SPONSORED CONTENT

Kaspersky reveals two APT incidents related to vaccine research

December 30, 2020 23:30 IST
Tennis player James Blake
Kaspersky

In the autumn of 2020, Kaspersky researchers identified two APT incidents that targeted entities related to COVID-19 research -a Ministry of Health body and a pharmaceutical company. Kaspersky experts assessed with high confidence that the activities can be attributed to the infamous Lazarus group.

As the pandemic and restrictive measures across the world continue, many parties involved are trying to speed up vaccine development by any means available. While most of the work is well-intentioned, there is another side to this coin as some threat actors are trying to capitalize on this for their own gain. As they continue to track the Lazarus group's ongoing campaign targeting various industries, Kaspersky experts have discovered that the actor went after COVID-19-related entities just a couple of months ago. Namely, two incidents were identified.

The first one was an attack against a Ministry of Health body. Two Windows servers in the organization were compromised with sophisticated malware on October 27, 2020. The malware used is known Kaspersky, named 'wAgent'. Closer analysis has shown that the wAgent malware used against the Ministry of Health has the same infection scheme as the malware Lazarus group previously used in attacks on cryptocurrency businesses.

The second incident involved a pharmaceutical company. According to Kaspersky telemetry, the company was breached on September 25, 2020. This company is developing a COVID-19 vaccine and is also authorized to produce and distribute it. This time, the attacker deployed the Bookcode malware, previously reported () by a security vendor to be connected to Lazarus, in a supply chain attack through a South Korean software company. Kaspersky researchers also witnessed the Lazarus group carry out spear-phishing or strategically compromise websites in order to deliver Bookcode malware in the past.

Both wAgent and Bookcode malware, used in both attacks, have similar functionalities, such as a full-featured backdoor (). After deploying the final payload, the malware operator can control a victim's machine in nearly any manner they wish.

Given the noted overlaps, Kaspersky researchers confirm with high confidence that both incidents are connected to the Lazarus group. The research is still ongoing.

"These two incidents reveal the Lazarus group's interest in intelligence related to COVID-19. While the group is mostly known for its financial activities, it is a good reminder that it can go after strategic research as well. We believe that all entities currently involved in activities such as vaccine research or crisis handling should be on high alert for cyberattacks," commented Seongsu Park, a security expert at Kaspersky.

Kaspersky products detect the wAgent malware as HEUR:Trojan.Win32.Manuscrypt.gen and Trojan.Win64.Manuscrypt.bx.

The Bookcode malware is detected as Trojan.Win64.Manuscrypt.ce.

To stay safe from sophisticated threats, Kaspersky recommends taking the following security measures:

*Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal () grants access to the company's TI, providing cyberattack data and insights gathered by Kaspersky for more than 20 years. Free access to its curated features that allow users to check files, URLs and IP addresses is available here

*Provide your staff with basic cybersecurity hygiene training (), as many targeted attacks start with phishing or other social engineering techniques.

*Organizations that would like to conduct their own investigations will benefit from Kaspersky Threat Attribution Engine (). It matches a discovered malicious code against malware databases, and, based on the code similarities, attributes it to previously revealed APT campaigns.

*For endpoint level detection, investigation and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response ().

*In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as the Kaspersky Anti Targeted Attack Platform ().

For further details on the new exploits documented above, read the full report on Securelist ().

This story is provided by Bloomingdale. ANI will not be responsible in any way for the content of this article.

DISCLAIMER


(This story has not been edited by Business Standard staff and is auto-generated from a syndicated feed.)

 

Dear Reader,


Business Standard has always strived hard to provide up-to-date information and commentary on developments that are of interest to you and have wider political and economic implications for the country and the world. Your encouragement and constant feedback on how to improve our offering have only made our resolve and commitment to these ideals stronger. Even during these difficult times arising out of Covid-19, we continue to remain committed to keeping you informed and updated with credible news, authoritative views and incisive commentary on topical issues of relevance.
We, however, have a request.

