Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label North Korea. Show all posts
North Korea Hackers
ATM Hacking Cyber Attacks Hidden Cobra Linux Malware Malware Attack North Korea North Korea Hackers

North Korean Hackers Develop Linux Variant of FASTCash Malware Targeting Financial Systems

 

A new Linux variant of FASTCash malware has surfaced, targeting the payment switch systems of financial institutions. North Korean hackers, linked to the Hidden Cobra group, have expanded their cyber arsenal to now include Ubuntu 22.04 LTS distributions. Previously, the malware targeted Windows and IBM AIX systems. These payment switches route transactions between ATMs and banks, and the malware intercepts ISO8583 messages, modifying transaction responses from “decline” to “approve.” This manipulation authorizes fraudulent cash withdrawals through money mules. The discovery, made by security researcher HaxRob, revealed the Linux variant’s ability to bypass security tools, as it was first submitted to VirusTotal in June 2023 with no detection. 

It operates by injecting a shared library into a running process on the payment switch server using the ‘ptrace’ system call. FASTCash’s history of ATM cash-out attacks dates back to 2016, with incidents stealing tens of millions of dollars across multiple countries. The U.S. Cyber Command in 2020 attributed these schemes to APT38, part of the Lazarus Group. North Korea’s involvement in global financial theft is well-documented, with the theft of over $1.3 billion linked to this malware and other campaigns. The Linux variant’s ability to evade standard defenses puts financial institutions at heightened risk. Its discovery emphasizes the evolving tactics of North Korean cyber actors, who are continually refining malware to expand their reach. 

HaxRob also noted a new Windows version of FASTCash, submitted in September 2024, demonstrating the ongoing development of this malware. To mitigate this growing threat, financial institutions must strengthen security around payment switch systems, implement real-time monitoring of unusual transaction patterns, and upgrade defenses to detect advanced attack techniques like FASTCash. 

As North Korean hackers continue to develop sophisticated malware variants, financial organizations must prioritize protecting against this persistent threat to prevent unauthorized cash withdrawals and financial losses.
Read more »
VPN
crypto industry Cyber Crime Cypto North Korea VPN

How North Korea is Exploiting the Crypto Industry

How North Korea is Exploiting the Crypto Industry

North Korean operatives have penetrated the blockchain world, and the covert operation has significant implications for global cybersecurity and the integrity of the crypto market.

Recent warnings from U.S. authorities highlight that North Korean IT workers are infiltrating tech and crypto companies, channeling their earnings to support the state's nuclear weapons program. A 2024 UN report states these workers generate up to $600 million annually for Kim Jong Un's regime. 

Hiring these workers, even unintentionally, violates U.N. sanctions and is illegal in the U.S. and many other countries. It also poses a significant security risk, as North Korean hackers often use covert workers to target companies.

North Korea's Cyber Arsenal

North Korea's cyber operations are nothing new, but their infiltration into the crypto industry represents a new frontier. Using fake identities and fabricated work histories, North Korean IT workers managed to secure positions in over a dozen blockchain firms. These operatives, often disguised as freelancers from countries like South Korea, Japan, or China, have leveraged the decentralized nature of the crypto industry to mask their origins and intentions.

The Crypto Industry's Blind Spot

The crypto industry's decentralized and often anonymous nature makes it an attractive target for cybercriminals. The article reveals how North Korean operatives exploited this blind spot, slipping through the cracks of standard vetting procedures. They infiltrated companies by providing fake credentials and using VPNs to obfuscate their actual locations. This tactic allowed them to access sensitive information and potentially manipulate blockchain networks.

Economic Warfare

North Korea's entry into the crypto industry is part of a broader strategy to circumvent international sanctions. By infiltrating blockchain firms, North Korean operatives can siphon off funds, conduct illicit transactions, and launder money. The stolen assets are then funneled back to the regime, bolstering its finances and supporting its nuclear ambitions.

Consequences and Countermeasures

The infiltration severely affects the targeted firms, exposing them to legal risks and undermining their credibility. It also raises broader concerns about the security of the crypto industry. To combat this threat, companies must adopt more stringent vetting processes, enhance cybersecurity measures, and collaborate with international agencies to identify and neutralize such threats.

Read more »
North Korea
Andariel APT45 Cyber Attacks Dark Web North Korea

Inside the Dark Web: How Andariel Targets U.S. Organizations

Inside the Dark Web: How Andariel Targets U.S. Organizations

The Andariel hacking group, a notorious entity linked to North Korea, has recently shifted its focus towards financially motivated attacks on U.S. organizations. This pivot, observed in August 2024, marks a significant change in the group's operational strategy, raising concerns among cybersecurity experts and organizations alike.

Background of Andariel

Andariel, considered a sub-cluster of the notorious Lazarus Group, is also known as APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (previously Plutonium), Operation Troy, Silent Chollima, and Stonefly. They’ve been active since at least 2009. 

Operating under North Korea's Reconnaissance General Bureau (RGB), Andariel is notorious for deploying ransomware strains like SHATTEREDGLASS and Maui, and developing custom backdoors such as Dtrack (aka Valefor and Preft), TigerRAT, Black RAT (aka ValidAlpha), Dora RAT, and LightHand.

They also use lesser-known tools like a data wiper called Jokra and an advanced implant named Prioxer for exchanging commands and data with a command-and-control (C2) server. 

In July 2024, a North Korean military intelligence operative from Andariel was indicted by the U.S. Department of Justice (DoJ) for ransomware attacks on healthcare facilities, using the proceeds to conduct further intrusions into defense, technology, and government sectors worldwide.

The Shift in Focus

Symantec, a leading cybersecurity firm, reported that Andariel's recent campaigns have targeted U.S. organizations across various sectors, including finance, healthcare, and retail. 

The group's tactics have evolved to include sophisticated phishing attacks, ransomware deployments, and exploitation of known vulnerabilities in widely used software. This shift is indicative of a broader trend where state-sponsored groups diversify their objectives to include financial motivations alongside traditional espionage.

Techniques and Tactics

Andariel's attack involves a combination of advanced persistent threats (APTs) and financially motivated cybercrime techniques. Some of the key tactics observed include:

1. Phishing Campaigns: Andariel has been leveraging highly targeted phishing emails to gain initial access to corporate networks. These emails often mimic legitimate communications and contain malicious attachments or links that deploy malware upon interaction.

2. Ransomware Attacks: The group has increasingly used ransomware to encrypt critical data and demand hefty ransoms in cryptocurrency. This tactic not only disrupts business operations but also provides a lucrative revenue stream.

3. Exploitation of Vulnerabilities: Andariel has been quick to exploit known vulnerabilities in popular software and systems. By targeting unpatched systems, they can gain unauthorized access and move laterally within networks to exfiltrate sensitive data.

4. Supply Chain Attacks: Another concerning tactic is the compromise of third-party vendors and suppliers to infiltrate larger organizations. This method allows Andariel to bypass direct defenses and gain access through trusted connections.

Read more »
Web3
Bitcoin Crypto Currency ETF Ether lazarus North Korea Web3

North Korean Hackers Attacking Crypto Industry, Billions at Risk

North Korean Hackers Attacking Crypto Industry, Billions at Risk

The United States Federal Bureau of Investigation (FBI) has recently highlighted a significant cybersecurity threat posed by North Korean cybercriminals targeting the web3 and cryptocurrency sectors. 

Why Hackers Target ETFs?

