Geopolitical crises, the main driver of cyber threats

The latest Kaspersky report on APT (advanced persistent threat) trends for the first quarter of 2022 shows that APT group activity was intense during the first months of the year.

Newly discovered and ongoing campaigns by new and known operators have brought significant changes to the APT threat landscape.

With attacks primarily targeting businesses and government entities, APT actors have updated their malicious toolsets and diversified their techniques to scale up their attacks.

In the first three months of 2022, Kaspersky researchers discovered global APT attacks using new tools, techniques and campaigns.

The quarterly APT trends report is the result of Kaspersky's threat intelligence research and reviews the major cyber developments and incidents of the period.

During the first quarter of 2022, APT activity was driven by new campaigns and by a series of attacks linked to sensitive geopolitical events.

Here are some of the most relevant results.


    Geopolitical crises and APT developments in Kaspersky analysis

    In the cyber threat landscape, many attacks are related to the Ukrainian crisis. Between February and March, many Ukrainian entities were targeted by malware such as HermeticRansom and DoubleZero.

    There was a significant increase in the amount of new infrastructure deployed by the APT groups Gamaredon and UNC1151 (Ghostwriter).

    During the investigation, Kaspersky researchers identified two samples of the WhisperGate prototype developed in December 2021 that contained test strings and previous revisions of the ransom letter already seen in the samples shared by Microsoft.

    The researchers concluded, with high confidence, that these samples were earlier iterations of the wiper allegedly used in Ukraine.

    At the same time, Kaspersky researchers identified three campaigns linked to the threat actor Konni, active since mid-2021 and focused on targeting Russian diplomatic entities.

    Although the attackers used the same Konni RAT toolset in all campaigns, the infection vector differed in each: documents containing embedded macros, an installer disguised as a Covid-19 registration application and, finally, a downloader using a New Year screensaver as a decoy.

    The return of low-level attacks

    Last year, Kaspersky researchers predicted further growth in attacks on low-level system components such as firmware.

    A striking example of this trend is MoonBounce, discovered by Kaspersky and the third known instance of a UEFI firmware bootkit in the wild.

    The malicious implant was hidden inside the UEFI (Unified Extensible Firmware Interface) firmware, an essential part of every computer, and was found in the SPI flash chip, a storage component separate from the hard drive; an implant stored there survives an operating system reinstall or a disk replacement.

    The campaign has been attributed to the well-known APT actor APT41.

    APT actors hunt cryptocurrencies

    During the quarter, Kaspersky noted some interest from APT players in cryptocurrencies.

    Unlike most state-sponsored APT groups, Lazarus and other threat actors associated with this APT have made financial gain their primary focus.

    This actor has deployed trojanized decentralized finance (DeFi) applications to increase its profits.

    Lazarus abuses legitimate applications used to manage cryptocurrency wallets and spreads malware that takes control of the victim's systems.

    Abuse of updates and online services

    APT actors, Kaspersky's analysis continues, are constantly looking for new ways to increase the effectiveness of their attacks.

    The group of cyber mercenaries dubbed DeathStalker continues to update its unsophisticated tools to make its attacks ever more effective.

    Janicab, their legacy malware first introduced in 2013, is a prime example of this trend.

    Overall, Janicab displays the same functionality as other malware families of its peers, but instead of downloading the tools during the intrusion, as was done in the EVILNUM and Powersing intrusions, the new samples have most tools embedded and hidden inside the dropper.

    Additionally, DeathStalker uses the world's most popular online services, such as YouTube, Google+ and WordPress, as a dead-drop resolver (DDR) for efficient and stealthy command and control: the malware fetches an innocuous-looking public page and extracts the real C2 address from content hidden in it.
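A dead-drop resolver blends in because the destination is a legitimate, high-traffic service, so blocklists do not help; what does stand out is the traffic shape. The following detector, an added example that is neither Kaspersky's tooling nor part of the original article, groups proxy requests by client and URL and flags pairs that are polled at machine-regular intervals. The log lines, client addresses and URLs are constructed for the example, and the thresholds (`min_hits`, `max_jitter_ratio`) are assumptions to be tuned per environment.

```python
"""Flag clients polling one public URL at near-constant intervals.
Added example; not from Kaspersky's report or the article.
All log data below is constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <client> <url>" per line.
# 10.0.0.5 fetches the same video page every ~10 minutes (DDR-like);
# 10.0.0.7 browses the same services irregularly (normal use).
SAMPLE_LOG = """\
2022-03-01T09:00:00 10.0.0.5 https://www.youtube.com/watch?v=CONSTRUCTED1
2022-03-01T09:10:00 10.0.0.5 https://www.youtube.com/watch?v=CONSTRUCTED1
2022-03-01T09:20:02 10.0.0.5 https://www.youtube.com/watch?v=CONSTRUCTED1
2022-03-01T09:30:01 10.0.0.5 https://www.youtube.com/watch?v=CONSTRUCTED1
2022-03-01T09:40:00 10.0.0.5 https://www.youtube.com/watch?v=CONSTRUCTED1
2022-03-01T09:50:00 10.0.0.5 https://www.youtube.com/watch?v=CONSTRUCTED1
2022-03-01T09:03:00 10.0.0.7 https://www.youtube.com/watch?v=CONSTRUCTED2
2022-03-01T11:47:00 10.0.0.7 https://www.youtube.com/watch?v=CONSTRUCTED3
2022-03-01T12:02:00 10.0.0.7 https://www.youtube.com/watch?v=CONSTRUCTED2
2022-03-01T15:30:00 10.0.0.7 https://constructed-blog.wordpress.com/about/
"""


def parse_log(text):
    """Parse lines into (timestamp, client, url); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2]))
    return events


def find_regular_pollers(events, min_hits=5, max_jitter_ratio=0.05):
    """Return (client, url) pairs whose inter-request gaps are nearly constant.

    Regularity is measured as the coefficient of variation of the gaps
    (population std dev / mean); human browsing has a high value,
    a timer-driven beacon a very low one.
    """
    by_pair = defaultdict(list)
    for ts, client, url in events:
        by_pair[(client, url)].append(ts)

    findings = []
    for (client, url), times in by_pair.items():
        if len(times) < min_hits:          # too few requests to judge
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter_ratio:
            findings.append({
                "client": client,
                "url": url,
                "hits": len(times),
                "period_s": round(avg),
                "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for hit in find_regular_pollers(parse_log(SAMPLE_LOG)):
        print(f"regular polling: {hit['client']} -> {hit['url']} "
              f"every ~{hit['period_s']}s ({hit['hits']} hits)")
```

On the constructed log the detector reports only 10.0.0.5, which hits the same page every ten minutes with a few seconds of jitter; the second client never exceeds the hit threshold for a single URL. In practice the same grouping is run per day over proxy or DNS logs, and a hit is triaged by pulling the fetched page and looking at the process that issued the request.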

    Kaspersky's commentary

    David Emm, Senior Security Researcher at Kaspersky GReAT, said: "Geopolitics has always been a major driver of APT attacks, and it has never been more evident than it is today. We are living in difficult times and cybersecurity is also a testament to this.

    At the same time, we can confirm that for several threat actors, the first quarter was ordinary activity: continuous tool updates and new campaigns that seek information and, above all, money.

    This means organizations need to be better prepared than ever and ensure they are well equipped with all the tools they need to protect against existing and emerging threats."

    The Q1 APT trends report summarizes results gathered from the threat intelligence reports available only to Kaspersky customers; Indicators of Compromise (IoC) data and YARA rules are also included to help analyze and detect the malware.
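To make concrete what a defender does with the IoCs and YARA rules shipped alongside such a report, here is a small matcher, added as an example and not Kaspersky's tooling or the article's own content. It applies SHA-256 hash IoCs and YARA-style string rules (with the `any of them`, `all of them` and `N of them` conditions) to in-memory sample files. Every hash, rule, string and sample file here is constructed; real indicators come from the vendor's feed, and production scanning would use the actual YARA engine rather than this subset.

```python
"""Minimal IoC hash + YARA-style string matcher over sample files.
Added example; not Kaspersky's tooling. All indicators are constructed."""
import hashlib

# Constructed sample "files": filename -> contents.
SAMPLES = {
    "invoice.doc": b"MZ\x90\x00 ordinary document text, nothing suspicious",
    "setup.exe": b"MZ\x90\x00 CONSTRUCTED_BAD_MARKER cmd.exe /c powershell -enc AAAA",
    "readme.txt": b"plain text readme",
}

# Constructed hash IoC list: the digest of the constructed bad sample.
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLES["setup.exe"]).hexdigest()}

# Constructed YARA-style rules: strings plus a condition on how many must match.
RULES = [
    {
        "name": "constructed_dropper_strings",
        "strings": [b"powershell -enc", b"cmd.exe /c", b"CONSTRUCTED_BAD_MARKER"],
        "condition": "2 of them",
    },
    {
        "name": "constructed_pe_header",
        "strings": [b"MZ"],
        "condition": "all of them",
    },
]


def evaluate_rule(rule, data):
    """Return True if the rule's condition holds for the given bytes."""
    hits = [s for s in rule["strings"] if s in data]
    cond = rule["condition"].strip().lower()
    if cond == "any of them":
        return len(hits) >= 1
    if cond == "all of them":
        return len(hits) == len(rule["strings"])
    head, _, rest = cond.partition(" ")        # e.g. "2 of them"
    if rest == "of them" and head.isdigit():
        return len(hits) >= int(head)
    raise ValueError(f"unsupported condition: {rule['condition']!r}")


def scan(samples, rules, bad_hashes):
    """Map each filename to the list of rule names and IoC matches it triggers."""
    report = {}
    for name, data in samples.items():
        matched = [r["name"] for r in rules if evaluate_rule(r, data)]
        if hashlib.sha256(data).hexdigest() in bad_hashes:
            matched.append("ioc_hash_match")
        report[name] = matched
    return report


if __name__ == "__main__":
    for filename, matches in scan(SAMPLES, RULES, KNOWN_BAD_SHA256).items():
        print(f"{filename}: {', '.join(matches) if matches else 'clean'}")
```

The `constructed_pe_header` rule shows why string rules are combined with conditions rather than used alone: on its own it fires on every file starting with `MZ`, including the benign document, so a useful rule pairs such context strings with behaviour-specific ones under an `N of them` threshold. Hash IoCs are exact and brittle (one byte changed and the match is gone), which is why reports ship both.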
