Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Lazarus Group. Show all posts

US Court Rules Against Tornado Cash Sanctions




A U.S. appeals court has ruled that the Treasury Department overstepped its authority when it imposed sanctions on the cryptocurrency mixer Tornado Cash in 2022. The department accused Tornado Cash of facilitating over $7 billion in the laundering of funds, a portion of which was reportedly linked to North Korean hackers. However, the court stated that the sanctions were not lawfully justified under federal law.


Tornado Cash is a cryptocurrency mixer—a type of software that anonymizes digital transactions. It helps users conceal the origin and ownership of their cryptocurrencies by pooling and shuffling deposits. The Treasury's Office of Foreign Assets Control (OFAC) has blacklisted Tornado Cash under the International Emergency Economic Powers Act (IEEPA), as it was alleged that it had been used for laundering cybercrime proceeds, among which is $455 million reportedly stolen by the Lazarus Group, a North Korean hacking group.


Court's Ruling and Key Arguments

This came about with a decision by a panel of three judges from the New Orleans 5th U.S. Circuit Court of Appeals. A spokesperson from the panel, Judge Don Willett, wrote, "The smart contracts forming Tornado Cash did not constitute 'property.'" Law puts the authorization of regulating the property to OFAC but held that because these were immutables and unchangeables, the codes could neither be owned nor controlled hence would exempt from sanctions.


The court acknowledged that the risks that technologies like Tornado Cash pose are legitimate, but it held that updating the law to address such issues is the job of Congress, not the judiciary.

The lawsuit challenging the sanctions was brought by six Tornado Cash users with the financial support of Coinbase, a major cryptocurrency exchange. The court's decision was called a "historic win for crypto and liberty" by Paul Grewal, Coinbase's chief legal officer. Coinbase had argued that sanctioning an entire technology could stifle innovation and harm privacy rights. 


Legal Troubles for Tornado Cash Developers

Despite the court ruling, there are still legal problems for those associated with Tornado Cash. In May, developer Alexey Pertsev was sentenced to over five years in prison in the Netherlands for money laundering. Founders of Tornado Cash, Roman Semenov and Roman Storm, are also charged with money laundering and sanctions violations in the United States.


The Bigger Picture 

This case, therefore, underlines the legal and ethical challenges of privacy-focused technologies such as cryptocurrency mixers. It also calls for updated regulations to balance innovation, privacy, and security in the digital age.


DMM Bitcoin Hack: 500 BTC Transfer Linked to $305 Million Theft Raises New Concerns

 

A cryptocurrency address linked to the $305 million DMM Bitcoin hack in May has reportedly transferred 500 Bitcoin, valued at approximately $30.4 million. On August 22, PeckShield Alert reported that the suspect address initially split the funds into two separate addresses, each receiving around 250 BTC. This movement of funds marks a significant development in the aftermath of the DMM Bitcoin hack, which remains one of the most substantial cryptocurrency thefts of 2024. The DMM Bitcoin hack, which occurred in May, resulted in the theft of 4,502.9 BTC, valued at approximately $305 million at the time. 

The current value of the stolen Bitcoin is just over $274 million. In response to the breach, DMM Bitcoin quickly raised $320 million to reimburse affected users, demonstrating the exchange’s commitment to mitigating the impact of the hack on its customers. Blockchain investigator ZachXBT previously attributed the attack to the Lazarus Group, a notorious hacking organization allegedly linked to the Democratic People’s Republic of Korea. The Lazarus Group has been implicated in several high-profile cyberattacks, and its involvement in the DMM Bitcoin hack highlights the growing sophistication of cybercriminals targeting the cryptocurrency industry. 

According to on-chain analysts, the methods used to launder the stolen funds and various off-chain indicators strongly suggest the Lazarus Group’s involvement in the heist. Following the hack, the attackers reportedly split the stolen Bitcoin into smaller batches of 500 BTC and transferred them to new wallets. PeckShield identified that the latest funds moved since the May 31 incident originated from one of these wallets. This strategy of splitting and moving funds is a common tactic among cybercriminals to obfuscate the trail of stolen assets and avoid detection. 

In July, ZachXBT alleged that the attackers transferred approximately $35 million worth of Bitcoin to the Cambodia-based exchange Huione Guarantee. The exchange has faced accusations of facilitating the laundering of funds from various crypto hacks, pig butchering scams, and other illicit activities. The involvement of exchanges like Huione underscores the challenges in tracking and recovering stolen cryptocurrency, as these platforms can serve as intermediaries for converting stolen assets into fiat currency or other cryptocurrencies. 

The DMM Bitcoin hack is a significant addition to the growing list of cryptocurrency thefts in 2024, which had already claimed over $473 million in losses before this incident. The hack is the second largest in Japan’s history, following the 58 billion yen loss suffered by Coincheck in 2018. In the aftermath of the DMM Bitcoin hack, the exchange halted all spot trading on its platform and warned that withdrawals in Japanese yen might take longer than usual, as they implemented measures to prevent further unauthorized outflows. This incident also highlights broader trends in the cryptocurrency industry. 

According to a Chainalysis report, while illegal activity on blockchain networks has decreased by almost 20% year-to-date, malware attacks and stolen funds have surged. Stolen funds inflows doubled to $1.58 billion compared to $857 million last year, and ransomware inflows climbed around 2%, reaching $459.8 million. The DMM Bitcoin hack serves as a stark reminder of the ongoing vulnerabilities in the cryptocurrency sector and the need for enhanced security measures to protect digital assets from increasingly sophisticated cyber threats.

North Korean Hackers Exploit LinkedIn in Targeted Attacks

 


The North Korean hacker group Lazarus has once again made headlines, this time for exploiting LinkedIn in their cyber operations. According to a report by blockchain security analytics firm SlowMist, Lazarus hackers are leveraging the professional networking platform to target unsuspecting users and pilfer their assets through malware attacks.


LinkedIn Used as a Trojan Horse

This involves Lazarus members masquerading as blockchain developers seeking employment opportunities in the cryptocurrency industry. By posing as job seekers, they lure in vulnerable targets, enticing them to share access to their code repositories under the guise of collaborative work. However, the innocuous-seeming code snippets provided by the hackers contain malicious elements designed to syphon off confidential information and assets from the victims' systems.


