Systems Administration Guidance for Securing Windows 2000


NIST Special Publication 800-43
Systems Administration Guidance for Securing Microsoft Windows 2000 Professional System
Recommendations of the National Institute of Standards and Technology

Murugiah Souppaya, Anthony Harris, Mark McLarnon, Nikolaos Selimis

Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930
November 2002
Send comments to [email protected]

U.S. Department of Commerce, Donald L. Evans, Secretary
Technology Administration, Phillip J. Bond, Under Secretary for Technology
National Institute of Standards and Technology, Arden L. Bement, Jr., Director

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL's responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL's research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.

National Institute of Standards and Technology Special Publication 800-43
Natl. Inst. Stand. Technol. Spec. Publ. 800-43, 192 pages (November 2002)
CODEN: XXXXX

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

U.S. Government Printing Office, Washington: 2001
For sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov
Phone: (202) 512-1800
Fax: (202) 512-2250
Mail: Stop SSOP, Washington, DC 20402-0001

Acknowledgements

The authors Murugiah Souppaya of NIST and Anthony Harris, Nikolaos Selimis, and Mark McLarnon of Booz Allen Hamilton wish to thank Timothy Grance and John Wack, staff at NIST, the National Security Agency, Steve Lipner, Jesper Johansson, and Kirk Soluk from Microsoft, and the entire Security Professional community for providing valuable contributions to the technical content of this guide. Additionally, the authors also thank the Defense Information Systems Agency (DISA), the Center for Internet Security (CIS), and SysAdmin Network Security Institute (SANS) for their valuable contributions to the baseline and their continued efforts to improve security in this and in other similar efforts.

Trademark Information

Microsoft, MS-DOS, Windows, Windows 2000, Windows NT, SMS, Systems Management Server, Internet Explorer (IE), Microsoft Office, Outlook, and Microsoft Word are either registered trademarks or trademarks of Microsoft Corporation in the United States and other countries. Symantec and Norton AntiVirus are registered trademarks of Symantec Corporation. Netscape and Netscape Communicator are registered trademarks of Netscape Communications Corporation. McAfee, VirusScan, Network Associates, and NAI are registered trademarks of Network Associates Technology, Inc. F-Secure is a registered trademark of F-Secure Corporation. Qualcomm and Eudora are registered trademarks of Qualcomm Incorporated. IBM and LanDesk are registered trademarks of IBM Corporation. All other names are registered trademarks or trademarks of their respective companies.

Table of Contents

Executive Summary
1. Introduction
   1.1 Authority
   1.2 Purpose and Scope
2. Windows 2000 Security Components Overview
   2.1 Kerberos Support
   2.2 Smart Card Logon Support
   2.3 PKI Support
   2.4 IPsec Support
   2.5 PPTP And L2TP Support
   2.6 Encrypting File System Support
3. Stand-Alone Versus Domain Member
   3.1 Stand-Alone
   3.2 Domain
4. Security Configuration Tool Set
   4.1 Windows 2000 Security Templates
   4.2 Analysis and Configuration
   4.3 Group Policy Distribution
   4.4 Secedit
       4.4.1 Secedit Syntax
       4.4.2 Secedit Advantages
   4.5 Creating Security Templates
   4.6 Summary of Recommendations
5. Auditing and Event Logging
   5.1 Systemwide Auditing
   5.2 Individual File Auditing
   5.3 Summary of Recommendations
6. Windows 2000 Professional Installation
   6.1 Why Choose NTFS?
   6.2 How to Convert Non-NTFS Partitions
   6.3 Other settings
   6.4 Creating and Protecting the ERD
       6.4.1 How to Create an ERD
       6.4.2 How to Protect ERD
       6.4.3 How to Protect ERD Backup
   6.5 Summary of Recommendations
7. Updating and Patching Guidelines
   7.1 Windows 2000 Professional Updates
   7.2 Windows 2000 Patching Resources
       7.2.1 Internet Security Portals
       7.2.2 Windows Update Web Site
   7.3 Summary of Recommendations
8. Windows 2000 Pro Configuration Guidelines
   8.1 Securing the File System Using ACLs
       8.1.1 File
Recommended publications
  • Tokenvator Release 3
    Tokenvator Release 3, written by Alexander Polce Leary | July 22, 2021
    Tokenvator Release 3 is a long overdue update that includes a major overhaul to the tool. From the user interface, it will be mostly familiar with some command line tweaks. Under the surface, large portions of the code base have been reworked, and parts of the base have had some updates. In this series, we will go over some of the changes and new features added. Teaser Alert: Adding Privileges & Creating Tokens
    Improvements
    First and foremost, the user interface. Historically, every action had a series of positional arguments that were clunky and generally difficult to remember. They were also not very flexible, and as the commands started to have more, and additional optional arguments, they became completely unwieldy. These have been replaced with flags that will auto complete. For instance, to list and enable privileges: (screenshot) This also works in the non-interactive mode (though it won't tab complete – sorry, it's Windows): (screenshot)
    Additionally, the scroll back function was improved and numerous bugs were resolved. For instance, now when you press up you will always go to the last command issued. A printable command history has also been added if you want to copy and paste instead or keep a log of your actions.
    The info functionality was improved again, removing many bugs and adding additional information, such as impersonation contexts:
    (Tokens) > whoami
    [*] Operating as NT AUTHORITY\SYSTEM
    (Tokens) > info
    [*] Primary Token
    [+] User: S-1-5-21-258464558-1780981397-2849438727-1001
  • Oracle® Database Administrator's Reference
    Oracle® Database Administrator's Reference, 18c for Microsoft Windows, E83889-01, August 2018
    Copyright © 1996, 2018, Oracle and/or its affiliates. All rights reserved.
    Primary Authors: Tanaya Bhattacharjee, Sunil Surabhi, Mark Bauer. Contributing Authors: Lance Ashdown. Contributors: Alexander Key, Sivaselvam Narayanasamy, Ricky Chen, David Collelo, David Friedman, Prakash Jashnani, Sue K. Lee, Rich Long, Satish Panchumarthy, Ravi Thammaiah, Michael Verheij
    This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.
    If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs.
  • 11.7 The Windows 2000 File System
    11.7 THE WINDOWS 2000 FILE SYSTEM (Case Study 2: Windows 2000, Chapter 11)
    Windows 2000 supports several file systems, the most important of which are FAT-16, FAT-32, and NTFS (NT File System). FAT-16 is the old MS-DOS file system. It uses 16-bit disk addresses, which limits it to disk partitions no larger than 2 GB. FAT-32 uses 32-bit disk addresses and supports disk partitions up to 2 TB. NTFS is a new file system developed specifically for Windows NT and carried over to Windows 2000. It uses 64-bit disk addresses and can (theoretically) support disk partitions up to 2^64 bytes, although other considerations limit it to smaller sizes. Windows 2000 also supports read-only file systems for CD-ROMs and DVDs. It is possible (even common) to have the same running system have access to multiple file system types available at the same time.
    In this chapter we will treat the NTFS file system because it is a modern file system unencumbered by the need to be fully compatible with the MS-DOS file system, which was based on the CP/M file system designed for 8-inch floppy disks more than 20 years ago. Times have changed and 8-inch floppy disks are not quite state of the art any more. Neither are their file systems. Also, NTFS differs both in user interface and implementation in a number of ways from the UNIX file system, which makes it a good second example to study. NTFS is a large and complex system and space limitations prevent us from covering all of its features, but the material presented below should give a reasonable impression of it.
  • Process Explorer
    Process Explorer, Copyright © 1996-2012 Mark Russinovich, Sysinternals - www.sysinternals.com
    Process Explorer is an advanced process management utility that picks up where Task Manager leaves off. It will show you detailed information about a process including its icon, command-line, full image path, memory statistics, user account, security attributes, and more. When you zoom in on a particular process you can list the DLLs it has loaded or the operating system resource handles it has open. A search capability enables you to track down a process that has a resource opened, such as a file, directory or Registry key, or to view the list of processes that have a DLL loaded.
    The Process Explorer display consists of two sub-windows. The top always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window, which you can close, depends on the mode that Process Explorer is in: if it is in handle mode you will see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you will see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.
    The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work. You can obtain equivalent command-line tools, Handle and ListDLLs, at the Sysinternals Web site.
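    The "which processes have this DLL loaded" search described above can be reproduced from the process list alone, and for triage it is worth pairing with a signature check so the same pass flags modules that are unsigned or loaded from a directory a normal user can write to. The following PowerShell is an added example, not Sysinternals code. It assumes an elevated 64-bit PowerShell session on a 64-bit Windows host (a 32-bit host cannot read 64-bit processes, and protected processes are skipped either way).

```powershell
# Added example (not Sysinternals code): a PowerShell stand-in for Process Explorer's
# "Find DLL" search, extended with an Authenticode check. Assumes an elevated
# 64-bit PowerShell on 64-bit Windows; processes whose module list cannot be read
# are skipped rather than failing the whole run.
function Find-LoadedModule {
    param(
        [string]$Name = '*',      # wildcard on the module file name, e.g. 'ntdll.dll' or 'msv1_0*'
        [switch]$SuspiciousOnly   # keep only modules that are not validly signed or sit outside the OS/Program Files trees
    )
    $sigCache = @{}               # path -> signature result, so each file is verified once
    $trustedRoots = @($env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { "$_\*" }

    foreach ($proc in Get-Process) {
        try { $modules = @($proc.Modules) } catch { continue }   # access denied, or a 32/64-bit mismatch
        foreach ($m in $modules) {
            if ($m.ModuleName -notlike $Name) { continue }
            $path = $m.FileName
            if (-not $sigCache.ContainsKey($path)) {
                $sigCache[$path] = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            }
            $sig    = $sigCache[$path]
            $status = if ($sig) { [string]$sig.Status } else { 'Unreadable' }
            $inTrustedTree = [bool]($trustedRoots | Where-Object { $path -like $_ })
            if ($SuspiciousOnly -and $status -eq 'Valid' -and $inTrustedTree) { continue }
            [pscustomobject]@{
                Process   = $proc.ProcessName
                PID       = $proc.Id
                Module    = $m.ModuleName
                Path      = $path
                Signature = $status
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
    }
}

# Usage: the Process Explorer "Find DLL" question
# Find-LoadedModule -Name 'ntdll.dll' | Format-Table Process, PID, Path
# Triage view: unsigned modules, or modules loaded from outside the OS and Program Files trees
# Find-LoadedModule -SuspiciousOnly | Sort-Object Path -Unique | Format-Table Process, Path, Signature
```

    Treat the Signature column as a prompt to look, not a verdict: on older PowerShell builds Get-AuthenticodeSignature only sees embedded signatures, so catalog-signed OS files can show as NotSigned there. Handle-mode searches (files, registry keys, named objects) are not exposed through Get-Process; for those use the Sysinternals Handle tool the text mentions.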
  • How to Enable NTLM 2 Authentication
    How to enable NTLM 2 authentication
    Microsoft Knowledge Base Article ID: 239869 - Last Review: January 25, 2007 - Revision: 4.7. This article was previously published under Q239869.
    SUMMARY
    Historically, Windows NT supports two variants of challenge/response authentication for network logons:
    - LAN Manager (LM) challenge/response
    - Windows NT challenge/response (also known as NTLM version 1 challenge/response)
    The LM variant allows interoperability with the installed base of Windows 95, Windows 98, and Windows 98 Second Edition clients and servers. NTLM provides improved security for connections between Windows NT clients and servers. Windows NT also supports the NTLM session security mechanism that provides for message confidentiality (encryption) and integrity (signing).
    Recent improvements in computer hardware and software algorithms have made these protocols vulnerable to widely published attacks for obtaining user passwords. In its ongoing efforts to deliver more secure products to its customers, Microsoft has developed an enhancement, called NTLM version 2, that significantly improves both the authentication and session security mechanisms. NTLM 2 has been available for Windows NT 4.0 since Service Pack 4 (SP4) was released, and it is supported natively in Windows 2000. You can add NTLM 2 support to Windows 98 by installing the Active Directory Client Extensions. After you upgrade all computers that are based on Windows 95, Windows 98, Windows 98 Second Edition, and Windows NT 4.0, you can greatly improve your organization's security by configuring clients, servers, and domain controllers to use only NTLM 2 (not LM or NTLM).
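    The "use only NTLM 2" configuration the article ends on is carried by three REG_DWORD values: LMCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and NtlmMinClientSec / NtlmMinServerSec under the MSV1_0 subkey. The following PowerShell is an added example, not Microsoft's code, that audits the current values, names what each level means, and applies the strict setting with -WhatIf support. It assumes an elevated PowerShell session on a Windows host; Windows 2000 itself has no PowerShell, so there the same values go in through regedit or a security template, and a reboot is required either way.

```powershell
# Added example (not Microsoft's code): audit and harden the LAN Manager
# authentication settings from KB 239869. Assumes an elevated PowerShell session.
$Lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv10 = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# LMCompatibilityLevel (REG_DWORD under Lsa). Absent means the OS default, 0 on Windows 2000.
$LevelText = @{
    0 = 'send LM and NTLM responses; never use NTLMv2 session security'
    1 = 'send LM and NTLM responses; use NTLMv2 session security if negotiated'
    2 = 'send NTLM response only'
    3 = 'send NTLMv2 response only; DCs still accept LM and NTLM'
    4 = 'send NTLMv2 response only; DCs refuse LM'
    5 = 'send NTLMv2 response only; DCs refuse LM and NTLM'
}
# NtlmMinClientSec / NtlmMinServerSec (REG_DWORD under Lsa\MSV1_0) flag bits
$NTLM_SIGN  = 0x00000010   # message integrity
$NTLM_SEAL  = 0x00000020   # message confidentiality
$NTLM_NTLM2 = 0x00080000   # NTLMv2 session security
$NTLM_128   = 0x20000000   # 128-bit encryption

function Get-RegDword([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { $null } else { [int]$item.$Name }
}

function Get-NtlmSetting {
    $level  = Get-RegDword $Lsa   'LMCompatibilityLevel'
    $client = Get-RegDword $Msv10 'NtlmMinClientSec'
    $server = Get-RegDword $Msv10 'NtlmMinServerSec'
    $effective = if ($null -eq $level) { 0 } else { $level }
    [pscustomobject]@{
        LMCompatibilityLevel = $level
        Meaning              = $LevelText[$effective]
        NtlmMinClientSec     = $client
        NtlmMinServerSec     = $server
        Findings             = @(
            if ($effective -lt 3) { 'this host still sends LM or NTLMv1 responses, which are crackable offline' }
            if ($effective -lt 5) { 'if this is a DC, it still accepts LM or NTLMv1 responses' }
            foreach ($pair in @(@('NtlmMinClientSec', $client), @('NtlmMinServerSec', $server))) {
                if (-not ($pair[1] -band $NTLM_NTLM2)) { "$($pair[0]) does not require NTLMv2 session security" }
                if (-not ($pair[1] -band $NTLM_128))   { "$($pair[0]) does not require 128-bit encryption" }
            }
        )
    }
}

function Set-NtlmHardening {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateRange(0, 5)][int]$Level = 5)
    $minSec = $NTLM_NTLM2 -bor $NTLM_128
    if ($PSCmdlet.ShouldProcess("$Lsa\LMCompatibilityLevel", "set to $Level")) {
        Set-ItemProperty -Path $Lsa -Name LMCompatibilityLevel -Value $Level -Type DWord
    }
    foreach ($name in 'NtlmMinClientSec', 'NtlmMinServerSec') {
        if ($PSCmdlet.ShouldProcess("$Msv10\$name", ('set to 0x{0:X8}' -f $minSec))) {
            Set-ItemProperty -Path $Msv10 -Name $name -Value $minSec -Type DWord
        }
    }
}

# Usage:
#   Get-NtlmSetting                 # audit the current values and their meaning
#   Set-NtlmHardening -WhatIf       # preview; drop -WhatIf to apply, then reboot
```

    Raise LMCompatibilityLevel only after the Windows 9x and pre-SP4 NT 4.0 hosts the article lists have been upgraded or retired, since level 3 and above stops this host from answering their LM/NTLMv1 challenges, and set 4 or 5 only on domain controllers once every client sends NTLMv2. The 128-bit flag needs 128-bit capable software on both ends; on Windows 2000 that means the High Encryption Pack or SP2 and later.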
  • Understanding Windows Lateral Movements
    Understanding Windows Lateral Movements
    ATTL4S & ElephantSe4l (www.crummie5.club)
    ATTL4S: Daniel López Jiménez (a.k.a. ATTL4S). Twitter: @DaniLJ94. GitHub: @ATTL4S. Youtube: ATTL4S. Loves Windows and Active Directory security. Senior Security Consultant at NCC Group. Associate Teacher at Universidad Castilla-La Mancha (MCSI). Confs: NavajaNegra, No cON Name, h-c0n, Hack&Beers. Posts: Crummie5, NCC Group's blog, Hackplayers. Certs: CRTO, PACES, OSCP, CRTE.
    ElephantSe4l: Godlike Programmer and Elephant Seal. Twitter: @ElephantSe4l. GitHub: @ElephantSe4l. Very curious, he enjoys understanding complex and weird things. Mind behind all the low-level contents of my talks.
    This has been written by ATTL4S.
    The goal of this talk is understanding how to perform lateral movements in Windows and Active Directory environments by comprehending the art of user impersonation.
    [Diagram: credential theft (password, hash, token) of UserA and UserB on HostA, reused as UserB on HostB]
    Agenda: 1. Ways of Authentication; 2. Authentication Packages; 3. Logon Sessions; 4. Access Tokens; 5. User Impersonation; 6. Let's Move
    Ways of Authentication
    [Diagram: [SAM] local authentication (HostA\UserA, HostA\UserB on HostA and HostB) versus [NTDS] domain authentication against the DC (Corp\DomainUserA, Corp\DomainUserB)]
    Remote Authentications
    - We don't (usually) care about physical authentications
    - We care about remote authentications and they require privileges
    - Being a local user in a system doesn't mean you have privileges
  • When Windows 2000 Or Windows Server 2003 Is Introduced
    IMPORTANT INFORMATION FOR PRIMERGY CUSTOMERS
    July 11th, 2007, FUJITSU, LTD.
    NOTICE: Any server using an Intel Xeon 7100 or higher model CPU and has either Windows 2000, Windows 2000 Server, or Windows 2003 Server installed may encounter a "blue screen." The problem occurs when the operating system running on a computer with a fast processor and a large L3 cache encounters a timing problem with asynchronous hardware. Although Fujitsu has not received any reports of this problem to date, there is a possibility that PRIMERGY server products may be affected.
    Problem: Any computer running any edition of Windows 2000, Windows 2000 Server, or Windows 2003 with an Intel Xeon processor (model 7100 or higher) that utilizes a large L3 cache may generate a "blue screen." An error similar to:
    STOP 0x0000008E(parameter1, parameter2, parameter3, parameter4) KERNEL_MODE_EXCEPTION_NOT_HANDLED
    or
    STOP 0x0000001E(parameter1, parameter2, parameter3, parameter4) KERNEL_MODE_EXCEPTION_NOT_HANDLED
    may be displayed with Windows 2003-based and Windows 2000-based computers, respectively.
    Affected Operating Systems:
    - Microsoft® Windows® 2000 Server
    - Microsoft® Windows® 2000 Advanced Server
    - Microsoft® Windows Server® 2003, Standard Edition (*)
    - Microsoft® Windows Server® 2003, Enterprise Edition (*)
    (*) This problem has been corrected in Service Pack 1 for Windows Server 2003. Therefore Windows 2003 Server SP1 is not affected by this problem.
    Affected Fujitsu PRIMERGY models: The following models use Intel Xeon 7100 or higher processors.
    PRIMERGY Models, Product Codes, and CPU:
    - PRIMERGY RX600 S3 (SAS), product codes PGR603D* and PGR603B*: Dual Core Intel® Xeon® Processor 7140M (3.40GHz)/7120M (3GHz)
    - PRIMERGY RX600 S3, product codes PGR6038* and PGR6036*: Dual Core Intel® Xeon® Processor 7140M (3.40GHz)/7120M (3GHz)
    * Changes by type.
  • Qualifying Operating Systems
    Qualifying Operating Systems
    The following operating systems qualify for the Windows 10 Pro Upgrade and/or Windows 10 Enterprise Upgrade through Microsoft Volume Licensing. The source is a table whose columns are the licensing programs: New Enterprise Agreement (EA)/Open Value Company-Wide (OV-CW) (1); Microsoft Products and Services Agreement (MPSA)/Select Plus/Open (3); Existing EA/OV-CW (2); Microsoft Cloud Agreement; Academic and Charity. Its rows:
    - Windows 10: Enterprise (N, KN) (4), Pro (N, KN); Education, Home
    - Windows 8 and Windows 8.1: Enterprise (N, K, KN), Pro (N, K, KN, diskless); Windows 8 and Windows 8.1 (including Single Language)
    - Windows 7: Enterprise (N, K, KN), Professional (N, K, KN, diskless), Ultimate; Home Premium, Home Basic, or Starter Edition
    - Windows Vista: Enterprise (N, K, KN), Business (N, K, KN, Blade), Ultimate; Home Premium, Home Basic, Starter Edition
    - Windows XP: Professional (N, K, KN, Blade), Tablet Edition (N, K, KN, Blade), XP Pro N, XP Pro Blade PC; Home and Starter Edition
    - Apple: Apple Macintosh
    - Windows Embedded Operating Systems: Windows 10 IoT Enterprise; Windows Vista Business for Embedded Systems, Ultimate for Embedded Systems; Windows 2000 Professional for Embedded Systems; Windows 7 Professional for Embedded Systems, Ultimate for Embedded Systems; Windows XP Professional for Embedded Systems; Windows Embedded 8 and 8.1 Pro, Industry Pro; Windows 10 IoT Enterprise for Retail or Thin Clients (5); Windows Embedded 8 and 8.1 Industry Retail (5); Windows Embedded POSReady 7 Pro (5); Windows Embedded for Point of Service (5); Windows Embedded POSReady 2009 (5); Windows Embedded POSReady 7 (5); Windows XP Embedded; Windows Embedded Standard 7 (5); Windows Embedded 2009 (5); Windows Embedded 8 Standard
    (1) Also applicable to Qualified Devices acquired through merger or acquisition.
  • Windows 2000 Accessibility Options
    Step By Step Tutorials for Microsoft® Windows 2000 Accessibility Options, © 2004 Microsoft Corporation
    Table of Contents
    - Overview
    - Using the Accessibility Wizard
      - Opening Accessibility Wizard
      - Changing the Font Size of Text on the Screen
      - Switching to a Lower Screen Resolution to Increase the Size of Items on the Screen
      - Changing the Size of Items on the Screen
      - Disabling Personalized Menus
      - Setting Options for People Who Are Blind or Have Difficulty Seeing Things on the Screen
      - Setting Options for People Who Are Deaf or Have Difficulty Hearing Sounds from the Computer
      - Setting Options for People Who Have Difficulty Using the Keyboard
  • Run a Program Under Administrator Privilege
    Knowledgebase Article: Run a program under Administrator privilege
    © Copyright 2001-2012 EMCO Software. Company web site: emcosoftware.com. Support telephone: +44 20 3287-7651, +1 646 233-1163. Support email: [email protected]
    In this tutorial we will show you how to execute a program under another user's rights, to gain access that your current logon does not have. Some of our programs require Administrator rights on the remote computer to perform correctly, and the most common support questions we get arise because the user running our products does not have the privilege the program needs in order to work as it should.
    About the RunAs feature
    The RunAs feature allows you to run any program under another user account's rights. If you are not a full member of the Administrators group on the computer you are logged into and need to run a program as the administrator user, you can use the RunAs feature any time you want. Of course, you need to know the password for the administrator, or for whichever user you want to run as. There are many ways to use and access the RunAs feature, and we describe two of them in this short tutorial.
    Using RunAs from the command line, Cmd.exe
    From the screenshot below you can see how we access this feature easily by typing just RunAs.exe as the filename into the Cmd.exe dialog.
  • ForceWare Release 50 Graphics Drivers User's Guide
    ForceWare Release 50 Graphics Drivers User's Guide, Version 52.16 for Windows, NVIDIA Corporation, October 2003 (v0.3)
    NVIDIA Display Properties User's Guide. Published by NVIDIA Corporation, 2701 San Tomas Expressway, Santa Clara, CA 95050. Copyright © 2003 NVIDIA Corporation. All rights reserved.
    This software may not, in whole or in part, be copied through any means, mechanical, electromechanical, or otherwise, without the express permission of NVIDIA Corporation. Information furnished is believed to be accurate and reliable. However, NVIDIA assumes no responsibility for the consequences of use of such information nor for any infringement of patents or other rights of third parties, which may result from its use. No License is granted by implication or otherwise under any patent or patent rights of NVIDIA Corporation. Specifications mentioned in the software are subject to change without notice. NVIDIA Corporation products are not authorized for use as critical components in life support devices or systems without express written approval of NVIDIA Corporation.
    NVIDIA, the NVIDIA logo, Accuview Antialiasing, Detonator, Digital Vibrance Control, GeForce, nForce, nView, NVKeystone, PowerMizer, Quadro, RIVA, TNT, TNT2, TwinView, and Vanta are registered trademarks or trademarks of NVIDIA Corporation in the United States and/or other countries. International Color Consortium and the ICC logo are registered trademarks of the International Color Consortium. Intel and Pentium are registered trademarks of Intel. DirectX, Microsoft, Microsoft Internet Explorer logo, Outlook, PowerPoint, Windows, Windows logo, Windows NT, and/or other Microsoft products referenced in this guide are either registered trademarks or trademarks of Microsoft Corporation in the U.S.
  • Lazarus Under the Hood (Kaspersky Lab Global Research and Analysis Team)
    Lazarus Under The Hood, Kaspersky Lab Global Research and Analysis Team
    Executive Summary
    The Lazarus Group's activity spans multiple years, going back as far as 2009. Its malware has been found in many serious cyberattacks, such as the massive data leak and file wiper attack on Sony Pictures Entertainment in 2014; the cyberespionage campaign in South Korea, dubbed Operation Troy, in 2013; and Operation DarkSeoul, which attacked South Korean media and financial companies in 2013.
    There have been several attempts to attribute one of the biggest cyberheists, in Bangladesh in 2016, to Lazarus Group. Researchers discovered a similarity between the backdoor used in Bangladesh and code in one of the Lazarus wiper tools. This was the first attempt to link the attack back to Lazarus. However, as new facts emerged in the media, claiming that there were at least three independent attackers in Bangladesh, any certainty about who exactly attacked the SWIFT systems, and was behind one of the biggest ever bank heists in history, vanished. The only thing that was certain was that Lazarus malware was used in Bangladesh. However, considering that we had previously found Lazarus in dozens of different countries, including multiple infections in Bangladesh, this was not very convincing evidence and many security researchers expressed skepticism about this attribution link.
    This paper is the result of forensic investigations by Kaspersky Lab at banks in two countries far apart. It reveals new modules used by Lazarus group and strongly links the SWIFT system attacking tools to the Lazarus Group's arsenal of lateral movement tools. Considering that Lazarus Group is still active in various cyberespionage and cybersabotage activities, we have segregated its subdivision focusing on attacks on banks and financial manipulations into a separate group which we call Bluenoroff (after one of the tools they used).