TSMC Refutes Ransomware Gang’s Claim as Third-Party Supplier Discloses Data Breach Attack

  • Written by Shipra Sanganeria Cybersecurity & Tech Writer

Taiwan-based TSMC (Taiwan Semiconductor Manufacturing Company) has denied in a statement the claims that it was hacked by the infamous ransomware group LockBit. The world’s largest chipmaker found itself on the group’s leak site because one of its IT hardware suppliers had been breached.

Meanwhile, TSMC, in a statement shared with several media outlets, disclosed that it had not been attacked; rather, one of its outsourced hardware suppliers had suffered a LockBit hack. In the incident, Kinmax Technology found that data related to initial server setup and configuration had been compromised.

The company further said that the incident had not affected its business operations or compromised any customer information. TSMC also disclosed that, after confirming that none of its network systems had been impacted, it ‘immediately terminated its data exchange with this concerned supplier in accordance with the Company’s security protocols and standard operating procedures’.

The impacted supplier, Kinmax, released a statement on 29 June 2023 disclosing the cyberattack: “In the morning of June 29, 2023, the Company discovered that our internal specific testing environment was attacked, [..] The leaked content mainly consisted of system installation preparation that the Company provided to our customers as default configurations. [..] The company has thoroughly investigated this incident and implemented enhanced security measures to prevent such incidents from occurring in the future.”

TSMC is said to be the largest player in the semiconductor market worldwide. It employs more than 65,000 people, with reported revenues of over $72 billion in 2022. The Taiwan-based Kinmax Technology is a systems integrator that claims to partner with major companies including HPE, Cisco, Microsoft, VMware, Nvidia and Red Hat, among others.

North Korean ‘Andariel’ Threat Group Adds New EarlyRAT Malware to Its Phishing Campaign

  • Written by Shipra Sanganeria Cybersecurity & Tech Writer

In mid-2022, the threat actor Andariel was known for using the DTrack malware and the Maui ransomware. To breach its targets’ networks, Andariel also exploited the Log4j vulnerability, while introducing several new malware families, such as YamaBot, MagicRAT and updated versions of NukeSpeed and DTrack.

Kaspersky discovered EarlyRAT in an unrelated investigation while looking into an Andariel campaign. The threat group was observed infecting its targets’ machines by executing a Log4j exploit, which then downloaded further malware from a C2 (command-and-control) server.

In the case of EarlyRAT, however, the malware was propagated using phishing documents (Microsoft Word files). These files used macros to fetch the malware from a server associated with the Maui ransomware campaign.

EarlyRAT is a simple remote access trojan which, when executed, collects system information and sends it to a C2 server. “In terms of functionality, EarlyRat is very simple. It is capable of executing commands, and that is about the most interesting thing it can do,” the report stated. Similarities were also observed between EarlyRAT and MagicRAT: both have limited functionality, and both are written using a framework, PureBasic for EarlyRAT and Qt for MagicRAT.

The investigation further revealed that the commands were being executed by an inexperienced human operator, judging by the number of mistakes and typing errors. Moreover, a new tactic used by Andariel was identified: the use of a set of legitimate off-the-shelf tools such as PuTTY, 3Proxy, ForkDump, NTDSDumpEx, Powerline and SupRemo, among others.

Given that Lazarus and its sub-groups engage not only in APT operations but also in cybercrime such as ransomware deployment, it is imperative to study both the complex and the simple malware introduced by this group. By focusing on TTPs (tactics, techniques and procedures), targeted organizations can pre-empt attacks and deploy “proactive countermeasures to prevent incidents from happening,” noted Kaspersky.