Sharp increase in targeted attack campaigns

Targeted attacks (APT) on important information systems that hold large amounts of data and have great influence have been, and remain, one of the attack trends chosen by many hacker groups. This trend is growing as many organizations and businesses shift their operations to the digital environment, with ever larger data assets.

In fact, the cyber security situation in the world and in Vietnam in the first months of this year has clearly demonstrated the increasing trend of targeted attacks on the systems of units operating in key sectors such as energy, telecommunications, etc. Specifically, in Vietnam, in the first half of 2024, targeted attacks using ransomware on the systems of VNDIRECT, PVOIL, etc. caused disruptions in operations and material and reputational damage to these businesses as well as to activities to ensure national cyber security.

The intentional attack using malware to encrypt data on VNDIRECT's system earlier this year is a big lesson for units in Vietnam about ensuring information security. Photo: DV

In newly shared information, the National Cyber Security Monitoring Center (NCSC) under the Department of Information Security said that it has recently recorded information on cyber attack campaigns that deliberately use complex malware and sophisticated attack techniques to penetrate important information systems of organizations and businesses, with the main goals of cyber attack, information theft and system sabotage.

In the warning on September 11 sent to IT and information security units of ministries, branches, and localities; state-owned corporations, general companies, telecommunications, Internet and digital platform service providers, and financial and banking organizations, the Department of Information Security provided detailed information about APT attack campaigns by three attack groups: Mallox Ransomware, Lazarus and Stately Taurus (also known as Mustang Panda).

Specifically, the Department of Information Security synthesized and analyzed the behaviors of the attack groups in three targeted campaigns against important information systems: the campaign related to Mallox ransomware; the Lazarus group's campaign using Windows applications that impersonate video conferencing platforms to spread many types of malware; and the Stately Taurus group's campaign exploiting VSCode to attack organizations in Asia. It also provided indicators of compromise (IoC) so that agencies, organizations and businesses nationwide can review their systems and detect the risk of cyber attacks early.

Just before that, in August 2024, the Department of Information Security also issued a series of warnings about other dangerous targeted attack campaigns, such as: the campaign using the 'AppDomainManager Injection' technique to spread malware, identified as related to the APT 41 group and affecting organizations in the Asia-Pacific region, including Vietnam; the cyber attack campaign carried out by the APT StormBamboo group, targeting Internet service providers, with the aim of deploying malware on users' macOS and Windows systems to take control and steal important information; and the cyber attack campaign carried out by the APT MirrorFace attack group, with the 'target' being financial institutions, research institutes and manufacturers...

Diagram of the attack steps of the StormBamboo APT group targeting Internet service providers, warned by the Department of Information Security on August 6, 2024. Photo: NCSC

Information about targeted attack groups aiming at large organizations and businesses in Vietnam is also a topic that Viettel Cyber Security focuses on analyzing and sharing in its report on the information security situation in Vietnam in the first half of this year.

Specifically, analysis by Viettel Cyber Security experts shows that in the first half of 2024, APT attack groups have upgraded the tools and malware used in attack campaigns. Accordingly, the main attack method of APT groups is to use fake documents and software to trick users into executing malware; and the popular technique used by many groups is DLL-Sideloading, which takes advantage of clean executable files to load malicious DLLs, or exploitation through CVE security vulnerabilities.
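As a defender-side illustration of the DLL-Sideloading pattern described above (an added example, not taken from the Viettel Cyber Security report or the NCSC warnings), the following heuristic reviews image-load records shaped like Sysmon Event ID 7 and flags a process running outside the usual install directories that loads an unsigned DLL from its own folder. The trusted directory list, the function names and the sample events are assumptions constructed for this example.

```python
import ntpath

# Assumption: software installed by an administrator lives under these roots.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def is_sideload_suspect(event):
    """Flag a process outside the trusted roots that loads an unsigned
    (or invalidly signed) DLL sitting in the same directory as itself."""
    image = event["Image"].lower()
    loaded = event["ImageLoaded"].lower()
    if not loaded.endswith(".dll"):
        return False
    same_dir = ntpath.dirname(image) == ntpath.dirname(loaded)
    outside_trusted = not image.startswith(TRUSTED_ROOTS)
    # In Event ID 7, Signed and SignatureStatus describe the loaded module.
    dll_untrusted = (event.get("Signed") != "true"
                     or event.get("SignatureStatus") != "Valid")
    return same_dir and outside_trusted and dll_untrusted

def find_suspects(events):
    """Return (process image, loaded DLL) pairs worth manual review."""
    return [(e["Image"], e["ImageLoaded"]) for e in events if is_sideload_suspect(e)]

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\invoice\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\invoice\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\invoice\viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\bob\Downloads\tool\tool.exe",
     "ImageLoaded": r"C:\Users\bob\Downloads\tool\tool_core.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for image, dll in find_suspects(SAMPLE_EVENTS):
        print(f"review: {image} loaded {dll}")
```

A hit is a lead for triage, not a verdict: portable tools legitimately ship unsigned DLLs next to their executables, so the result should be checked against the published IoC and the file's origin.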

The APT groups assessed by Viettel Cyber Security's technical system to have a major impact on businesses and organizations in Vietnam in the first months of 2024 include: Mustang Panda, Lazarus, Kimsuky, SharpPanda, APT32, APT28, APT27.

Measures for early prevention of the risk of systems being attacked by APT

In its warnings about APT attacks, the Department of Information Security has recommended that agencies, organizations, and businesses inspect and review the information systems they are using that may be affected by the attack campaigns. At the same time, they should proactively monitor information related to cyber attack campaigns so they can act early to prevent the risk of being attacked.

Domestic agencies, organizations and businesses are advised to strengthen monitoring and prepare response plans when detecting signs of cyber exploitation and attacks. Photo: LA

At the same time, units are also recommended to strengthen monitoring and prepare response plans when detecting signs of exploitation and cyber attacks; regularly monitor warning channels of authorities and large information security organizations to promptly detect cyber attack risks.

With cyber attacks, including targeted attacks, constantly increasing globally and in Vietnam, information security experts have also recommended that domestic organizations and enterprises focus on a number of measures to minimize risks and maintain continuous production and business activities.

These are: reviewing processes and systems for managing customer data and internal data; proactively reviewing the system for signs of intrusion, and detecting and responding early to targeted attack groups; reviewing and upgrading versions of software and applications that contain security vulnerabilities with serious impacts...

Technical staff from Asia-Pacific countries practice responding to APT attacks. The international exercise APCERT 2024 with the theme 'Responding to APT attacks: Finding solutions to difficult problems' was held on August 29, with the participation of technical staff from Vietnam and other Asia-Pacific countries.