Desk report, October 26: Russian cybersecurity firm Kaspersky Lab has uncovered compromised servers around the world, including many in the Asia-Pacific region, that the notorious cybercrime group Lazarus is using for its hacking activities, including last year's $81-million heist on the Bangladeshi central bank.
In a press statement, Kaspersky Lab said the hacked servers were part of the group's global command-and-control infrastructure and were found in Indonesia, India, Bangladesh, Malaysia, Vietnam, South Korea, Taiwan and Thailand, among other countries.
These hacked servers "could be used by Lazarus to launch targeted attacks against a company or organization," the firm said, adding that "the Korean-language group is thought to be state-sponsored."
The researchers found that the servers had been infected with malware called "Manuscrypt," which the group has used since 2013. The malware was installed by exploiting a vulnerability in Microsoft Internet Information Services (IIS) 6.0 that Microsoft patched in June 2017 (the IIS 6.0 WebDAV buffer overflow tracked as CVE-2017-7269). IIS 6.0 ships with Windows Server 2003, which left extended support in July 2015, so the fix was an out-of-band release for an end-of-life platform and many operators never applied it.
“Many servers worldwide remain at risk of this exploit,” Kaspersky Lab said. “Three of the top five countries that still have servers carrying this vulnerability are in the Asia-Pacific region: China (with 7,848 servers), India (1,524) and Hong Kong (1,102).”
"The US tops the list with the most vulnerable servers (11,949), while the United Kingdom ranks fifth with 805," it added.
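The figures above come from banner counts, and that is also the quickest way for a defender to find the same exposure in their own estate. The following is an added example, not Kaspersky's tooling or anything from the report: it takes raw HTTP OPTIONS responses (the three samples are constructed, not real captures), parses the headers, and flags hosts that still present as Microsoft IIS 6.0 and advertise WebDAV methods, which is the exposure class the report describes. The host addresses, risk labels and function names are illustrative assumptions.

```python
"""Triage HTTP OPTIONS responses for IIS 6.0 hosts that still expose WebDAV.

Added example, not part of the Kaspersky report. The sample responses
below are constructed for illustration; the risk labels are an assumption
of this script, not a vendor rating.
"""
import re
from dataclasses import dataclass

# WebDAV-specific methods; a server listing any of these in Allow/Public
# (or sending a DAV: compliance header) has the WebDAV extension enabled.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK", "COPY", "MOVE"}


@dataclass
class Finding:
    host: str
    server: str
    webdav: bool
    risk: str  # "high", "medium" or "low" (assumed scale for this example)


def parse_headers(raw: str) -> dict:
    """Parse the status line and headers of a raw HTTP response into a dict
    keyed by lowercase header name. The body, if any, is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def is_iis6(server: str) -> bool:
    """True when the Server banner identifies IIS 6.0 exactly (not 6.0 as a
    prefix of something else)."""
    return re.search(r"Microsoft-IIS/6\.0\b", server or "", re.IGNORECASE) is not None


def webdav_enabled(headers: dict) -> bool:
    """True when the OPTIONS response advertises WebDAV, either through the
    DAV: compliance header or by listing WebDAV methods in Allow/Public."""
    if "dav" in headers:
        return True
    advertised = set()
    for name in ("allow", "public"):
        advertised.update(m.strip().upper() for m in headers.get(name, "").split(",") if m.strip())
    return bool(advertised & WEBDAV_METHODS)


def assess(host: str, options_response: str) -> Finding:
    """Classify one host from its raw OPTIONS response."""
    headers = parse_headers(options_response)
    server = headers.get("server", "")
    dav = webdav_enabled(headers)
    if is_iis6(server) and dav:
        risk = "high"    # end-of-life IIS with WebDAV reachable: verify patch level, isolate
    elif is_iis6(server):
        risk = "medium"  # IIS 6.0 without WebDAV advertised: still end-of-life software
    else:
        risk = "low"
    return Finding(host, server, dav, risk)


def triage(responses: dict) -> list:
    """Assess every host and return findings ordered highest risk first."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((assess(h, r) for h, r in responses.items()), key=lambda f: order[f.risk])


# Constructed sample OPTIONS responses (hypothetical hosts, not real captures).
SAMPLE_RESPONSES = {
    "10.0.0.5": ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nDAV: 1, 2\r\n"
                 "Allow: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, LOCK, UNLOCK\r\n"
                 "Content-Length: 0\r\n\r\n"),
    "10.0.0.6": ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
                 "Allow: OPTIONS, GET, HEAD, POST\r\nContent-Length: 0\r\n\r\n"),
    "10.0.0.7": ("HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n"
                 "Allow: GET, HEAD, OPTIONS\r\nContent-Length: 0\r\n\r\n"),
}

if __name__ == "__main__":
    for f in triage(SAMPLE_RESPONSES):
        print(f"{f.host:12} {f.risk:6} server={f.server!r} webdav={f.webdav}")
```

Treat a "high" finding as a candidate, not a confirmed vulnerable host: a patched IIS 6.0 still reports the same banner, and banners can be rewritten by proxies or hardening settings, so the next step is to check the host's installed updates (or retire it) rather than to trust the banner alone.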
A successful exploit hands control of the compromised host to the attacker, who can then easily implant additional malware on the server. Kaspersky Lab researchers also found several tools on the servers, including an information harvester, with which the attacker can steal data from the victim's own infrastructure.
Apart from the Bangladesh bank heist, Lazarus is also believed to be behind the 2014 hacking of Sony Pictures and the recent WannaCry ransomware epidemic.
“Companies are increasingly worried about being hit by advanced targeted attack groups like Lazarus,” Kaspersky Lab senior security researcher Park Seongsu said. “Unknown to them, their own corporate servers could be infected and manipulated by the hackers against them, or used to launch attacks on others.”
Park predicts that, as incidents like these target enterprise networks, IT security priorities and processes will have to adapt: customers will require technology combined with threat intelligence and expertise to protect them from both known and unknown threats.