The cryptocurrency industry has witnessed tremendous growth, Ether and Bitcoin are game changers. The rise has led to financial instruments like ETFs (Exchange-traded funds) that allow investors access without owning them directly. But, with the increase of crypto technologies, security questions have also surfaced. 

The United States FBI recently warned about a major cybersecurity threat from North Korean hackers targeting cryptocurrency and web3 sectors. Billions of dollars go into these crypto ETFs, but investors shouldn’t be hasty to think their assets are secure. 

Lazarus Behind Attacks

Lazarus (a North Korean state-sponsored group) is no stranger to the cryptocurrency market and is allegedly responsible for various attacks against famous exchanges and blockchain protocols. Officials are concerned about hackers attacking crypto-backed ETFs by targeting the underlying assets. 

North Korean hackers are using advanced engineering methods to fool employees at decentralized finance (DeFi) and cryptocurrency firms. The hackers impersonate high-profile figures within an organization and or make specific scenarios based on the target’s position, business interests, or skills to get in their good books. 

“The actors may also impersonate recruiting firms or technology companies backed by professional websites designed to make the fake entities appear legitimate. Examples of fake North Korean websites can be found in affidavits to seize 17 North Korean domains, as announced by the Department of Justice in October 2023,” the FBI warned.

The FBI Warning

The FBI has warned against storing private cryptocurrency wallet data on web-connected devices as they may be victims of hacking attacks. If these requests come from unfamiliar sources, organizations should be careful when using non-standard software or applications on their network.

North Korean hackers have already stolen sensitive data from Bitcoin companies by using fake job ads. The FBI’s warning is a wake-up call for web3 and cryptocurrency firms to advance their cybersecurity systems and be careful against these rising attacks. 

“The actors usually attempt to initiate prolonged conversations with prospective victims to build rapport and deliver malware in situations that may appear natural and non-alerting. If successful in establishing bidirectional contact, the initial actor, or another member of the actor’s team, may spend considerable time engaging with the victim to increase the sense of legitimacy and engender familiarity and trust,” the FBI reports.

Read more »
Reddit
Cyber Attacks Digital Infrastructure Hacker attack Hacking Tools North Korea Online Security Reddit

Hacker Who Took Down North Korea’s Internet Reveals Key Insight

 

Alejandro Caceres, known online as P4x, recently revealed himself as the hacker who managed to take down North Korea’s internet for over a week. This feat, conducted entirely from his home in Florida, has drawn significant attention, and Caceres recently took to Reddit to allow people to “ask him anything” about his experience hacking into one of the world’s most secretive and isolated nations. 

Caceres, a 38-year-old Colombian-American cybersecurity entrepreneur, was unmasked as the hacker behind this attack by Wired magazine. He explained that his actions were in retaliation after he was targeted by North Korean spies attempting to steal his hacking tools. In response, he decided to hit back by attacking North Korea’s internet infrastructure, a move that kept the country’s limited public websites offline for over a week. He told Wired, “It felt like the right thing to do here. If they don’t see we have teeth, it’s just going to keep coming.” In his Reddit thread, Caceres discussed the simplicity of his attack, saying, “Honestly, I’ve been asked this a lot. And I can’t really tell haha. I used to say nah it wasn’t that hard.” 

He later clarified, “People told me it wasn’t hard only because I’m trained in this.” Caceres took advantage of North Korea’s outdated and minimal internet infrastructure, which he described as “little sticks and glue.” He noted that North Korea has only two routers for internet ingress and egress, making it easier for a skilled hacker to disrupt the system. When asked about the possible consequences of his actions, Caceres admitted he had faced little to no backlash. “Everyone seems to sort of like it but cannot say that officially. Honestly, I expected a LOT more negativity just because that’s the natural order of things,” he remarked. 

The only attention he has received so far has been from intelligence agencies interested in learning how he managed the hack. He recounted how these meetings sometimes took place in basements, joking, “It was super X-Files type s**t but also like any normal meeting. Weird dissonance…” Reddit users also asked about the possible risks and repercussions of his actions. Caceres expressed surprise at not having faced any direct threats or legal actions. “I have not yet been murdered or arrested, so that’s pretty good,” he joked. 

As of now, Caceres has not faced any significant consequences beyond curiosity from intelligence agencies wanting to understand his methods. Caceres’s hack on North Korea serves as a reminder of how vulnerable even the most secretive and controlled nations can be to cyberattacks, especially when dealing with experienced hackers. While his actions have garnered admiration and a certain level of respect in online communities, they also raise questions about the potential consequences for international relations and cybersecurity norms. 

As the world increasingly relies on digital infrastructure, incidents like this highlight both the possibilities and the dangers of hacking in a hyperconnected world. Caceres, for his part, remains unrepentant and open about his motivations, positioning his actions as a form of digital self-defense and a warning against further provocations from hostile entities.
Read more »
Windows zero-day exploit
cybersecurity threat Fudmodule malware Hacking Group Microsoft vulnerability North Korea Vulnerabilities and Exploits Windows zero-day exploit

North Korea Exploited Windows Zero-Day Vulnerability to Install Fudmodule

 

North Korea's Lazarus hacking group has once again exploited a zero-day vulnerability in Microsoft Windows to deploy malware on targeted devices. On August 13, Microsoft addressed this issue with its monthly Patch Tuesday updates, fixing a flaw in the Windows Ancillary Function Driver (Afd.sys) for WinSock, identified as CVE-2024-38193. Security experts strongly recommend applying this update promptly, as Microsoft has confirmed that the vulnerability is actively being exploited.

The flaw allows attackers to escalate system privileges through a use-after-free memory management issue, potentially granting them elevated system access, according to Rapid7. The advisory underscores the urgency of this patch, highlighting the low complexity of attacks, lack of required user interaction, and minimal privileges needed for exploitation.

The warning proved accurate, as Avast researchers Luigino Camastra and Martin Milanek, who initially discovered and reported the flaw to Microsoft in June, revealed that Lazarus had been exploiting this vulnerability before the fix was issued. Their primary aim was to install a rootkit named Fudmodule on the affected systems, utilizing the zero-day vulnerability to remain undetected by security software.

Details on the specific organizations targeted and their industries have not been disclosed. However, Lazarus is known for its focus on stealing cryptocurrency to support North Korea’s financially strained regime. The regime also uses its hacking teams to gather intelligence on Western nuclear facilities and defense systems.

This incident is part of a broader pattern of North Korean hacking activities targeting Windows drivers. In February, Microsoft patched another vulnerability, CVE-2024-21338, which Lazarus had used to gain system-level access. This flaw was in the appid.sys AppLocker driver, crucial for controlling application execution on Windows systems. Avast had previously reported this vulnerability, which was actively being exploited by Lazarus to install Fudmodule. The updated version of Fudmodule included enhancements, such as disabling antivirus protections like Microsoft Defender and CrowdStrike Falcon.

The rise of "Bring Your Own Vulnerable Driver" (BYOVD) attacks, where attackers use legitimate but vulnerable drivers to bypass security measures, has been noted. Lazarus has employed this tactic since at least October 2021, using it to infiltrate systems by loading drivers with known vulnerabilities. Other groups have also utilized similar methods, such as Sophos reporting on RansomHub's use of outdated drivers to disable endpoint detection and response tools, and deploying ransomware.