History of Innovation in Cybercrime

This tactic isn't new for Lazarus, as they previously employed a similar strategy in December 2023, posing as recruiters from Meta. Back then, they convinced victims to download malware-infected coding challenges, which, when executed, granted remote access to their computers.


Lazarus: A Cyber Threat

Lazarus has earned a notorious reputation in the cybersecurity realm since its emergence in 2009. The group is infamous for orchestrating some of the largest cryptocurrency heists, including the 2022 Ronin Bridge hack, which saw a staggering $625 million being stolen.


Laundering Techniques

Once they've plundered their ill-gotten gains, Lazarus employs sophisticated techniques, such as crypto mixing services, to launder the funds back to North Korea. Reports suggest these funds are funnelled into financing the country's military endeavors.


Industry Response and Countermeasures

In response to persistent cyber threats, crypto companies are advocating for heightened security measures and conducting awareness seminars to educate employees about potential risks. The industry's proactive stance has led to the implementation of robust security protocols and increased investment in cybersecurity to safeguard against data breaches and financial theft.


The recent exploits by Lazarus serve as a stark reminder of the ever-present dangers lurking in the digital realm. As cyber threats continue to expand, it's imperative for individuals and organisations alike to remain careful and adopt proactive measures to mitigate risks and be digitally secured.


By staying informed and proactive, investors, traders, and social media users can collectively work towards thwarting cyber threats and safeguarding digital assets in an increasingly interconnected world.


Lazarus Group Hackers Resurface Utilizing Tornado Cash for Money Laundering

 

The Lazarus hacking group from North Korea is reported to have reverted to an old tactic to launder $23 million obtained during an attack in November. According to investigators at Elliptic, a blockchain research company, the funds, which were part of the $112.5 million stolen from the HTX cryptocurrency exchange, have been laundered through the Tornado Cash mixing service.

Elliptic highlighted the significance of this move, noting that Lazarus had previously switched to Sinbad.io after U.S. authorities sanctioned Tornado Cash in August 2022. However, Sinbad.io was later sanctioned in November. Elliptic observed that Lazarus Group appears to have resumed using Tornado Cash to obscure the trail of their transactions, with over $23 million laundered through approximately 60 transactions.

The researchers explained that this shift in behavior likely stems from the limited availability of large-scale mixers following law enforcement actions against services like Sinbad.io and Blender.io. Despite being sanctioned, Tornado Cash continues to operate due to its decentralized nature, making it immune to seizure and shutdown like centralized mixers.

Elliptic has been monitoring the movement of the stolen $112.5 million since HTX attributed the incident to Lazarus. The funds remained dormant until March 13 when they were observed passing through Tornado Cash, corroborated by other blockchain security firms.

North Korean hackers utilize services such as Tornado Cash and Sinbad.io to conceal the origins of their ill-gotten gains and convert them into usable currency, aiding the regime in circumventing international sanctions related to its weapons programs, as per U.S. government claims.

According to the U.S. Treasury Department, North Korean hackers have utilized Sinbad and its precursor Blender.io to launder a portion of the $100 million stolen from Atomic Wallet customers in June, as well as substantial amounts from high-profile crypto thefts like those from Axie Infinity and Horizon Bridge.

Researchers estimate that North Korean groups pilfered around $1.7 billion worth of cryptocurrency in 2022 and approximately $1 billion in 2023. The Lazarus Group, operational for over a decade, has reportedly stolen over $2 billion worth of cryptocurrency to finance North Korea's governmental activities, including its weapons programs, as stated by U.S. officials. The group itself faced U.S. sanctions in 2019.

Cyber Attacks by North Korean Hackers on Cryptocurrency Platforms Reach $1 Billion in 2023

 

A recent study by Chainalysis, a blockchain analytics firm, has revealed a surge in cyber attacks on cryptocurrency platforms linked to North Korea. The data, covering the period from 2016 to 2023, indicates that 20 crypto platforms were targeted by North Korean hackers in 2023 alone, marking the highest level in the recorded period.

According to the report, North Korean hackers managed to steal just over $1 billion in crypto assets in the past year. While this amount is slightly less than the record $1.7 billion stolen in 2022, the increasing trend is a cause for concern among cybersecurity experts.

Chainalysis highlighted the growing threat from cyber-espionage groups like Kimsuky and Lazarus Group, employing various malicious tactics to accumulate significant amounts of crypto assets. This aligns with the Federal Bureau of Investigation's (FBI) previous attribution of a $100 million crypto heist on the Horizon Bridge in 2022 to North Korea-linked hackers.

Supporting these findings, TRM Labs, a blockchain intelligence firm, reported that North Korea-affiliated hackers stole at least $600 million in crypto assets in 2023. The frequency and success of these attacks underscore the sophistication and persistence of North Korea's cyber capabilities.

The report cited a notable incident in September, where the FBI confirmed that North Korea's Lazarus Group was responsible for stealing around $41 million in crypto assets from the online casino and betting platform Stake.com. Investigations led to the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioning Sinbad.io, a virtual currency mixer identified as a key money-laundering tool for Lazarus Group.

Global efforts to counter the threat include sanctions, particularly as previous research indicated that North Korea-affiliated hackers used stolen crypto funds to finance nuclear weapons programs. The UN has imposed sanctions to limit the regime's access to funding sources supporting its nuclear activities.

TRM Labs emphasized the need for ongoing vigilance and innovation from businesses and governments, stating, "With nearly $1.5 billion stolen in the past two years alone, North Korea’s hacking prowess demands continuous vigilance and innovation from business and governments."

Despite advancements in cybersecurity and increased international collaboration, the report predicts that 2024 is likely to see further disruptions from North Korea, posing a challenge for the global community to strengthen defenses against the relentless digital attacks. The report was released by CNBC.

U.S. Seizes Sinbad Crypto Mixer Tied to North Korean Hackers

Federal authorities in the United States have effectively confiscated the Sinbad crypto mixer, a tool purportedly used by North Korean hackers from the Lazarus organization, in a key action against cybercriminal activities. The operation, which focused on the Lazarus group's illegal financial operations, is an important development in the continuous international effort to tackle cyber threats.

