5 Ways to Minimize the Risk of Lazarus Group Hacking

    Online hacks frequently target cryptocurrency users, as seen in the recent case of Mark Cuban losing nearly a million dollars from his digital wallet. However, there are five straightforward guidelines that can significantly enhance the security of your funds, and this article discusses them.

    Before we delve into these guidelines, it is essential to comprehend the current threat landscape.

    FBI Presents Solid Evidence on the Lazarus Group

    The Lazarus Group is a hacking group sponsored by the North Korean government. They are notorious for their advanced cyberattacks, including the WannaCry ransomware attack. WannaCry caused significant disruptions in various organizations, such as healthcare institutions and government agencies. It encrypted files on infected computers and demanded ransom payments in Bitcoin.

    One of the group’s early hacks in the cryptocurrency realm was the breach of South Korean crypto exchange Yapizon (later rebranded to Youbit) in April 2017. This resulted in the theft of 3,831 Bitcoin, valued at over $4.5 million at the time.

    The Lazarus Group’s involvement in the cryptocurrency space has raised concerns about their ability to generate funds for the North Korean regime while evading international sanctions. In 2022, they were linked to several high-profile cryptocurrency hacks, including the theft of $620 million from Axie Infinity bridge Ronin.

    The Federal Bureau of Investigation (FBI) has attributed multiple hacks, such as Alphapo, CoinsPaid, and Atomic Wallet, to the Lazarus Group. They estimate that the group has stolen over $200 million through these hacks in 2023.

    Just recently, the FBI linked the Lazarus Group to a $41 million hack of the crypto gambling site Stake. This attack was carried out through a spear-phishing campaign targeting the site’s employees.

    Lastly, according to the blockchain security firm SlowMist, the $55 million hack of the crypto exchange CoinEx was perpetrated by the North Korean state-sponsored hackers.

    Social Engineering and Human Error: Common Factors in Hacks

    Contrary to what movies often depict, most hacks don’t involve physical device access or brute-forcing passwords. Instead, they occur through phishing and social engineering techniques, exploiting human curiosity or greed to manipulate victims.

    Hackers may pretend to be customer support representatives or other trusted individuals to deceive victims into revealing their personal information. For example, an attacker might masquerade as an IT support agent, contacting an employee and claiming they need to verify their login credentials for a system update. To establish credibility, the attacker may use public information about the company and the target’s role.

    Phishing attacks rely on deceptive emails or messages to trick recipients into taking harmful actions. An attacker might impersonate a reputable organization like a bank and send an email asking the user to click on a link to verify their account. However, the link leads to a fraudulent website designed to steal their login credentials.

    Baiting attacks entice victims with something appealing, such as free software or a job opportunity. The attacker poses as a recruiter and creates a convincing job posting on a reputable job search site. To gain trust, they may even conduct a fake video interview and later inform the candidate that they have been selected. The hackers then send a seemingly harmless file, like a PDF or a Word document, which actually contains malware.

    5 Tips to Minimize the Risk of Hacks and Exploits

    1: Is it Necessary to Stop an Attacker Immediately?

    Once an attack is discovered and incident response begins, it is crucial for the management of the affected company to make swift decisions. They must decide whether to immediately halt all attack activity or allow it to continue in a controlled manner, observing the attacker’s actions to gain a better understanding of the attack. This decision is critical because it directly impacts the business and its services.

    In any case, it is important to avoid reconfiguring affected computers or those suspected of being compromised. If this happens, valuable forensic data is lost, making it impossible to reconstruct the actions the attackers took on those systems. Unfortunately, in the Grapevine case, some systems were reconfigured before we were called in, which prevented us from conducting a thorough investigation. We strongly advise preserving forensic artifacts or complete system images for later examination before reinstalling a system. This allows investigators to return to the original state of the system if new information emerges later in the investigation.
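    The advice above is to preserve artifacts or full images before a system is rebuilt. The following added example (not code from the original article) shows one defensive way to make that preservation verifiable: it records a SHA-256 manifest of everything collected and later checks whether any artifact has changed. The file names, the analyst name and the file contents are constructed stand-ins, and the manifest layout is an assumption of this example rather than any tool's format.

```python
import hashlib
import json
import os
import tempfile
import time


def sha256_file(path):
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(artifact_dir, collector, note=""):
    """Record path, size and hash of every collected artifact (constructed manifest layout)."""
    entries = []
    for root, _, files in os.walk(artifact_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            entries.append({
                "path": os.path.relpath(full, artifact_dir),
                "size": os.path.getsize(full),
                "sha256": sha256_file(full),
            })
    return {
        "collected_by": collector,
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "note": note,
        "artifacts": entries,
    }


def verify_manifest(artifact_dir, manifest):
    """Return the paths whose content no longer matches the manifest (empty list means intact)."""
    mismatches = []
    for entry in manifest["artifacts"]:
        full = os.path.join(artifact_dir, entry["path"])
        if not os.path.exists(full) or sha256_file(full) != entry["sha256"]:
            mismatches.append(entry["path"])
    return mismatches


def demo():
    """Collect two constructed artifacts, verify them, then detect a later modification."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-ins for a memory dump and a disk image.
        with open(os.path.join(d, "memory.dmp"), "wb") as f:
            f.write(b"constructed memory dump bytes\n" * 1000)
        with open(os.path.join(d, "disk.img"), "wb") as f:
            f.write(b"constructed disk image bytes\n" * 1000)

        manifest = build_manifest(d, "analyst-placeholder", "pre-reinstall collection")
        intact = verify_manifest(d, manifest)

        # Any later change, even one appended byte, must show up on verification.
        with open(os.path.join(d, "memory.dmp"), "ab") as f:
            f.write(b"x")
        tampered = verify_manifest(d, manifest)

        return len(manifest["artifacts"]), intact, tampered


if __name__ == "__main__":
    count, intact, tampered = demo()
    print(json.dumps({"artifacts": count, "intact_mismatches": intact, "after_change": tampered}))
```

    In practice the manifest would be stored separately from the artifacts themselves, so that a later change to an image cannot be covered up by editing the manifest alongside it.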

    2: Why Two-Factor Authentication is Not Enough

    The Grapevine attack allegedly started with a phishing email sent to someone known to one of the employees. However, we could not find any evidence to confirm this assumption. After gaining access to the employee’s computer, the attacker attempted to infiltrate the network further. They targeted an account used on private workstations that were connected to a virtual workstation through the Microsoft Azure cloud.

    Authentication logs show that shortly after a valid authentication from the account’s usual IP address (referred to as ‘patient zero’), another successful authentication occurred from an unknown foreign IP address. Unlike the first authentication, the second one didn’t require two-factor authentication (2FA) as a valid token was presented to Microsoft Azure.

    This example highlights the importance of using two-factor authentication, but it also underscores the need for careful implementation and vigilance to minimize the risk of unauthorized access. Furthermore, we strongly recommend monitoring log files for any abnormal login behavior, such as duplicate sessions from different IP addresses. By improving log monitoring, the Grapevine attack could have been detected earlier. However, it’s crucial that these log files are readily accessible, as the following information will demonstrate.
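    The pattern described above, a legitimate sign-in followed shortly by a second successful sign-in for the same account from an unfamiliar address that was satisfied by a presented token rather than a fresh 2FA prompt, can be caught with a simple rule over sign-in logs. The following is an added example (not the article’s or any vendor’s code): it parses constructed JSON-lines sign-in records and flags the duplicate-session case. The field names, the IP addresses, the "known ranges" and the 30-minute window are assumptions of this example, not a real log schema.

```python
import json
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample sign-in events; field names are an assumption, not a vendor schema.
SAMPLE_LOG = """\
{"ts": "2023-09-04T08:02:11Z", "user": "alice", "ip": "203.0.113.10", "result": "success", "mfa": "satisfied"}
{"ts": "2023-09-04T08:06:45Z", "user": "alice", "ip": "198.51.100.77", "result": "success", "mfa": "token_presented"}
{"ts": "2023-09-04T09:15:00Z", "user": "bob", "ip": "203.0.113.20", "result": "success", "mfa": "satisfied"}
{"ts": "2023-09-04T10:01:00Z", "user": "carol", "ip": "198.51.100.5", "result": "failure", "mfa": "not_required"}
{"ts": "2023-09-04T17:40:00Z", "user": "bob", "ip": "203.0.113.20", "result": "success", "mfa": "satisfied"}
"""

# Assumed corporate egress ranges (documentation addresses, constructed for the example).
KNOWN_RANGES = [ip_network("203.0.113.0/24")]
WINDOW = timedelta(minutes=30)


def parse_events(text):
    """Parse JSON-lines sign-in records and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def is_known(ip):
    """True if the address falls inside one of the expected egress ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_RANGES)


def find_duplicate_sessions(events, window=WINDOW):
    """Return (user, first_ip, second_ip, minutes_apart, reason) for each suspicious pair.

    A pair is suspicious when the same account has two successful sign-ins from
    different addresses within the window; the reason notes whether the second
    address is unknown and whether it was freshly MFA-verified.
    """
    alerts = []
    by_user = {}
    for e in events:
        if e["result"] != "success":
            continue  # failed attempts are a separate signal; not handled here
        by_user.setdefault(e["user"], []).append(e)

    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            gap = cur["ts"] - prev["ts"]
            if cur["ip"] == prev["ip"] or gap > window:
                continue
            reason = "different IPs within window"
            if not is_known(cur["ip"]):
                reason += "; second IP outside known ranges"
            if cur["mfa"] != "satisfied":
                reason += "; second session not freshly MFA-verified"
            alerts.append((user, prev["ip"], cur["ip"], int(gap.total_seconds() // 60), reason))
    return alerts


if __name__ == "__main__":
    for alert in find_duplicate_sessions(parse_events(SAMPLE_LOG)):
        print(alert)
```

    The rule deliberately keys on successful sign-ins only: the second session in the Grapevine case succeeded, so failure counts alone would never have surfaced it.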

    3: Always Log and Ensure Accessibility of Logs

    The initial targets of the Lazarus attackers were Linux hosts. However, the logging on these hosts was insufficient and did not record process or command information. The logging on Citrix and Azure also lacked detail about user login behavior. This lack of comprehensive logging left the attackers’ activities poorly understood. To address this, it is crucial to enable logging that is actually accessible and to analyze the collected data promptly. We recommend testing in advance that the required logs are being produced and can be retrieved when needed.

    As a secondary target, the attackers focused on Windows servers. Fortunately, the logging on these servers was better organized, which allowed us to observe that the attackers obtained higher user privileges. This privilege escalation most likely occurred during the lateral movement stage of the attack, by exploiting a known vulnerability in a hijacked DLL. A vulnerability scan is the preferred method for identifying such weaknesses, and with Extended Detection and Response in place it is highly probable that this would have been detected.

    4: Choose Passwords That Are Easy to Read

    Attackers frequently attempt to gather credentials in order to gain access to accounts with higher privileges. One commonly targeted protocol is Windows WDigest Authentication, which stores login credentials in plain text in memory. If an attacker has administrator privileges on the system, they can extract and read these passwords. 

    Although this feature has been disabled by default since Windows 8.1, it can be reactivated by modifying a registry value. In the Grapevine attack, the attackers changed that registry setting to re-enable plain-text storage of passwords in memory, which allowed them to read the passwords. Therefore, we recommend explicitly configuring, through the relevant registry setting, that WDigest does not retain credentials in plain text, and keeping an eye on that setting for changes.
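    The registry change described above is a well-known detection opportunity. As an added example (not code from the original article), the block below scans constructed Sysmon-style registry events (Event ID 13, value set) for the WDigest value being switched on, and ignores the benign case where the value is set back to the hardened state. The key path is the documented Windows location of this setting; the host names, users, images and event records are constructed samples, and the dictionary form of the events is an assumption of this example rather than Sysmon’s actual XML.

```python
import re

# Documented location of the WDigest setting; the hardened value is 0, the risky value is 1.
WDIGEST_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
VALUE_NAME = "UseLogonCredential"
HARDENED_VALUE = 0

# Constructed sample events in a simplified Sysmon-like shape (EventID 13 = registry value set).
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "srv-fs01.corp.example", "User": "CORP\\svc_backup",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": WDIGEST_KEY + "\\" + VALUE_NAME, "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Computer": "ws-042.corp.example", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\gpupdate.exe",
     "TargetObject": WDIGEST_KEY + "\\" + VALUE_NAME, "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Computer": "ws-042.corp.example", "User": "CORP\\alice",
     "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Placeholder\Setting",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Computer": "srv-fs01.corp.example", "User": "CORP\\svc_backup",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
]


def normalize(path):
    """Case-fold and unify the hive prefix so both HKLM and HKEY_LOCAL_MACHINE spellings match."""
    return path.lower().replace("hkey_local_machine", "hklm")


def parse_dword(details):
    """Extract the integer from a Sysmon-style 'DWORD (0x00000001)' details string, else None."""
    m = re.fullmatch(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details)
    return int(m.group(1), 16) if m else None


def wdigest_enabled_events(events):
    """Return one finding per event that sets UseLogonCredential to a non-hardened value."""
    target = normalize(WDIGEST_KEY + "\\" + VALUE_NAME)
    findings = []
    for e in events:
        if e.get("EventID") != 13:
            continue
        if normalize(e.get("TargetObject", "")) != target:
            continue
        value = parse_dword(e.get("Details", ""))
        if value is None or value == HARDENED_VALUE:
            continue  # unparsable or hardening being (re)applied: not a finding
        findings.append({
            "host": e.get("Computer"),
            "user": e.get("User"),
            "image": e.get("Image"),
            "new_value": value,
        })
    return findings


if __name__ == "__main__":
    for f in wdigest_enabled_events(SAMPLE_EVENTS):
        print(f"WDigest plaintext storage enabled on {f['host']} by {f['user']} via {f['image']}")
```

    Alerting on the value being set to 1, rather than on any write to the key, keeps routine hardening by policy refresh from generating noise while still catching the change the attackers made in the Grapevine case.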

    5: Separate Your Network into Segments

    Finally, there are two crucial measures to limit how far attackers can infiltrate the network. The first is network segmentation, which prevents hackers from progressing beyond specific segments. As a second measure, businesses should consider restricting administrative activity to dedicated on-site workstations, so that even an attacker who obtains administrator privileges cannot use them from other systems.

    To sum up, here are our 5 recommended measures:

    • Avoid reconfiguring compromised computers.
    • Ensure strong implementation of two-factor authentication.
    • Log all activities and ensure accessibility to logs.
    • Stay vigilant against attackers trying to collect credentials.
    • Implement network segmentation.

    Ongoing Threat from Lazarus

    While the Lazarus group is known for constantly improving and adapting its tools, they are not invincible, just like any other threat actor. By taking proper precautions and having a clear response strategy, it is possible to prevent Lazarus or any other North Korean operation from succeeding.

    By following the steps above, you can make it much harder for the group itself, or any Lazarus-inspired threat actor, to succeed.
