{"id":10609,"date":"2022-07-07T09:32:39","date_gmt":"2022-07-07T09:32:39","guid":{"rendered":"https:\/\/conference.hitb.org\/hitbincyber2024\/?post_type=session&#038;p=10609"},"modified":"2023-05-26T05:06:27","modified_gmt":"2023-05-26T05:06:27","slug":"lazarus-groups-undercover-operations","status":"publish","type":"session","link":"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/lazarus-groups-undercover-operations\/","title":{"rendered":"Lazarus Group&#8217;s Undercover Operations: Large-Scale Infection Campaigns 2022 &#8211; 2023"},"content":{"rendered":"<p style=\"text-align: justify;\">The Lazarus Group is one of the major threat actors targeting South Korea.<strong> In this talk, we will cover the activities of Lazarus Group&#8217;s threat campaigns in South Korea from at least 2022 to the present in 2023.<\/strong><\/p>\n<p style=\"text-align: justify;\">KrCert\/CC has detected the Lazarus group&#8217;s undercover information gathering activities targeting major companies in Korea. This campaign was carried out through a large-scale infection method using vulnerabilities in financial security solutions and watering hole techniques. <strong>We investigated the campaign by examining over 60 companies and more than 200 hosts to identify the threat actors&#8217; TTPs. <\/strong>In this talk, we will cover:<\/p>\n<p style=\"text-align: justify;\"><strong>Infiltration<\/strong><\/p>\n<p style=\"text-align: justify;\">The Lazarus Group hacked into websites visited by a large number of people and set up watering hole pages. 
After the target accessed the watering hole pages, the group infected their target with malware by exploiting vulnerabilities in financial security software (the misused financial security software was the security software used by most Koreans and companies).<\/p>\n<p style=\"text-align: justify;\"><strong>Lateral movement<\/strong><\/p>\n<p style=\"text-align: justify;\">The group carried out internal propagation using various methods depending on the target&#8217;s situation. They spread internally by scanning networks, exploiting SMB services, and taking advantage of vulnerabilities in financial security software.<\/p>\n<p style=\"text-align: justify;\"><strong>Exfiltration<\/strong><\/p>\n<p style=\"text-align: justify;\">Threat actors compromised the company&#8217;s key servers for information leakage. The compromised servers have been abused as a major hub for information leakage.<\/p>\n<p style=\"text-align: justify;\">We will also provide detailed information and TTPs to trace and respond to the threat actors involved in the &#8220;large-scale infection campaign using vulnerabilities in financial security solutions and watering hole techniques&#8221; conducted by Lazarus Group, which has been confirmed through our investigation process.<\/p>\n","protected":false},"template":"","class_list":["post-10609","session","type-session","status-publish","hentry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Lazarus Group&#039;s Undercover Operations: Large-Scale Infection Campaigns 2022 - 2023 - HITB (in)Cyber 2024 - Abu Dhabi<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/lazarus-groups-undercover-operations\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta 
property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Lazarus Group&#039;s Undercover Operations: Large-Scale Infection Campaigns 2022 - 2023 - HITB (in)Cyber 2024 - Abu Dhabi\" \/>\n<meta property=\"og:description\" content=\"The Lazarus Group is one of the major threat actors targeting South Korea. In this talk, we will cover the activities of Lazarus Group&#8217;s threat campaigns in South Korea from at least 2022 to the present in 2023. KrCert\/CC has detected the Lazarus group&#8217;s undercover information gathering activities targeting major companies in Korea. This campaign [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/lazarus-groups-undercover-operations\/\" \/>\n<meta property=\"og:site_name\" content=\"HITB (in)Cyber 2024 - Abu Dhabi\" \/>\n<meta property=\"article:modified_time\" content=\"2023-05-26T05:06:27+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/lazarus-groups-undercover-operations\/\",\"url\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/lazarus-groups-undercover-operations\/\",\"name\":\"Lazarus Group's Undercover Operations: Large-Scale Infection Campaigns 2022 - 2023 - HITB (in)Cyber 2024 - Abu Dhabi\",\"isPartOf\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/#website\"},\"datePublished\":\"2022-07-07T09:32:39+00:00\",\"dateModified\":\"2023-05-26T05:06:27+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/lazarus-groups-undercover-operations\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/lazarus-groups-undercover-operations\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/lazarus-groups-undercover-operations\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Session\",\"item\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Lazarus Group&#8217;s Undercover Operations: Large-Scale Infection Campaigns 2022 &#8211; 2023\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/#website\",\"url\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/\",\"name\":\"HITB (in)Cyber 2024 - Abu Dhabi\",\"description\":\"May 14 - 16, Etihad Arena 
\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Lazarus Group's Undercover Operations: Large-Scale Infection Campaigns 2022 - 2023 - HITB (in)Cyber 2024 - Abu Dhabi","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/lazarus-groups-undercover-operations\/","og_locale":"en_US","og_type":"article","og_title":"Lazarus Group's Undercover Operations: Large-Scale Infection Campaigns 2022 - 2023 - HITB (in)Cyber 2024 - Abu Dhabi","og_description":"The Lazarus Group is one of the major threat actors targeting South Korea. In this talk, we will cover the activities of Lazarus Group&#8217;s threat campaigns in South Korea from at least 2022 to the present in 2023. KrCert\/CC has detected the Lazarus group&#8217;s undercover information gathering activities targeting major companies in Korea. This campaign [&hellip;]","og_url":"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/lazarus-groups-undercover-operations\/","og_site_name":"HITB (in)Cyber 2024 - Abu Dhabi","article_modified_time":"2023-05-26T05:06:27+00:00","twitter_card":"summary_large_image","twitter_misc":{"Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/lazarus-groups-undercover-operations\/","url":"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/lazarus-groups-undercover-operations\/","name":"Lazarus Group's Undercover Operations: Large-Scale Infection Campaigns 2022 - 2023 - HITB (in)Cyber 2024 - Abu Dhabi","isPartOf":{"@id":"https:\/\/conference.hitb.org\/hitbincyber2024\/#website"},"datePublished":"2022-07-07T09:32:39+00:00","dateModified":"2023-05-26T05:06:27+00:00","breadcrumb":{"@id":"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/lazarus-groups-undercover-operations\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/conference.hitb.org\/hitbincyber2024\/session\/lazarus-groups-undercover-operations\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/lazarus-groups-undercover-operations\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/conference.hitb.org\/hitbincyber2024\/"},{"@type":"ListItem","position":2,"name":"Session","item":"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/"},{"@type":"ListItem","position":3,"name":"Lazarus Group&#8217;s Undercover Operations: Large-Scale Infection Campaigns 2022 &#8211; 2023"}]},{"@type":"WebSite","@id":"https:\/\/conference.hitb.org\/hitbincyber2024\/#website","url":"https:\/\/conference.hitb.org\/hitbincyber2024\/","name":"HITB (in)Cyber 2024 - Abu Dhabi","description":"May 14 - 16, Etihad Arena ","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/conference.hitb.org\/hitbincyber2024\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-json\/wp\/v2\/session\/10609"}],"collection":[{"href":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-json\/wp\/v2\/session"}],"about":[{"href":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-json\/wp\/v2\/types\/session"}],"version-history":[{"count":2,"href":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-json\/wp\/v2\/session\/10609\/revisions"}],"predecessor-version":[{"id":12008,"href":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-json\/wp\/v2\/session\/10609\/revisions\/12008"}],"wp:attachment":[{"href":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-json\/wp\/v2\/media?parent=10609"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}