18-Nov-2017

IT security firm detects cyber gang-controlled servers in India

A major IT security software maker has detected servers in India that are used by the notorious cyber criminal gang Lazarus, which is believed to be behind large-scale cyber attacks across the world, including the recent WannaCry ransomware.

While researching the latest activities of the infamous cyber criminal group Lazarus, the company uncovered a number of compromised servers being used as part of the threat actor's global command and control infrastructure, the software company said.

"The compromised servers, found in Indonesia, India, Bangladesh, Malaysia, Vietnam, South Korea, Taiwan, Thailand, among others, could be used by Lazarus to launch targeted attacks against a company or organisation," the company said in a statement.

The Korean-speaking Lazarus group is believed to be behind recent high-profile cyber attacks such as the 2014 hack of Sony Pictures, the million-dollar Bangladesh Bank heist in 2016 and the recent destructive WannaCry ransomware epidemic, as per the statement.

A criminal group calling itself Guardians of Peace had claimed responsibility for the hack of Sony Pictures. It had demanded that Sony pull the film 'The Interview,' a comedy about a plot to assassinate North Korean leader Kim Jong-un.

The IT security major said Lazarus, which is also a Korean-speaking group, "is thought to be state-sponsored".

The US, China and India are the top three countries hosting the largest number of compromised servers, the company's report said.

3rd highest in India

"According to open source intelligence, three of the top five countries that still have servers carrying this vulnerability are in the APAC region: China (with 7,848), India (1,524) and Hong Kong (1,102). The US tops the list with the most vulnerable servers (11,949), while the United Kingdom ranks fifth with 805," the report said.

The company said its researchers discovered that the servers had been infected with malware called Manuscrypt, which was likely installed by exploiting a vulnerability in Microsoft Internet Information Services (IIS) that Microsoft patched on June 13, 2017.