Overall, as Lazarus and similar groups continue to adapt their strategies, the need for vigilance and timely updates is crucial to protect systems from these sophisticated attacks.
Read more »
VPN
Bug Exploit malware North Korea Organization security VPN

How North Korean Attackers Deployed Malware Via VPN Bug Exploit

How North Korean Attackers Deployed Malware Via VPN Bug Exploit

In a concerning event, North Korean state-sponsored have again displayed their advanced cyber capabilities by abusing flaws in VPN software updates to plant malware. The incident highlights the rising threats from state-sponsored actors in the cybersecurity sector. "The Information Community attributes these hacking activities to the Kimsuky and Andariel hacking organizations under the North Korean Reconnaissance General Bureau, noting the unprecedented nature of both organizations targeting the same sector simultaneously for specific policy objectives," NCSC said.

Attack Vector Details

The NCSC (National Cyber Security Center) recently detected two infamous North Korean hacking groups named Kimsuky (APT43) and Andariel (APT45) as the masterminds of these attacks. The groups have a past of attacking South Korean companies and have set their eyes on exploiting bugs in VPN software updates. Threat actors leveraged these flaws, gained access to networks, deployed malware, and stole sensitive data, including trade secrets.

How the attack works

The actors used a multi-dimensional approach to attack their targets. First, they identified and compromised vulnerabilities in the VPN software update mechanisms. Once the update started, the attackers secretly installed malware on the victim's system. The malware then set up a backdoor, letting the hackers build persistent access to the compromised network.

A key tactic used by attackers was to disguise the malware as a genuine software update. Not only did it help escape detection, but it also ensured that the dangerous malware was planted successfully. The malware was built to extract sensitive information, including intellectual property and secret business info that can be used for economic espionage purposes or can be sold on the dark web.

Learnings for the Cybersecurity Sector

The incident underscores important issues in cybersecurity, the main being the importance of strengthening software update mechanisms. Software updates are a routine part of keeping the system secure, and users trust them easily. This trust gives threat actors leverage and allows them to attack, as shown in this case.

The second issue, the attack highlights an urgent need for strong threat intelligence and monitoring. Organizations must stay on alert and constantly look out for signs of attacks. A sophisticated threat detection system and frequent security audits can help detect and mitigate possible threats before they can cause major damage.

Tips on Staying Safe

Here are some key strategies organizations can adopt for multi-layered security:

Regular patching and updates ensure all software like VPNs, are updated with the latest security patches, reducing the risk of flaws being abused.

Implementing a "Zero Trust Framework" which assumes internal and external threats, the model requires strict authorization for each user and device trying to access the network.

Using advanced endpoint protection solutions that can identify and respond to suspicious activities on individual systems.

Read more »
threat report
Cyber Crime Microsoft Moonstone North Korea threat report

Unmasking Moonstone Sleet: A Deep Dive into North Korea’s Latest Cyber Threat

Moonstone Sleet: A New North Korean Threat Actor

Moonstone Sleet: A New North Korean Threat Actor

Microsoft discovered a new North Korean threat actor, Moonstone Sleet (formerly Storm-1789), who targets companies with a combination of tried-and-true techniques used by other North Korean threat actors as well as unique attack methodologies for financial and cyber espionage purposes. 

Moonstone Sleet has been detected setting up phony firms and job chances to engage with potential targets, using trojanized copies of legitimate tools, developing a fully complete malicious game, and delivering a new unique ransomware.

About Moonstone Sleet 

Moonstone Sleet is a threat actor behind a series of malicious acts that Microsoft believes is North Korean state-aligned. It employs tried-and-true techniques other North Korean threat actors utilize and novel attack methodologies. 

When Microsoft first discovered Moonstone Sleet activity, the actor showed strong similarities to Diamond Sleet, reusing code from known Diamond Sleet malware such as Comebacker and employing well-established Diamond Sleet techniques to gain access to organizations, such as using social media to deliver trojanized software. 

However, Moonstone Sleet swiftly adopted its own unique infrastructure and attacks. Microsoft has since observed Moonstone Sleet and Diamond Sleet operating concurrently, with Diamond Sleet continuing to use much of its well-known, established tradecraft.

Moonstone Sleet has a diverse collection of operations that serve its financial and cyberespionage goals. These include delivering proprietary ransomware, building a malicious game, establishing bogus firms, and employing IT personnel.

Why should organizations be concerned?

Moonstone Sleet’s emergence highlights the need for organizations to remain vigilant. Here’s why:

  • Financial Gain: Moonstone Sleet primarily targets financial institutions, seeking monetary gains through cybercrime. Their deceptive tactics make it challenging to detect their presence until it’s too late.
  • Cyberespionage: Beyond financial motives, Moonstone Sleet engages in cyber espionage. They aim to steal sensitive data, trade secrets, and intellectual property, posing a significant risk to organizations.
  • Overlapping TTPs: Moonstone Sleet’s TTPs overlap with other North Korean threat actors. Organizations must recognize these patterns and enhance their defenses accordingly.

Defending against Moonstone Sleet

  • User Awareness: Educate employees about the risks of downloading files from unverified sources. Encourage skepticism when encountering job offers or software downloads.
  • Network Segmentation: Implement network segmentation to limit lateral movement within the organization. Isolate critical systems from less secure areas.
  • Behavioral Analytics: Leverage behavioral analytics to detect unusual activity. Monitor for signs of trojanized tools or suspicious game downloads.
  • Threat Intelligence Sharing: Collaborate with industry peers and share threat intelligence. Stay informed about emerging threat actors and their TTPs.

Read more »
Threat Intelligence
Cyber Attacks ESET Global Security North Korea Threat Intelligence

Defending Digital Frontiers: Strategies for Organizations in an Unstable World

Global Stability Issues Alter Cyber Threat Landscape

An overview

  • Geopolitical Tensions: Regional stability issues, such as political conflicts and economic tensions, have a direct impact on cyber threats. As geopolitical events unfold, threat actors adapt their strategies to exploit vulnerabilities.
  • Attack Trends: While no groundbreaking attack methods have emerged, existing techniques continue to evolve. Advanced Persistent Threat (APT) groups remain active, targeting government entities, critical infrastructure, and private organizations.
  • Leading Actors: ESET’s research identifies Russia-aligned APT groups as the most prolific attackers. Their sophisticated campaigns target various sectors, including energy, finance, and defense. China-aligned actors follow closely, focusing on espionage and intellectual property theft.

The current landscape

A recent analysis from threat intelligence analysts ESET claims that threat actors are increasing their attacks worldwide, with geographic events determining which locations are most heavily targeted. The principal author of the research recommends that CISOs to intensify their protection plans in light of the activity, even if he claims that no new attack techniques have been discovered.

The director of threat research at ESET, Jean-Ian Boutin said  that current attack methods "still work well." Thus, attackers don't always need to use innovative vectors. According to Boutin, CISOs are defending against these attacks properly; they only need to fortify themselves even more.

Impact on regional stability

The researchers claim that because the primary worldwide assault trends that ESET has identified have been directly impacted by regional stability difficulties, these challenges are also affecting the cyber sphere. The report focuses on activities of specific advanced persistent threat (APT) groups from October 2023 to March 2024, the experts said in the report.

Researchers from ESET also observed that organizations connected with Russia were concentrating on espionage activities throughout the European Union in addition to assaults against Ukraine.

Along with operations against Ukraine, ESET researchers also saw that entities connected with Russia were concentrating on espionage across the European Union. However, the researchers noted that several threat actors with ties to China took use of flaws in software and public-facing hardware, including firewalls and VPNs, as well as Confluence and Microsoft Exchange Server, to gain first access to targets across a variety of sectors.

