Government, aviation, education and telecom organizations in South and Southeast Asia have been targeted by a newly identified advanced persistent threat (APT) group tracked as Lancefly. The group deploys a custom-written backdoor called ‘Merdoor’ in a campaign that commenced in mid-2022 and continued into the first quarter of 2023.
According to researchers in Symantec—Broadcom Software, Lancefly’s custom malware is a powerful backdoor that appears to have existed since 2018. Symantec researchers observed it being used in some activity in 2020 and 2021, as well as in this more recent campaign.
Intelligence gathering is believed to be the motive behind Lancefly’s attacks. “The backdoor is used very selectively, appearing on just a handful of networks and a small number of machines over the years, with its use appearing to be highly targeted,” Symantec Threat Labs said in an analysis.
The attack chain
Symantec researchers previously saw the Merdoor backdoor used to target victims in the same geographies in the government, communications and technology sectors in 2020 and 2021.
Evidence from Lancefly’s earlier campaign in 2020 suggested that the group may have used a phishing email with a lure, targeting the 37th ASEAN Summit as an initial infection vector.
In this campaign, Symantec has not yet identified the initial infection vector. The group is known, however, to obtain initial access through phishing emails, the use of SSH credentials, brute forcing, and exploitation of vulnerable public-facing servers.
Lancefly also uses an updated version of the ZXShell rootkit. Its loader is responsible, among other functions, for deploying the payload and for reading shellcode from disk and executing it. ZXShell has previously been used by other Chinese APT operations, including APT41 and APT17.
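SSH brute forcing is one of the initial-access techniques attributed to Lancefly above, and it is one a defender can detect from sshd logs alone. The following is an added example, not code from Symantec or from the article: it parses OpenSSH syslog lines (the lines below are constructed for the example), flags a source IP that produces five failures within sixty seconds, flags a low-and-slow pattern of six failures spread over three hours, and upgrades either alert when the same IP later logs in successfully. The thresholds, the year used to complete the syslog timestamps, and the sample addresses are assumptions.

```python
"""Added example (not from the Symantec analysis or the article): detect SSH
password brute forcing, fast and low-and-slow, from sshd auth log lines.
The log lines are constructed sample data; the thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed OpenSSH syslog lines: a fast spray that succeeds as root, a user
# who mistyped once and then used a key, and a slow spray (one try per 20 min).
SAMPLE_LOG = """\
May 14 02:11:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
May 14 02:11:03 bastion sshd[2103]: Failed password for root from 203.0.113.5 port 40124 ssh2
May 14 02:11:04 bastion sshd[2105]: Failed password for invalid user oracle from 203.0.113.5 port 40126 ssh2
May 14 02:11:06 bastion sshd[2107]: Failed password for root from 203.0.113.5 port 40128 ssh2
May 14 02:11:07 bastion sshd[2109]: Failed password for invalid user test from 203.0.113.5 port 40130 ssh2
May 14 02:11:09 bastion sshd[2111]: Failed password for root from 203.0.113.5 port 40132 ssh2
May 14 02:11:12 bastion sshd[2113]: Accepted password for root from 203.0.113.5 port 40134 ssh2
May 14 02:30:00 bastion sshd[2200]: Failed password for alice from 198.51.100.7 port 51000 ssh2
May 14 02:30:40 bastion sshd[2202]: Accepted publickey for alice from 198.51.100.7 port 51002 ssh2
May 14 03:00:00 bastion sshd[2300]: Failed password for bob from 192.0.2.9 port 52000 ssh2
May 14 03:20:00 bastion sshd[2301]: Failed password for bob from 192.0.2.9 port 52001 ssh2
May 14 03:40:00 bastion sshd[2302]: Failed password for bob from 192.0.2.9 port 52002 ssh2
May 14 04:00:00 bastion sshd[2303]: Failed password for bob from 192.0.2.9 port 52003 ssh2
May 14 04:20:00 bastion sshd[2304]: Failed password for bob from 192.0.2.9 port 52004 ssh2
May 14 04:40:00 bastion sshd[2305]: Failed password for bob from 192.0.2.9 port 52005 ssh2
"""

# Matches the "Accepted/Failed <method> for [invalid user] <user> from <ip>" shape.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(lines, year=2023):
    """Yield (timestamp, result, user, ip) per sshd auth line; other lines are skipped.
    Syslog omits the year, so one is supplied (assumed 2023 for the sample)."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, fast=(5, 60), slow=(6, 3 * 3600)):
    """Return {ip: alert}. An IP is flagged 'bruteforce' on `fast` = (n, seconds)
    failures in a sliding window, or 'low_and_slow' on the wider `slow` window.
    A later 'Accepted' from a flagged IP upgrades the alert to
    'success_after_bruteforce', the event worth paging on."""
    fast_q, slow_q = defaultdict(deque), defaultdict(deque)
    alerts = {}
    for ts, result, user, ip in sorted(parse(lines), key=lambda e: e[0]):
        if result == "Failed":
            for q, (n, w), kind in ((fast_q[ip], fast, "bruteforce"),
                                    (slow_q[ip], slow, "low_and_slow")):
                q.append((ts, user))
                while (ts - q[0][0]).total_seconds() > w:  # drop events outside window
                    q.popleft()
                if len(q) >= n and ip not in alerts:
                    alerts[ip] = {"kind": kind, "first_seen": q[0][0],
                                  "users": {u for _, u in q}}
            if ip in alerts:
                alerts[ip]["users"].add(user)
        elif result == "Accepted" and ip in alerts:
            alerts[ip]["kind"] = "success_after_bruteforce"
            alerts[ip]["compromised_user"] = user
    return alerts


if __name__ == "__main__":
    for ip, a in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, a["kind"], sorted(a["users"]), a.get("compromised_user"))
```

Two windows are used deliberately: a single short window is what a fail2ban-style rule implements, and the slow spray from 192.0.2.9 (one attempt every twenty minutes) never trips it, so an attacker who paces attempts below that threshold goes unnoticed unless a longer window is also counted. The success-after-failures upgrade is the condition to alert on, since it indicates the credential guessing worked and the host should be treated as compromised.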
Systemic cybersecurity risks
Cybersecurity incidents can cause a domino effect, spreading from one organization to others and across borders. The risks this creates are potentially systemic and are often beyond the control of any single entity. Technological innovation has outpaced regulation, and threat actors have continued to learn and evolve rapidly.
Managing systemic cybersecurity risk at this speed cannot be left solely to individual organizations. “Cyber Resilience is a constantly moving target as businesses can get exposed to new threats and risks every second, every hour and every day while exploiting the benefits from their digital transformation journey,” said Amit Jain, Executive Vice President, Cybersecurity & GRC Services, HCLTech.
A way ahead
According to the World Economic Forum’s Global Cybersecurity Outlook 2023 report, 17% of security executives expressed concern about the level of cyber resilience in their business, up from 13% the year before.
Among business executives, by contrast, increased awareness of cyber risk led to a marked increase in concern. This is likely due to a better understanding by business leaders of the damage a major cyberattack can do to their operations, commercial relationships and reputation.
In late 2022, the United States Securities and Exchange Commission (SEC) created rules that make cyber-risk reporting and business resilience planning a vital component of effective board management.
Given the potential financial impacts of cyber risks, the World Economic Forum and National Association of Corporate Directors (NACD) Principles for Board Governance of Cyber Risk insights report finds that this is a board level issue that needs to be proactively addressed. It is essential for the board to ensure budgets allocated to cybersecurity risk align to effectively mitigate potential impact.
“A dynamic Cybersecurity approach is the need of the hour, which not only looks at policies, process and technology but also considers people and culture as a key ingredient to building a resilient posture,” said Renju Varghese, Fellow & Chief Architect, Cybersecurity & GRC Services, HCLTech.
The days when security budgets were set without business impact context are over. To embed a culture of proactive cybersecurity, security leaders should consider consolidating their security controls into a more unified platform rather than running several disparate best-of-breed products. This can lower costs and improve operational efficiency, and the reduced complexity itself contributes to a stronger security posture.
“Cyberattacks can’t be avoided but preparedness and agility, along with lower complexity would allow organizations to truly be able to respond to cyber threats quickly and create a sustainable dynamic Cyber Resilience,” said Jain.