The malicious code injected into it was designed to steal confidential files saved on the secure partition of the drive.
December 2, 2024: Kaspersky found that a secure USB drive was compromised with malicious code injected into its access management software. This drive was developed by a government entity in Southeast Asia to securely store and transfer files between machines in sensitive environments. The malicious code injected into it was designed to steal confidential files saved on the secure partition of the drive while also acting as a USB worm and spreading the infection to USB drives of the same type. While this tactic was similar to the compromise of drives that used the UTetris USB management software last year, attributed to Kaspersky to TetrisPhantom, the malicious code implanted on the drive in the latest incident was new. An analysis of the Trojanized USB management software used in this attack, as well as other trends in tools used by cybercriminal groups in attacks around the world, is provided in the latest Kaspersky Q3 APT report.
Other notable findings described in Kaspersky’s Q3 APT report include:
Asia
- Kaspersky detected new attack schemes that utilized the P8 attack framework, which was previously used to target Vietnamese organizations. Most of the infections took place in financial institutions in Vietnam, with one victim active in the manufacturing industry.
Asia, Turkiye, Europe, and Russia
- Awaken Likho is an APT campaign, active since at least July 2021, that primarily targets government organizations and contractors. To date, Kaspersky has detected more than 120 targets in Russia, India, China, Vietnam, Taiwan, Turkiye, Slovakia, the Philippines, Australia, Switzerland, and the Czech Republic, among others. While previously attackers relied on the use of the legitimate remote administration tool UltraVNC, in a campaign uncovered in June 2024 (still ongoing), the attackers changed the final payload from UltraVNC to MeshAgent (another remote administration tool; it uses an open-source remote management server).
Africa & Asia
- The Scieron backdoor, a tool commonly used in cyber-espionage campaigns by the Scarab group, was detected in a new campaign that targeted a government entity in Africa and a telecom provider in Central Asia.
Middle East
- MuddyWater is an APT actor that surfaced in 2017 and has traditionally targeted countries in the Middle East, Europe, and the USA. Recently, Kaspersky uncovered VBS/DLL-based implants used in intrusions by the MuddyWater APT group, which are still active today. The implants were found at multiple government and telecom entities in Egypt, Kazakhstan, Kuwait, Morocco, Oman, Syria, and the UAE.
- Tropic Trooper (aka KeyBoy and Pirate Panda) is an APT group that has been operating since 2011. The group’s targets have traditionally included government entities, as well as the healthcare, transportation, and high-tech industries located in Taiwan, the Philippines, and Hong Kong. Kaspersky’s most recent analysis revealed that in 2024, the group conducted attacks against a government entity in Egypt. An attack component was detected that was presumably used by Chinese-speaking actors.
Russia
- In 2021, a campaign called ExCone was detected by Kaspersky, targeting government entities in Russia using vulnerabilities in the VLC media player. Later, victims were also found in Europe, Central Asia, and Southeast Asia. In 2022, spear-phishing emails started to be used as an infection vector, and an updated version of the Pangolin Trojan was deployed. In mid-July 2024, the actor turned to embedding a JavaScript loader as the initial infection vector and attacked Russian educational institutions.
LATAM & Asia
- In June, Kaspersky identified an active campaign called PassiveNeuron, targeting government entities in Latin America and East Asia using previously unknown malware. The servers were compromised before security products were installed, and the method of infection remains unknown. The implants used in this operation do not share any code similarities with known malware, so attribution to a known threat actor is not possible at this time. The campaign shows a very high level of sophistication.
“Throughout 2024, there were 3 billion local threats detected and blocked by Kaspersky globally. The compromise of software on secure USB drives is unusual, but it underscores the fact that protected local digital spaces can be compromised by sophisticated schemes. Cybercriminals constantly update their toolsets and expand the scope of their activities, broadening their targets, both in terms of the spheres targeted and geographically. We also see more open-source tools employed by APT threat actors,” comments David Emm, principal security researcher at Kaspersky.
To read the full APT Q3 2024 trends report, please visit Securelist.
Advanced persistent threats (APTs) are continuous, clandestine, and sophisticated hacking techniques used to gain access to a system and remain inside for a prolonged period of time, with potentially destructive consequences. APTs are usually leveled at high-value targets, such as nation-states and large corporations, with the ultimate goal of stealing information over a long period of time, rather than simply “dipping in” and leaving quickly, as many black-hat attackers do during lower-level cyber assaults.
To avoid falling victim to a targeted attack, Kaspersky researchers recommend individuals and organizations:
- Provide your SOC team with access to the latest threat intelligence (TI). Kaspersky Threat Intelligence is a single point of access for the company’s TI, providing it with cyberattack data and insights gathered by Kaspersky spanning over 20 years.
- Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts.
- Implement a corporate-grade security solution that detects advanced threats at the network level at an early stage, such as the Kaspersky Anti Targeted Attack Platform.
- Use centralized and automated solutions such as Kaspersky Next XDR Expert to enable comprehensive protection of all your assets.
- Introduce security awareness training and teach practical skills to your team—for example, through the Kaspersky Automated Security Awareness Platform, as many targeted attacks start with phishing or other social engineering techniques.
- Update the OS and software as soon as possible and do so regularly.
Also read: Viksit Workforce for a Viksit Bharat
Do Follow: The Mainstream formerly known as CIO News LinkedIn Account | The Mainstream formerly known as CIO News Facebook | The Mainstream formerly known as CIO News Youtube | The Mainstream formerly known as CIO News Twitter
About us:
The Mainstream formerly known as CIO News is the premier platform dedicated to delivering the latest news, updates, and insights from the CIO industry. As a trusted source in the technology and IT sector, we provide a comprehensive resource for executives and professionals seeking to stay informed and ahead of the curve. With a focus on cutting-edge developments and trends, The Mainstream formerly known as CIO News serves as your go-to destination for staying abreast of the rapidly evolving landscape of technology and IT. Founded in June 2020, The Mainstream formerly known as CIO News has rapidly evolved with ambitious growth plans to expand globally, targeting markets in the Middle East & Africa, ASEAN, USA, and the UK