The Lazarus organization, a state-sponsored hacker outfit renowned for coordinating high-profile cyberattacks, is connected to North Korea, which is how the Sinbad cryptocurrency mixer got its reputation. A crucial component of this operation was reportedly played by the U.S. Department of Treasury.

The WannaCry ransomware assault in 2017 and the notorious Sony Pictures hack from 2014 are only two of the cybercrimes the Lazarus organization has been connected to. These occurrences highlight the group's advanced capabilities and possible threat to international cybersecurity.

The Sinbad crypto mixer, seized by U.S. authorities, was allegedly used by the Lazarus group to obfuscate and launder cryptocurrency transactions. Cryptocurrency mixers are tools designed to enhance privacy and security by mixing transactions with those of other users, making it challenging to trace the source and destination of funds. However, when used for illicit purposes, such mixers become a focal point for law enforcement.

The U.S. Department of the Treasury issued a press release on the matter, emphasizing the government's commitment to countering cyber threats and safeguarding the financial system's integrity. The move is part of a broader strategy to disrupt the financial networks that support malicious cyber activities.

The US Treasury Secretary stated, "The seizure of the Sinbad crypto mixer is a clear signal that the United States will not tolerate those who use technology to engage in malicious cyber activities. We are committed to holding accountable those who threaten the security and stability of our financial systems."

This operation highlights the collaboration between law enforcement agencies and the private sector in tackling cyber threats. It serves as a reminder of the importance of international cooperation to address the evolving challenges posed by state-sponsored hacking groups.

The seizure of the Sinbad cryptocurrency mixer is evidence of the determination of authorities to safeguard people, companies, and countries from the dangers of cybercrime, particularly at a time when the world community is still struggling to contain the sophistication of cyber threats.

KandyKorn: Apple MacOS Malware Targets Blockchain Engineers of Crypto Exchange Platform


A new malware linked to the North Korean threat group Lazarus was discovered on Apple’s macOS, and it appears that it was intended for the blockchain engineers of a crypto exchange platform. 

KandyKorn Malware 

According to a study conducted by Elastic Security Labs, the malware, dubbed as ‘KandyKorn’ is a sophisticated backdoor that could be used to steal data, directory listing, file upload/download, secure deletion, process termination, and command execution.

At first, the attackers used Discord channels to propagate Python-based modules by pretending to be active members of the community.

Apparently, the social engineering attacks pose as an arbitrage bot intended to generate automatic profits by coercing its members into downloading a malicious ZIP archive called “Cross=platform Bridges.zip.” However, there are 13 malicious modules that are being imported by the file to work together in order to steal and alter the stolen information. 

The report reads, “We observed the threat actor adopting a technique we have not previously seen them use to achieve persistence on macOS, known as execution flow hijacking.”

Users of Unibot were notified by blockchain analytics company Scopescan about an ongoing hack, which was subsequently verified by an official source:

“We experienced a token approval exploit from our new router and have paused our router to contain the issue.” Later, Unibot guaranteed that it would compensate all the victims who lost their funds in the exploit. 

Lazarus Group/ Lazarus is a North Korean state-sponsored cyber threat group, linked to the Reconnaissance General Bureau that operates out of North Korea. As part of a campaign called Operation Blockbuster by Novetta, the group, which has been operating since at least 2009, is said to have been behind the devastating wiper attack against Sony Pictures Entertainment in November 2014. The malware that Lazarus Group uses is consistent with other known campaigns, such as DarkSeoul, Operation Flame, Operation 1Mission, Operation Troy, and Ten Days of Rain.

However, in certain definitions of the North Korean group, security researchers apparently report all North Korean state-sponsored cyber activities under the term Lazarus Group instead of tracking clusters or subgroups like Andariel, APT37, APT38, and Kimsuky.

The crypto industry remains a main target for Lazarus, with a primary motivation of profit rather than espionage, which is their second primary operational focus.

The fact that KandyKorn exists proves that macOS is well within Lazarus's target range and highlights the threat group's amazing ability to create subtle and sophisticated malware specifically designed for Apple devices.  

Atomic Wallet Hit by North Korean Hackers

 

According to a recent blog post by Elliptic, a blockchain intelligence firm, users of Atomic Wallet may have been targeted by Lazarus, the notorious hacking group from North Korea. The post highlights that Atomic Wallet users could have potentially become victims of Lazarus. 

Group-IB, a cybersecurity firm, has released a report indicating that Lazarus, the notorious hacking group is allegedly behind various notable cryptocurrency thefts. Notably, the report links Lazarus to the infamous 2018 Coincheck hack, recognized as one of the largest cryptocurrency heists in history, where more than $500 million worth of digital currency was lost. 

On an early Saturday morning, the developers of Atomic, a non-custodial cryptocurrency wallet, disclosed that certain users had experienced security breaches resulting in the loss of funds from their wallets. The company clarified that the affected users constituted less than 1% of their "monthly active users." This announcement came in response to numerous Reddit posts where users expressed grievances about their depleted wallets. 

A claim made by a blockchain investigator named ZachXBT suggests that the recent security breach involving Atomic Wallet resulted in the unauthorized acquisition of users' digital assets. The stolen cryptocurrencies allegedly encompass bitcoin (BTC), ether (ETH), tether (USDT), dogecoin (DOGE), litecoin (LTC), BNB coin (BNB), polygon (MATIC), and USDT based on Tron. It is estimated that this incident has led to a financial impact of approximately $35 million. However, it is important to note that the credibility of ZachXBT's claim is unverified and should be treated with caution.

