The links between the WannaCry ransomware and the Lazarus group, which is believed to be responsible for several high-profile attacks, are deeper and more substantial than previously thought, according to new evidence unearthed by security researchers.

The Lazarus group is a hacking team tied to North Korea that researchers have linked to a number of major intrusions, including the attack on the Bank of Bangladesh and the Sony Pictures Entertainment hack. Last week, researchers at Kaspersky Lab, who have studied the Lazarus group closely, said that the WannaCry ransomware had strong technical links to Lazarus. There are a number of code artifacts shared between tools used by the Lazarus group and WannaCry, and researchers at Symantec have published new details that show the ransomware campaign has several other technical links to the Lazarus group’s operations, too.

The first attacks involving WannaCry emerged in February, with others following in March and April. But those were highly targeted and didn’t use the exploit code and worm-like spreading mechanism that the current version does. The code in the ransomware is virtually identical, but the tactics are different.

“Analysis of these early WannaCry attacks by Symantec’s Security Response Team revealed substantial commonalities in the tools, techniques, and infrastructure used by the attackers and those seen in previous Lazarus attacks, making it highly likely that Lazarus was behind the spread of WannaCry. Despite the links to Lazarus, the WannaCry attacks do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign,” Symantec researchers said in a post analyzing the links.

“The first evidence Symantec has seen of WannaCry being used in the wild was February 10, 2017, when a single organization was compromised. Within two minutes of the initial infection, more than 100 computers in the organization were infected. The attackers left behind several tools on the victim’s network that provided substantial evidence into how WannaCry spread.”

Two files, mks.exe and hptasks.exe (see Appendix C: Indicators of Compromise), were found on one affected computer. The file mks.exe is a variant of Mimikatz, a password-dumping tool that is widely used in targeted attacks. “The latter file, hptasks.exe, was used to then copy and execute WannaCry on other network computers using the passwords stolen by mks.exe.”

The earlier WannaCry attacks also employed a pair of Trojans, known as Alphanc and Bravonc, that were used to drop the ransomware on compromised PCs. Alphanc is closely related to a variant of the Destover backdoor that was used in the attack on Sony Pictures Entertainment in 2014, and Bravonc uses an IP address for a command-and-control server that also has been used by the Duuzer variant of Destover. Aside from commonalities in the tools used to spread WannaCry, there are also a number of links between WannaCry itself and Lazarus.

Initiated by prior supply chain compromise

The 3CX supply chain compromise attack was carried out as hackers gained access to the company’s network and systems as a result of a different software supply chain attack involving a third-party application for futures trading, according to Mandiant. The hackers gained access to 3CX’s network after one of the company’s employees installed a futures trading platform called X_TRADER from Trading Technologies on their personal computer in 2022. This software had been trojanized with a backdoor as a part of a different software supply chain attack. The X_TRADER software was discontinued in 2020 but was still available for download from the company’s website in 2022. The attackers were then able to move laterally within 3CX’s network and inject malicious libraries into the Windows and macOS versions of the Desktop App. This is the first supply chain compromise attack that has led to a cascading software supply chain compromise, Mandiant said in the report.