Kaspersky pulls out of the US

Business news |
By Nick Flaherty

This article is also available in French.


Cybersecurity software developer Kaspersky Labs is to shut down its US operation after the US government issued sanctions against the Russian company.

The US government sanctions barred sales and downloads into the country from September, with new business banned from later this month.

The company has around 50 staff in the US.

“Despite proposing a system in which the security of Kaspersky products could have been independently verified by a trusted 3rd party, Kaspersky believes that the Department of Commerce made its decision based on the present geopolitical climate and theoretical concerns, rather than on a comprehensive evaluation of the integrity of Kaspersky’s products and services,” said the company.

“Kaspersky does not engage in activities which threaten U.S. national security and, in fact, has made significant contributions with its reporting and protection from a variety of threat actors that targeted U.S. interests and allies,” it also said.

The company had supplied security software for the MITRE vulnerabilities in the Internet of Things (IoT), customised services for embedded systems, and security for vehicles.

However, it had been subject to restrictions across Europe since 2017, long before the invasion of Ukraine that triggered the latest round of sanctions.

Ironically, Kaspersky’s Global Research and Analysis Team (GReAT) had uncovered an Advanced Persistent Threat (APT) group called CloudSorcerer that has been targeting Russian government entities.

Despite the similarities to CloudWizard, also discovered by Kaspersky, CloudSorcerer employs a unique codebase and functionality, setting it apart as a distinct cyber threat.

The group uses public cloud infrastructure, including Microsoft Graph, Yandex Cloud and Dropbox, as its primary command and control (C2) servers. The malware interacts with C2 servers through APIs, employing authentication tokens retrieved from a seemingly legitimate GitHub page.

CloudSorcerer employs a multi-stage attack strategy. First, attackers manually deploy the malware onto a victim’s machine. On gaining access, CloudSorcerer adapts its functionality based on the process it infects. For instance, it may behave differently when running in mspaint.exe compared to msiexec.exe.

To establish communication with its command and control center (C2), CloudSorcerer retrieves details, potentially a cloud storage location, from a GitHub page. This information is encoded within the page itself.

Finally, the malware gathers system information and exfiltrates it to the designated cloud storage using the chosen cloud service’s API.

Significantly, CloudSorcerer employs complex obfuscation and encryption techniques to avoid detection. It decodes commands using a hardcoded charcode table and manipulates Microsoft COM object interfaces to execute its malicious operations.
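As an added illustration of the detection angle (example code, not from the article or from Kaspersky), the following Python groups endpoint process-to-host telemetry and flags an unexpected process reaching a cloud storage API, raising the severity when the same process also fetched from GitHub, the staging-then-C2 sequence described above. The API hostnames, the process allowlist and the sample events are my assumptions, not indicators taken from the article.

```python
from collections import defaultdict

# Hostnames for the services the article names as CloudSorcerer C2 and staging
# channels. These are assumed API endpoints for detection tuning, not
# indicators taken from the article.
CLOUD_C2_HOSTS = {
    "graph.microsoft.com": "Microsoft Graph",
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
    "cloud-api.yandex.net": "Yandex Cloud",
}
STAGING_HOSTS = {"github.com", "raw.githubusercontent.com"}

# Processes expected to talk to these services on a workstation (assumed
# allowlist; tune to the estate). Anything else reaching a cloud API is odd.
EXPECTED_CLIENTS = {"outlook.exe", "teams.exe", "onedrive.exe", "dropbox.exe",
                    "chrome.exe", "msedge.exe", "firefox.exe", "git.exe"}


def find_cloud_c2_candidates(events):
    """Group process-network events by (host, process) and flag unexpected
    processes that reach a cloud API; severity rises to 'high' when the same
    process also fetched from GitHub, matching the staging-then-C2 pattern."""
    state = defaultdict(lambda: {"staging": False, "cloud": set()})
    for ev in events:
        proc = ev["process"].lower()
        if proc in EXPECTED_CLIENTS:
            continue
        key = (ev["host"], proc)
        if ev["dest"] in STAGING_HOSTS:
            state[key]["staging"] = True
        elif ev["dest"] in CLOUD_C2_HOSTS:
            state[key]["cloud"].add(CLOUD_C2_HOSTS[ev["dest"]])
    alerts = []
    for (host, proc), s in sorted(state.items()):
        if s["cloud"]:
            severity = "high" if s["staging"] else "medium"
            alerts.append((host, proc, severity, sorted(s["cloud"])))
    return alerts


# Constructed sample telemetry (not real data): WS01 shows the full pattern
# from the article, WS02 only the cloud-API leg, WS03 is a legitimate client,
# WS04 only touched GitHub and so is not reported.
SAMPLE_EVENTS = [
    {"host": "WS01", "process": "mspaint.exe", "dest": "raw.githubusercontent.com"},
    {"host": "WS01", "process": "mspaint.exe", "dest": "graph.microsoft.com"},
    {"host": "WS02", "process": "msiexec.exe", "dest": "api.dropboxapi.com"},
    {"host": "WS03", "process": "outlook.exe", "dest": "graph.microsoft.com"},
    {"host": "WS04", "process": "notepad.exe", "dest": "github.com"},
]
```

Running `find_cloud_c2_candidates(SAMPLE_EVENTS)` yields a high-severity hit for mspaint.exe on WS01 and a medium one for msiexec.exe on WS02; a process list alone is not proof of compromise, so the hits are triage leads to be checked against process lineage and command lines.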

“The deployment of CloudSorcerer highlights a sophisticated use of public cloud services for espionage, illustrating how threat actors exploit these platforms to conceal their activities. By integrating legitimate cloud services into their operations, these actors not only enhance their ability to remain undetected but also leverage the robust infrastructure of these platforms to execute complex espionage operations effectively. Our ongoing analysis underlines the importance of recognizing and mitigating such stealth tactics in governmental and corporate cybersecurity strategies,” said Sergey Lozhkin, principal cybersecurity researcher at Kaspersky’s GReAT.

www.kaspersky.com