Atomic Wallet vulnerabilities highlighted by Least Authority: 

• Inadequate cryptography implementation 
• Insufficient adherence to wallet design best practices 
• Lack of comprehensive project documentation 
• Improper use of the Electron framework 

Insights from Hacken's CEO, Dyma Budorin: 

• Potential vulnerability in the generation of recovery phrases, making them susceptible to brute-force attacks 
• Possibility of mathematical derivation of private keys from Bitcoin blockchain data, as outlined in a recent research paper 
• Identification of an outdated and vulnerable dependency in the Android version of Atomic Wallet, specifically related to transaction signing 

Impact of the security breach: 

• Unauthorized access to users' funds 
• Potential theft of funds due to the identified vulnerabilities in Atomic Wallet 

Furthermore, the CEO of Atomic declined to provide any insights into the potential cause of the hack when he was approached for comment. However, Gladych investigative firm mentioned that a portion of the stolen funds has been identified on exchanges and subsequently frozen or blocked as a precautionary measure.

Lazarus Hackers Exploit Windows IIS Web Servers for Initial Access

 

The notorious Lazarus hacking group has once again made headlines, this time for targeting Windows Internet Information Services (IIS) web servers as a means of gaining initial access to compromised systems. The group, believed to have links to the North Korean government, has a long history of conducting high-profile cyberattacks for various purposes, including espionage, financial theft, and disruption.

According to security researchers, Lazarus has been exploiting a vulnerability in Microsoft Internet Information Services (IIS) servers, specifically targeting those running older versions such as IIS 6.0 and IIS 7.0. This vulnerability tracked as CVE-2021-31166, allows remote code execution and has been previously patched by Microsoft. However, many organizations still fail to apply these critical security updates, leaving their systems vulnerable to exploitation.

The attack campaign starts with the hackers sending specially crafted HTTP requests to the targeted IIS servers, triggering a buffer overflow and ultimately allowing the execution of arbitrary code. Once the hackers gain a foothold in the compromised system, they can further expand their access, exfiltrate sensitive data, or even deploy additional malware for advanced persistence.

The motives behind Lazarus' targeting of IIS servers remain unclear, but given the group's history, it is likely to involve espionage or financial gain. It's important to note that the Lazarus group has been involved in numerous high-profile attacks, including the infamous WannaCry ransomware attack in 2017.

To protect against such attacks, organizations must prioritize the security of their web servers. This includes ensuring that all necessary security updates and patches are promptly applied to IIS servers. Regular vulnerability scanning and penetration testing can help identify any weaknesses that could be exploited by threat actors.

Additionally, organizations should implement robust security measures, such as web application firewalls (WAFs) and intrusion detection systems (IDS), to detect and block suspicious activities targeting their web servers. Strong access controls, regular monitoring of system logs, and user awareness training are also crucial in mitigating the risk of initial access attacks.

The Lazarus group's continued activities serve as a reminder that cyber threats are ever-evolving and require constant vigilance. Organizations must stay proactive in their approach to cybersecurity, staying up to date with the latest threats and implementing appropriate measures to protect their systems and data.

Lazarus Group's Deathnote Cluster: A Threat to the Defense Sector


The Lazarus Group, a well-known cybercriminal organization, has pivoted to the defense sector with its Deathnote cluster. The group has previously been linked to cryptocurrency attacks and other malicious activities. However, its latest move into the defense industry marks a significant shift in its operations.

According to reports, the Deathnote campaign began in 2020 and has been active ever since. The group has been using advanced tactics to infiltrate defense companies, particularly those involved in developing military technology. Once inside, the hackers have been stealing sensitive data and intellectual property.

The Lazarus Group's tactics have evolved significantly over the years. In the past, it has relied on spear-phishing attacks and other traditional methods of cyber espionage. However, it has now adopted more sophisticated techniques, such as the use of supply chain attacks and zero-day exploits.

The Deathnote cluster is particularly concerning because of its ability to evade detection. The group has been using a range of techniques to remain hidden, including the use of fake social media profiles and encrypted communication channels. This makes it extremely difficult for companies to identify and mitigate the threat.

One of the key vulnerabilities that the Lazarus Group has been exploiting is the lack of awareness among employees. Many of the attacks have been successful because of simple human error, such as the failure to follow basic security protocols. This highlights the importance of ongoing employee training and education in the fight against cybercrime.

The Lazarus Group's move into the defense sector is a worrying development that highlights the need for greater vigilance when it comes to cybersecurity. Companies must take a proactive approach to protect their systems and data, including using advanced security solutions and regular vulnerability assessments.

In conclusion, the Lazarus Group's Deathnote cluster represents a significant threat to the defense industry and beyond. Its evolving tactics and ability to remain hidden make it a formidable opponent in the fight against cybercrime. It is crucial that companies take the necessary steps to protect themselves and their customers from these types of attacks.

Energy and Healthcare Firms Are The Focus of The Lazarus Group Once Again

 


The North Korean Lazarus Group, which was employed by the North Korean government to target medical research and energy organizations with cyberattack campaigns, was reported by security researchers on February 2.  

The campaign was discovered by threat intelligence analysts at WithSecure. They were trying to unravel a ransomware attack that they suspected had been launched against one of their customers. In the course of their investigation, they discovered evidence indicating that the Lazarus crew had committed an OpSec oversight that led to a key operational security (OpSec) slip-up, which provided them with proof that the event was part of a wider state-sponsored intelligence gathering campaign already being carried out by North Korea. 

Sami Ruohonen, the senior threat intelligence researcher for WithSecure, says his initial suspicion was that it was an attempted BianLian ransomware attack. 

Even though WithSecure had collected evidence in one direction, it quickly pointed in a different direction. Throughout the process of gathering more information, they became more and more confident that the attack had been perpetrated by a group associated with the North Korean government. Having discovered this, WithSecure concluded that it was indeed the Lazarus Group that had posed as the attack. 

The Path to Cyberespionage Begins With Ransomware 

It was the initial compromise and privilege escalation of the system that led them to the conclusion that they were engaged in this activity. In August, the Zimbra mail server was exploited using a known vulnerability that existed in an unpatched version of Zimbra. In one week, the threat actors had already accessed many gigabytes of data from the mailboxes on the server. The attacker used live-off-the-land (LotL) strategies along the way as he moved horizontally across the network by the end of October. The compromised assets began becoming connected to Cobalt Strike's command-and-control (C2) infrastructure in November, beginning the process of infiltrating almost 100GB of data from the network during the period between November and December.  

