Skip to content

Iran-aligned Agrius group deploys new wiper through supply-chain attack in diamond industry, ESET Research discovers

  • Agrius conducted a supply-chain attack abusing an Israeli software suite used in the diamond industry.
  • Agrius is a newer Iran-aligned APT group solely focused on destructive operations.
  • The group then deployed a new wiper we named Fantasy. Most of its code base comes from Apostle, Agrius’s previous wiper.  
  • Along with Fantasy, Agrius also deployed a new lateral movement and Fantasy execution tool that we have named Sandals.
  • Victims include Israeli HR firms, IT consulting companies, and a diamond wholesaler; a South African organization working in the diamond industry; and a jeweler in Hong Kong.

BRATISLAVA, MONTREAL — December 7, 2022 — ESET researchers discovered a new wiper and its execution tool, both attributed to the Iran-aligned Agrius APT group. The malware operators conducted a supply-chain attack abusing an Israeli software developer to deploy their new wiper, Fantasy, and a new lateral movement and Fantasy execution tool, Sandals. The abused Israeli software suite is used in the diamond industry, and in February 2022, Agrius began targeting an Israeli HR firm, a diamond wholesaler, and an IT consulting firm. The group is known for its destructive activities. Victims were observed in South Africa and Hong Kong as well.

“The campaign lasted less than three hours, and within that timeframe, ESET customers were already protected with detections identifying Fantasy as a wiper and blocking its execution. We observed the software developer pushing out clean updates within a matter of hours of the attack,” says Adam Burgher, ESET Senior Threat Intelligence Analyst. ESET contacted the software developer to notify them about a potential compromise, but the inquiries went unanswered.

“On February 20, 2022, at an organization in the diamond industry in South Africa, Agrius deployed credential harvesting tools, probably in preparation for this campaign. Then, on March 12, 2022, Agrius launched the wiping attack by deploying Fantasy and Sandals, first to the victim in South Africa, then to victims in Israel, and lastly to a victim in Hong Kong,” elaborates Burgher.

Fantasy wiper either wipes all files on disk or wipes all files with extensions on a list of 682 extensions, including filename extensions for Microsoft 365 applications such as Microsoft Word, Microsoft PowerPoint, and Microsoft Excel, and for common video, audio, and image file formats. Even though the malware takes steps to make recovery and forensic analysis more difficult, it is likely that recovery of the Windows operating system drive is possible. Victims were observed to be back up and running within a matter of hours.

Agrius is a newer Iran-aligned group targeting victims in Israel and the United Arab Emirates since 2020. The group initially deployed a wiper, Apostle, disguised as ransomware, but later modified Apostle into fully fledged ransomware. Agrius exploits known vulnerabilities in internet-facing applications to install webshells, then conducts internal reconnaissance before moving laterally and then deploying its malicious payloads.

Since its discovery in 2021, Agrius has focused solely on destructive operations. Fantasy is similar in many respects to the previous Agrius wiper, Apostle. However, Fantasy makes no effort to disguise itself as ransomware. There are only a few small tweaks between many of the original functions in Apostle and the Fantasy implementation.

For more technical information about Agrius’s Fantasy wiper, check out the blogpost “Fantasy – a new Agrius wiper deployed through a supply-chain attack” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

JumpCloud RADIUS Certificate-Based Auth Feature Bulletin Blog

Streamlined and unified authentication to all resources is a core feature of JumpCloud’s open directory platform. That capability extends to secure network access into Wi-Fi and VPNs. JumpCloud’s cloud RADIUS service now supports credential-based (password) and certificate-based (passwordless) authentication. 

The combination of these authentication methods addresses the vast majority of risk levels an organization may face. Furthermore, the certificate-based authentication (CBA) approach is considered the most secure and frictionless method available today. JumpCloud’s CBA is consistent with the open directory principles, offering IT and network admins the flexibility to bring your own certificates (BYOC) as well as the future ability to manage certificates within JumpCloud.

