In this article
- NCC Group and Fox-IT recently identified a campaign within the network of a financial sector customer. The campaign, which we codenamed Grapevine, has strong indications that it may be the work of the Lazarus group.
- As a continuously adapting threat actor of the first rank, Lazarus and its copycats continue to pose a threat globally and continue to hold the North Korean regime's favor.
- Based on our research into the Grapevine case, this article contains five recommendations on how to prevent a successful Lazarus-style attack on your business.
The North Korean hacker group Lazarus has been an adversary of stature and a state actor par excellence for more than a decade. And where other countries have a huge shortage of cybersecurity specialists, North Korea trains hundreds a year, albeit for offensive rather than defensive tasks. This is one of the reasons why Lazarus is able to develop good quality attack tools and keep improving them. It is also one of the reasons why we can still often recognize the group's numerous tools and attack methods.
In recent months, the NCC Group and Fox-IT Threat Analysis Group identified a Lazarus campaign during an incident response assignment that we codenamed Grapevine. This was a threat within a financial sector customer's network that we investigated and found to be typical of Lazarus.
By publishing the findings of our research, we aim to provide risk managers with the necessary information for active risk management. Our Managed Detection and Response (MDR) clients have already automatically received this information.
A threat actor that continuously adapts
In this article, based on a concrete real-world example, we discuss several countermeasures that businesses can take to reduce the risk of a successful Lazarus attack. These are measures that, of course, also reduce the risk of similar attacks by other groups.
As mentioned, Lazarus continues to evolve its attack methods and tools, and the same is true of other North Korean hacker groups. They are constantly adapting and improving their capabilities: their organization, equipment, tactics, and techniques. Over the years, we have seen that a pause, or an apparent pause, in Lazarus' operations can be the run-up to a later campaign. While one line of operations appears to have stalled, another is likely already in development, or even underway, exploiting new vulnerabilities.
Lazarus' agility and flexibility help North Korea effectively adapt attack methods in the short term to maintain the initiative so that it can achieve its goals and objectives in the long term. For risk management, it means constantly adapting countermeasures. By and large, however, the measures recommended here will greatly reduce risks in the longer term.
Target not always clear
Lazarus has several "subdivisions" that focus on stealing money. The unit behind the Grapevine case targets the financial sector and also deals in cryptocurrencies. The attackers may have been out to steal cryptocurrency, or they may have wanted the company's trading algorithms. However, it is unclear how those trading algorithms would really help Lazarus, or, more broadly, North Korea. Moreover, we have never been able to connect Lazarus with crypto market manipulation. It remains unclear what Lazarus was really after.
1. Should an attacker be stopped immediately?
Once an attack is discovered and the incident response starts, the management of the affected company must quickly decide whether all attack activity should be stopped, or whether to let the attack continue (in a controlled manner) and observe the attacker's activity to get a better overview of the attack. This is pre-eminently a management decision because it directly affects the business and the service.
What should be avoided in any case is reinstalling or reconfiguring affected computers, or those thought to be potentially affected, before evidence has been preserved. Once that happens, little or no forensic data is left, making it impossible to establish what the attackers did on those systems. Unfortunately, in the Grapevine case, some systems had already been reinstalled by the client as part of its mitigation actions before we were called in, which ruled out deeper investigation of those hosts. We strongly recommend that forensic artifacts, or preferably complete images (disk and, where possible, memory), be captured before a system is reinstalled. This also allows investigators to return to the original state of the system if new information emerges later in the investigation.
2. Two-factor authentication is not sufficient
The Grapevine attack presumably started with a phishing email to an acquaintance of one of the employees, and it does not appear to have been a targeted attack; we were, however, unable to find hard evidence for this. Once on the employee's computer, the attacker tried to move further into the network. They went after an account that was used from private workstations to connect to a virtual workstation in the cloud (in this case, Microsoft Azure). The authentication logs show that shortly after a valid authentication by 'patient zero' from the account's normal IP address, a second successful authentication occurs from an unknown foreign IP address. Unlike the first, this second authentication did not require two-factor authentication (2FA): the logs show that a valid token was presented to Microsoft Azure, and a token that already carries the MFA claim is accepted without a new prompt for the second factor.
This example shows that the advice to use two-factor authentication is sound in itself, but that its implementation, and the ways in which 2FA can be bypassed (here, by presenting a valid token, presumably taken from the compromised workstation), need attention to minimize the risk of intrusion. We further recommend monitoring log files for anomalous login behavior, such as concurrent sessions for one account from different IP addresses, or a session that satisfies MFA by token rather than by a fresh second factor from an address the account has never used. With such monitoring in place, the second login in the Grapevine case would have stood out. But the log files have to exist and be available, as the next section shows.
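The 'duplicate session' check described above, written out as an added example (this is not code from the original article or from NCC Group/Fox-IT): it runs over constructed Azure AD sign-in events and flags a successful sign-in that presented a token instead of performing a second factor, from an address the account has never completed MFA from. The sample events, the one-hour window and the helper names are assumptions made for the illustration; the field names follow the Azure AD sign-in log export.

```python
"""Spot the Grapevine-style pattern in Azure AD sign-in logs: an account completes
MFA from its usual address, and shortly afterwards a second successful sign-in
arrives from an unknown address that presents a token instead of performing a
second factor.

The six events below are constructed for this example. Their shape follows the
Azure AD sign-in log export (createdDateTime, userPrincipalName, ipAddress,
status.errorCode, authenticationDetails), but every value is invented.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SAMPLE_SIGNINS = """\
{"createdDateTime":"2023-05-10T08:02:11Z","userPrincipalName":"j.doe@example.com","ipAddress":"203.0.113.10","status":{"errorCode":0},"authenticationDetails":[{"authenticationMethod":"Password","succeeded":true},{"authenticationMethod":"Mobile app notification","succeeded":true}]}
{"createdDateTime":"2023-05-10T08:09:40Z","userPrincipalName":"j.doe@example.com","ipAddress":"198.51.100.77","status":{"errorCode":0},"authenticationDetails":[{"authenticationMethod":"Previously satisfied","authenticationStepResultDetail":"MFA requirement satisfied by claim in the token","succeeded":true}]}
{"createdDateTime":"2023-05-10T08:15:02Z","userPrincipalName":"a.smith@example.com","ipAddress":"203.0.113.22","status":{"errorCode":0},"authenticationDetails":[{"authenticationMethod":"Password","succeeded":true},{"authenticationMethod":"Mobile app notification","succeeded":true}]}
{"createdDateTime":"2023-05-10T08:16:30Z","userPrincipalName":"a.smith@example.com","ipAddress":"203.0.113.22","status":{"errorCode":0},"authenticationDetails":[{"authenticationMethod":"Previously satisfied","authenticationStepResultDetail":"MFA requirement satisfied by claim in the token","succeeded":true}]}
{"createdDateTime":"2023-05-10T09:01:00Z","userPrincipalName":"j.doe@example.com","ipAddress":"198.51.100.78","status":{"errorCode":50126},"authenticationDetails":[{"authenticationMethod":"Password","succeeded":false}]}
{"createdDateTime":"2023-05-11T08:00:00Z","userPrincipalName":"a.smith@example.com","ipAddress":"198.51.100.5","status":{"errorCode":0},"authenticationDetails":[{"authenticationMethod":"Previously satisfied","authenticationStepResultDetail":"MFA requirement satisfied by claim in the token","succeeded":true}]}
"""

# Assumed: one hour approximates an access-token lifetime, so a token replayed
# within it lines up with the "duplicate session" pattern from the article.
SHORT_WINDOW = timedelta(hours=1)

# Steps that do not count as a second factor performed in *this* sign-in.
FIRST_FACTOR_METHODS = {"Password", "Previously satisfied"}


def parse_signins(text):
    """Parse newline-delimited JSON sign-in events and sort them by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["_ts"] = datetime.strptime(
            event["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        events.append(event)
    return sorted(events, key=lambda e: e["_ts"])


def performed_second_factor(event):
    """True only if this sign-in itself completed a step beyond the password.

    A sign-in that merely presents a token already carrying an MFA claim still
    counts as "MFA required" in the log, but performs no fresh second-factor
    step. That gap is exactly what this function exposes.
    """
    return any(
        step.get("succeeded")
        and step.get("authenticationMethod") not in FIRST_FACTOR_METHODS
        for step in event.get("authenticationDetails", [])
    )


def find_token_replay_candidates(events, short_window=SHORT_WINDOW):
    """Return alerts for token-only successes from IPs with no MFA history.

    Per account, remember the IPs from which it completed MFA and the time of
    its most recent MFA sign-in. A success with no fresh second factor from an
    IP outside that set is a replay candidate; it is rated "high" when it lands
    within short_window of the last MFA sign-in, otherwise "medium".
    """
    mfa_ips = defaultdict(set)
    last_mfa = {}
    alerts = []
    for e in events:  # events must be in chronological order
        if e["status"]["errorCode"] != 0:
            continue  # failed sign-in: no session was established
        user, ip = e["userPrincipalName"], e["ipAddress"]
        if performed_second_factor(e):
            mfa_ips[user].add(ip)
            last_mfa[user] = e["_ts"]
            continue
        if ip in mfa_ips[user]:
            continue  # token reuse from an address that already passed MFA
        gap = e["_ts"] - last_mfa[user] if user in last_mfa else None
        alerts.append({
            "user": user,
            "ip": ip,
            "time": e["createdDateTime"],
            "seconds_since_mfa": None if gap is None else int(gap.total_seconds()),
            "severity": "high" if gap is not None and gap <= short_window else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_token_replay_candidates(parse_signins(SAMPLE_SIGNINS)):
        print(alert)
```

In a live tenant the same logic is usually expressed as a query over the sign-in log table or as an MDR rule, and the baseline of MFA-established addresses would be built from far more history than six events. The point of separating "MFA required" from "MFA performed" is that a replayed token satisfies the former without ever triggering the latter.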
3. Remember to log and make the logs accessible
The first hosts the Lazarus attackers targeted were Linux hosts. The logging on these hosts was limited, however, and recorded no process or command execution, so there was no trace of what the attackers ran there (on Linux, that level of detail requires process auditing, for example auditd rules on execve, with the records shipped off the host). Likewise, the Citrix and Azure logging did not contain enough detail to understand users' login behavior. The lack of sufficient logging on these systems meant a lack of insight into the attackers' activities. It is not only important that logging is enabled, but also that the logs are accessible in a system that makes investigation easy. The collected data should therefore not only be stored but also be quickly searchable and analyzable. Test in advance whether this is actually the case, for instance by tracing a known test action from the host to the central log platform.
The attackers' next targets were Windows servers. Because the logging on the Windows servers at this organization was in better order, we could see that the attackers managed to obtain higher privileges. This privilege escalation during lateral movement was most likely performed by DLL hijacking of a component with a known, published weakness of this kind. A vulnerability scan is the preferred way to find such issues in advance, and with Extended Detection and Response (XDR) the loading of an unexpected DLL by a privileged process would likely have been detectable.
4. Keep passwords out of memory in readable form
Attackers often try to collect credentials to gain access to accounts with more privileges. Windows WDigest authentication is a common target, because when it is enabled the Local Security Authority (LSASS) keeps users' logon credentials in memory in a form that can be read back as plain text. An attacker with administrator rights on the system can dump and read these passwords. Since Windows 8.1 and Windows Server 2012 R2 this caching is disabled by default (on Windows 7, 8, Server 2008 R2 and 2012, update KB2871997 adds the same switch, but there it has to be set to 0 explicitly), and it can be switched back on by setting the DWORD value UseLogonCredential to 1 under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest. That is exactly what the Grapevine attackers did in order to read passwords. We therefore recommend setting UseLogonCredential explicitly to 0 through policy, and treating any change of that value to anything else as an alert.
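The registry change from the Grapevine case turned into a detection, added here as an example rather than code from the original article: it scans constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records for writes to the WDigest UseLogonCredential value and flags anything that does not set it to 0. The registry path is the real one; the sample events, their field values and the function names are constructed for this illustration.

```python
"""Detect WDigest plaintext credential caching being switched back on, using
Sysmon Event ID 13 (RegistryEvent: Value Set) records.

The events are constructed for this example; the field names (EventID, UtcTime,
Image, User, TargetObject, Details) follow Sysmon's event data. The registry
value is the real one: HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders
\\WDigest, value UseLogonCredential (DWORD). 1 makes LSASS keep readable
credentials for WDigest; 0 keeps them out of memory.
"""
import re

# Lower-cased tail of the TargetObject path; Sysmon writes "HKLM\System\...".
WDIGEST_VALUE_SUFFIX = r"\securityproviders\wdigest\uselogoncredential"
# Sysmon renders DWORD values as e.g. "DWORD (0x00000001)".
DWORD_RE = re.compile(r"^DWORD \(0x([0-9a-fA-F]{8})\)$")

SAMPLE_EVENTS = [
    # Attacker-style change: the value is set to 1 from an interactive tool.
    {"EventID": 13, "UtcTime": "2023-05-12 14:03:17.120",
     "Image": "C:\\Windows\\System32\\reg.exe", "User": "CORP\\svc-backup",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
    # Hardening applied by policy: the value is set to 0.
    {"EventID": 13, "UtcTime": "2023-05-12 14:10:00.000",
     "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential",
     "Details": "DWORD (0x00000000)"},
    # Unrelated registry write under a different key.
    {"EventID": 13, "UtcTime": "2023-05-12 14:11:42.500",
     "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\RunAsPPL",
     "Details": "DWORD (0x00000001)"},
    # Process creation event: not a registry event at all.
    {"EventID": 1, "UtcTime": "2023-05-12 14:12:00.000",
     "Image": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\svc-backup"},
]


def dword_value(details):
    """Parse a Sysmon DWORD rendering into an int, or None if it is not one."""
    match = DWORD_RE.match(details or "")
    return int(match.group(1), 16) if match else None


def is_wdigest_uselogoncredential(target_object):
    """Match the value path case-insensitively, whatever hive prefix is used."""
    return (target_object or "").lower().endswith(WDIGEST_VALUE_SUFFIX)


def wdigest_alerts(events):
    """Return one alert per Value Set event that leaves UseLogonCredential != 0.

    A write of 0 is the expected hardening; anything else (1, another number,
    or a non-DWORD type that LSASS would not treat as "off") is reported.
    """
    alerts = []
    for e in events:
        if e.get("EventID") != 13:
            continue
        if not is_wdigest_uselogoncredential(e.get("TargetObject")):
            continue
        if dword_value(e.get("Details")) == 0:
            continue  # explicit 0: credentials stay out of memory
        alerts.append({
            "time": e.get("UtcTime"),
            "user": e.get("User"),
            "image": e.get("Image"),
            "details": e.get("Details"),
            "reason": "WDigest UseLogonCredential changed to a non-zero value",
        })
    return alerts


if __name__ == "__main__":
    for alert in wdigest_alerts(SAMPLE_EVENTS):
        print(alert)
```

Without Sysmon, the Windows Security log can give the same signal via event 4657 (a registry value was modified), but only if object access auditing is enabled and a SACL has been set on the WDigest key. Whichever source is used, the hardening side is an explicit UseLogonCredential = 0 pushed by policy, so that any reappearance of 1 is unambiguous.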
5. Implement network segmentation
Finally, there are two important measures that make it as hard as possible for attackers to penetrate deeper into the network. The first is network segmentation, which stops an intruder from moving beyond the segment(s) they have already reached. The second is to allow administrative activities only from dedicated workstations on site, and to reject administrative logons from anywhere else. That way, an attacker who obtains administrator credentials still cannot use them from the host they control.
The continuous threat of Lazarus
While the Lazarus group is notorious for its relentless efforts to improve and adapt its tools, the group is not invincible; no threat actor is. With proper due diligence and a clear strategy for when an attack does occur, a lot can be done to stop the story from ending in favor of Lazarus or any lesser North Korean operation. Preserve affected computers instead of reinstalling them; implement two-factor authentication so that it cannot be bypassed with a replayed token; remember to log and to make your logs accessible; be wary of attackers' attempts to collect credentials; and finally, implement network segmentation. Doing so will make life more difficult for any Lazarus-inspired threat actor, or for the culprit itself.
Want to know more about the Lazarus group?
Read our portrait of the threat actor group or watch our Threat Monitor webinar where we shine a light on the Lazarus group.