Analysis of attacks

Using emotions to keep the assault from being disclosed is one of the more recent strategies ESET is witnessing in North Korea; this will probably increase the tactic's usefulness and duration. According to Boutin, the method has been used for years, but North Korean APT organizations are making a small adjustment.

Under the guise of a job application, the hack targets programmers and other technical talent at numerous significant US corporations. The victim is exposed to the malware and the trap is set when the attacker poses as a recruiter for such companies and requests that the victims complete an online test to demonstrate their technical proficiency.

Implications for CISOs

  • Defense Strategies: Organizations must strengthen their defense mechanisms. Proactive threat intelligence, robust network security, and employee training are essential. Zero-day vulnerabilities and supply chain attacks require constant vigilance.
  • Threat Attribution: Understanding threat actors’ motivations and affiliations is crucial. Attribution helps tailor defenses and prioritize resources effectively. Collaboration among security professionals and law enforcement agencies is vital.
  • Risk Assessment: Organizations should assess their risk exposure based on geopolitical events. Consider the impact of regional instability on critical assets and operations. Regular risk assessments inform decision-making.

Read more »
Vulnerabilities and Exploits
CISA cyber threat DLL hijacking North Korea North Korea Hackers Security Breach Vulnerabilities and Exploits

Navigating the Complex Landscape of Cyber Threats: Insights from the Sisense Breach and North Korean Tactics

 

In the intricate tapestry of cybersecurity, recent events have thrust vulnerabilities and threats into the spotlight once again. The breach of data analytics powerhouse Sisense, coupled with the emergence of novel sub-techniques utilized by North Korean threat actors, underscores the dynamic and relentless nature of cyber warfare. Let's delve deeper into these incidents and glean valuable insights for bolstering our defenses against evolving cyber threats. 

Sisense, a formidable player in the realm of business intelligence software, recently found itself ensnared in a security breach that rippled through critical infrastructure organizations. With offices sprawled across strategic locations such as New York City, London, and Tel Aviv, and a prestigious clientele including Nasdaq, ZoomInfo, Verizon, and Air Canada, Sisense's allure to cyber adversaries is palpable. 

The breach, currently under scrutiny by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), serves as a stark reminder of the precarious balance between innovation and security in today's digital landscape. At the heart of the Sisense breach lie two sub-techniques that have become favoured tools in the arsenal of North Korean threat actors. The first involves the manipulation of Transparency, Consent, and Control (TCC), a foundational security protocol governing application permissions on Apple's macOS. 

Despite the robustness of security measures such as Full Disk Access (FDA) and System Integrity Protection (SIP), attackers have exhibited a remarkable ability to circumvent these controls, gaining unfettered access to macOS environments. This tactic underscores the imperative of continuous monitoring and adaptive security strategies to thwart the nefarious designs of cyber adversaries. 

The second sub-technique, colloquially known as "phantom" Dynamic Link Library (DLL) hijacking, sets its sights on Windows environments, leveraging nonexistent DLL files referenced by the operating system. By capitalizing on this loophole, threat actors such as the Lazarus Group and APT 41 can inject malicious code undetected, posing a grave threat to system integrity. 

The clandestine nature of this tactic exemplifies the ingenuity and adaptability of cyber adversaries in navigating the labyrinthine landscape of cybersecurity defenses. Mitigating these sophisticated threats necessitates a multifaceted approach that encompasses both technical fortifications and user awareness initiatives. For macOS users, safeguarding the integrity of System Integrity Protection (SIP) and exercising caution with app permissions are imperative steps in mitigating the risk of TCC manipulation. 

In Windows environments, proactive monitoring, robust application controls, and preemptive measures to block remote DLL loading are indispensable in thwarting phantom DLL attacks. Moreover, fostering a culture of collaboration and information sharing between industry stakeholders and government agencies is paramount in confronting the ever-evolving threat landscape. 

By pooling resources, sharing threat intelligence, and adopting a unified front against cyber adversaries, organizations can amplify their collective resilience and fortify their defenses against emerging threats. 

In conclusion, the Sisense breach and the intricate tactics employed by North Korean threat actors serve as poignant reminders of the relentless onslaught of cyber threats. By remaining vigilant, proactive, and collaborative, organizations can navigate the turbulent waters of cybersecurity with resilience and fortitude, safeguarding their digital assets and preserving the integrity of our interconnected world.
Read more »
North Korea
Cyber Security Digital Vigilante Geopolitical Intrigue Hacker North Korea

Alejandro Caceres: The Vigilante Hacker Who Took Down North Korea’s Internet

Alejandro Caceres: The Vigilante Hacker Who Took Down North Korea’s Internet

In the shadowy world of cybersecurity, where nation-states and rogue actors engage in digital warfare, one man stood out—a vigilante hacker named Alejandro Caceres. His audacious mission: was to take down North Korea’s internet infrastructure. 

Caceres launched a one-man cyberwar that disrupted every publicly visible website in North Korea, keeping them offline for over a week. But who was this mysterious figure, and what drove him to such extreme measures?

The Unlikely Hero

Alejandro Caceres, a 38-year-old Colombian-American cybersecurity entrepreneur, hardly fits the profile of a cyberwarrior. Yet, his personal vendetta against North Korean spies pushed him to the brink. 

Having been targeted by North Korean agents earlier, Caceres reported the incidents to the FBI, only to receive no government support. Frustrated and disillusioned, he decided to take matters into his own hands. His mission: to send a message to Kim Jong Un’s regime that messing with American hackers would have consequences.

The Pseudonym: P4x

As Caceres executed his attack, he adopted the pseudonym “P4x.” The name was a clever nod to his intention: to force peace with North Korea through the threat of his own punitive measures. 

By hiding behind this moniker, he hoped to evade both North Korean retaliation and potential criminal hacking charges from his own government. P4x became the faceless avenger, a digital vigilante with a singular purpose.

The Tools of the Trade

Armed with custom-built programs and cloud-based servers, Caceres disrupted North Korea’s internet infrastructure. His attacks were intermittent, calculated, and relentless. Publicly visible websites blinked out of existence, leaving the regime scrambling for answers. 

Caceres provided screen-capture videos and real-time evidence of his disruption, all while remaining hidden in his coastal Florida home. 

The Power of One

Caceres’ story underscores the power of a single individual in the vast digital landscape. In a world dominated by nation-states and cyber armies, he stood alone against North Korea. His actions were audacious, risky, and morally ambiguous. Was he a hero or a rogue? The answer, perhaps, lies in the gray areas of cyberwarfare.

The Message

As North Korea’s internet flickered and faltered, Caceres sent a message: No one is untouchable. Even the most secretive regime could be disrupted by a determined hacker. His personal vendetta had transformed into a geopolitical statement. The world watched as North Korea’s cyber defenses crumbled, and P4x became a legend.

Read more »
South Korea
Cyber Attacks CyberCrime Cybersecruity DPRK Global Authorities North Korea South Korea

Global Authorities Examine 58 Cyberattacks Linked to North Korea, Valued at $3 Billion

 


North Korean sanctions monitors have been investigating dozens of possible cyberattacks by the regime, which are believed to have raised $3 billion to fuel the state's nuclear weapons program, according to excerpts released from an unpublished report by the UN. 

In the executive summary of a new report submitted to the United Nations Security Council obtained Friday by The Associated Press, a panel of experts stated that the number of cyberattacks by North Korean hacking groups that report to the Reconnaissance General Bureau, North Korea’s primary foreign intelligence organization, is continuing to be high. 

