is our world and we need to look after it. It will take every one of us to make a real lasting, impactful change. I love the mentality of the DS Virgin Racing Team and that of Formula E by showcasing sport in a way that doesn’t harm the environment, but is still just as exhilarating and fun.
“It is time for us all to stand together and make a change… be that stopping data steals, climate change, plastic waste or using damaging fuels. I want everyone to make a pledge to do one thing that will help make a change.”
As a sponsor of DS Virgin Racing Team, Kaspersky Lab is responsible for protecting the team’s devices against cyber threats. The company sees the technical environment in the global sport of Formula E as the next frontier in furthering its research and development of new technologies to keep vehicles secure in the digital world.
Sylvain Filippi, Managing Director at DS Virgin Racing, said: “The whole team fully supports this great initiative and our thanks go to Kaspersky and D*Face for their collaboration. It’s an honour to have such an innovative artist bring his talents to bear in our team ahead of the season finale; the car, drivers’ crash helmets and mural all look amazing.”
Aldo Fucelli Pessot del Bo, Head of Global Partnerships and Sponsorships at Kaspersky Lab added: “There is a need for innovation on a global scale, both in contemporary art and in the fast-growing sport of Formula E. Now, for the first time ever, Kaspersky Lab is proudly bringing together the two sectors in an effort to Save the World and unleash creativity, encourage freedom of expression and further innovation.”