Russian cybersecurity provider Kaspersky has detected some servers in India that were used by the notorious North Korean hacker gang Lazarus which is believed to be behind the infamous WannaCry ransomware attack that affected thousands of computers in May this year and more recently the Bangladesh bank heist.
Kaspersky Lab has uncovered a number of compromised servers across Asia – including in India – while researching the latest activities of the notorious cyber criminal gang. According to the cyber security firm, these servers are most likely being used as part of the hacker gang's global command and control infrastructure.
"The compromised servers, found in Indonesia, India, Bangladesh, Malaysia, Vietnam, South Korea, Taiwan and Thailand, among others, could be used by Lazarus to launch targeted attacks against a company or organisation." Kaspersky Lab said in a statement.
According to the statement, the Korean-speaking Lazarus group could be behind several high-profile cyber attacks apart from the WannaCry ransomware epidemic. It is suspected to be behind the Sony Pictures hack in 2014 and stealing $81 million from the Central Bank of Bangladesh in 2016.
Back in 2014, a North Korean criminal group called "Guardians of Peace" hacked into Sony Pictures' servers, demanding Sony to pull down the film 'The Interview' which was a comic satire based on a plot to assassinate North Korea's supreme leader Kim Jong-un.
Kaspersky also claims that Lazarus, which is also based-out of North Korea, "is thought to be state-sponsored."
Meanwhile, India ranks No 3 in the top-three countries housing maximum number of compromised servers after the US and China, according to a Kaspersky Lab report.
"According to open source intelligence, three of the top five countries that still have servers carrying this vulnerability are in the Asia-Pacific region: China with 7,848 compromised servers, India (1,524) and Hong Kong (1,102). The US tops the list with the most vulnerable servers with 11,949, while the UK ranks 5th with 805," the report said.
Kaspersky Lab researchers have discovered that the compromised servers are infected using a malware called 'Manuscrypt' which could have been installed using a vulnerability in Microsoft Internet Information Services (IIS) that was patched on June 13, 2017.
