Attributing cyberattacks and advanced malware to a particular country or entity is usually troublesome. Forensic artefacts can sometimes be planted or forged to point to a specific country or cybercriminal group.
However, analyzing the current geopolitical context and matching it against victims and available forensic evidence can sometimes make attribution more plausible. This holds true with a recently discovered advanced threat that leveraged a critical Adobe Flash zero-day vulnerability (CVE-2018-4878).
The campaign primarily targeted the public and private sectors of South Korea, as well as Japan, the Middle East and other parts of Asia, and security researchers believe the likely culprit to be a North Korean threat actor known as APT37, Group123 or Reaper.
..
..
Exploiting the vulnerability
The alleged North Korean threat actor that leveraged the zero-day vulnerability targeted victims using spearphishing emails containing tainted attachments and promising time-sensitive information.
This recent campaign used a document that contained a Flash object to be opened within a browser as soon as the victim executed the attachment. Once opened, the Flash object exploited a vulnerability within the Adobe Flash application and downloaded an additional payload from a command and control (C&C) server.
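As an added example (not code from the article), here is a triage heuristic a defender can run over incoming attachments to spot the kind of embedded Flash object described above: it scans a file's bytes for SWF container headers (uncompressed FWS, zlib-compressed CWS, LZMA-compressed ZWS) and sanity-checks the version and length fields to cut down false hits. The sample "document" and the `build_swf` helper are constructed purely for the demonstration.

```python
import struct
import zlib

# Signatures of the three SWF container flavours: uncompressed, zlib, LZMA.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")

def find_embedded_swf(data: bytes):
    """Return (offset, signature, version, declared_length) for each plausible
    SWF header inside `data`. A Flash object embedded in an office document
    shows up as one of these 8-byte headers somewhere in the file's bytes."""
    hits = []
    for sig in SWF_SIGNATURES:
        off = data.find(sig)
        while off != -1:
            if off + 8 <= len(data):
                version = data[off + 3]
                declared = struct.unpack_from("<I", data, off + 4)[0]
                # Header sanity: plausible Flash version, length at least the
                # header, and (uncompressed only) length fits the remaining file.
                fits = sig != b"FWS" or declared <= len(data) - off
                if 1 <= version <= 50 and declared >= 8 and fits:
                    hits.append((off, sig.decode(), version, declared))
            off = data.find(sig, off + 1)
    return hits

def build_swf(body: bytes, compressed: bool = False) -> bytes:
    """Constructed test helper: wrap `body` in a minimal SWF header."""
    sig = b"CWS" if compressed else b"FWS"
    header = sig + bytes([32]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compressed else body)

# Constructed sample "document": filler bytes around two embedded SWF objects,
# plus a clean blob with nothing embedded, for comparison.
SAMPLE_DOC = (b"PK\x03\x04" + b"\x00" * 40 + build_swf(b"A" * 100)
              + b"\x00" * 20 + build_swf(b"B" * 200, compressed=True) + b"\x00" * 10)
CLEAN_DOC = b"PK\x03\x04" + b"plain text, nothing embedded here" * 3

def flags_flash(data: bytes) -> bool:
    """Triage verdict: True when the blob carries at least one SWF header."""
    return bool(find_embedded_swf(data))

if __name__ == "__main__":
    for off, sig, ver, length in find_embedded_swf(SAMPLE_DOC):
        print(f"SWF {sig} v{ver} at offset {off}, declared length {length}")
```

A hit is a reason to detonate or block the attachment, not proof of exploitation; legitimate documents occasionally embed Flash too, so pair this with the sandbox or introspection layer discussed later.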
..
..
Real-time hypervisor-level introspection detects zero-day exploits, prevents breaches
Technologies such as memory-based introspection that run completely outside the operating system are specifically designed to identify the memory manipulation techniques associated with advanced threats. Since businesses and organizations regularly use virtual workloads – such as VDIs – to boost productivity, augmenting in-guest security solutions with hypervisor-enforced security is far more effective at protecting against sophisticated attacks.
...
...