It is believed that the researchers dubbed this incident "No Pineapple" because it referred to an error message that was used in a backdoor that was used by the bad guys that replied > No Pineapple! > When the data size exceeds the segmented byte size, the operation fails. 

Based on the malware, the TTP, and a couple of unique findings, the researchers feel that there is a high degree of confidence in their identification of Lazarus group activity. Data exfiltration involves several key actions, one of which is critical. Several suspicious web pages appeared to be connected to a North Korean IP address for a short time, as a result of an attacker-controlled Web shell. Even though the country only has fewer than a thousand of these addresses, at first the researchers wondered if they had made a mistake. However, they later confirmed that they had not. 

The attacker showed exemplary tradecraft and still managed to carry out considered actions on carefully selected endpoints despite this OpSec failure, Tim West, head of WithSecure’s threat intelligence unit, commented on the actor’s performance. 

Upon digging deeper into the incident, the researchers discovered that additional victims were also identified as a result of the attack as the investigation proceeded. The victims were identified based on their connections to a C2 server that was controlled by threat actors during the attack. There are many espionage motives involved in this process, which points to a much larger effort than was first suspected as being the target. 

Among the hundreds of victims, several companies in the healthcare sector suffered losses including a company that researches healthcare. In addition, a company that manufactures technology utilized in the energy, defense, research, and healthcare sectors. 

During the third quarter of 2022, most of the breaches that have been reported occurred because of the infrastructure that researchers noticed in May. According to the victimology of the campaign, analysts consider the threat actor to have intentionally targeted the supply chain of the industry verticals of medical research and energy. This is based on the victimology of the campaign. 

Lazarus Never Remained Down for Long 

It is widely believed that the Foreign Intelligence and Reconnaissance Bureau of North Korea is responsible for the long-running Lazarus threat group that has been operating for over a decade. Researchers have confirmed that the group has been involved in hacking activities at least as far back as 2009. It has been responsible for an increasing number of attacks since then. It has only been a matter of short intervals where the man has been thrown to the ground between periods of standing. 

This anti-terrorist operation serves both a financial purpose - it is an extremely valuable source of revenue for the regime - as well as a spying purpose. As early as 2022, there were many reports of Lazarus providing sophisticated attacks against Apple of their M1 chip as well as fake job posting scams using Apple's M1. It should be noted that a similar attack took place last April. Computers were used to upload malicious files, disguised as job offers for highly attractive dream jobs, to targets in the chemical sector and information technology. 

As of last week, the FBI confirmed that the Lazarus Group, a group of cyber threat actors from the United States, was implicated in the theft of $100 million worth of virtual currency last June from the cross-chain technology created by Harmony to exchange data across blockchains, termed Horizon Bridge, owned by the blockchain company Harmony. According to estimates provided by the FBI, because of the actions of the group in the Horizon Bridge heist, the group was able to launder more than $60 million worth of Ethereum by using the Railgun privacy protocol in January. There has been a report that authorities were able to freeze "some of these funds."

North Korean Cybercriminals Attempt to Steal $27M in ETH

Hacking organizations 'Lazarus' and 'APT38' supported by the North Korean government were responsible for the loss of $100 million worth of Ethereum from Harmony Horizon in June 2022. 

The funds and the seizure of stolen assets were reported to the authorities. The exploiters' activities closely resembled the attempt, which was undertaken on January 13, 2023, since more than $60 million was attempted to be laundered.

The Binance chain, Bitcoin, and Ethereum transfers are made possible through Harmony's Horizon Bridge. Numerous tokens worth $100,000,000  were taken from the network on June 23, 2022.

North Korean cybercriminals were actively shifting a portion of Harmony's Horizon bridge funds during the last weekend as the price of bitcoin approached $24,000. While several cryptocurrency exchanges instantly froze certain cash, Binance CEO Changpeng Zhao (CZ) claimed that some exchanges are not helpful in fighting crime, which made it easier to convert ETH to BTC.

According to reports, the APT38 was able to convert some of the $27 million in Ethers to Bitcoin and withdraw the money from exchanges. The Lazurus group has reportedly been shifting laundered money to a number of addresses in order to mask their true identity through multiple layers.

With the use of its Horizon Bridge, Harmony can transmit data to and from the Ethereum network, Binance Chain, and Bitcoin. On June 23, a number of tokens from the network valued at roughly $100 million were taken.

After the exploit, the Tornado Cash mixer processed 85,700 Ether, which was then deposited at various addresses. The hackers began transferring about $60 million of the stolen money via the Ethereum-based anonymity protocol RAILGUN on January 13. 350 addresses have been linked to the attack through numerous exchanges in an effort to escape detection, according to research by the cryptocurrency tracking tool MistTrack.

Cryptocurrency exchanges like Binance and Huobi have alerted authorities about stolen Harmony's Horizon Bridge funds by freezing them. This demonstrates how DeFi platforms and centralized exchanges are dependent on one another.





Lazarus Moves More than $60 Million from Harmony Bridge Hack


North Korean state-owned threat actors Lazarus Group has stolen around 41,000 ETH or more than $60 million of Ethereum to the crypto exchanges Binance, Huobi and OKX. While Binance and Huobi both froze the funds, Binance declared that an asset of 124 BTC was also recovered in the process. 

According to internet sleuth ZachXBT, the funds were stolen from the Harmony blockchain bridge hack from last year, which led to a whopping $100 million crypto compromise. Apparently, the same hacker group utilized Tornado Cash, a now banned crypto mixer that conceals names of people involved in the transaction, in order to carry out the attack. 

As per the analysis, conducted by token movements, the ETH was routed through the anonymity system Railgun before being collected in wallets and sent to three significant crypto exchanges, possibly to be exchanged for fiat currency. 

“A very busy weekend” for Lazarus Group 

ZachXBT shared details of this week’s token movements on Twitter, claiming Lazarus Group has had “a very busy weekend” moving funds. 

In the follow-tweets, ZachXBT also linked to the website Chainabuse.com where he shared a list of approximately 350,000 unique wallet addresses that were involved in the Friday’s operation. 

