F-Secure: Enhance EDR to Stop Lazarus Group

Security researchers have urged organizations to upskill incident detection and response teams, after revealing a new Lazarus Group attack which managed to bypass advanced EDR and network security at a cryptocurrency firm.

The tactical intelligence report details an attack which took place last year as part of the North Korean state-sponsored group’s wider multi-year campaign against crypto firms. Active since 2018, the attackers are likely to have used the same artifacts in at least 14 countries: the United States, China, the United Kingdom, Canada, Germany, Russia, South Korea, Argentina, Singapore, Hong Kong, Netherlands, Estonia, Japan and the Philippines.

Lazarus Group invested “significant effort” to bypass the victim organization’s cyber-defenses, such as by disabling AV on compromised hosts and removing evidence of malicious implants. However, these actions were “noisy” in themselves and served as clear signs that should have been picked up, said F-Secure.

The group also used native OS utilities to blend in, but again “elements of the commands used will often be anomalous and use specific esoteric strings that offer blue teams detection opportunities,” said F-Secure.

“These commands can blend in with standard activity, so it may not be possible to build high fidelity detection for all the techniques used,” the report noted.

“In this situation the use of lower fidelity detections that are then aggregated on a host basis in order to correlate activity and build intelligent thresholding in to alerting systems can help to detect malicious activity without generating too many false positives.”

In fact, Lazarus Group has been using the same family of tooling observed back in 2016. It is still effective because of these obfuscation techniques, although this offers further opportunities for detection.

F-Secure concluded that effective detection and response is not simply about having the right tools, but also the users who know what to look for.

“The target in this investigation had a leading EDR and network security tool installed that captured telemetry of Lazarus Groups actions, but this did not result in a positive detection that was actioned,” it argued.

“It is F-Secure’s view that people play an important role in building effective detection capability, and this incident serves as an example of the need to invest in people as well as technology.”

What’s Hot on Infosecurity Magazine?