fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Sunburst Backdoor Shares Features With Russian APT Malware

Sunburst Backdoor Shares Features With Russian APT Malware

Kaspersky researchers found that the Sunburst backdoor, the malware deployed during the SolarWinds supply-chain attack, shows feature overlaps with Kazuar, a .NET backdoor tentatively linked to the Russian Turla hacking group.

Turla (aka VENOMOUS BEAR and Waterbug) has been coordinating information theft and espionage campaigns as far back as 1996 and is the main suspect behind attacks targeting the Pentagon and NASA, the U.S. Central Command, and the Finnish Foreign Ministry.

Kazuar is one of the tools used during past Turla operations and, according to Kaspersky, it shares several of its features with the malware created by the group behind the SolarWinds hack (tracked as UNC2452 and DarkHalo).

A week ago, the FBI, CISA, and the NSA also said that a Russian-backed Advanced Persistent Threat (APT) group is likely behind the SolarWinds hack.

Code similarities

Samples of the Kazuar backdoor discovered in the wild since February 2020 when Sunburst was first deployed have been tweaked continuously with the similarities deepening towards November 2020 but, at the moment, the connection between the two is not yet known.

The features found to be overlapping in both Kazuar and Sunburst include the algorithm used to generate victim UIDs (unique identifiers), the extensive usage of the FNV-1a hash throughout the malware, and the sleeping algorithm used by both backdoors.

Also Read: What Do 4 Messaging Apps Get From You? Read The iOS Privacy App Labels

Kaspersky also points out that, despite similarities, the algorithms used to implement these overlapping features are still not 100% identical which hints at a potential relationship between the two malware strains and their developers, although “the nature of this relation is still not entirely clear.”

The code parts that reveal the feature overlap further show that “a kind of a similar thought process went into the development of Kazuar and Sunburst.”

Some of the explanations for these similarities highlighted by Kaspersky’s report include:

  • Sunburst was developed by the same group as Kazuar
  • The Sunburst developers adopted some ideas or code from Kazuar, without having a direct connection (they used Kazuar as an inspiration point)
  • Both groups, DarkHalo/UNC2452 and the group using Kazuar, obtained their malware from the same source
  • Some of the Kazuar developers moved to another team, taking knowledge and tools with them
  • The Sunburst developers introduced these subtle links as a form of false flag, in order to shift blame to another group

However, as Kaspersky’s researchers pointed out, “[o]ne coincidence wouldn’t be that unusual, two coincidences would definitively raise an eyebrow, while three such coincidences are kind of suspicious to us.”

Potential of deliberately introduced false flags

Kaspersky also highlighted the risk that these similarities in code could very well be false flags planted by the authors of the Sunburst malware to divert investigators’ efforts to another threat actor.

“While Kazuar and Sunburst may be related, the nature of this relation is still not clear,” Kaspersky added. “Through further analysis, it is possible that evidence confirming one or several of these points might arise.”

“At the same time, it is also possible that the Sunburst developers were really good at their opsec and didn’t make any mistakes, with this link being an elaborate false flag.

“To clarify – we are NOT saying that DarkHalo / UNC2452, the group using Sunburst, and Kazuar or Turla are the same.”

However, Kaspersky found that the Sunburst and Kazuar developers were potentially aware of feature changes in each others’ malware which points to a connection between the two given that Sunburst was only discovered in December 2020, after FireEye was breached in the SolarWinds supply-chain attack.

Kazuar’s developers have also continuously tweaked the feature set and refactored the malware’s codebase since the first time it was deployed in attacks in 2017.

Additionally, Kazuar samples are very rarely uploaded to malware analysis platforms such as VirusTotal which makes it extremely hard if not impossible to keep track of changes between variants.

“The identified connection does not give away who was behind the SolarWinds attack, however, it provides more insights that can help researchers move forward in this investigation,” Costin Raiu, the director of the Kaspersky Global Research and Analysis Team (GReAT), said.

Also Read: Key PDPA Amendments 2019/2020 You Should Know

“We believe it’s important that other researchers around the world investigate these similarities and attempt to discover more facts about Kazuar and the origin of Sunburst, the malware used in the SolarWinds breach.”

Further technical information regarding the Sunburst and Kazuar code similarities and indicators of compromise can be found in Kaspersky’s full report.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us