Defence firms are among a swathe of businesses to be targeted by a newly identified malware threat.
Global cyber security giant Kaspersky has uncovered ‘PseudoManuscrypt’ — a new malware threat that was blocked by the company on 35,000 computers across 195 countries between January and November 2021.
The threat contains similar features to the advanced persistent threat (APT) group Lazarus’ Manuscrypt malware.
Victims of PseudoManuscrypt reportedly include government organisations and industrial control systems across numerous industries.
Some of the impacted organisations were military-industrial enterprises and research laboratories, and 7.2 per cent of the attacked computers were part of industrial control systems (ICS).
Engineering and building automation represented the most affected industries.
According to Kaspersky, PseudoManuscrypt is initially downloaded on targets’ systems via fake pirated software installer archives, some of which are for ICS-specific pirated software.
The fake installers could be offered via a Malware-as-a-Service (MaaS) platform, and in some cases, installed via the Glupteba botnet.
Following initial infection, a complicated infection chain is initiated that eventually downloads the main malicious module.
Two variants of this module have been identified, both with advanced spyware capabilities, including logging keystrokes, copying data from the clipboard, stealing VPN (and potentially RDP) authentication credentials and connection data, and capturing screenshots.
Kaspersky has recommended organisations:
- install endpoint protection software on all servers and workstations;
- check that all endpoint protection components are enabled on all systems and a policy is in place which requires the administrator password be entered in the event someone attempts to disable the software;
- check that Active Directory policies include restrictions on user attempts to log in to systems, only allowing users to log in to those systems which they need to access to perform their job responsibilities;
- restrict network connections, including VPN, between systems on the OT network; block connections on all those ports that are not required for the continuity and safety of operations;
- use smart cards (tokens) or one-time codes as the second authentication factor when establishing a VPN connection. In cases where this is applicable, use Access Control List technology to restrict the list of IP addresses from which a VPN connection can be initiated;
- train employees in working securely with all communication channels and explain the possible consequences of downloading and executing files from unverified sources;
- use accounts with local administrator and domain administrator privileges only when this is necessary to perform job responsibilities;
- consider using Managed Detection and Response class services to gain quick access to high-level knowledge and the expertise of security professionals; and
- use dedicated protection for shop-floor systems that protect industrial endpoints and enable OT network monitoring to identify and block malicious activity.
“This is a highly unusual campaign, and we are still piecing together the various information we have,” Vyacheslav Kopeytsev, security expert at Kaspersky, said.
“However, one fact is clear: this is a threat that specialists need to pay attention to.
“It has been able to make its way onto thousands of ICS computers, including many high-profile organisations. We will be continuing our investigations, keeping the security community apprised of any new findings.”