Binance’s Say on the Issue 

On Monday, Binanace CEO Changpeng Zhao, better known as CZ too, commented on the situation. CZ claims that the hackers used Huobi, a competing exchange, rather than Binance this time as one of their exchanges. The hacker's accounts were subsequently frozen with Binance's assistance, he says. 

CZ also disclosed that 124 BTC ($2.6m) had been seized from the hackers, indicating at least some of their ETH has been converted to BTC. 

“We detected Harmony One hacker fund movement. They previously tried to launder through Binance and we froze his accounts. This time he used Huobi. We assisted Huobi team to freeze his accounts. Together, 124 BTC have been recovered,” he wrote. 

Although, Huobi did not comment on the matter other than retweeting an article claiming that the exchange had frozen accounts containing money connected to the hack. 

According to a report from South Korea's National Intelligence Service from December of last year, North Korean hackers have stolen more than $1 billion in digital assets since 2017. 

Moreover, the report claims that around $626 million, or more than half of that estimated tally, was taken in 2022. It also stated that it is suspected that the North Korean government uses the money obtained from the theft to advance Pyongyang’s nuclear weapons program.  

$3.7B Stolen in Crypto Hacks Targeting DeFi in 2022

 


It has been revealed by TRM Labs that a record $3.7 billion worth of crypto funds have been stolen the past year. Of this, 80% have been traced back to attacks against DeFi, as per the research report published by the company. The ten mega hacks identified in the analysis represent 75% of the total amount of funds stolen over the past few years.

A Hacker Stole $3 Billion in Crypto Funds from DeFi

In the findings of a recent study by TRM Labs, it was found that 3.7 billion dollars worth of crypto funds were fraudulently obtained by cybercriminals in 2022. According to the analysis, 80% of the stolen amount, or $3 billion, was obtained through decentralized finance (DeFi) attacks, which constitute a large amount of the stolen amount.

The ten "mega hacks" in the last year refer to exploits of more than $100 million. A total of $3.7 billion was stolen throughout 2022 — nearly 75% of that amount being attributed to these mega hacks. 

More than $540 million was stolen from Ronin Bridge, an Ethereum sidechain developed for the play-to-earn game Axie Infinity, during the Lazarus Group's attack on Ronin Bridge, the largest hack of the year. In the world of cybercrime, the Lazarus Group is a known organization believed to be controlled by North Korea's government. 

Response of Regulators

With profound concern, regulators have been forced to act fiercely in the last couple of months to protect crypto consumers. This is due to the unprecedented rise in attacks on Defi. To illustrate, after the Ronin exploit was uncovered, the U.S. Treasury Department's Foreign Asset Control took action, identifying and tracking the stolen funds using blockchain intelligence. In addition to sanctions on the wallet addresses to which the funds were transferred, OFAC also sanctioned crypto mixers, such as blender.io and Tornado Cash. Hackers used these mixers to launder money and transfer it to these wallet addresses. 

The crypto ecosystem is also targeted by a large army of cyber criminals, with other global regulators adopting specific measures to fight this threat. There have been several proposals by the central bank of Singapore concerning the ban on debt-financed and leveraged crypto trading, including trades made with credit cards by retail users. There has also been a troubling trend in stablecoins, particularly after the colossal collapse of the algorithmic stablecoins TerraUSD and LUNA. These coins have been the focus of global regulators in recent months. Many crypto projects, such as Celsius Network and Voyager Digital, suffered a knock-on effect following the collapse of the market in recent months.   

In November, when the crypto exchange FTX fell to its knees, it was possibly the most significant collapse of the year. Over $8 billion of its users' money got missing from this exchange, a sum that is unlikely to ever be recouped. FTX's contagion spread rapidly over the past month, with many experts predicting the devastation will be even more severe shortly.    

North Korean Lazarus Group Targeting Crypto Market via Telegram & Excel File


DEV-0139 uses targeted attacks to steal cryptocurrency investments 

Microsoft has identified a threat actor that has been targeting cryptocurrency investment startups. An entity that Microsoft has termed as DEV-0139 posed as a cryptocurrency investment firm on Telegram and used an Excel file deployed with malicious "well-crafted" malware to attack systems and access them remotely. 

The threat is part of a trend in cyberattacks showing a high degree of sophistication. In our case, the threat actor made a fake OKX employee profile and joined Telegram groups used for facilitating communication between VIP clients and cryptocurrency exchange platforms. 

In recent years, the cryptocurrency market has grown exponentially, getting the attention of investors as well as threat actors. Cybercriminals have used cryptocurrency for their attacks and campaigns, especially for ransom payment in ransomware attacks. 

DEV-0139 uses Telegram and Excel files to target victim

There has also been a rise in threat actors directly attacking organizations in the cryptocurrency industry for monetary motives. Cyberattacks targeting the cryptocurrency market come in various forms, this includes fraud, vulnerability exploitation, fake apps, and use of info stealers, threat actors use these variables to steal cryptocurrency funds. 

In October, the victim was asked to join a new group and then asked to provide feedback on an Excel document that compared Binance, OKX, and Huobi VIP fee structures. 

The document offered correct information and high awareness of the ground reality of crypto trading, however, it also sideloaded an infected. DLL (Dynamic Link Library) file to make a backdoor into the user's system. The victim was then told to view the .dll file while discussing the course fees. 

According to Microsoft, the weaponized Excel file initiates the following series of activities:

  • A malicious macro in the weaponized Excel file abuses the UserForm of VBA to obfuscate the code and retrieve some data.
  • The malicious macro drops another Excel sheet embedded in the form and executes it in invisible mode. The said Excel sheet is encoded in base64 and dropped into C:\ProgramData\Microsoft Media\ with the name VSDB688.tmp
  • The file VSDB688.tmp downloads a PNG file containing three executables: a legitimate Windows file named logagent.exe, a malicious version of the DLL wsock32.dll, and an XOR-encoded backdoor.
  • The file logagent.exe is used to sideload the malicious wsock32.dll, which acts as a DLL proxy to the legitimate wsock32.dll. The malicious DLL file is used to load and decrypt the XOR-encoded backdoor that lets the threat actor remotely access the infected system.