This report covers the period from July 2023 to January 2024, and it is based on contributions made by unidentified United Nations representatives. A report sent to the council of 15 nations, compiled from member nations and other sources, was sent in response to the high tensions in the region caused by North Korean leader Kim Jong Un. 

As a result, the United States, South Korea, and Japan have increased their combined military exercises in response to his threat to destroy South Korea if provoked and escalating weapons demonstrations. He threatened to annihilate South Korea if provoked by an escalation of weapons demonstrations. Amid the increased military and political tensions on the Korean Peninsula, the experts said North Korea “continued to flout (U.N.) sanctions,” further developed its nuclear weapons, and produced nuclear fissile materials – the weapons’ key ingredients. 

There was no doubt that the light-water reactor at North Korea's main nuclear complex at Yongbyon appeared to be operational, according to the experts. Despite suspicions that the North may use it as a new source of fissile materials for nuclear weapons, the South Korean defence minister said in late December that the reactor is likely to become operational by the summer. 

A 5-megawatt reactor near Yongbyon, the country that possesses the world's largest nuclear capacity, has been producing weapons-grade plutonium for many years. As an additional source of bomb fuel, this light-water reactor would be a useful addition to the arsenal, and observers have pointed out that, with its larger capacity, it can produce more plutonium. 

Furthermore, Yongbyon has its own facility for enriching uranium, which can enrich uranium up to 99%. According to the panel, North Korea is likely preparing to conduct its seventh nuclear test from Punggye-ri, which would mark the first nuclear test conducted there since 2017. The panel said it has been working on monitoring activities at the nuclear test site. 

It has been estimated that North Korea has nuclear weapons in the range of 20-60 (or more than 100, depending on who is doing the counting) to more than 100. North Korea is thought to be capable of adding between six and 18 bombs per year, according to experts. Kim Jong Un has repeatedly made a promise to build more nuclear weapons and introduce high-technology weapons to deal with what he calls intensifying U.S. hostility since his diplomacy with the U.S. collapsed in 2019. 

According to the panel, at least seven ballistic missiles were launched by the Democratic People's Republic of Korea during the six months that ended in January, including one intercontinental ballistic missile, one intermediate-range missile, and five short-range missiles. That was one of the most numerous rocket launches that the North has ever made, according to the panel. 

A military observation satellite has been successfully launched by the DPRK in orbit, following two failed attempts, experts said Sunday. As part of the North's military arsenal, an old diesel submarine has been modified so that it can be used as a tactical nuclear attack submarine. 

The monitoring panel overseeing U.N. sanctions against North Korea has observed persistent breaches by the DPRK. The country, in defiance of Security Council resolutions, is found to illicitly import refined petroleum products. 

To circumvent maritime sanctions, the DPRK employs a blend of obfuscation techniques. In the year 2023, the recorded trade volume exceeded that of 2022, encompassing a diverse range of consumer goods. Some of these items, deemed luxury goods and prohibited by U.N. sanctions, were included. 

The panel is actively probing reports from member states regarding the DPRK's potential involvement in the arms and ammunition trade, a clear violation of U.N. sanctions. Recent accusations from the United States, Ukraine, and six allies assert Russia's utilization of North Korean ballistic missiles and launchers in devastating aerial attacks against Ukraine, violating U.N. sanctions. South Korea's military, in November, suspected North Korea of exporting various armaments, including short-range ballistic missiles and anti-tank missiles to Russia, contravening U.N. sanctions. 

Throughout the last six months, discernible trends indicate the DPRK's focus on targeting defence companies and supply chains, as well as increased collaboration in infrastructure and tools. The panel has also delved into reports of numerous DPRK nationals working abroad in sectors such as information technology, restaurants, and construction, generating income in violation of U.N. sanctions. 

Additionally, the DPRK persists in accessing the international financial system for illicit financial operations. While U.N. sanctions are designed to spare ordinary North Koreans, the panel acknowledges unintentional repercussions on the humanitarian situation and aspects of aid operations. Nevertheless, the precise impact of sanctions relative to other factors remains challenging to discern.
Read more »
Ransomware
Block Chain Crypto Theft Cyber Security North Korea Ransomware

North Korean Actors Behind $600M in Crypto Thefts: TRM Labs


North Korean Hackers

According to a TRM Labs analysis, hackers with ties to North Korea were responsible for one-third of all cryptocurrency exploits and thefts last year, taking away about $600 million in cash.

The blockchain analytics company claimed on Friday that the amount takes the Democratic People's Republic of Korea's (DPRK) total revenue from cryptocurrency initiatives to about $3 billion over the previous six years.

Nevertheless, according to Ari Redbord, head of legal and government affairs at TRM, the amount is roughly 30% lower than in 2022. Actors with ties to the DPRK stole about $850 million that year, "a huge chunk" of which came from the Ronin Bridge exploit, Redbord said. 

Current Scenario

The latter few months of 2023 saw the majority of the stolen money seized.

"They're clearly attacking the crypto ecosystem at a really unprecedented speed and scale and continue to take advantage of sort of weak cyber controls," said Redbord. Many of the attacks continue to use so-called social engineering, allowing the perpetrators to acquire private keys for projects, he said.

TRM links around $200 M in stolen funds to North Korea last year. The fact that the earnings of North Korean attacks go toward the development of WMDs raises worries about national security and sets them apart from other attacks.

Stolen Money: 2023

In 2023, the total amount of money obtained through hacking was approximately $1.7 billion, as opposed to $4 billion, which was taken the year before.

Redbord gave multiple reasons for the decline. Less significant hacks, such as the Ronin theft in 2022, have occurred. Other contributing factors include stronger cybersecurity measures, effective law enforcement initiatives, and, to a lesser degree, price volatility in the previous year.

During a recent trilateral meeting over North Korea's WMD efforts, national security officials from the United States, the Republic of Korea, and Japan brought up these concerns directly.

"North Korean hackers are different, because it's not for greed or money or the typical hacker mentality; it's about taking those funds and using them for weapons proliferation and other types of destabilizing activity, which is a global threat," Redbord said. "And that's why there's such a focus on it from a national security perspective."
Read more »
South Korea
Andariel Data Breach Hacker group Military Data North Korea North Korean Hackers Ransomware group South Korea

Seoul Police Reveals: North Korean Hackers Stole South Korean Anti-Aircraft Data


South Korea: Seoul police have charged Andariel, a North Korea-based hacker group for stealing critical defense secrets from South Korea’s defense companies. Allegedly, the laundering ransomware is redirected to North Korea. One of the 1.2 terabytes of data the hackers took was information on sophisticated anti-aircraft weaponry.  

According to the Seoul Metropolitan Police Agency, the hacker group utilized servers that they had rented from a domestic server rental company to hack into dozens of South Korean organizations, including defense companies. Also, the ransomware campaign acquired ransoms from a number of private sector victim firms. 

Earlier this year, the law enforcement agency and the FBI jointly conducted an investigation to determine the scope of Andariel's hacking operations. This was prompted by reports from certain South Korean corporations regarding security problems that were believed to be the result of "a decline in corporate trust." 

Andariel Hacker Group 

In an investigation regarding the origin of Andariel, it was found that it is a subgroup of the Lazarus Group. The group has stolen up to 1.2 terabytes of data from South Korean enterprises and demanded 470 million won ($357,000) in Bitcoin as ransom from three domestic and international organizations.  

According to a study conducted by Mandiant, it was revealed that Andariel is operated by the North Korean intelligence organization Reconnaissance General Bureau, which gathers intelligence for the regime's advantage by mainly targeting international enterprises, governmental organizations, defense companies, and financial services infrastructure. 

