RL Blog

The Week in Security: Lazarus attacks same South Korean entity twice, use of hard-coded secrets is up

Carolynn van Arsdale, Writer, ReversingLabs


Welcome to the latest edition of The Week in Security, which brings you the newest headlines from both the world and our team across the full stack of security: application security, cybersecurity, and beyond. This week: North Korean-linked hacking group Lazarus attacked the same South Korean financial entity twice in 2022. Also: The number of hard-coded secrets is way up. 

This Week’s Top Story

Lazarus hacking group rises after new details emerge from its latest attack on a South Korean financial org

According to The Hacker News, Lazarus, a North Korean-linked hacking group, attacked the same financial business entity in South Korea twice in 2022. In the first attack, in May 2022, Lazarus exploited a known vulnerability in a certificate software program that is widely used by public institutions and universities. In the second attack, in October 2022, the group exploited a zero-day in that same program.

AhnLab Security Emergency Response Center (ASEC), the firm that discovered both attacks, has not yet named the exploited software because "the vulnerability has not been fully verified," ASEC said in an update. In the October attack, the initial access vector is still unknown; once inside, the attackers abused the zero-day to move laterally. Lazarus then used a Bring Your Own Vulnerable Driver (BYOVD) attack to disable the AhnLab V3 anti-malware engine, a technique the group has used in prior attacks according to AhnLab and ESET, another cybersecurity firm.

Lazarus also tried to evade detection by renaming files before deleting them and by altering file timestamps (timestomping), an anti-forensic technique that undermines timeline analysis. The attack also delivered multiple backdoor payloads that connect to a remote command-and-control (C2) server, from which Lazarus retrieved additional binaries and executed them in memory without writing them to disk, a fileless technique.
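Timestomping only rewrites the timestamps a caller is allowed to set, which is what gives an analyst something to check. As an added example (not ASEC's or ReversingLabs' code), the Python below backdates a file the way a timestomping tool would, then applies two heuristics an incident responder can run on POSIX systems: the content-modified time sitting far behind the inode change time, which utime cannot rewrite, and a modification time whose sub-second field is exactly zero, the fingerprint of tools that write whole seconds. The temporary file, its name and the 2015 date are constructed for the demo.

```python
"""Timestomping demo and a two-signal heuristic for spotting it (added example)."""
import os
import tempfile
from dataclasses import dataclass, field

NS_PER_SECOND = 1_000_000_000


@dataclass
class TimestampCheck:
    path: str
    mtime_ns: int
    ctime_ns: int
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Either signal alone is common on clean systems; demand both.
        return len(self.reasons) == 2


def timestomp(path: str, epoch_seconds: int) -> None:
    """Backdate atime and mtime to a whole-second value, as a timestomping
    tool would. Only the ordinary utime syscall is needed; no privileges."""
    os.utime(path, (epoch_seconds, epoch_seconds))


def check_timestomp(path: str, min_gap_seconds: int = 86400) -> TimestampCheck:
    st = os.stat(path)
    result = TimestampCheck(path, st.st_mtime_ns, st.st_ctime_ns)
    # Signal 1: utime cannot rewrite ctime (inode change time on POSIX), so a
    # content time far behind the metadata-change time means either a later
    # chmod/chown or a backdated mtime.
    if st.st_ctime_ns - st.st_mtime_ns > min_gap_seconds * NS_PER_SECOND:
        result.reasons.append("mtime predates ctime by more than the allowed gap")
    # Signal 2: kernel-set timestamps carry sub-second noise; tools that write
    # whole seconds leave the nanosecond field exactly zero.
    if st.st_mtime_ns % NS_PER_SECOND == 0:
        result.reasons.append("mtime sub-second field is exactly zero")
    return result


def demo():
    """Create a file, check it, backdate it to 2015-01-01, check again.
    Returns the (before, after) TimestampCheck pair."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "dropper.dll")  # constructed name for the demo
        with open(path, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62)     # constructed content, not a real PE
        before = check_timestomp(path)
        timestomp(path, 1420070400)            # 2015-01-01T00:00:00Z
        after = check_timestomp(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("fresh file:", before.suspicious, before.reasons)
    print("backdated :", after.suspicious, after.reasons)
```

On NTFS the stronger check is comparing the user-settable $STANDARD_INFORMATION timestamps against the $FILE_NAME timestamps in the MFT, which user-mode setters cannot reach; that needs a forensic parser rather than os.stat. On Windows, os.stat reports creation time in st_ctime, so the first heuristic there reads as "modified before created", which is still a valid signal. Both heuristics have benign explanations (a chmod on a long-idle file, an archive extracted with whole-second timestamps), so treat them as leads, not verdicts.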

According to ASEC, Lazarus is a capable threat actor that continually researches software vulnerabilities and changes its TTPs (tactics, techniques and procedures), for example by "altering the way they disable security products and carry out anti-forensic techniques," which lets the group interfere with or delay detection and analysis. Given its willingness to exploit new vulnerabilities, the group is likely to carry out further attacks in South Korea and elsewhere.

News Roundup

Here are the stories we’re paying attention to this week… 

Hard-coded secrets are up 67% as secrets sprawl threatens software supply chain (CSO)

According to GitGuardian’s State of Secrets Sprawl 2023 report, the number of detected hard-coded secrets increased by 67% last year compared to 2021, with 10 million new secrets discovered in public GitHub commits in 2022. 
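Most of those 10 million secrets reached a public commit because nothing scanned the diff before it was pushed. As an added example (not from the GitGuardian report or from ReversingLabs), here is a minimal pre-commit secret scanner in Python: it matches a few token formats with a fixed, documented layout by signature, and falls back to a Shannon-entropy test for generic `secret = "..."` assignments so that placeholders such as `changeme` are not reported. The sample lines, the variable names and the `ghp_` value are constructed for the demo; the AWS value is the example key used in AWS documentation, not a live credential.

```python
"""Minimal secret scanner for staged diffs or source lines (added example)."""
import math
import re
import sys
from dataclasses import dataclass

# Signature patterns for token formats with a fixed, documented layout.
SIGNATURES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Fallback: a secret-looking name assigned a quoted literal of 20+ characters.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:secret|token|password|passwd|api[_-]?key)\s*[:=]\s*['\"]([^'\"]{20,})['\"]"
)


@dataclass
class Finding:
    line_no: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character of s. Random tokens score near log2(alphabet size);
    English words and placeholders score noticeably lower."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_lines(lines, entropy_threshold: float = 4.5):
    """Return a Finding for each line carrying a known-format token, or a
    high-entropy literal assigned to a secret-looking name."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        hit = False
        for kind, pattern in SIGNATURES.items():
            m = pattern.search(line)
            if m:
                findings.append(Finding(line_no, kind, m.group(0)))
                hit = True
        if hit:
            continue  # a signature match already explains this line
        m = GENERIC_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(1)) >= entropy_threshold:
            findings.append(Finding(line_no, "high_entropy_assignment", m.group(1)))
    return findings


# Constructed sample: the kind of lines that end up in a careless commit.
# The AWS value is the AWS documentation example key; everything else is made up.
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'GITHUB_TOKEN = "ghp_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789"',
    'password = "changeme-in-production"',           # placeholder: low entropy, not reported
    'api_key = "k8Qz2vL9pX4mT7yW1nR6sD3fG5hJ0bC2"',  # random-looking: reported
    '-----BEGIN RSA PRIVATE KEY-----',
]

if __name__ == "__main__":
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin.read().splitlines()
    hits = scan_lines(source)
    for f in hits:
        print(f"line {f.line_no}: {f.kind}: {f.value[:8]}...")
    sys.exit(1 if hits else 0)  # non-zero exit blocks the commit in a hook
```

Wire it to `git diff --cached -U0` in a pre-commit hook. The 4.5 bits-per-character threshold over values of 20 or more characters is a common starting point, but it misses short or low-entropy secrets and flags some random-looking non-secrets, and no scanner is a substitute for rotating anything that has already reached a public commit.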

Israel blames prolific Iranian-linked hacking group for February university hack (Cyberscoop)

A prolific hacking group known as MuddyWater, which is affiliated with the Iranian government, is responsible for the Feb. 11 cyberattack on Technion University in Israel, the Israeli government said this past Tuesday.

Emotet malware attacks return after three-month hiatus (BleepingComputer)

Emotet is a notorious malware family distributed through emails carrying malicious Microsoft Word and Excel attachments. When a user opens one of these documents with macros enabled, the macro downloads the Emotet DLL and loads it into memory.

Darktrace warns of rise in AI-enhanced scams since ChatGPT release (The Guardian)

The cybersecurity firm Darktrace has warned that since the release of ChatGPT it has seen an increase in criminals using artificial intelligence to create more sophisticated scams to con employees and hack into businesses.

New TPM 2.0 flaws could let hackers steal cryptographic keys (BleepingComputer)

The Trusted Platform Module (TPM) 2.0 specification is affected by two buffer overflow vulnerabilities that could allow attackers to access or overwrite sensitive data, such as cryptographic keys.
