How do I attack thee? Let me count the passwords. Apologies to Elizabeth Barrett Browning, but it seemed fitting, considering the numerous attack avenues available to password hackers these days. There’s the obvious infostealer malware route, which has resulted in billions of passwords being available to buy online, the equally obvious and just as dangerous email phishing campaigns, and, of course, then there are hackers. Not your common-or-garden cybercriminal groups either, but state-sponsored advanced persistent threat actors dedicated to targeting your system to extract Windows passwords and more. Here’s everything you need to know about APT Group123.
Windows Passwords Targeted By APT Group123
With multiple industry sectors in the crosshairs and across multiple global locations, one advanced persistent threat actor in particular has caught my attention: Group123. This state-sponsored North Korea criminal hacking group, has not only expanded its attack range beyond the original South Korean-only targets to include Japan, the Middle East and Vietnam, among others, but its impact as well. Whereas Group123 was originally only interested in cyber-espionage, it would appear that ransomware attacks and financial motives have now entered the attack equation.
A May 14 report from threat intelligence analysts at Cyfirma, has revealed that Group123 is taking aim at Windows systems with the Windows Credential Manager firmly in mind for the harvesting of credentials. Group 123, known by a multitude of aliases including Cloud Dragon, InkySquid, Reaper, Red Eyes, and ScarCruft, among others, has been observed using custom malware and leveraging Windows application programming interface calls in ongoing attacks. Initial access is by way of, yes, you probably guessed by now, phishing email campaigns, and target vulnerabilities in Microsoft Office, web servers and assorted internet-facing applications. The report has confirmed that the attackers will also deploy disk wipers and conduct ransomware operations during some of their campaigns.
Detecting the Group123 attackers is harder than spotting other cybercrime threats, as is often the case with such APT actors. Cyfirma noted that a number of methods are being employed to evade detection, including the use of HTTPS encryption, splitting of payloads into multiple stages, checking for defensive tools and a preference for sideloading DLLs. What you can do to protect your systems, however, is be on the alert for those initial phishing attacks, which means employing all the usual mitigations.
I have reached out to Microsoft for a statement regarding the Group123 risk to Windows passwords.