What Is RADIUS Certificate-Based Authentication?

RADIUS Certificate-Based Authentication (CBA) is an authentication method that leverages the content of a X.509 compliant certificate to validate the identities of the device and the user requesting access to a network resource. RADIUS CBA obtains the certificate contents from the RADIUS client when a user requests access to an AP (access point) via client PC (RADIUS client). It then validates the standing of the certificate, as well as the certificate trust chain, with the corresponding certificate authority (CA). Finally, RADIUS CBA verifies the user status and access privileges against the JumpCloud Directory before allowing access to the RADIUS resource (typically Wi-Fi or VPN) when the certificate is validated. 

The Benefits of RADIUS CBA

The benefits of CBA are predicated on two fundamental capabilities. First, the ability to positively identify the authenticating party by leveraging the digital private/public key pair technology recognized as the most secure technology in the industry; and second, the ability to authenticate the user bound to the certificate without any input from the user (frictionless). Small and medium-sized enterprises (SMEs) can use CBA to secure and streamline user authentication flows and eliminate the potential for identity silos or duplicate systems.

Key Features of RADIUS CBA

All current cloud RADIUS features are available with the RADIUS CBA release. The following new capabilities are part of this new release:

  • Bring your own certificates (BYOC) – The initial release of RADIUS CBA allows IT administrators to import their certificates into RADIUS for authentication. The certificate lifecycle management and delivery to target endpoints is achieved by tools external to JumpCloud. 
  • Multilayer User Authentication – Before allowing user access, RADIUS CBA authenticates the good standing of a certificate (expiration, origin, and revoke status), compliance to one of three JumpCloud user certificates supported (Email user identifier in Subject Alternative Name field, Email user identifier in Distinguished Name field, or Username user identifier in Common Name field), the user status in JumpCloud directory, and finally the user certificate location (must be located on target client device).
  • Password as an alternative to certificates – RADIUS CBA allows administrators to use credentials as an initial alternative to certificate. This capability enables the gradual migration to certificate based authentication. Users can initially authenticate using their Username/Password then transition to certificates.
  • User groups – The traditional user group association capability and assignment to RADIUS AP is also available with certificates. Groups leverage JumpCloud’s attribute-based access control (ABAC) to automate identity lifecycle management.
  • Consolidated IT infrastructure –No additional servers, Windows Server roles, or on-premise infrastructure is required to set up and maintain cloud RADIUS CBA. This lowers IT’s administrative overhead and reduces potential cyberattack surface areas.
  • ​​​​​​​Certificate Status check during Authentication BYOC supports validating the good standing of a certificate on every authentication transaction via the Online Certificate Status Protocol (OCSP). 

The Benefits of RADIUS CBA/BYOC

Certificates may originate from multiple CAs. Organizations that already use and manage certificates can import them into JumpCloud and use them for authentication to JumpCloud RADIUS to secure network access. For more on the JumpCloud CBA, see Certificate-Based Authentication to RADIUS for Admins.

Examples of BYO Certs in Action

When the SME wants its users to authenticate securely and without friction, the administrator:

  • Selects the “passwordless” authentication method
  • Imports the certificate chain, which allows the JumpCloud RADIUS server to challenge the RADIUS client with EAP-TLS mutual authentication. 

The admin can also allow password authentication as a fallback method for those users who have not yet received a certificate.

Admin 

screenshot of primary authentication

When a user initially connects to a Wi-Fi device configured for JumpCloud RADIUS with certificate authentication (and password as a fallback), they can select “connect using a certificate.” Going forward, authentication to the Wi-Fi AP will happen automatically without any additional input from the user.

screenshot of connecting to RADIUS

JumpCloud’s cloud RADIUS validates the certificate contents provided and checks if the certificate, and user, are in good standing before granting access to the Wi-Fi network.

