Defense firms in over a dozen countries have found themselves targeted by a new backdoor threat named as ThreatNeedle. And it’s hitting firms hard.
The last thing that a defense firm wants is for their networks to be breached. Not only does it damage their reputation as a defense firm, but it puts significant data at risk. Hackers, of course, love to cause trouble, so a defense organization is the perfect target. But the hackers behind the ThreatNeedle malware are more than just a minor hacking group. The threat is believed to come from Lazarus, a secretive hacking group with ties to the North Korean government.
As this is a major threat we’re going to put ThreatNeedle under the microscope for a closer look.
What is ThreatNeedle?
ThreatNeedle takes a spear phishing approach to begin its campaign and does this by faking email addresses that look as though they belong to the target company. This move, which is relatively easy with an email server and the right software, allows the victims to be lulled into a false sense of security. This scenario is then exploited by embedding malicious links or attaching infected documents. Often, these emails have been laced with a COVID-19 theme in order to fully engage the user, but any subject may be used to rush the recipient into action.
The attackers, once the ThreatNeedle payload has been unleashed, are then able to take control of the victim’s PC. Naturally, this means that they will carry out typical hacking attacks such as:
- Executing remote commands to run applications and download further malware
- Send workstations into hibernation mode to disrupt IT activities
- Log data and transmit to a remote PC where it can be archived and exploited
However, ThreatNeedle also has an innovative ace up its sleeve. Generally, if a network is segmented then malware will be limited to the segment it infects. This limits the amount of damage that can be caused to an entire network. So, for example, a set of PCs which are not connected to a network by the internet should be safe from all hacks. Unfortunately, ThreatNeedle is able to take advantage of IT department’s administrator privileges. This grants them the opportunity to access all segmented areas of a network. And it maximizes the damage they can cause.
How Do You Protect Against ThreatNeedle?
As with all malware, you don’t have to fall victim to ThreatNeedle. You just need to keep your wits about you and understand its threat. You can do this by carrying out the following:
- Disable Macros: The ThreatNeedle emails rely on macros being executed within infected documents. But, if you disable Macros across your organization, the malware will not be able to run. This will stop ThreatNeedle at the earliest opportunity.
- Educate Staff on Phishing Emails: It’s important that your staff are fully trained on the dangers of phishing emails. Social engineering is a popular technique employed by hackers, but it can be thwarted if you know what to look for.
- Always Install Updates: ThreatNeedle, as far as researchers are aware, does not exploit any vulnerabilities in software or hardware. But this doesn’t mean it can’t or won’t in the future. Either way, it always pays to be proactive with installing updates to protect your PC.
For more ways to secure and optimize your business technology, contact your local IT professionals.