CrowdStrike researchers quickly attributed the Colonial Pipeline attack this past May to a group known as Carbon Spider, likely an Eastern European or Russia-based threat group.

But as Josh Reynolds, a senior security researcher at CrowdStrike, and Eric Lou, a senior intelligence analyst at CrowdStrike, spelled out at VB2021, the group wasn't always a "big game" ransomware threat. Carbon Spider started in 2013 using Carbanak malware to target financial institutions before moving on in 2015 to target restaurants and the hospitality industry with point-of-sale (POS) malware to collect payment card data.

In 2016, Cobalt Spider broke off from Carbon Spider to handle the card data thefts while Carbon Spider continued to target financial entities.

In April 2020, the COVID-19 pandemic forced the group to perform a "dramatic pivot" away from card data theft as the crisis reduced in-person transactions.

The malicious actors moved instead toward more ambitious campaigns, including ransomware attacks using REvil's ransomware as a service (RaaS).

Then, in August 2020, Carbon Spider shifted its ransomware efforts to its own malware, DarkSide, which the group opened up to affiliates as an RaaS provider in November 2020. CrowdStrike's attribution of the Colonial Pipeline attack to Carbon Spider came through no single data point but by comparing numerous DarkSide incidents to Carbon Spider.

The researchers examined the tactics, techniques, and procedures and the distinctive use of tooling, shared infrastructure, and other forensic evidence to name Carbon Spider as the culprit in the pipeline attack. A week after the May 8 attack, the DarkSide RaaS operation was shut down.

Three weeks later, the US Justice Department announced it had seized the affiliate cut from the Colonial Pipeline ransom payment.

However, Carbon Spider did not halt operations even after these developments, which drew harsh condemnation from the US government and the international community. Evidence suggested that it was renewing activity in other malware delivery incidents.

On July 21, a new group called BlackMatter emerged seeking access to big game ransomware targets with annual revenues above $100 million in the US, Canada, Australia, and the UK. CrowdStrike reverse-engineered the DarkSide and BlackMatter Windows variants and saw sufficient overlaps to believe that BlackMatter is simply DarkSide in a new guise.

The real danger from ransomware groups, then, is that they can adapt to new trends and reinvent themselves, the CrowdStrike researchers said.

There's no going back to POS data thefts because ransomware is too lucrative.

"The big thing to expect from Carbon Spider is that they will always keep improving," Lou said.

"They are always going to keep introducing new initial access vectors, new intermediary PowerShell stagers, attackers, and loaders. So, the real thing to expect is that they are going to keep innovating. In a year, I wouldn't be surprised if they were significantly more improved from where they are now."

Security researchers have complained that all North Korean malware is attributed to a single threat actor known as the Lazarus Group, also known as Hidden Cobra.

Lazarus is best known for launching the 2014 attack on Sony Pictures and later was connected to the 2017 WannaCry 2.0 attacks.

Researchers also confuse the Lazarus Group with the alleged Chinese threat group known as Winnti, said Seongsu Park, senior security researcher at Kaspersky's Global Research and Analysis Team.

The truth is that Lazarus has evolved to consist of several different "clusters," including:

- ThreatNeedle, which targets cryptocurrency exchanges, mobile game companies, the defense industry, and security researchers.
- AppleJeus, which has targeted a cryptocurrency exchange, a fintech company, and a blockchain company.
- Bookcode, which has targeted a software vendor, a defense contractor, and a pharmaceutical company.