Try JumpCloud Cloud RADIUS

JumpCloud offers its full open directory platform without any charges for up to 10 users and devices. Free chat support is provided for 10 days to help get you started. Pricing is workflow-based to help SMEs meet their unique requirements versus feature-based SKUs. Would you prefer tailored, white-glove implementation assistance? Schedule a free 30-minute technical consultation to learn about the service offerings available to you.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About JumpCloud
At JumpCloud, our mission is to build a world-class cloud directory. Not just the evolution of Active Directory to the cloud, but a reinvention of how modern IT teams get work done. The JumpCloud Directory Platform is a directory for your users, their IT resources, your fleet of devices, and the secure connections between them with full control, security, and visibility.

How Does PAM Help Protect Against Ransomware Attacks?

According to data extracted from a Cybersecurity Ventures‘ survey, ransomware costs will reach $20 billion next year. The survey also predicts this type of cyberattack will target corporations every 11 seconds.

Ransomware consists of malware used by malicious agents to block their victims’ computers and then demand a ransom. This malware has evolved, going beyond encrypting data and causing the shutdown of operations in companies: ransomware such as Maze also causes the leak of sensitive information, endangering the credibility of a company and can generate great financial losses.

The good news is that it is possible to prevent this threat by using Privileged Access Management (PAM), and this is the subject of this article. Keep reading our text to the end and learn everything about it!

  • How to Prevent Ransomware Attacks with PAM
  • In this topic, we will show you how PAM helps prevent ransomware attacks. In practice, it allows to:
  • Know and Manage Privileged Credentials
  • Use Protection Strategies Based on Zero Trust
  • Implement the Principle of Least Privilege
  • Enhance Security in Remote Access
  • Audit Actions Performed Through Privileged Credentials

Below, we explain each of these aspects in more detail:

Know and Manage Privileged Credentials

In various types of cyberattacks, hackers use compromised credentials, and ransomware is no different, after all, to run this malicious software one needs to have privileges.

For this reason, it is recommended to discover and manage privileged credentials through Privileged Access Management (PAM). This solution makes it possible to discover, integrate, manage, switch, and audit credentials, as well as eliminate credentials that are no longer in use.

The best PAM tool for the discovery and management of privileged credentials is PAM senhasegura, which has discovery features considered best-in-class by the PAM market.

Use Protection Strategies Based on Zero Trust

Deploying the Zero Trust-based network security model is also essential to prevent ransomware attacks.
This concept considers no user or device should be allowed to connect to IT systems and services without first being authenticated, according to the strategy ?never trust, always verify?.

In practice, the Zero Trust model works as an extremely effective protection, which verifies credentials continuously before granting access through methodologies such as Just in Time.

Just in Time is a technique that offers each user only the necessary access for the required time to perform their activities.With PAM, it is possible to ensure the granular definition of privileges through strategies based on Zero Trust, such as Just in Time. Forrester highlighted the access granularity of senhasegura in its Wave for PIM report.

Implement the Principle of Least Privilege

One of the ways to prevent most ransomware attacks is through the Principle of Least Privilege (POLP).
This strategy also limits the impact of ransomware that can be installed in your IT environment, preventing hackers from moving laterally and diminishing their ability to elevate privileges.

That is, if the malicious attacker steals a credential with limited access or without privileges, the losses will be much lower. In this sense, endpoint privilege management tools are essential features of Privileged Access Management platforms.

This is because the connection of endpoint devices such as IoT devices, smartphones, laptops, and tablets increases the attack surface, making it easier for malicious attackers to work.

senhasegura offers GO Endpoint Manager for Windows and Linux endpoint and workstation privilege management, which allows segregation for access to confidential information, isolating critical environments.

Enhance Security in Remote Access

Remote access is one of the major security vulnerabilities of companies in general. With it, employees and third-party suppliers do not always adhere to the security practices stipulated by the companies. We highlight the choice of weak or reused passwords or the use of the same password by a group of people among the main failures.