Apparently, the ransomware group is also involved in cybercrime activities to raise funds for conducting its operation, using specially designed tools like the Maui ransomware and DTrack malware to target global businesses. In February, South Korea imposed sanctions on Andariel and other hacking groups operating in North Korea for engaging in illicit cyber operations to fund the dictatorial regime's nuclear and missile development projects.  

The threat actor has used a number of domestic and foreign crypto exchanges, like Bithumb and Binance, to launder the acquired ransom. Till now, a sum of 630,000 yuan ($89,000) has been transferred to China's K Bank in Liaoning Province. The hackers proceeded to redirect the laundered money from the K Bank branch to a location close to the North Korea-China border. 

Seoul police noted that they have seized the domestic servers and virtual asset exchange used by Andariel to conduct their campaigns. Also, the owner of the account, that was used in transferring the ransom, has been detained. 

"The Security Investigation Support Department of the Seoul Metropolitan Police Agency is actively conducting joint investigations with related agencies such as the U.S. FBI regarding the overseas attacks, victims and people involved in this incident, while continuing to investigate additional cases of damage and the possibility of similar hacking attempts," the agency said.

The police have warned businesses of the threat actor and have advised them to boost their cybersecurity and update security software to the latest versions. It has also been advised to organizations to encrypt any critical data, in order to mitigate any future attack. 

Moreover, police are planning to investigate server rental companies to verify their subscribers’ identities and to ensure that the servers have not been used in any cybercrime activity.  

Read more »
NPM
Cyber Attacks Cyber Hackers Cyberattack Threat CyberCrime Cybersecurity GDPR GitHub North Korea NPM

New Cyber Threat: North Korean Hackers Exploit npm for Malicious Intent

 


There has been an updated threat warning from GitHub regarding a new North Korean attack campaign that uses malicious dependencies on npm packages to compromise victims. An earlier blog post published by the development platform earlier this week claimed that the attacks were against employees of blockchain, cryptocurrency, online gambling, and cybersecurity companies.   

Alexis Wales, VP of GitHub security operations, said that attacks often begin when attackers pretend to be developers or recruiters, impersonating them with fake GitHub, LinkedIn, Slack, or Telegram profiles. There are cases in which legitimate accounts have been hijacked by attackers. 

Another highly targeted attack campaign has been launched against the NPM package registry, aimed at enticing developers into downloading immoral modules by enticing them to install malicious third-party software. There was a significant attack wave uncovered in June, and it has since been linked to North Korean threat actors by the supply chain security firm Phylum, according to Hacker News. This attack wave appears to exhibit similar behaviours as another that was discovered in June. 

During the period from August 9 to August 12, 2023, it was identified that nine packages were uploaded to NPM. Among the libraries that are included in this file are ws-paso-jssdk, pingan-vue-floating, srm-front-util, cloud-room-video, progress-player, ynf-core-loader, ynf-core-renderer, ynf-dx-scripts, and ynf-dx-webpack-plugins. A conversation is initiated with the target and attempts are made to move the conversation to another platform after contacting them. 

As the attacker begins to execute the attack chain, it is necessary to have a post-install hook in the package.json file to execute the index.js file which executes after the package has been installed. In this instance, a daemon process is called Android. The daemon is launched as a dependency on the legitimate pm2 module and, in turn, a JavaScript file named app.js is executed. 

A JavaScript script is crafted in a way that initiates encrypted two-way communications with a remote server 45 seconds after the package is installed by masquerading as RustDesk remote desktop software – "ql. rustdesk[.]net," a spoofed domain posing as the authentic RustDesk remote desktop software. This information entails the compromised host's details and information. 

The malware pings every 45 seconds to check for further instructions, which are decoded and executed in turn, after which the malware checks for new instructions every 45 seconds. As the Phylum Research Team explained, "It would seem to be that the attackers are monitoring the GUIDs of the machines in question and selectively sending additional payloads (which are encoded Javascript code) to the machines of interest in the direction of the GUID monitors," they added. 

In the past few months there have been several typosquat versions of popular Ethereum packages in the npm repository that attempts to make HTTP requests to Chinese servers to retrieve the encryption key from the wallet on the wallet.cba123[.]cn, which had been discovered. 

Additionally, the highly popular NuGet package, Moq, has come under fire since new versions of the package released last week included a dependency named SponsorLink, that extracted the SHA-256 hash of developers' email addresses from local Git configurations and sent them to a cloud service without their knowledge. In addition, Moq has been receiving criticism after new versions released last week came with the SponsorLink dependency. 

Version 4.20.2 of the app has been rolled back as a result of the controversial changes that raise GDPR compliance issues. Despite this, Bleeping Computer reported that Amazon Web Services (AWS) had withdrawn its support for the project, which may have done serious damage to the project's reputation. 

There are also reports that organizations are increasingly vulnerable to dependency confusion attacks, which could've led to developers unwittingly introducing malicious or vulnerable code into their projects, thus resulting in large-scale attacks on supply chains on a large scale. 

There are several mitigations that you can use to prevent dependency confusion attacks. For example, we recommend publishing internal packages under scopes assigned to organizations and setting aside internal package names as placeholders in the public registry to prevent misuse of those names.

Throughout the history of cybersecurity, the recent North Korean attack campaign exploiting npm packages has served as an unmistakable reminder that the threat landscape is transforming and that more sophisticated tactics are being implemented to defeat it. For sensitive data to be safeguarded and further breaches to be prevented, it is imperative that proactive measures are taken and vigilant measures are engaged. To reduce the risks posed by these intricate cyber tactics, organizations need to prioritize the verification of identity, the validation of packages, and the management of internal packages.
Read more »
North Korea
Cyber Attacks Cyber Data Hackers North Korea

Kimsuky Hackers from North Korea Back in Action with Advanced Reconnaissance Malware

 

Kimsuky, a North Korean APT outfit, has been discovered deploying a piece of bespoke malware named RandomQuery as part of a reconnaissance and information exfiltration operation.

"Lately, Kimsuky has been consistently distributing custom malware as part of reconnaissance campaigns to enable subsequent attacks," Aleksandar Milenkoski and Tom Hegel of SentinelOne noted in a report published.

According to the cybersecurity firm, the current targeted campaign is particularly aimed at information services as well as organizations supporting human rights advocates and North Korean defectors.
Kimsuky, who has been active since 2012, has demonstrated targeting patterns that correspond to North Korea's operational directives and priorities.

As SentinelOne disclosed earlier this month, the information collection missions have featured the employment of a broad assortment of malware, including another reconnaissance program named ReconShark.

The group's most recent activity cluster began on May 5, 2023, and employs a form of RandomQuery that is specially tailored to enumerate files and siphon sensitive data.

RandomQuery, along with FlowerPower and AppleSeed, are among the most widely disseminated tools in Kimsuky's arsenal, with the former acting as an information stealer and a conduit for the distribution of remote access trojans such as TutRAT and xRAT.

The attacks begin with phishing emails purporting to be from Daily NK, a famous Seoul-based online daily covering North Korean events, in order to convince potential targets to open a Microsoft Compiled HTML Help (CHM) file.

It's worth noting at this point that CHM files have also been used as a lure by ScarCruft, another North Korean nation-state actor. When the CHM file is launched, a Visual Basic Script is executed, which sends an HTTP GET request to a remote server to receive the second-stage payload, a VBScript flavor of RandomQuery.