The attack method is popular, Microsoft suggests the attacker was the same as the one running .dll files for the same reasons in June, and also behind other cyberattack instances as well. As per Microsoft, DEV-0139 is the same threat actor that cybersecurity agency Volexity associated with North Korea's state-sponsored Lazarus Group. 

It uses a malware strain called AppleJeus and an MSI (Microsoft installer). The United States federal Cybersecurity and Infrastructure Security Agency reported on AppleJeus last year and Kaspersky Labs documented it in 2020. 

To stay safe from such threats, Microsoft suggests:

1. Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.

2. Educate end users about protecting personal and business information in social media, filtering unsolicited communication (in this case, Telegram chat groups), identifying lures in spear-phishing emails and watering holes, and reporting reconnaissance attempts and other suspicious activity.

3. Educate end users about preventing malware infections, such as ignoring or deleting unsolicited and unexpected emails or attachments sent via instant messaging applications or social networks. Encourage end users to practice good credential hygiene and make sure the Microsoft Defender Firewall (which is enabled by default) is always on to prevent malware infection and stifle propagation.

4. Change Excel macro security settings to control which macros run and under what circumstances when you open a workbook. Customers can also stop malicious XLM or VBA macros by ensuring runtime macro scanning by Antimalware Scan Interface (AMSI) is on. This feature—enabled by default—is on if the Group Policy setting for Macro Run Time Scan Scope is set to “Enable for All Files” or “Enable for Low Trust Files”.

5. Turn on attack surface reduction rules to prevent common attack techniques observed in this threat:

  • Block Office applications from creating executable content
  • Block Office communication application from creating child processes
  • Block Win32 API calls from Office macros
6. Ensure that Microsoft Defender Antivirus is up to date and that real-time behavior monitoring is enabled.

The cryptocurrency market is a lucrative interest for cybercriminals. Targeted victims are identified via trusted channels to better the chance of attack. While hackers prefer targeting big organizations, smaller organizations can also become an easy target of interest. 






North Korean Hackers Exploit Systems via Deploying PuTTY SSH Tool

An attack using a new spear phishing tactic that makes use of trojanized variants of the PuTTY SSH and Telnet client has been discovered with a North Korea link.

The malicious actors identified by Mandiant as the source of such effort is 'UNC4034', also referred to as Temp.Hermit or Labyrinth Chollima. Mandiant asserted that the UNC4034 technique was currently changing.

UNC4034 made contact with the victim via WhatsApp and tricked them into downloading a malicious ISO package in the form of a bogus job offer. This caused the AIRDRY.V2 backdoor to be installed via a trojanized PuTTY instance. 

As part of a long-running operation called Operation Dream Job, North Korean state-sponsored hackers frequently use fake job lures as a means of spreading malware. One such group is the Lazarus Group. 

The ios file had a bogus amazon job offer which was the entry point for hackers to breach data. After making initial contact via email, the file was exchanged over WhatsApp. 

The archive itself contains a text file with an IP address and login information, as well as a modified version of PuTTY that loads a dropper named DAVESHELL that installs a newer version of a backdoor known as AIRDRY. 

The threat actor probably persuaded the victim to open a PuTTY session and connect to the remote host using the credentials listed in the TXT file, therefore initiating the infection. Once the program has been launched, it makes an effort to persist by adding a new, scheduled task every day at 10:30 a.m. local time.

After a target responds to a fake job lure, the criminals may use a variety of malware delivery methods, according to Mandiant. 

The most recent version of the virus has been found to forego the command-based method in favor of plugins which are downloaded and processed in memory, in contrast to prior versions of the malware that included roughly 30 commands for transferring files, file systems, and command execution.

Several technical indicators are also included in the Mandiant alert to aid businesses in identifying UNC4034-related activities. Days before its publication, US authorities confiscated $30 million in North Korean cryptocurrency that had been stolen.

US Government Seizes Cryptocurrency Worth $30 Million From Lazarus Hackers

The U.S. government in collaboration with blockchain analysts and FBI agents successfully seized $30 million worth of cryptocurrency stolen by the North Korean-linked hacker group 'Lazarus' from the popular token-based 'play-to-earn' game Axie Infinity earlier in the year. 

The government reported this news during the AxieCon event today, where the officials highlighted it as a big achievement. The officials further appreciated and encouraged large-scale collaboration between multiple law enforcement authorities and private entities against growing cyber threats. 

As per the statements made by blockchain analysts on Thursday, it's a momentous event for law enforcement agencies as it is the first time when the agencies have successfully seized crypto tokens from the infamous Lazarus Group. 

“I am proud to say that the Chainalysis Crypto Incident Response team played a role in these seizures, utilizing advanced tracing techniques to follow stolen funds to cash out points and liaising with law enforcement and industry players to quickly freeze funds”, the blog reads. 

Chainalysis talked about the laundering process of the group which involves the following five stages:  

• Stolen Ether sent to intermediary wallets 
• Ether mixed in batches using Tornado Cash 
• Ether swapped for bitcoin 
• Bitcoin mixed in batches 
• Bitcoin deposited to crypto-to-fiat services for cashout,  

However, following the incident, the US Office of Foreign Assets Control - Sanctions Programs and Information has sanctioned tornado cash for its role in the cryptocurrency laundering case. 

The total financial damage caused by Lazarus' Axie Infinity hack is around $620 million, thus, the amount that has been recovered represents only 5% of that value and 10% of the cryptocurrency amount. 

The analysts further stated they “have proven that with the right blockchain analysis tools, world-class investigators and compliance professionals can collaborate to stop even the most sophisticated hackers and launderers. There is still work to be done, but this is a milestone in our efforts to make the cryptocurrency ecosystem safer.” 

Hence, the US government and New York-based blockchain analysis firm are confident that in the future they will recover more damages from the past.

Proofpoint Analysis : APT Groups Target Journalists


APT organizations that are allegedly affiliated with China, North Korea, Iran, and Turkey are described in detail by researchers in a Proofpoint report released on Thursday. Attacks started in early 2021 and are still happening, according to researchers.

Targeted phishing attacks are linked to several threat actors who have independently focused on acquiring journalist credentials and sensitive data as well as tracking their locations. 