With Privileged Access Management, each user will only have access to resources indispensable to performing their tasks, thus reducing the attack surface, since administrators will be able to approve or deny access requests.

Through senhasegura Domum, secure remote access can be performed by employees and third parties with all senhasegura PAM remote session capabilities, providing Zero Trust-based access to corporate network devices without the need for a VPN.

Audit Actions Performed Through Privileged Credentials

Another capability of Privileged Access Management is to facilitate the audit of actions performed through privileged credentials, controlling risks such as improper access to these accounts.

senhasegura enables the implementation of stricter controls, which automate and centralize access to privileged credentials, protecting the IT infrastructure against data theft and compliance failures.
Through senhasegura PAM, it is possible to:

  • Obtain automated control of privileged account policies, enabling continuous monitoring and adherence to audit requirements;
  • Ensure full visibility of “who, when, and where”, as well as “what” happened during a session with privileged credentials;
  • Issue simplified audit reports from a central audit data repository;
  • Reduce operational costs and response time with ongoing audits.

About senhasegura

We are senhasegura, a company that integrates MT4 Tecnologia, a group founded in 2001 with a focus on digital security.

We are present in more than 50 countries, with a commitment to providing digital sovereignty and cybersecurity to our clients, granting control over actions and sensitive data and preventing information thefts and leaks.

To achieve this goal, we follow the lifecycle of privileged access management through machine automation, before, during, and after accesses. We also work for:

  • Avoiding the interruption of activities of companies, which may impair their performance;
  • Automatically auditing the use of privileges;
  • Automatically auditing privileged actions in order to identify and avoid privilege abuses;
  • Offering advanced Privileged Access Management solutions;
  • Reducing cyber threats; and
  • Keeping organizations in compliance with audit criteria and standards such as HIPAA, PCI DSS, ISO 27001, and Sarbanes-Oxley.

Conclusion

In this article, you saw that:

  • Ransomware consists of malware used by malicious agents to block their victims’ computers;
  • This malicious software can be countered by Privileged Access Management (PAM) tools;
  • This tool allows one to know and manage privileged credentials, use protection strategies based on Zero Trust, implement the principle of least privilege, reinforce security in remote access, and audit actions performed through privileged credentials.

Did you like our article? Then share it with others who want to know how Privileged Access Management contributes to preventing ransomware attacks.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Segura®
Segura® strive to ensure the sovereignty of companies over actions and privileged information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.

Why do you need both IDS and IPS, or maybe the NGFW too?

I would like to straighten the defense of the web application by talking about Intrusion Detection and Prevention Systems (IDS and IPS) as the third member of this security trio defense: WAF, RASP, and IDPS. In the previous articles, I talked about security defense technology Runtime Application Self-Protection (RASP) and Web Application Firewall (WAF).

What are IDS and IPS?

 

Intrusion Detection Systems and Intrusion Prevention Systems are used to detect intrusions and, if the intrusion is detected, to protect from it.

First, I will focus on explaining the differences between the WAF, RASP, and IDPS.

 

What is the difference between WAF, RASP, and IDPS?

 

I have already explained in previous articles the difference between WAF and RASP. Still, I will introduce IDPS and show you exactly why a combination of this trio is the best security choice.

Summary: IDPS is used to detect intrusions and protect from them. WAF will detect and block attacks based on rules, patterns, algorithms, etc. RASP detects the application runtime behavior using algorithms.

 

Why is it best to use both IDS and IPS?

 

To better understand why it is important to use both systems, we need to know what each of them does and doesn’t do and how combining them gives more effective protection. Each of those systems has its own types, which will be explained below.

 

Location and Range

 

These two types of security systems operate in different locations and have different ranges.

Facts:

·   IDS works across the enterprise network in real-time by monitoring and analyzing network traffic.

·   IPS works in the same network location as a firewall by intercepting network traffic.

·   IPS can use IDS to expand the range of monitoring.