The virus then proceeds to collect system metadata, running processes, installed apps, and files from various folders, which are all sent back to the command-and-control (C2) server.
"This campaign also demonstrates the group's consistent approach of delivering malware through CHM files," the researchers said.

"These incidents underscore the ever-changing landscape of North Korean threat groups, whose remit not only encompasses political espionage but also sabotage and financial threats."

The discoveries come only days after the AhnLab Security Emergency Response Centre (ASEC) discovered Kimsuky's watering hole assault, which comprises putting up a mimic webmail system used by national policy research organizations to capture credentials entered by victims.

Kimsuky has also been linked to attacks that weaponize vulnerable Windows Internet Information Services (IIS) servers in order to drop the Metasploit Meterpreter post-exploitation framework, which is then used to spread Go-based proxy malware.

Read more »
Technology Threats
Cyber Security Hacker group Kimsuky North Korea State-sponsored Hackers Technology Threats

Kimsuky Spear-Phishing Campaign Goes Global Using New Malware

On Thursday, security researchers from SentinelOne reported that the North Korean state-sponsored APT group, Kimsuky, has been observed utilizing a brand new malware component called ReconShark. The malware is disseminated through spear-phishing emails that are specifically targeted, containing OneDrive links that, when clicked, trigger the download of documents that subsequently activate malicious macros.  

Tom Hegel and Aleksandar Milenkoski from SentinelOne revealed that the spear-phishing emails used to distribute ReconShark are tailored to specific individuals, with a high level of design quality that increases the likelihood of the target opening them. These emails appear legitimate, using proper formatting, grammar, and visual clues that can deceive unsuspecting users. 

Moreover, the malicious documents and the links in the emails are disguised with the names of real individuals whose knowledge or expertise is relevant to the subject of the lure, for instance, political scientists. 

Furthermore, the researcher added that “The ability of ReconShark to exfiltrate valuable information, such as deployed detection mechanisms and hardware information, indicates that ReconShark is part of a Kimsuky-orchestrated reconnaissance operation that enables subsequent precision attacks, possibly involving malware specifically tailored to evade defenses and exploit platform weaknesses”.

The state-sponsored APT group Kimsuky, which has been operating since 2012, is also identified by other names such as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), Nickel Kimball, and Velvet Chollima. This notorious threat actor group has been involved in targeted attacks on numerous entities, including non-governmental organizations (NGOs), diplomatic agencies, military organizations, think tanks, research entities, and economic groups across Asia, North America, and Europe. 

In new developments, Kimsuky differs from its predecessors. It avoids storing collected data on the file system. Instead, the malware stores the information in string variables and transmits it to a command-and-control (C2) server via HTTP POST requests. Additionally, ReconShark can install supplementary payloads, such as DLL files or scripts, by examining the detection mechanisms present on the infected systems. 

Furthermore, the security researchers noted that Kimsuky's recent activities are designed to hit global issues. “For example, the latest Kimsuky campaigns have focused on nuclear agendas between China and North Korea, relevant to the ongoing war between Russia and Ukraine,” reads the report. 

The discovery of ReconShark highlights the growing proof that Kimsuky is changing its techniques to secretly access and control computer systems, stay undetected, and collect information for prolonged periods.
Read more »
virus
APT Cyber Attacks Cybersecurity Linux Malware malware North Korea SET SimplexTea virus

Linux Malware Set to Be Deployed by North Korean APT Group

 


There is a shred of growing evidence that North Korean actors were responsible for the 3CX software supply chain hack, as found by ESET researchers. The newly discovered piece of malware extends the evidence that a North Korean group hacked the supply chain. 

In analyzing the backdoor, researchers from cybersecurity firm Eset found that it was tied to Pyongyang's latest fake job recruitment campaign, Operation Dream Job. This campaign recruits people for Pyongyang jobs. The Eset report indicates that North Korean hackers produce and use malware that works on all major desktop operating systems, including Windows, MacOS, and Linux. 

There is no connection between Linux malware and the 3CX supply-chain attack disclosed in late March by Lazarus Group. However, ESET researchers said they were confident that the 3CX attack was conducted by this company. This is even though it does not seem related to the Linux malware. As the name suggests, this is less a distinct organization than it is an umbrella term for a variety of North Korean hacking groups, some state-sponsored, and some criminal, that work for the Hermit Kingdom, and that are based in the country. 

A Trojan attack on 3CX's source code by North Korean hackers was publicly reported in late March, revealing their source code was stolen. A research team from Mandiant reported this week that they had traced the infection source to a previous attack on Trading Technologies' software supply chain. 

Trading Technologies develops software used in financial trading. Researchers from Symantec said on Friday that they had identified two more victims of the Trading Technologies hack that occurred earlier this week. 

There was no doubt throughout this whole investigation that the 3CX case had a North Korean connection from the very start. On March 29, a CrowdStrike engineer posted a message on a Reddit thread in which he reported that this had happened. 

It has also been confirmed that a North Korean nexus was involved in the attack by a preliminary report to be presented to 3CX by Mandiant - hired to investigate the breach. As well as Syphos, Check Point, Broadcom, Trend Micro, and other security companies have also provided summaries of the events. Most of them attribute the compromise to a group aligned with North Korea, citing various reasons. 

In addition to having more than 600,000 clients, 3CX according to their website, boasts several big names in the field. These include American Express, BMW, Air France, Toyota, IKEA, and many others. Shodan's search, conducted on March 30, found over 240,000 phone management systems exposed by 3CX. Huntress, a managed security service provider, reported on March 13, that it received 2,783 incident reports where the binary 3CXDesktopApp.exe matches known malicious hashes. In addition, it has a 3CX-certified certificate attached. 

HSBC, a British multinational bank with a presence in more than 155 countries, offered software development services involving Linux backdoors revealed by ESET researchers. It is believed that anyone who double-clicked on the PDF offer letter downloaded ESET's SimplexTea backdoor for Linux, an operating system known for its lack of security.

SimplexTea has similarities to Bluecall, a North Korean backdoor for Windows computers that had already been identified. This includes the use of domains to construct secure TLS connections similar to SimplexTea domains.  

It is also worth noting that the SimplexTea backdoor used the same core implementation of the A5/1 cipher used by North Korean hackers to sabotage Sony Pictures' release of the comedy "The Interview", which depicts Kim Jong Un's death by fiery helicopter as a camera pans through the company's offices. 

In addition to this direct connection, Eset also mentions that it shares the network infrastructure with the Trojanized VoIP software that serves as the backdoor for the 3CX hackers. As a command-and-control domain, each of these programs uses journalide.org as its point of control. There is also a similar method of loading the configuration files for SimplexTea malware and 3CX malware. 

In a statement released by ESET, the North Korean actors have been identified as the Lazarus Group. Despite this, Mandiant has identified the documents as likely associated with UNC4736, also known as AppleJeus, a Pyongyang hacking activity motivated by profit. 

According to Conversant Group's chief executive officer, John Anthony Smith, this Linux-based malware attack shows how threat actors are continuously expanding their arsenals, targets, tactics, and reach to circumvent security controls and practices in place. There is a growing trend among threat actors to expand the range of their malware variants to affect more systems, he added.
Read more »
Thallium
APT43 Archipelago Cyber Attacks Hacker group Kimsuky Mandiant Threat Intelligence North Korea security threat Spear Phishing Thallium

APT43: Cyberespionage Group Targets Strategic Intelligence


APT43, also known as Kimsuky or Thallium, recently exposed by the Mandiant researchers, is a cyberespionage threat group supporting the objectives of the North Korean regime. By conducting credential harvesting attacks and successfully compromising its targets using social engineering, ATP43 concentrates on gathering strategic intelligence. 