Targeting journalist

Proofpoint monitored the activities of the APT group TA412 also known as Zirconium, which attacked journalists based in the US. The nation-state hackers implanted a hyperlinked invisible item within an email body by using phishing emails that contained web beacons such as tracking pixels, tracking beacons, and web bugs.

Journalists based in the US who were being targeted were investigating matters of domestic politics and national security and writing about subjects that favored Beijing.
  • By February 2022, Zirconium had resumed its operations against journalists using the same tactics, with a particular emphasis on those who were reporting the Russia-Ukraine conflict.
  • Proofpoint discovered another Chinese APT organization known as TA459 in April 2022 that was targeting journalists with RTF files that, when viewed, released a copy of the Chinoxy malware. These hackers specifically targeted journalists covering Afghan foreign affairs.
  • Early in 2022, the TA404 group, also known as Lazarus, targeted a media company with a base in the United States. As lures, the attackers utilized phishing messages with job offers.
  • Finally, Turkish threat actors identified as TA482 planned campaigns to harvest credentials from journalists' social media accounts.
Not all hackers, however, are motivated to work hard to breach journalist data. This strategy has mostly been used by Iranian actors, like TA453 or Charming Kitten, who had sent emails to academics and Middle East policy experts while pretending to be reporters.

Finally, Proofpoint draws attention to the activities of Iranian hackers TA457, who initiated media-targeting efforts every 2 to 3 weeks between September 2021 and March 2022.

It's also essential to understand the wide attack surface—all the various web channels used for information and news sharing—that an APT attacker can exploit. Finally, exercising caution and confirming an email's identity or source can stop an APT campaign in its early stages.

Hackers Used Fake LinkedIn Job Offer to Steal $625M

 

Earlier this year, Ronin Network (RON), the blockchain network behind the popular crypto games Axie Infinity and Axie DAO, experienced the greatest crypto attack against a decentralised financial network ever reported. 

The United States issued advice in May 2022, stating that highly competent hackers from North Korea were attempting to get work by posing as IT freelancers. The Axie Infinity attack was socially engineered, with the North Korean government-backed hacker organisation Lazarus into Sky Mavis' network by giving one of the company's workers a PDF file carrying malware. Lazarus' participation in such a high-profile breach should come as no surprise. 

In January 2022, analysts from several crypto security organizations concluded that North Korean hackers had stolen $1.3 billion from cryptocurrency exchanges throughout the world, with the famed Lazarus group as their top suspect. 

Axie Infinity Hack 

The employee, an ex-senior engineer at the firm, fell for the trap and opened the PDF, believing it was a high-paying job offer from another company. However, this firm did not exist in reality.

During the recruitment process, the ex-employee disclosed sensitive personal information that attackers utilised to steal from the organisation. Sky Mavis' staff are regularly threatened by sophisticated spear-phishing attempts on multiple social networks, according to the company. In this case, one person, who does not even work at Sky Mavis, was duped. 

How was Ronin hacked? 

According to The Block, at the time of the attack, Axie Infinity had nine validators from its proof-of-authority, an Ethereum-based sidechain Ronin. 

“The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes,” Sky Mavis stated.

To get access to the company's networks, the attacker needed to seize five out of nine validators. The spyware-laced PDF allowed the attacker to gain control of four validators and get entry to the community-run Axie DAO (Decentralized Autonomous Organization), from which they gained control of the fifth validator. After breaching the network, the attackers took $25 million in USDC stablecoin and 173,600 ether (about $597 million) from Axie Infinity's treasury, totaling $625 million in crypto. 

Nonetheless, the Ronin sidechain upped the number of validators to 11 to improve security, and Sky Mavis is reimbursing Axie Players who lost crypto as a result of the hack. In April 2022, the company raised $150 million in funding. 

The US administration alleges that the assault was carried out by the renowned North Korean hacking organisation Lazarus. This organisation specialises in such attacks. This is hardly Lazarus' first foray into the blockchain sector. However, Lazarus using social engineering to infiltrate a company's networks is unusual. In reality, the Slovak internet security company ESET notified LinkedIn users in June 2020 about Lazarus' involvement in a complex LinkedIn recruiting fraud targeting military and aerospace industries.

Lazarus Group Responsible For $100M Crypto-Heist


Cyber security researchers have found Lazarus Group responsible for stealing $100m worth of crypto via Harmony's Horizon Bridge, a California-based company. Lazarus group is a popular North Korean state-sponsored hacking group that was also behind $620 million worth of crypto theft from the Ronin exchange in March. 

Following the incident, the Harmony cybersecurity team was warned of the attack last week by blockchain forensics company Elliptic that the institution has been attacked by a cross-chain bridge. 

“There are strong indications that North Korea’s Lazarus Group may be responsible for this theft, based on the nature of the hack and the subsequent laundering of the stolen funds,” Elliptic wrote. 

Additionally, Reuters reported that Chainalysis, a blockchain firm is also investigating with Harmony; it claims that the attack style is similar to previous attacks attributed to North Korea-linked actors.

“On Thursday, June 23, 2022, the Harmony Protocol team was notified of a malicious attack on our proprietary Horizon Ethereum Bridge. At 5:30 AM PST, multiple transactions occurred that compromised the bridge with 11 transactions that extracted tokens stored in the bridge,” the company said in its blog. 

As the name suggests, Blockchain bridges allow users to transfer their crypto assets from one blockchain to another. The malicious actors stole $100 million in crypto assets, including Ethereum (ETH), Binance Coin, Tether, USD Coin, EOS, and Dai. 

Elliptic said that the hack was carried out by compromising the cryptographic keys of a multi-signature wallet, a technique that is popularly used by the suspected groups. 

“Lazarus Group tends to focus on APAC-based targets, perhaps for language reasons referring to the Asia-Pacific region. Although Harmony is based in the US, many of the core team has links to the APAC region,” Elliptic added. 

Further, the report suggests that after two days of attack Harmony offered to pay a $1 million bounty to the group for the return of Horizon bridge funds. Also, researchers reported that they have found the offenders behind the $100 million hack.