By knowing this and using both IDPS, you can cover more range.

 

Host-based IDS and IPS

 

There are a few types of IDS and IPS. I will mention them so you can know which one targets what, but there is plenty of online documentation for more information.

 

Host-based IDS (HIDS) is used for protecting individual devices. It is deployed at the endpoint level. It checks network traffic in and out of a device, and it can examine logs and running processes. HIDS protects only the host machine. It does not scan complete network data. Similar to this type, IPS has its own Host-based IPS (HIPS). HIPS is deployed on clients/servers, and it monitors the device level as well.

 

Network-based IDS and IPS

 

Network-based IDS (NIDS) works on monitoring the entire network. It looks out at every network device and analyzes all the traffic to and from those devices. On the other side, IPS has its own type, called Network-based IPS (NIPS), deployed within the network infrastructure. It monitors the complete network and, if needed, tries to protect it.

**NIDS and NIPS are very important to network forensics and incident response because they compare incoming traffic to malicious signatures and differentiate good traffic from suspicious traffic.

 

Wireless IPS

 

IPS also has Wireless IPS (WIPS) type that monitors radio waves (wireless LAN) for unauthorized access points, which you can use to automate wireless network scanning. Techtarget site provided ways of using WIPS in enterprise in this article. Check it out!

 

Protocol-based intrusion detection systems (PIDS) and Application protocol-based intrusion detection systems (APIDS)

 

Both protocol-based systems are the type of IDS. They both monitor traffic to and from devices. The only difference is that PIDS monitors one server and APIDS group of servers.

 

Network behavioral analysis (NBA)

 

Network behavioral analysis (NBA) is the type of IPS that looks for unexpected behavior within patterns of a network itself.

 

IDS and IPS modes

 

IDS is generally set to work in inline mode. As for IPS, it is set to work in the network behind the firewall. It can operate in both modes: as an end host or in inline mode.

 

Most used IDS/IPS tools in 2022

 

According to softwaretestinghelp.com, the list of most used IDS tools is this:

·   SolarWinds Security Event Manager

·   Bro

·   OSSEC

·   Snort

·   Suricata

·   Security Onion

·   Open WIPS-NG

·   Sagan

·   McAfee Network Security Platform

·   Palo Alto Networks

For more info regarding pricing, pros, cons and features of these tools checkout the softwaretestinghelp site.

Also, spiceworks.com provided the list of the most used IDPS tools:

·   AirMagnet Enterprise

·   Amazon Web Services (AWS) GuardDuty

·   Azure Firewall Premium IDPS

·   Blumira

·   Cisco Secure IPS (NGIPS)

·   Darktrace Enterprise Immune System

·   IBM Intrusion Detection and Prevention System (IDPS) Management

·   Meraki MX Advanced Security Edition

·   NSFocus Next-Generation Intrusion Prevention System

·   Snort

For more info regarding pricing, pros, cons and features of these tools check out the spiceworks site. This research will also help you choose the right IDPS solution based on these tools’ features.

 

What is Next-Generation Firewall (NGFW) or Unified Threat Management (UTM)?

 

There is a modern type of technology that combines IDS and IPS with firewalls called Next-Generation Firewall (NGFW) or Unified Threat Management (UTM).

NGFW includes:

·   Standard firewall features (packet filtering, stateful inspection, and VPN awareness)

·   Integrated Intrusion Prevention (IPS)

·   Application awareness of threats

·   Detect and block risky apps

·   Threat intelligence

·   Upgrading security features (such as future information feeds)

·   New techniques that help to address new security threats

Researchers for nomios site have gathered information and made a list of the top 5 vendors for NGFW in 2022. Also, they gave suggestions on what you should look for when choosing the right NGFW tool. Check it out!

 

Conclusion

 

You should combine IDS and IPS because of three things: response, protection, and impact. If you decide to use IDS, the testing will stop at the detection phase but using IPS based on settings and policy testing will also include the prevention. Because IPS reacts immediately, it gives a certain layer of protection aside from detecting malicious activity. However, there are false positives possible using IPS that will end up shutting your network.

