Lazarus Group Hacks Cryptocurrency Firm
Palo Alto Networks Unit 42 shared details of an engagement with an unnamed cryptocurrency firm attacked by the North Korean threat actor group Lazarus. The group has been active in the cryptocurrency space, targeting organizations and stealing large sums of money for financial gain. "They used a combination of commercial and custom-developed tools and persistent mechanisms to find a single device that allowed them to breach the network to steal several hundred thousand dollars' worth of clients' crypto funds."

A phishing email was the initial access vector and resulted in the installation of a backdoor. The attackers established persistence in the environment; the company was trialing an EDR product at the time, which initially removed them from the environment, but an infected host on which the EDR product had not been installed enabled the attackers to return. The attackers harvested credentials and moved laterally within the environment: "The attacker then pivoted to other corporate assets with the stolen credentials to get into the corporate email tenant using legitimate systems and credentials and removed users from distribution lists that would have been notified of any unauthorized financial transfers." The threat actors completed their objective by initiating multiple crypto transfers. With the funds exfiltrated, the attackers cleaned up the malware they had used in the environment and exited.