As we battle the economic impact of the pandemic, we need your support even more, so that we can continue to offer you more quality content. Our subscription model has seen an encouraging response from many of you, who have subscribed to our online content. More subscription to our online content can only help us achieve the goals of offering you even better and more relevant content. We believe in free, fair and credible journalism. Your support through more subscriptions can help us practise the journalism to which we are committed.

Support quality journalism and subscribe to Business Standard.

Digital Editor

Kaspersky reveals two APT incidents related to vaccine research

In the autumn of 2020, Kaspersky researchers identified two APT incidents that targeted entities related to COVID-19 research -a Ministry of Health body and a pharmaceutical company. Kaspersky experts assessed with high confidence that the activities can be attributed to the infamous Lazarus group.

As the pandemic and restrictive measures across the world continue, many parties involved are trying to speed up vaccine development by any means available. While most of the work is well-intentioned, there is another side to this coin as some threat actors are trying to capitalize on this for their own gain. As they continue to track the Lazarus group's ongoing campaign targeting various industries, Kaspersky experts have discovered that the actor went after COVID-19-related entities just a couple of months ago. Namely, two incidents were identified.

The first one was an attack against a Ministry of Health body. Two Windows servers in the organization were compromised with sophisticated malware on October 27, 2020. The malware used is known Kaspersky, named 'wAgent'. Closer analysis has shown that the wAgent malware used against the Ministry of Health has the same infection scheme as the malware Lazarus group previously used in attacks on cryptocurrency businesses.

The second incident involved a pharmaceutical company. According to Kaspersky telemetry, the company was breached on September 25, 2020. This company is developing a COVID-19 vaccine and is also authorized to produce and distribute it. This time, the attacker deployed the Bookcode malware, previously reported () by a security vendor to be connected to Lazarus, in a supply chain attack through a South Korean software company. Kaspersky researchers also witnessed the Lazarus group carry out spear-phishing or strategically compromise websites in order to deliver Bookcode malware in the past.

Both wAgent and Bookcode malware, used in both attacks, have similar functionalities, such as a full-featured backdoor (). After deploying the final payload, the malware operator can control a victim's machine in nearly any manner they wish.

Given the noted overlaps, Kaspersky researchers confirm with high confidence that both incidents are connected to the Lazarus group. The research is still ongoing.

"These two incidents reveal the Lazarus group's interest in intelligence related to COVID-19. While the group is mostly known for its financial activities, it is a good reminder that it can go after strategic research as well. We believe that all entities currently involved in activities such as vaccine research or crisis handling should be on high alert for cyberattacks," commented Seongsu Park, a security expert at Kaspersky.

Kaspersky products detect the wAgent malware as HEUR:Trojan.Win32.Manuscrypt.gen and Trojan.Win64.Manuscrypt.bx.

The Bookcode malware is detected as Trojan.Win64.Manuscrypt.ce.

To stay safe from sophisticated threats, Kaspersky recommends taking the following security measures:

*Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal () grants access to the company's TI, providing cyberattack data and insights gathered by Kaspersky for more than 20 years. Free access to its curated features that allow users to check files, URLs and IP addresses is available here

*Provide your staff with basic cybersecurity hygiene training (), as many targeted attacks start with phishing or other social engineering techniques.

*Organizations that would like to conduct their own investigations will benefit from Kaspersky Threat Attribution Engine (). It matches a discovered malicious code against malware databases, and, based on the code similarities, attributes it to previously revealed APT campaigns.

*For endpoint level detection, investigation and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response ().

*In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as the Kaspersky Anti Targeted Attack Platform ().

For further details on the new exploits documented above, read the full report on Securelist ().

This story is provided by Bloomingdale. ANI will not be responsible in any way for the content of this article.

DISCLAIMER


(This story has not been edited by Business Standard staff and is auto-generated from a syndicated feed.)

image
Business Standard
177 22