Organizations often set up Integration Detection Systems to handle the logs and notifications/alerts, routers, firewalls, and servers to fight threats.

A better solution would be using a combination of IDPS and setting it up when planning security. In the future, when the organization grows and needs better protection, it will be possible to use IDS/IPS solutions for additional networks, servers, or devices.

Also, depending on the organization’s security needs and cost restrictions, NGFW can be a good choice too!

 

Cover photo by krakenimages

#IPS #IDS #IDPS #NGFW

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

Chinese-speaking MirrorFace targeted a Japanese political party with espionage and credential-stealing malware ahead of elections, ESET Research uncovers

  • At the end of June 2022, MirrorFace launched Operation LiberalFace, which targeted Japanese political entities.
  • Spearphishing email messages containing the group’s flagship backdoor LODEINFO were sent to the targets.
  • LODEINFO was used to deliver additional malware, exfiltrate the victims’ credentials, and steal the victims’ documents and emails.
  • A previously undescribed credential stealer we have named MirrorStealer was used in Operation LiberalFace.
  • MirrorFace is a Chinese-speaking APT group targeting companies and organizations based in Japan.

 
BRATISLAVA, BRNO — December 14, 2022 — ESET researchers discovered a spearphishing campaign, launched in the weeks leading up to the Japanese House of Councillors elections in July 2022, by the APT group that ESET Research tracks as MirrorFace. The investigation into the campaign, which ESET Research has named Operation LiberalFace and which targeted Japanese political entities, revealed that the members of a specific Japanese political party were of particular focus in this campaign. The spearphishing email messages contained the group’s flagship backdoor LODEINFO, which was used to deliver additional malware, exfiltrate the victims’ credentials, and steal the victims’ documents and emails. MirrorFace is a Chinese-speaking threat actor with targets based in Japan.

Purporting to be a Japanese political party’s PR department, MirrorFace asked the email recipients to distribute the attached videos on their own social media profiles to further strengthen the party’s PR and to secure victory in the House of Councillors. Furthermore, the email provides clear instructions on the videos’ publication strategy. The email was purportedly sent on behalf of a prominent politician. All spearphishing messages contained a malicious attachment that upon execution deployed LODEINFO on the compromised machine. MirrorFace started the attack on June 29, 2022, ahead of the Japanese elections in July.

LODEINFO is a MirrorFace backdoor that is under continual development. Its functionality includes capturing screenshots, keylogging, killing processes, exfiltrating files, executing additional files, and encrypting defined files and folders. The attack used a previously undocumented credential stealer that ESET Research has named MirrorStealer. It is able to steal credentials from various applications, such as browsers and email clients.

“During the Operation LiberalFace investigation, we managed to uncover further MirrorFace tactics, techniques, and procedures, such as the deployment and utilization of additional malware and tools to collect and exfiltrate valuable data from victims. Moreover, our investigation revealed that the MirrorFace operators are somewhat careless, leaving traces and making various mistakes,” says ESET researcher Dominik Breitenbacher, who discovered the campaign.

MirrorFace is a Chinese-speaking threat actor targeting companies and organizations based in Japan. While there is some speculation that this threat actor might be related to APT10, ESET is unable to link it with any known APT group. Therefore, ESET is tracking it as a separate entity named MirrorFace. In particular, MirrorFace and LODEINFO, its proprietary malware used exclusively against targets in Japan, have been reported as targeting media, defense-related companies, think tanks, diplomatic organizations, and academic institutions. The goal of MirrorFace is espionage and exfiltration of files of interest.

For more technical information about Operation LiberalFace by the MirrorFace APT group, check out the blog post “Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

×

Hello!

Click one of our contacts below to chat on WhatsApp

Social Chat is free, download and try it now here!

×