
Lazarus Employs Public ManageEngine Exploit to Breach Internet Firms


The North Korean state-backed hacking group Lazarus has been compromising an internet backbone infrastructure provider and healthcare organisations by exploiting a major flaw (CVE-2022-47966) in Zoho's ManageEngine ServiceDesk. 

The attacks kicked off earlier this year with the goal of infiltrating companies in the United States and the UK in order to disseminate the QuiteRAT malware and a newly found remote access trojan (RAT) known as CollectionRAT. 

CollectionRAT was discovered after researchers analysed the infrastructure employed by the campaigns, which the threat actor had previously used for past assaults. 

Targeting internet firms 

Researchers at Cisco Talos observed attacks against UK internet enterprises in early 2023 when Lazarus exploited CVE-2022-47966, a pre-authentication remote code execution bug impacting numerous Zoho ManageEngine products.

"In early 2023, we observed Lazarus Group successfully compromise an internet backbone infrastructure provider in the United Kingdom to successfully deploy QuiteRAT. The actors exploited a vulnerable ManageEngine ServiceDesk instance to gain initial access," researchers at Cisco Talos stated. 

According to the analysts, Lazarus began using the exploit just five days after it became public. Multiple threat actors used the exploit in attacks, as discovered by Rapid7, Shadowserver, and GreyNoise, prompting CISA to issue a warning to organisations. 

Lazarus hackers dropped the QuiteRAT malware from an external URL after exploiting the vulnerability to infiltrate a target.

QuiteRAT, found in February 2023, is described as a basic yet powerful remote access trojan that appears to be a step up from the better-known MagicRAT, which Lazarus deployed in the second half of 2022 to target energy suppliers. 

The malware's code is leaner than MagicRAT's, and careful library selection has reduced its size from 18MB to 4MB while preserving the same set of functions, researchers added.

New Lazarus malware 

In a separate report published earlier this week, Cisco Talos stated that Lazarus hackers had developed a new malware known as CollectionRAT, which is related to the "EarlyRAT" family. The new threat was discovered when experts examined the infrastructure employed by the actor in earlier operations.

CollectionRAT's features include arbitrary command execution, file management, gathering system information, reverse shell creation, new process spawning, fetching and launching new payloads, and self-deletion. 

Another intriguing feature of CollectionRAT is its use of the Microsoft Foundation Class (MFC) framework, which allows it to decrypt and execute code on the fly, elude detection, and frustrate analysis. 

Cisco Talos found further indications of evolution in Lazarus' tactics, techniques, and procedures, notably the extensive use of open-source tools and frameworks: Mimikatz for credential stealing, PuTTY Link (Plink) for remote tunnelling, and DeimosC2 for command-and-control communication. 

This strategy makes it difficult to attribute, monitor, and create efficient defences because Lazarus leaves behind fewer identifiable traces.

Ukraine War: Major Internet Provider Suffers Cyber-Attack


A cyber-attack was launched against a major Ukrainian internet provider. Ukrtelecom is working to restore service after what it believes was an attack on its network, which was shut down to "safeguard the vital network infrastructure." 

Ukrtelecom JSC is Ukraine's incumbent telephone monopoly and is also active in the internet service and mobile markets. Yuriy Kurmaz, the CEO of the company, said in a statement: “In order to protect the critical network infrastructure and not interrupt services to the Armed Forces, other military bodies and users of critical infrastructure, we were forced to temporarily restrict internet access to most private users and business customers.” 

NetBlocks, an international internet monitoring organisation, stated it was the company's biggest outage since the beginning of the Russian invasion last month, with connectivity down to 13% of its level before President Vladimir Putin announced the war. 

They said on Twitter: “Update: Ukraine's national internet provider Ukrtelecom has confirmed a cyberattack on its core infrastructure. Real-time network data show an ongoing and intensifying nation-scale disruption to service, which is the most severe registered since the invasion by Russia.” 

According to the BBC, other people in Ukraine using various internet providers had no problems. In terms of geographical coverage, Ukrtelecom is the largest internet provider, although Kyivstar is the largest in terms of customer numbers. 

The United Nations has confirmed 1,179 civilian deaths and 1,860 civilian injuries since the war began in late February, but the total is believed to be substantially higher. Furthermore, the invasion has triggered a humanitarian crisis, with more than 10 million people forced to leave their homes, 3.8 million of them seeking refuge in neighbouring nations.