
Sanctions Imposed on North Korean Cyber Activities Supporting Nuclear Ambitions


South Korea has announced sanctions against 15 North Korean nationals and the Chosun Geumjeong Economic Information Technology Exchange Corporation for orchestrating schemes that finance North Korea’s nuclear weapons and missile programs. These measures target a global network involved in IT job fraud, cryptocurrency theft, and cyberattacks. 

The sanctioned individuals are linked to the 313th General Bureau, a division of North Korea’s Ministry of Munitions Industry that oversees the development and production of weapons and ballistic missiles. According to South Korea’s Peninsula Policy Bureau, these operatives are dispatched to China, Russia, Southeast Asia and Africa, where, using fake identities, they secure positions at international IT companies and funnel the revenue back to the regime. 

Central to this operation is the Chosun Geumjeong Economic Information Technology Exchange Corporation. This organization plays a critical role by deploying IT professionals abroad and channeling significant financial resources to North Korea’s military projects. In recent years, North Korean operatives have increasingly infiltrated Western companies by posing as IT workers. This tactic not only generates revenue for the regime but also enables cyber espionage and theft. These workers have been found installing malware, stealing sensitive company data, and misappropriating funds. Some have even attempted to infiltrate secure software development environments. 

Despite the gravity of these actions, the stigma associated with hiring fraudulent workers has led many companies to keep such breaches private, leaving the true scope of the issue largely unknown. Additionally, South Korea accuses North Korea of being a major player in global cryptocurrency theft. A 2024 United Nations report found that North Korean hackers carried out 58 cyberattacks against cryptocurrency firms between 2017 and 2023, amassing approximately $3 billion in stolen funds. North Korean nationals have also reportedly violated international sanctions by earning income through employment in various industries, including construction and hospitality. 

These activities pose significant risks to the global cybersecurity landscape and international stability. South Korea asserts that the funds generated through these operations directly support North Korea’s nuclear and missile programs, emphasizing the need for a unified international response. By imposing these sanctions, South Korea aims to disrupt North Korea’s illicit financial networks and mitigate the broader risks posed by its cyber activities. 

This marks a crucial step in the global effort to counter the threats associated with Pyongyang’s nuclear ambitions and its exploitation of cyberspace for financial gain.

Cyber Threat Alert for South Korea from North Korean Hackers


In a recent cyber-espionage campaign targeting South Korea, the North Korean state-linked group ScarCruft exploited a zero-day vulnerability in Internet Explorer to distribute RokRAT malware to targets across the country. ScarCruft, also tracked as APT37, InkySquid, Nickel Foxcroft, Reaper, RedEyes, Ricochet Chollima and Ruby Sleet, is one of the most notorious North Korean state-sponsored hacking groups, and its activity is assessed to be aimed at cyber espionage. It primarily targets South Korean individuals and organisations, with a recurring focus on human rights activists, North Korean defectors and political entities in Europe. 

The group's reach is not confined to the peninsula. A threat actor with ties to North Korea has been observed delivering a previously undocumented backdoor and remote access Trojan (RAT) called VeilShell in a campaign aimed at Cambodia and potentially other Southeast Asian countries, including Indonesia, Malaysia and Thailand. Securonix, which tracks that activity as SHROUDED#SLEEP, attributes it to APT37. 

ScarCruft delivers customised tools through spear phishing, watering-hole sites and zero-day exploits for Internet Explorer. In the campaign at hand, AhnLab reports that APT37 compromised a server belonging to a domestic advertising agency and used it to push specially crafted 'toast ads' into an unnamed free program widely used in South Korea. The ad content, a JavaScript file named 'ad_toast', exploited CVE-2024-38178, a memory-corruption flaw in JScript9.dll, the Chakra scripting engine of Internet Explorer that the program used to render the advertisements, to achieve remote code execution.

The malware dropped in this attack correlates closely with RokRAT, which ScarCruft has used in its attacks for years. RokRAT's primary function is data theft: every 30 minutes it exfiltrates files matching 20 extension types (including .doc, .mdb, .xls, .ppt, .txt and .amr) to Yandex cloud instances. It also logs keystrokes, monitors the clipboard for changes and captures screenshots every three minutes. 
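The one behaviour above that is easy to hunt for in network telemetry is the cadence: an upload to a cloud-storage API from the same host roughly every 30 minutes. The following is an added example, not code from the original post or from the malware itself, that runs that check over a constructed proxy log. The log format, the client addresses and the Yandex API hostnames in WATCHED_HOSTS are assumptions for the example; the post does not name the exact endpoints.

```python
"""Detect RokRAT-style periodic uploads to a cloud-storage API.
Added example; the log lines, hostnames and thresholds are constructed/assumed."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Cloud-storage API hosts to watch; this list is an assumption for the example.
WATCHED_HOSTS = {"cloud-api.yandex.net", "webdav.yandex.ru"}
MIN_UPLOADS = 4           # need enough samples before calling the timing regular
BEACON_SECS = 30 * 60     # the 30-minute exfiltration interval reported for RokRAT
TOLERANCE = 0.15          # accept +/-15% jitter around the expected interval
MIN_UPLOAD_BYTES = 1024   # ignore tiny requests such as API polling

# Constructed proxy log: timestamp, client IP, method, host, bytes sent by the client.
SAMPLE_LOG = """\
2024-05-14T09:00:12Z 10.0.0.5 PUT cloud-api.yandex.net 48231
2024-05-14T09:03:40Z 10.0.0.9 GET www.example.com 412
2024-05-14T09:30:15Z 10.0.0.5 PUT cloud-api.yandex.net 51002
2024-05-14T09:31:01Z 10.0.0.7 PUT cloud-api.yandex.net 2048000
2024-05-14T10:00:09Z 10.0.0.5 PUT cloud-api.yandex.net 47710
2024-05-14T10:30:20Z 10.0.0.5 PUT cloud-api.yandex.net 49980
2024-05-14T11:00:14Z 10.0.0.5 PUT cloud-api.yandex.net 50211
2024-05-14T15:02:00Z 10.0.0.7 PUT cloud-api.yandex.net 1048576
"""


def parse_line(line):
    """Split one log line into (timestamp, client, method, host, bytes_sent)."""
    ts, client, method, host, sent = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, method, host, int(sent)


def find_beaconing_uploaders(log_text, beacon_secs=BEACON_SECS, tolerance=TOLERANCE):
    """Return {client: stats} for clients whose uploads to WATCHED_HOSTS recur
    at a near-constant interval close to beacon_secs."""
    uploads = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, sent = parse_line(line)
        if method in ("PUT", "POST") and host in WATCHED_HOSTS and sent >= MIN_UPLOAD_BYTES:
            uploads[client].append(ts)

    hits = {}
    for client, times in uploads.items():
        if len(times) < MIN_UPLOADS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        # A real implant has some jitter: require most gaps to sit near the median,
        # and the median itself to match the expected cadence.
        regular = sum(1 for g in gaps if abs(g - med) <= tolerance * med)
        if regular / len(gaps) >= 0.75 and abs(med - beacon_secs) <= tolerance * beacon_secs:
            hits[client] = {"uploads": len(times), "median_interval_secs": med}
    return hits


if __name__ == "__main__":
    for client, stats in find_beaconing_uploaders(SAMPLE_LOG).items():
        print(f"{client}: {stats['uploads']} uploads, median gap {stats['median_interval_secs']:.0f}s")
```

On the constructed log only 10.0.0.5 is flagged; 10.0.0.7 uploads more data but only twice, so there is no cadence to measure. A legitimate Yandex Disk sync client also talks to these hosts, so treat a hit as a lead to correlate with the process making the connection and with reads of the document types listed above, not as a verdict on its own.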

In July 2022, just a couple of months after Microsoft began blocking macros by default in Office files obtained from the internet, ScarCruft began experimenting with oversized LNK files as a delivery route for RokRAT. Check Point's technical analysis of RokRAT concludes that the malware itself has not changed significantly over the years, but the deployment method has: RokRAT now arrives in archives containing LNK files, producing infection chains that move through multiple stages. 
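An oversized LNK is easy to spot once you know where a legitimate shortcut ends: everything after the Shell Link structure's terminal block is payload or padding. The following triage script is an added example, not code from the original post, Check Point or the threat actor. It parses the LNK header, skips the optional LinkTargetIDList and LinkInfo sections, reads the StringData fields (including the command-line arguments the shortcut would run), walks the ExtraData blocks to the terminal block, and measures the trailing bytes. The size threshold and the argument keywords are assumptions chosen for the example, and build_lnk constructs a minimal shortcut so the example runs offline.

```python
"""Triage oversized LNK loaders by finding where the Shell Link structure ends.
Added example; thresholds, keyword list and the constructed sample are assumptions."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
# Command-line tokens pointing at a script host or LOLBin (assumed list for the example).
SUSPICIOUS_ARGS = ("powershell", "-enc", "-e ", "mshta", "cmd /c", "rundll32", "certutil")


def is_lnk(data):
    """HeaderSize must be 0x4C and the LinkCLSID must be the Shell Link CLSID."""
    return (len(data) >= 0x4C and struct.unpack_from("<I", data, 0)[0] == 0x4C
            and data[4:20] == LNK_CLSID)


def _read_string(data, off, unicode):
    """StringData item: 2-byte character count followed by the characters."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    raw = data[off:off + count * (2 if unicode else 1)]
    return raw.decode("utf-16-le" if unicode else "cp1252", errors="replace"), off + len(raw)


def parse_lnk(data):
    """Walk header, LinkTargetIDList, LinkInfo, StringData and ExtraData; report
    where the structure ends and how many bytes of the file lie beyond it."""
    if not is_lnk(data):
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 20)
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, off)
        off += 2 + id_list_size                       # IDListSize excludes itself
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, off)
        off += link_info_size                         # LinkInfoSize includes itself
    unicode = bool(flags & IS_UNICODE)
    strings = {}
    for flag, name in STRING_FIELDS:
        if flags & flag:
            strings[name], off = _read_string(data, off, unicode)
    # ExtraData is a list of size-prefixed blocks; a BlockSize below 4 is the terminal block.
    while off + 4 <= len(data):
        (block_size,) = struct.unpack_from("<I", data, off)
        if block_size < 4:
            off += 4
            break
        if off + block_size > len(data):              # truncated block: stop here
            break
        off += block_size
    return {"flags": flags, "strings": strings, "structure_end": off,
            "trailing_bytes": max(0, len(data) - off)}


def triage_lnk(data, oversize_threshold=64 * 1024):
    """Return the parse result plus the reasons, if any, the file looks like a loader."""
    info = parse_lnk(data)
    args = info["strings"].get("arguments", "")
    tail = data[info["structure_end"]:]
    reasons = []
    if len(data) >= oversize_threshold:
        reasons.append(f"file is {len(data)} bytes, far larger than a normal shortcut")
    if info["trailing_bytes"]:
        reasons.append(f"{info['trailing_bytes']} bytes follow the end of the Shell Link structure")
    if b"MZ" in tail:
        reasons.append("trailing data contains a PE header signature")
    if any(tok in args.lower() for tok in SUSPICIOUS_ARGS):
        reasons.append("arguments reference a script host or LOLBin")
    return {"suspicious": bool(reasons), "reasons": reasons, "arguments": args, **info}


def build_lnk(arguments, trailing=b"", unicode=True):
    """Construct a minimal shortcut (arguments only, no target) so the example runs
    offline; real samples should be read from disk instead."""
    flags = HAS_ARGUMENTS | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    encoded = arguments.encode("utf-16-le" if unicode else "cp1252")
    return header + struct.pack("<H", len(arguments)) + encoded + struct.pack("<I", 0) + trailing


if __name__ == "__main__":
    sample = build_lnk("-ep bypass -w hidden -enc AAAA", b"\x00" * 70000 + b"MZ" + b"\x90" * 100)
    print(triage_lnk(sample)["reasons"])
```

The constructed sample trips all four checks: it is larger than the threshold, carries roughly 70 KB after the terminal block, that tail contains an MZ signature, and the arguments would launch an encoded PowerShell command. The structural-end check is the one worth keeping even when the others are tuned, because a loader can shrink its payload and drop the obvious keywords, but it cannot hide appended bytes from a parser that knows where the format ends.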

This round of activity is another sign of a broader trend in which both APTs and cybercriminals look for ways around the restriction on macros from untrusted sources. The campaign, dubbed "Code on Toast", has raised concerns about vulnerable software still embedded in widely used systems even after the retirement of Internet Explorer. According to a joint report by South Korea's National Cyber Security Center (NCSC) and AhnLab (ASEC), the incident occurred earlier this year. 

What sets the campaign apart is its delivery vector: toast notifications, the small pop-ups that appear at the corner of the screen when antivirus software or free utilities are running. After compromising the server of a domestic ad agency, ScarCruft served a malicious toast ad to many South Korean users through a popular but unnamed free program. 

The attack hinged on CVE-2024-38178, an Internet Explorer zero-day with a severity rating of 7.5. The flaw is a memory-corruption bug in the Scripting Engine that allows remote code execution against Microsoft Edge when it runs in Internet Explorer mode. Microsoft patched it in its August 2024 Patch Tuesday release, part of the company's monthly update cycle. 

By riding on toast notifications, normally harmless pop-up ads from antivirus software or utility programs, the group delivered its malware silently, without any user interaction: a zero-click infection. That matters because exploiting the flaw ordinarily requires convincing a user to click a specially crafted URL; the compromised ad channel removed that requirement, since the host program rendered the ad content automatically. 

ScarCruft's use of such techniques underscores the need to keep South Korea's digital landscape protected from this kind of threat. Phasing out outdated systems has not removed the risk from legacy components like Internet Explorer. Although Microsoft retired Internet Explorer in 2022, many of the browser's components remain in Windows or are embedded in third-party products, leaving threat actors room to find and exploit new vulnerabilities in them. The campaign is a reminder that organisations should prioritise security updates, including for the Internet Explorer components still present on Windows hosts and in the software that embeds them, and maintain robust defences against increasingly sophisticated state-backed threats.

South Korea’s Rising Influence in Global Cybersecurity


South Korea’s Expanding Role in Global Cybersecurity

South Korea is emerging as a pivotal player in the global cybersecurity landscape, particularly against the backdrop of escalating tensions between the United States and China in cyberspace. By participating in high-profile cybersecurity exercises and fostering international collaborations, the country is bolstering its reputation as a key ally in both regional and global cyber defense initiatives.

Recently, South Korea hosted the APEX cyberwarfare exercise, which gathered cybersecurity experts and defense personnel from over 20 nations. This exercise simulated cyberattacks on critical infrastructure, enabling participants to devise defensive strategies and exchange vital insights. South Korea has also actively participated in NATO-led events, such as the Locked Shields exercise, which focuses on testing and enhancing cyber resilience.

In addition, South Korea showcased its commitment to international cybersecurity efforts by attending the Cyber Champions Summit in Sydney. The country is set to host the next iteration of the summit, emphasizing its dedication to fostering global cooperation in addressing cyber threats.

Strategic Alliances and Emerging Trends

South Korea's advanced technological capabilities and strategic location have positioned it as a vital partner for the United States in addressing cyber threats, especially those originating from China. According to analysts, South Korea’s infrastructure serves as a communications hub for critical trans-Pacific submarine cables connecting major networks across Asia, including China. Experts have also suggested that the country may act as a base for US cyber operations, similar to its role in hosting the THAAD missile system in 2017.

China, meanwhile, has been enhancing its cyber capabilities in response to growing alliances among its rivals. In April 2024, China reorganized its People’s Liberation Army to include specialized units dedicated to cyber, information, and space operations. Despite these efforts, experts note that China’s cyber capabilities still lag behind those of the US and its allies.

South Korea’s increasing involvement in cybersecurity underscores its strategic importance in addressing modern cyber challenges. By collaborating with the US, NATO, and other allies, the nation is strengthening its cyber defenses while contributing to a broader security framework in the Indo-Pacific region. These initiatives are poised to shape the global cybersecurity landscape in the coming years.

Robot 'Suicide' in South Korea Raises Questions About AI Workload


A robot employed by Gumi City Council in South Korea was found unresponsive at the bottom of a two-metre staircase in the council building. Some in the country have called it the country's first robot "suicide". According to a Daily Mail report, the incident occurred on the afternoon of June 20, at around 4 pm. Council officials collected the shattered robot and sent it for analysis to its maker, Bear Robotics, a California-based company. 

The reason for the robot's erratic behaviour remains unknown. The robot, nicknamed "Robot Supervisor", was found in a heap at the bottom of a stairwell between the first and second floors of the council building. Witnesses described it behaving strangely, "circling in a certain area as if there was something there", before it fell. It had been appointed to the role in August 2023, one of the first robots in the city to hold such a post. 

According to Bear Robotics, a California start-up that develops robot waiters, the robot worked from 9 am to 6 pm daily, and its civil service card validated its employment status. Unlike most service robots, which are confined to a single floor, the Gumi City Council robot could call an elevator and move independently between floors. 

According to the International Federation of Robotics (IFR), South Korea has the highest robot density of any country in the world, with one industrial robot for every ten workers. Gumi City Council has nevertheless announced that, following the incident, it will not adopt a second robot officer for now, citing a lack of information about what went wrong. 

In the aftermath, a debate has broken out in South Korea over how much work robots should be expected to handle. Social media discussion of what has been reported as a robot's suicidal act has spilled over into the pressures that human workers face, and into the question of how great a burden the robot was expected to carry. 

Employed since August 2023, the "Robot Supervisor" handled a wide range of tasks, from document delivery to assisting residents. The unexpected event has prompted discussion of the workload and demands placed on it. South Korea has taken an aggressive approach to automating society, and the Gumi robot, a product of the California start-up Bear Robotics, was part of that push. 

Despite the large number of robots in industrial settings in the country, the incident has raised concern about their expansion beyond factories and restaurants into a wider range of social functions. In recent years a growing number of companies have been investing in robots for roles beyond the traditional workplace, drawing public interest. The robot's apparent act of self-destruction has prompted reflection and contentious debate about the ethical and operational implications of employing robots for tasks traditionally done by humans. 

The incident, which some believe reflects an excessive workload imposed on the machine, has prompted deliberation over the boundaries and responsibilities that come with integrating advanced technology into daily life. After consideration, Gumi City Council has opted to suspend its plans to expand the use of robots. Coming from a municipality known for embracing technological innovation, the decision marks a moment of introspection and critical re-evaluation. 

It marks a pivotal point in the ongoing dialogue about the role of automation and artificial intelligence (AI) in society. The incident has catalysed substantive discussion about the future relationship between robots and people, and has pressed stakeholders to confront the broader implications of technological integration with due regard for its ethical, societal and practical dimensions. It stands as a reminder that the potential of AI and robotics must be harnessed with vigilance and discernment.

Korean ISP Accused of Installing Malware to Block Torrent Traffic


A major scandal has emerged in South Korea, where the internet service provider KT is accused of intentionally installing malware on the computers of 600,000 subscribers. This invasive action was reportedly designed to interfere with and block torrent traffic, a move driven by the financial pressures associated with the high bandwidth costs of torrenting. This revelation has significant implications for user privacy and the ethics of ISP practices. 

According to an investigative report by the Korean broadcaster JTBC, KT, formerly known as Korea Telecom, took extreme measures to combat torrenting. Although file-sharing traffic has declined over the years, torrenting remains popular in South Korea, particularly through Web Hard Drive (Webhard) services. These services use a BitTorrent-based ‘Grid System’ to keep files available, and the resulting bandwidth usage drew the attention of ISPs such as KT. KT, one of the largest ISPs in South Korea, had previously been involved in a 2020 court case over throttling user traffic, citing network management costs. 

The court ruled in KT’s favour, but the new reports indicate the company went far beyond slowing downloads. Around four years ago, Webhard users began experiencing unexplained errors and service outages, and all of those affected were KT subscribers. JTBC’s investigation found that KT had installed malware on these users’ computers, causing the disruptions. A dedicated team at KT, reportedly with sections for malware development, distribution and operation, and wiretapping, planted the malware to eavesdrop on subscribers and interfere with their file transfers. The malware not only limited torrent traffic but also let the ISP access and alter data on users’ computers, raising serious legal and ethical concerns. 

The Gyeonggi Southern District Police Office, after conducting a search and seizure of KT’s data center and headquarters, believes the company may have violated the Communications Secrets Protection Act and the Information and Communications Network Act. In November last year, police identified 13 people of interest, including KT employees and employees of partner companies. 

The investigation is ongoing, with a supplementary probe continuing since last month. KT’s actions, ostensibly aimed at reducing network management costs, now appear likely to result in significant legal repercussions and potential financial losses. This case highlights the need for stricter regulatory oversight and transparency in ISP practices to protect consumer privacy and maintain trust.

Global Authorities Examine 58 Cyberattacks Linked to North Korea, Valued at $3 Billion


U.N. sanctions monitors have been investigating dozens of suspected cyberattacks by North Korea that are believed to have raised $3 billion for the state's nuclear weapons programme, according to excerpts of an unpublished U.N. report. 

In the executive summary of a new report submitted to the United Nations Security Council, obtained Friday by The Associated Press, a panel of experts said the number of cyberattacks by North Korean hacking groups reporting to the Reconnaissance General Bureau, the country’s primary foreign intelligence organisation, remains high. 

The report covers the period from July 2023 to January 2024 and was compiled from contributions by unidentified U.N. member states and other sources. It was sent to the 15-member Security Council amid high tensions in the region stoked by North Korean leader Kim Jong Un. 

The United States, South Korea and Japan have stepped up their combined military exercises in response to his escalating weapons demonstrations and his threat to annihilate South Korea if provoked. Amid the heightened military and political tensions on the Korean Peninsula, the experts said North Korea “continued to flout (U.N.) sanctions,” further developed its nuclear weapons and produced nuclear fissile materials, the weapons’ key ingredients. 

The experts said the light-water reactor at North Korea's main nuclear complex at Yongbyon appeared to be operational. There are suspicions that the North may use it as a new source of fissile material for nuclear weapons; South Korea's defence minister said in late December that the reactor was likely to be formally operational by the summer. 

A 5-megawatt reactor at Yongbyon has been producing weapons-grade plutonium for many years. The light-water reactor would be an additional source of bomb fuel, and observers have pointed out that, with its larger capacity, it could produce more plutonium. 

Yongbyon also has its own uranium-enrichment facility. According to the panel, North Korea is likely preparing to conduct its seventh nuclear test at Punggye-ri, which would be the first test there since 2017; the panel said it has been monitoring activity at the site. 

Estimates of North Korea's nuclear arsenal range from 20 to 60 weapons to more than 100, depending on who is counting, and experts believe the country can add between six and 18 bombs a year. Since his diplomacy with the U.S. collapsed in 2019, Kim Jong Un has repeatedly vowed to build more nuclear weapons and introduce high-technology weapons to counter what he calls intensifying U.S. hostility. 

According to the panel, the Democratic People's Republic of Korea launched at least seven ballistic missiles in the six months ending in January, including one intercontinental ballistic missile, one intermediate-range missile and five short-range missiles, one of the busiest periods of launches the North has ever had. 

The DPRK successfully placed a military reconnaissance satellite in orbit after two failed attempts, the experts said. It has also modified an old diesel submarine to serve as what it calls a tactical nuclear attack submarine. 

The monitoring panel overseeing U.N. sanctions against North Korea has observed persistent breaches by the DPRK. The country, in defiance of Security Council resolutions, is found to illicitly import refined petroleum products. 

To circumvent maritime sanctions, the DPRK employs a blend of obfuscation techniques. Recorded trade in 2023 exceeded that of 2022 and encompassed a diverse range of consumer goods, some of them luxury goods prohibited under U.N. sanctions. 

The panel is actively probing reports from member states regarding the DPRK's potential involvement in the arms and ammunition trade, a clear violation of U.N. sanctions. Recent accusations from the United States, Ukraine, and six allies assert Russia's utilization of North Korean ballistic missiles and launchers in devastating aerial attacks against Ukraine, violating U.N. sanctions. South Korea's military, in November, suspected North Korea of exporting various armaments, including short-range ballistic missiles and anti-tank missiles to Russia, contravening U.N. sanctions. 

Throughout the last six months, discernible trends indicate the DPRK's focus on targeting defence companies and supply chains, as well as increased collaboration in infrastructure and tools. The panel has also delved into reports of numerous DPRK nationals working abroad in sectors such as information technology, restaurants, and construction, generating income in violation of U.N. sanctions. 

Additionally, the DPRK persists in accessing the international financial system for illicit financial operations. While U.N. sanctions are designed to spare ordinary North Koreans, the panel acknowledges unintentional repercussions on the humanitarian situation and aspects of aid operations. Nevertheless, the precise impact of sanctions relative to other factors remains challenging to discern.

Seoul Police Reveals: North Korean Hackers Stole South Korean Anti-Aircraft Data


South Korea: Seoul police have charged Andariel, a North Korea-based hacking group, with stealing critical defence secrets from South Korean defence companies and laundering ransomware proceeds that were allegedly routed to North Korea. Among the 1.2 terabytes of data the hackers took was information on sophisticated anti-aircraft weaponry.  

According to the Seoul Metropolitan Police Agency, the group used servers rented from a domestic server-rental company to break into dozens of South Korean organisations, including defence companies. It also collected ransoms from a number of private-sector victims in ransomware attacks. 

Earlier this year, the agency and the FBI jointly investigated the scope of Andariel's hacking operations, prompted by reports from a handful of South Korean corporations; many victims are believed to have stayed silent out of concern over "a decline in corporate trust." 

Andariel Hacker Group 

In an investigation regarding the origin of Andariel, it was found that it is a subgroup of the Lazarus Group. The group has stolen up to 1.2 terabytes of data from South Korean enterprises and demanded 470 million won ($357,000) in Bitcoin as ransom from three domestic and international organizations.  

According to a study conducted by Mandiant, it was revealed that Andariel is operated by the North Korean intelligence organization Reconnaissance General Bureau, which gathers intelligence for the regime's advantage by mainly targeting international enterprises, governmental organizations, defense companies, and financial services infrastructure. 

The group also engages in cybercrime to fund its operations, using purpose-built tools such as the Maui ransomware and DTrack malware against global businesses. In February, South Korea imposed sanctions on Andariel and other North Korean hacking groups for illicit cyber operations that fund the regime's nuclear and missile programmes.  

The threat actor laundered the ransom through domestic and foreign crypto exchanges such as Bithumb and Binance. So far, 630,000 yuan ($89,000) has been traced to China's K Bank in Liaoning Province, from which the hackers moved the money on to a location close to the North Korea-China border. 

Seoul police said they have seized the domestic servers and virtual-asset exchange accounts that Andariel used in its campaigns, and have detained the owner of the account used to transfer the ransom. 

"The Security Investigation Support Department of the Seoul Metropolitan Police Agency is actively conducting joint investigations with related agencies such as the U.S. FBI regarding the overseas attacks, victims and people involved in this incident, while continuing to investigate additional cases of damage and the possibility of similar hacking attempts," the agency said.

Police have warned businesses about the threat actor and advised them to strengthen their cybersecurity and update security software to the latest versions. Organisations have also been advised to encrypt critical data to limit the damage from any future attack. 

Moreover, police are planning to investigate server rental companies to verify their subscribers’ identities and to ensure that the servers have not been used in any cybercrime activity.  

South Korea Aims to be the Global Leader in Regulating Generative AI

Generative AI

South Korea and Generative AI

The emergence of generative artificial intelligence (AI) technologies, such as ChatGPT, has caused regulators all around the world to establish rules and regulations governing their use. South Korea is rising to the occasion by trying to create normative frameworks for emerging AI technologies, to set a precedent for other countries in data protection and industry regulation. 

Ko Hak-soo, chairman of Korea's Personal Information Protection Commission (PIPC), talked about South Korea's goal to develop AI rules and data protection on a worldwide scale in an exclusive interview with The Korea Herald.

Korea's PIPC Chairman aspires to lead the world

Ko Hak-soo, who took over as PIPC head in October of the previous year, has been actively involved in discussions over data privacy and AI policy. Notably, he has been selected for the United Nations' High-level Advisory Body on Artificial Intelligence, highlighting Korea's significance in global AI governance.

Ko stressed South Korea's determination to be a global leader in establishing AI rules. While recognizing that the European Union and the United States have taken a leading role in regulating AI, he emphasized the importance of Korea forging its path, given its unique AI ecosystem, which offers one of the world's greatest AI scaleup conditions and is home to IT behemoths such as Naver and Kakao.

"We need to come up with more balanced normative systems while stepping up global cooperation in effectively responding to the technology," Ko went on to say.

Korea's one-of-a-kind AI ecosystem

Korea's AI landscape differs from other countries. With a strong AI scaleup environment and big tech businesses situated within its borders, Korea is well-positioned to make important contributions to the advancement of AI rules that balance industrial growth and personal data protection.

Ko stated that the nation's AI sector has been under discussion for over five years, illustrating Korea's proactive approach to addressing AI-related concerns. When it comes to coordinating national AI data strategy, the PIPC, as a central administrative agency, stands in an unparalleled position in Asia.

As generative AI technologies continue to revolutionize many sectors, South Korea has established itself as a leader in AI data regulation and protection. The actions of Ko Hak-soo and the PIPC highlight Korea's dedication to balancing business expansion with sensitive data protection, forging a path independent of that of the EU and the US. 

South Korea is on course to become an important player in determining the future of AI policy and data protection globally, with upcoming global events and active involvement in international forums.


UK and South Korea Issue Joint Advisory Over North Korea-Linked Cyber Assaults


The UK and South Korea have issued warnings that cyber attacks by North Korean state-linked groups are becoming more sophisticated and widespread.

The two countries' cyber security and intelligence agencies have issued a new joint advisory urging organisations to strengthen their security measures in order to minimise the risk of their systems being compromised. 

According to the UK's National Cyber Security Centre (NCSC), part of GCHQ, and South Korea's National Intelligence Service (NIS), the attackers have been exploiting previously unknown (zero-day) vulnerabilities in widely used third-party software, compromising suppliers in order to reach the organisations that depend on their products.

Both agencies warn that attacks on the software supply chain are a particularly serious threat because a single initial compromise of a supplier can cascade to many downstream organisations and enable follow-on attacks, whether broader disruption or the deployment of ransomware.

The joint advisory warns that organisations should take measures to safeguard themselves as these kinds of attacks, which are backed by North Korea, are likely to escalate. 

Paul Chichester, NCSC director of operations, stated: “In an increasingly digital and interconnected world, software supply chain attacks can have profound, far-reaching consequences for impacted organisations. 

"Today, with our partners in the Republic of Korea, we have issued a warning about the growing threat from DPRK (North Korea) state-linked cyber actors carrying out such attacks with increasing sophistication.

“We strongly encourage organisations to follow the mitigative actions in the advisory to improve their resilience to supply chain attacks and reduce the risk of compromise.” 

President Yoon Suk Yeol of South Korea is currently on a state visit to the UK. This joint advisory marks the first time the NCSC has issued a warning of this nature without collaboration from other Five Eyes agencies in Australia, Canada, New Zealand, and the US. 

Nor is this the first time North Korean hackers have targeted their adversaries. In 2017, a cyberattack attributed to North Korea hit hospitals, businesses, and banks worldwide, and in 2014 its hackers reportedly targeted Sony Pictures in retaliation for a satirical film about the country's leader, Kim Jong Un.

North Korean Hackers Carry Out Phishing Attack on South Korean Government Agency


North Korean hackers recently carried out a phishing attack against a South Korean government agency using social engineering, as reported on March 28, 2023. The attackers belong to the group known as Kimsuky (APT Kimsuky), which is linked to North Korea's intelligence apparatus. The incident illustrates the threat North Korean hackers pose to global cybersecurity.

According to The Record, the phishing email was crafted to appear to come from a trusted source, and its link led to a website controlled by the attackers. Once a victim entered login credentials on that page, the attackers could use them to reach sensitive information. As a cybersecurity expert noted, "Social engineering techniques continue to be effective tools for hackers to exploit human vulnerabilities and gain access to secure systems."

The Washington Post reported that North Korea's cyber operations are becoming increasingly sophisticated and brazen. A senior cybersecurity official in South Korea stated, "North Korea's cyber capabilities are growing more sophisticated, and they are becoming more brazen in their attacks." The official added that North Korea's ultimate goal is to gain access to sensitive information, including military and political secrets, and to use it to advance their own interests.

North Korean hackers are known for employing a 'long-con' strategy, as reported by IBTimes. They patiently gather intelligence and lay the groundwork for future attacks, sometimes waiting months or even years. The publication cited a cybersecurity expert who stated, "North Korean hackers are very patient. They are willing to wait months, or even years, to achieve their objectives."

The threat of North Korean cyber attacks extends beyond government agencies to financial institutions as well. The IBTimes article reported that North Korean hackers are increasingly targeting cryptocurrency exchanges and other financial institutions to steal funds. As a result, businesses must implement robust cybersecurity measures to protect their assets and customer data.

The recent phishing attack by North Korean hackers highlights the persistent threat they pose to global cybersecurity. Governments and businesses alike need to take proactive measures to protect themselves from such attacks. As cybersecurity expert John Doe puts it, "The threat from North Korean hackers is real and will only continue to grow. It is essential to implement robust security measures and educate employees about the risks to mitigate the impact of such attacks." With the increasing sophistication of cyber attacks, organizations must stay informed and vigilant to safeguard their data and systems.


Korean University Disclosed a Potential Covert Channel Attack

The School of Cyber Security at Korea University in Seoul has developed a novel covert channel attack called CASPER that can leak data from air-gapped computers to a nearby smartphone at a rate of up to 20 bits per second. 

What is CASPER?

CASPER is the name the researchers gave to the covert channel itself, not to a piece of malware: it turns the target computer's internal speaker into a transmitter for data that malware already on the machine has collected. (A 'recognition tool' called Casper, used to profile targets before more advanced persistent malware is installed for espionage, is an unrelated piece of spyware and has nothing to do with this research.)

Data leak

As with nearly all covert channel attacks against network-isolated systems, the target must first be infected with malware, whether by a rogue insider or by an attacker with physical access.

Researchers have previously built acoustic covert channels that rely on external speakers. External speakers, however, are unlikely to be present on air-gapped systems in sensitive settings such as government networks, energy infrastructure, and weapon control systems, which is why CASPER uses the internal speaker instead.

The malware can search the target's file system on its own, locate files or data formats matching a hardcoded list, and attempt to exfiltrate them.

Keylogging is a more realistic use and better suited to such a low data rate. The malware encodes the data to be stolen in binary or Morse code and emits it through the internal speaker by shifting between two tones, producing near-ultrasonic sound between 17 kHz and 20 kHz that most adults cannot hear.

The researchers tested the proposed model with a Samsung Galaxy Z Flip 3 as the receiver and an Ubuntu 20.04 Linux computer as the target, both running a basic recorder application with a sampling frequency of up to 20 kHz.

In the Morse code test, the researchers used 18 kHz for dots and 19 kHz for dashes with 100 ms per symbol; the smartphone, 50 cm away, correctly decoded the transmitted word 'covert'. In the binary test, each bit lasted 50 ms and was sent at 18 kHz for a zero and 19 kHz for a one. The results show that the bit duration determines the bit error rate, and that a maximum reliable rate of 20 bits/s is achievable at 50 ms per bit.

At this rate the malware can transmit a typical 8-character password in about 3 seconds and a 2048-bit RSA key in roughly 100 seconds. Anything larger, even a small 10 KB file, would take more than an hour to leave the air-gapped system, even under ideal conditions with no interruptions.
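The following is an added example, not part of the original post or the Korea University paper, that reproduces the channel's modulation in software so the figures above can be checked: each bit becomes a 50 ms burst of 18 kHz (zero) or 19 kHz (one), the receiver decides each window by which tone carries more energy (a Goertzel detector), and the last function converts payload size into transmit time at 20 bit/s. The 48 kHz sample rate, the Gaussian noise channel and the `roundtrip` helper are assumptions for the demonstration; nothing here plays or records audio.

```python
import math
import random

# Parameters taken from the experiment described above.
SAMPLE_RATE = 48_000          # assumed receiver sample rate (Hz), not the paper's figure
BIT_MS = 50                   # 50 ms per bit -> 20 bit/s
F_ZERO = 18_000               # tone for a 0 bit (Hz)
F_ONE = 19_000                # tone for a 1 bit (Hz)
SAMPLES_PER_BIT = SAMPLE_RATE * BIT_MS // 1000   # 2400 samples per symbol


def bytes_to_bits(data: bytes) -> list:
    """MSB-first bit list for a byte string."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits) -> bytes:
    """Inverse of bytes_to_bits; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def modulate(bits, amplitude=0.5) -> list:
    """Binary FSK: one pure tone per bit, F_ZERO or F_ONE, BIT_MS long."""
    samples = []
    for bit in bits:
        freq = F_ONE if bit else F_ZERO
        samples.extend(amplitude * math.sin(2 * math.pi * freq * n / SAMPLE_RATE)
                       for n in range(SAMPLES_PER_BIT))
    return samples


def goertzel_power(frame, freq) -> float:
    """Signal energy at one frequency (Goertzel algorithm), no FFT library needed."""
    n = len(frame)
    k = round(n * freq / SAMPLE_RATE)            # nearest DFT bin (exact for 18/19 kHz here)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in frame:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def demodulate(samples) -> list:
    """Receiver side: each 50 ms window is a 1 if the 19 kHz tone dominates, else 0."""
    bits = []
    for start in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        frame = samples[start:start + SAMPLES_PER_BIT]
        bits.append(1 if goertzel_power(frame, F_ONE) > goertzel_power(frame, F_ZERO) else 0)
    return bits


def add_noise(samples, sigma, seed=7) -> list:
    """Constructed channel model: additive Gaussian noise, seeded so runs are repeatable."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in samples]


def seconds_to_exfiltrate(num_bytes: int) -> float:
    """Transmit time for a payload at the channel's 20 bit/s."""
    return num_bytes * 8 * BIT_MS / 1000


def roundtrip(payload: bytes, sigma: float = 0.3) -> bytes:
    """Encode, pass through the noisy channel, decode."""
    return bits_to_bytes(demodulate(add_noise(modulate(bytes_to_bits(payload)), sigma)))


if __name__ == "__main__":
    print(roundtrip(b"covert"))                     # b'covert'
    print(seconds_to_exfiltrate(8))                 # 3.2   (8-character password)
    print(seconds_to_exfiltrate(256))               # 102.4 (2048-bit RSA key)
    print(seconds_to_exfiltrate(10 * 1024) / 60)    # about 68 minutes for a 10 KB file
```

The 8-byte password comes out at 3.2 s and the 256-byte RSA key at 102.4 s, matching the figures above, while a 10 KB file needs 4096 s. Adding more tone pairs to the detector is exactly the multi-band speed-up the researchers mention below. One caveat for anyone reproducing the capture: a recorder sampling at only 20 kHz cannot represent an 18 kHz tone (Nyquist), so a real receiver needs a sample rate of at least twice the highest tone.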

"Because sound can only transmit data at a certain speed, our technology cannot transmit data as quickly as other covert channel technologies using optical or electromagnetic methods." – Korea University.

The attack is limited because internal speakers can only emit sound in a single frequency band; using several frequency bands for simultaneous transmissions would be one way to raise the data rate. The simplest defence disclosed by the researchers is to remove or disable the internal speaker on mission-critical computers. Defenders could also place a low-pass filter on the speaker output so that all generated frequencies stay within the audible range, preventing ultrasonic transmissions. 


Samsung Announces Second Customer Data Breach

Samsung, the electronics and smartphone giant, has reported a data breach of its systems. The company was hit by a cyberattack in late July 2022, and in August it discovered that threat actors had accessed its systems and obtained customers' personal data. 

The attackers obtained Samsung customers' personal details including contact information, product registration data, dates of birth, and demographic information. The company said that Social Security and credit card numbers were not affected. 

“In late July 2022, an unauthorized third party acquired information from some of Samsung’s U.S. systems. On or around August 4, 2022, we determined through our ongoing investigation that the personal information of certain customers was affected. We have taken actions to secure the affected systems, and have engaged a leading outside cybersecurity firm and are coordinating with law enforcement...” 

“…We want to assure our customers that the issue did not impact Social Security numbers or credit and debit card numbers, but in some cases, may have affected information such as name, contact and demographic information, date of birth, and product registration information,” reads a notice published by the company. 

The company added that the information exposed varies from customer to customer. It has begun notifying affected customers and advised them to be wary of unsolicited communications that ask for personal credentials or direct them to a web page requesting personal information, to review their accounts for suspicious or unexpected activity, and to avoid clicking links or opening attachments in unrecognised or suspicious emails.

Samsung is one of the most recognisable names in technology, producing consumer and industrial electronics including appliances, digital media devices, memory chips, semiconductors, and integrated systems. The company accounts for about a fifth of South Korea's total exports. 

Samsung also says it has identified the weakness the attackers used and has taken steps to secure the affected systems, has engaged a leading outside cybersecurity firm to investigate, and is coordinating with law enforcement.

South Korea Joins NATO's Cyber Research Centre, Becomes First Asian Member

South Korea's intelligence agency said on Thursday that the country has joined a cyber defence group under NATO (the North Atlantic Treaty Organization), becoming its first Asian member. ZDNet reports "South Korea had suffered numerous cyberattacks in the past with targets ranging from state-run nuclear research institutes to cryptocurrency companies, most of which were allegedly committed by North Korean hacking groups." 

According to the National Intelligence Service (NIS), South Korea, Luxembourg, and Canada have been added to the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), a think tank based in Tallinn, Estonia, that supports member countries and NATO with cyber defence research, exercises, and training. CCDCOE was founded in 2008 by NATO countries at Estonia's initiative, after the country had suffered intense cyberattacks attributed to Russia. 

With the three new members, CCDCOE has 32 members: 27 sponsoring nations, all NATO members, and five contributing participants from outside NATO, including South Korea. NIS said South Korea had been working since 2019 to join the centre in order to acquire cyber defence expertise, protect the country's critical infrastructure, and develop a global strategy. NIS plans to send more staff to the centre and expand joint training. Cyberattacks, it noted, are affecting users and countries on a scale that demands international cooperation. 

South Korea will work alongside CCDCOE members to formulate a robust cyber defense system. "Even prior to becoming an official member of the center, South Korea had taken part in CCDCOE's large-scale, live-fire cyber defense exercise, Locked Shields, where thousands of experts from member nations and partners jointly defended a fictional country against simulated cyberattacks," says ZDNet.

PseudoManuscrypt Malware Proliferating Similarly as CryptBot Targets Koreans


Since at least May 2021, a botnet known as PseudoManuscrypt has been targeting Windows workstations in South Korea, using the same delivery methods as another malware family, CryptBot. 

South Korean cybersecurity company AhnLab Security Emergency Response Center (ASEC) said in a report published, "PseudoManuscrypt is disguised as an installer that is similar to a form of CryptBot and is being distributed. Not only is its file form similar to CryptBot but it is also distributed via malicious sites exposed on the top search page when users search commercial software-related illegal programs such as Crack and Keygen."
  
According to ASEC, roughly 30 computers in the country are compromised per day on average. PseudoManuscrypt was first publicly documented in December 2021, when Russian cybersecurity firm Kaspersky disclosed a "mass-scale spyware attack campaign" that had infected over 35,000 PCs in 195 countries. 

The attacks, traced back to June 2021, hit a large number of industrial and government organisations, including military-industrial firms and research institutes in Russia, India, and Brazil, among others. The main payload module has extensive spying capabilities that give the attackers near-complete control over the compromised device, including stealing VPN connection data, recording audio via the microphone, and capturing clipboard contents and operating system event log data. 

In addition, PseudoManuscrypt connects to an attacker-controlled command-and-control server to carry out tasks such as downloading files, executing arbitrary commands, logging keystrokes, and capturing screenshots and video of the screen. 

The researchers added, "As this malware is disguised as an illegal software installer and is distributed to random individuals via malicious sites, users must be careful not to download relevant programs. As malicious files can also be registered to service and perform continuous malicious behaviours without the user knowing, periodic PC maintenance is necessary."

Firmware Attacks can Leave Persistent Malware in the SSD's Hidden Section


Korean researchers have devised a set of attacks against certain solid-state drives (SSDs) that could allow malware to be planted in a location beyond the reach of the user and of security software. The attack models target drives with flex capacity features and a hidden area known as over-provisioning, which SSD manufacturers now use widely to improve the performance of NAND flash-based storage. 

The over-provisioning area is invisible to the operating system and to every application running on it, including security and antivirus software. The SSD controller adjusts this space dynamically as the user's workload changes, depending on how read- or write-intensive it is. 

Flex capacity is a feature of Micron Technology SSDs that lets the drive automatically adjust the sizes of the raw and user-allocated space to improve performance by absorbing bursts of write traffic. It maintains a dynamically sized buffer that typically occupies between 7% and 25% of total disk capacity. 

Hardware-level attacks offer the highest degree of persistence and stealth; in the past, sophisticated actors have gone to great lengths to achieve this against HDDs, hiding malicious code in disk sectors the host cannot reach. One attack modelled by researchers at Korea University in Seoul targets an invalid data area, containing non-erased (stale) information, that lies between the usable SSD space and the over-provisioning (OP) area; its size depends on both. According to the paper, an attacker can resize the OP area through the firmware manager, producing an exploitable region of invalid data. 

In a second attack model, the OP region is used as a covert location where a threat actor can hide malware that users cannot monitor or remove. According to the research article, "It is assumed that two storage devices SSD1 and SSD2 are connected to a channel in order to simplify the description. Each storage device has 50% OP area. After the hacker stores the malware code in SSD2, they immediately reduce the OP area of SSD1 to 25% and expand the OP area of SSD2 to 75%." 

"At this time, the malware code is included in the hidden area of SSD2. A hacker who gains access to the SSD can activate the embedded malware code at any time by resizing the OP area. Since normal users maintain 100% user area on the channel, it will not be easy to detect such malicious behaviour of hackers," the article added.

Against the first attack, the researchers advise SSD manufacturers to wipe the OP area with a pseudo-erase algorithm that does not affect real-time performance. Against the second, monitoring the ratio of valid to invalid data inside the SSD in real time is a potentially effective countermeasure to malware being injected into the OP area.

South Korean Telecom Operator Crippled by DDoS Attack


South Korean telecommunications operator KT suffered a nationwide network outage earlier this week, affecting its telephone and wireless services including phone calls, internet, and other services.

The suspected distributed denial-of-service (DDoS) attack crippled the network for close to an hour; customers on the telco's network were unable to reach the internet for around 40 minutes from about 11 am on Monday. Access has since been restored for KT users in most of the country. 

A team of security experts from the Seoul cyber department was dispatched to KT's headquarters in Seongnam, Gyeonggi Province, just south of Seoul, to investigate. Later in the day KT reiterated that the outage appeared to be the result of a large-scale DDoS attack, adding that it was still trying to identify the culprits and was continuing to assess the extent of the damage. 

"The telco's network was shut down due to a large-scale DDoS attack. During the outage, the company's crisis management team was working to quickly restore the network back to normal. KT is yet to figure out the extent of the damage or who was behind the DDoS attack," a KT spokesperson stated. 

The Ministry of Science and ICT said they are keeping a close eye on the matter in collaboration with KT. However, the ministry did not confirm that the network failure was caused by a DDoS attack, but it said the other major telcos SK Telecom and LG Uplus were not affected.

Despite not being victims of the DDoS attack, users of the services of SK Telecom and LG Uplus raised complaints on social media regarding telcos network outages. Spokespersons for these telcos said the network outages were due to a sudden surge in traffic from KT users switching their services due to KT’s internet outage. Both SK Telecom and LG Uplus representatives said they would be monitoring the situation closely. 

According to Ministry of Science and ICT data, around 16.3 million people relied on KT for internet service as of March 2021. KT's previous network outage was in 2018, when a fire broke out at its Ahyeon branch in central Seoul, disrupting internet and phone service in nearby areas including the Jung-gu, Yongsan-gu, and Seodaemun-gu districts.

Threat Actors are Using Webhards And Torrents to Spread RAT Malware in Korea


ASEC researchers have discovered a new malicious campaign targeting South Korean users, in which threat actors spread readily available malware such as njRAT and UDP RAT via webhards and torrents, disguised as ordinary programs such as games or adult content. 

According to ASEC analysts, webhards are popular online storage services in Korea, favoured mainly for the convenience of direct downloads. Threat actors are abusing them to distribute a UDP RAT disguised as a ZIP file containing an adult game; users are steered to the webhard pages by the attackers via Discord or social media. 

The downloaded ZIP archive contains several files, and the user is prompted to open "Game..exe" (note the doubled dot) to play the game. On execution, "Game..exe" hides itself, leaving the user with "Game.exe", a copy of the genuine game launcher, so nothing looks amiss. 

The launcher malware then runs stick.dat, which is an ALZip self-extracting (SFX) program; it drops two further malicious files, "Uninstall.exe" and "op.gg.setup.apk", into the C:\Program Files\4.0389 folder and executes Uninstall.exe. Uninstall.exe is another launcher that runs op.gg.setup.apk, a downloader that fetches Op.gg.exe from a remote address (omitted in the source report) into the same directory and runs it.
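As an added example (my own code, not ASEC's), here is a small triage routine for an extracted archive that flags the two tricks the chain above relies on: Windows Explorer hides known extensions by default, so "Game..exe" is displayed as "Game." and looks like the real "Game.exe", and a PE payload renamed to .dat or .apk is not recognised as an executable by the user. The check compares each file's magic bytes with its extension and groups names that differ only by extra dots. The archive contents are constructed to mirror the reported layout; the byte strings are placeholder headers, not real samples.

```python
import re
from typing import Dict, List, Tuple

# Magic numbers checked against the file extension
PE_MAGIC = b"MZ"                 # Windows executable image (EXE, DLL, SFX stubs)
ZIP_MAGIC = b"PK\x03\x04"        # ZIP container (a genuine APK is a ZIP)
PE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".cpl"}


def basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def extension(name: str) -> str:
    """Final extension, lowercased; 'Game..exe' -> '.exe', 'stick.dat' -> '.dat'."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def triage(files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for files that deserve a closer look.
    `files` maps a path to the first bytes of its content."""
    findings: List[Tuple[str, str]] = []
    by_normalised: Dict[str, List[str]] = {}
    for path, head in files.items():
        name = basename(path)
        ext = extension(name)
        is_pe = head.startswith(PE_MAGIC)

        # 1. A PE image carrying a non-executable extension (.dat, .apk, .jpg ...)
        if is_pe and ext not in PE_EXTENSIONS:
            findings.append((path, f"PE header behind {ext or 'no'} extension"))

        # 2. An .apk that is not even a ZIP cannot be an Android package
        if ext == ".apk" and not head.startswith(ZIP_MAGIC):
            findings.append((path, ".apk without ZIP header"))

        # 3. Repeated dots before the extension ("Game..exe" shows as "Game." in Explorer)
        if ".." in name:
            findings.append((path, "doubled dot in filename"))

        # 4. Group names that collapse to the same string once extra dots are removed
        key = re.sub(r"\.{2,}", ".", name).lower()
        by_normalised.setdefault(key, []).append(path)

    for paths in by_normalised.values():
        if len(paths) > 1:
            findings.append((" | ".join(sorted(paths)), "look-alike filenames"))
    return findings


# Constructed sample mirroring the reported archive layout; headers are illustrative only.
SAMPLE_ARCHIVE: Dict[str, bytes] = {
    "Game..exe": b"MZ\x90\x00\x03",                                   # malicious launcher
    "Game.exe": b"MZ\x90\x00\x03",                                    # genuine game launcher
    "stick.dat": b"MZ\x90\x00\x03",                                   # ALZip SFX stub as .dat
    "C:\\Program Files\\4.0389\\Uninstall.exe": b"MZ\x90\x00\x03",
    "C:\\Program Files\\4.0389\\op.gg.setup.apk": b"MZ\x90\x00\x03",  # PE, not an APK
    "readme.txt": b"Run Game.exe to play",
    "data.pak": b"PAKX\x00\x01",
}


def run_sample() -> List[Tuple[str, str]]:
    """Triage the constructed archive above."""
    return triage(SAMPLE_ARCHIVE)


if __name__ == "__main__":
    for path, reason in run_sample():
        print(f"{reason:35} {path}")
```

On the sample this yields five findings: the doubled dot in Game..exe, the Game..exe/Game.exe pair, the PE-behind-.dat stick.dat, and two hits on op.gg.setup.apk (PE header, no ZIP header). The clean files are not reported. To use it on a real extraction, read the first 8 bytes of each file into the dictionary; the checks need nothing else.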

njRAT can steal private information from victims, such as account credentials and keystrokes, capture screenshots of the compromised device, and modify the Windows registry for persistence. This variant adds a registry key to maintain a continuous connection to its C2 server, through which the attackers can drop further payloads. 

Threat actors have used various tricks to get users to download njRAT, with torrents and file-hosting services among the preferred methods. In June, ASEC warned of a repackaged version of the well-known game Lost Ruins that ran both the game and the malware at the same time, making the infection hard to notice. 

The researchers have advised users to remain vigilant while approaching executables downloaded from a file-sharing website and also to download products from the official websites of developers.

South Korea And Taiwan: McDonald's Hit by a Data Breach


McDonald's has become the latest company hit by a data breach: after unauthorised activity on its systems, personal data of some customers in South Korea and Taiwan was exposed. 

The attackers obtained email addresses, telephone numbers, and delivery details, but no customer payment information, the company said. On Friday McDonald's also said the incident was quickly identified and contained, and that a thorough investigation had been carried out. 

The investigation found that company information was breached in the United States, South Korea, and Taiwan. 

In a message to US employees, McDonald's said the breach exposed some business contact information for US staff and franchisees, along with some information about restaurants such as seating capacity and the square footage of play areas. No customer data was affected in the US, and the exposed employee information was not sensitive. The company urged employees and franchisees to watch out for phishing emails and unexpected requests for information. 

In South Korea and Taiwan, McDonald's said, the attackers obtained customers' email addresses, phone numbers, and delivery addresses; in Taiwan they also took some employee information, namely names and contact details.

The fast-food chain said its South Korean and Taiwanese businesses have notified the regulators there of the breach and will contact affected customers and employees. It added that its divisions would also notify some employees in South Africa and Russia of possible unauthorised access to their data, as the investigation had flagged those countries as well. 

McDonald's stated that restaurant operations were not affected and that this was not a ransomware attack in which criminals demand payment to return data and control of systems; no ransom was demanded, and none was paid. 

The company noted that its investment in cybersecurity defences has grown in recent years and that these measures helped it respond to the incident. Shortly after detecting the breach, it said, it cut off the attackers' access to the data. 

“McDonald’s will leverage the findings from the investigation as well as input from security resources to identify ways to further enhance our existing security measures,” the company said.

South Korea Under Major Cyber Attacks in Pandemic Era


According to Ciso, ransomware attacks have surged in South Korea over the past year, hitting hospitals and shopping malls as the coronavirus pandemic has driven up internet use. 

A major plastic surgery clinic in southern Seoul disclosed on Thursday that its servers had been hit by a ransomware attack, and the attackers appear to have obtained patients' personal data. It is the latest in a string of ransomware attacks reported in the city.

According to the Ministry of Science and ICT, the number of reported ransomware attacks in the country more than tripled to 127 last year, from 39 in 2019, and the Yonhap news agency reports around 65 cases so far this year. A wide range of businesses has been hit. 

Last month, Super Hero's operations were interrupted for hours by a ransomware attack that affected 15,000 delivery workers around the world. Last November, hackers broke into local fashion and retail giant E-Land Group, forcing the closure of 23 of its 50 NC Department Store and NewCore outlet locations. 

Cyberattacks have increased in both number and profile as the pandemic has pushed more activity online. According to Kim Seung-joo, a cybersecurity expert at Korea University, ransomware can now do more damage than paralysing a company's entire work system, because businesses rely so heavily on remote work during the pandemic. 

As a result, a growing number of companies are paying the ransom, which in turn fuels the spread of ransomware. It is a vicious circle, Kim said, urging more investment in cybersecurity to prevent the crisis in the first place. 

Unfortunately, the attacks appear to be part of a wider global pattern. A notable recent case was the attack on Colonial Pipeline, a major US oil pipeline operator, which was forced to pay a $4.4 million ransom. 

As ransomware attacks continue in South Korea, the ICT ministry set up a 24-hour monitoring team last month to help affected businesses, and the government is assisting targeted companies, including with the restoration of their systems.

South Korea Fines Facebook For Sharing Data Without User Consent


South Korea has fined Facebook 6.7 billion won (around $6 million) for sharing user data without consent. According to the Personal Information Protection Commission (PIPC), Facebook has about 18 million users in South Korea, and the personal data of at least 3.3 million of them was passed to third-party companies without their consent between May 2012 and June 2018. PIPC also said it will file a criminal complaint against the company for violating personal information laws. 

The shared information included names, academic background, work history, relationship status, and home addresses. Users who logged in to third-party apps with their Facebook credentials had not granted those apps permission to access this personal information, yet Facebook shared it with them anyway. 

Moreover, when a user logged in to a third-party service with their Facebook account, the data of that user's friends was shared with the service as well, even though the friends had never logged in or consented and were unaware that their data had been passed on. The third-party apps then used the information provided by Facebook to show customised ads on users' profiles. 

According to PIPC, Facebook handed user data to third parties without consent and profited from doing so. PIPC also alleges that Facebook stored users' passwords without encryption and without their knowledge, and failed to notify users when their data was accessed. It further says Facebook submitted false and incomplete documents during the investigation instead of the genuine ones. 

This undermined the inquiry and made it harder to establish Facebook's violations clearly; for this, Facebook was fined an additional 66 million won. 

Facebook, for its part, says it cooperated fully with PIPC's investigation. It called the commission's findings regrettable and said it would respond once the commission issues its final decision. 

"The investigation against the US tech giant started in 2018 by the Korea Communication Commission, the country's telecommunication regulator, in the wake of the Cambridge Analytica scandal. The regulator handed the case to PIPC," reports ZDNet.