Mandiant, which has been tracking APT43 since 2018, noted that the threat group supports the mission of the Reconnaissance General Bureau, North Korea's primary external intelligence agency. 

In terms of attribution indicators, APT43 shares infrastructure and tools with known North Korean operators and threat actors. Essentially, APT43 shares malware and tools with Lazarus. 

Targets of APT43 

Prior to 2021, the APT43 organization mostly targeted foreign policy and nuclear security challenges, but this changed in response to the global COVID-19 pandemic. 

APT43 primarily targets manufacturing products including fuel, machinery, metals, transportation vehicles, and weaponry whose sale to North Korea has been banned in South Korea, the U.S., Japan, and Europe. In addition to this, the group attacks business services, education, research and think tanks focusing on geopolitical and nuclear policy and government bodies. 

Spear Phishing and Social Engineering Techniques Used by APT 43 

Spear phishing is one of the primary methods used by APT43 to compromise its targets. The group frequently fabricates plausible personas, impersonating important figures. Ones they have succeeded in compromising one such individual, the threat group proceeds into using the person’s contact lists to aim further targets with spear phishing. 

In one such instance, exposed by Google, Archipelago (a subset of APT43) would send phishing emails where they portray themselves as a representative of a media outlet or think task asking the targeted victim for an interview. To view the questions, a link must be clicked, but doing so takes the victim to a phony Microsoft 365 or Google Drive login page. The victim is directed to a paper with questions after entering their credentials. 

According to the Google report, Archipelago tends to interact with the victim for several days in order to build trust before sending the malicious link or file. 

Another tactic used by Archipelago involves sending benign PDF files purportedly from a third party that alerts the recipient to fraudulent logins they should examine. 

Malware Families and Tools Used 

APT43 employs a variety of malware families and tools. Some of the public malware families used include Gh0st RAT, Quasar RAT, and Amadey. However, the threat group mostly uses a non-public malware called LATEOP or BabyShark, apparently developed by the group itself. 

How can you Protect Yourself from the APT43 Security Threat? 

Here, we have listed some measures that could ensure protection against  malicious APT43 attacks: 

  • Educate users about the social engineering techniques used by APT43 and Archipelago.  
  • Train users to detect phishing attempts and report them immediately to their security staff. 
  • Use security solutions to detect phishing emails or malware infection attempts. 
  • Keep operating systems and software up to date and patched. 

Moreover, professionals in the field of geopolitics and international politics are advised to be trained in detecting any approach from attackers or potential threat actors, posing as a journalist or a reporter. Careful identification and examination of such individuals approaching important figures must be taken into priority, prior to any exchange of information or intelligence.  

Read more »
WithSecure
Cyber Attacks Cyberespionage Cybersecurity Lazarus Group North Korea Ransomware WithSecure

Energy and Healthcare Firms Are The Focus of The Lazarus Group Once Again

 


The North Korean Lazarus Group, which was employed by the North Korean government to target medical research and energy organizations with cyberattack campaigns, was reported by security researchers on February 2.  

The campaign was discovered by threat intelligence analysts at WithSecure. They were trying to unravel a ransomware attack that they suspected had been launched against one of their customers. In the course of their investigation, they discovered evidence indicating that the Lazarus crew had committed an OpSec oversight that led to a key operational security (OpSec) slip-up, which provided them with proof that the event was part of a wider state-sponsored intelligence gathering campaign already being carried out by North Korea. 

Sami Ruohonen, the senior threat intelligence researcher for WithSecure, says his initial suspicion was that it was an attempted BianLian ransomware attack. 

Even though WithSecure had collected evidence in one direction, it quickly pointed in a different direction. Throughout the process of gathering more information, they became more and more confident that the attack had been perpetrated by a group associated with the North Korean government. Having discovered this, WithSecure concluded that it was indeed the Lazarus Group that had posed as the attack. 

The Path to Cyberespionage Begins With Ransomware 

It was the initial compromise and privilege escalation of the system that led them to the conclusion that they were engaged in this activity. In August, the Zimbra mail server was exploited using a known vulnerability that existed in an unpatched version of Zimbra. In one week, the threat actors had already accessed many gigabytes of data from the mailboxes on the server. The attacker used live-off-the-land (LotL) strategies along the way as he moved horizontally across the network by the end of October. The compromised assets began becoming connected to Cobalt Strike's command-and-control (C2) infrastructure in November, beginning the process of infiltrating almost 100GB of data from the network during the period between November and December.  

It is believed that the researchers dubbed this incident "No Pineapple" because it referred to an error message that was used in a backdoor that was used by the bad guys that replied > No Pineapple! > When the data size exceeds the segmented byte size, the operation fails. 

Based on the malware, the TTP, and a couple of unique findings, the researchers feel that there is a high degree of confidence in their identification of Lazarus group activity. Data exfiltration involves several key actions, one of which is critical. Several suspicious web pages appeared to be connected to a North Korean IP address for a short time, as a result of an attacker-controlled Web shell. Even though the country only has fewer than a thousand of these addresses, at first the researchers wondered if they had made a mistake. However, they later confirmed that they had not. 

The attacker showed exemplary tradecraft and still managed to carry out considered actions on carefully selected endpoints despite this OpSec failure, Tim West, head of WithSecure’s threat intelligence unit, commented on the actor’s performance. 

Upon digging deeper into the incident, the researchers discovered that additional victims were also identified as a result of the attack as the investigation proceeded. The victims were identified based on their connections to a C2 server that was controlled by threat actors during the attack. There are many espionage motives involved in this process, which points to a much larger effort than was first suspected as being the target. 

Among the hundreds of victims, several companies in the healthcare sector suffered losses including a company that researches healthcare. In addition, a company that manufactures technology utilized in the energy, defense, research, and healthcare sectors. 

During the third quarter of 2022, most of the breaches that have been reported occurred because of the infrastructure that researchers noticed in May. According to the victimology of the campaign, analysts consider the threat actor to have intentionally targeted the supply chain of the industry verticals of medical research and energy. This is based on the victimology of the campaign. 

Lazarus Never Remained Down for Long 

It is widely believed that the Foreign Intelligence and Reconnaissance Bureau of North Korea is responsible for the long-running Lazarus threat group that has been operating for over a decade. Researchers have confirmed that the group has been involved in hacking activities at least as far back as 2009. It has been responsible for an increasing number of attacks since then. It has only been a matter of short intervals where the man has been thrown to the ground between periods of standing. 

This anti-terrorist operation serves both a financial purpose - it is an extremely valuable source of revenue for the regime - as well as a spying purpose. As early as 2022, there were many reports of Lazarus providing sophisticated attacks against Apple of their M1 chip as well as fake job posting scams using Apple's M1. It should be noted that a similar attack took place last April. Computers were used to upload malicious files, disguised as job offers for highly attractive dream jobs, to targets in the chemical sector and information technology. 

As of last week, the FBI confirmed that the Lazarus Group, a group of cyber threat actors from the United States, was implicated in the theft of $100 million worth of virtual currency last June from the cross-chain technology created by Harmony to exchange data across blockchains, termed Horizon Bridge, owned by the blockchain company Harmony. According to estimates provided by the FBI, because of the actions of the group in the Horizon Bridge heist, the group was able to launder more than $60 million worth of Ethereum by using the Railgun privacy protocol in January. There has been a report that authorities were able to freeze "some of these funds."
Read more »
Subscribe to: Posts (Atom)