
DPRK Hackers Compromise South Korean Defense Contractors

 


South Korean police said on Tuesday that North Korean hacking groups have been mounting "all-out" cyberattacks against South Korean defence companies over the past year, infiltrating their internal networks and stealing technical data.

According to the police, the hacking groups Lazarus, Kimsuky, and Andariel, working directly or through contractors, planted malicious code in the data systems of the defence companies.

During the hacking process, the state-sponsored hackers exploited vulnerabilities in the targeted defence companies' systems and installed malware to compromise their subcontractors. Over the campaign, which lasted more than a year, local reports say they managed to steal sensitive information from 10 of the 83 defence contractors and subcontractors targeted between October 2022 and July 2023.

According to KPNA, many of these companies were completely unaware that they had been breached until the police contacted them. A special inspection was conducted between January 15th and February 16th by the National Police Agency and the Defense Acquisition Program Administration, and protective measures were implemented to secure critical networks as a result.

The special inspection found that multiple companies had been compromised since late 2022 but did not know it until the authorities informed them. In November 2022, for example, Lazarus targeted a contractor that was cyber-aware enough to operate separate internal and external networks.

However, the hackers took advantage of the contractor's negligence in managing the system that linked the two networks. They first breached and infected an external network server; then, while the network connection system was down for a network test and the defences were down, they tunnelled through it and got inside the internal network.

From there they harvested and exfiltrated important information from six employee computers. The defence companies only learned they had been hacked when police approached them during the investigation. Although North Korea is isolated from the rest of the world, it has extremely strong cyber capabilities and a history of successful attacks on global targets over the past few decades.

Its attack on Bangladesh's central bank caused a loss of £64.6 million ($81 million), and it has also taken the detailed designs for a supersonic jet and a submarine, both of which would weigh three tons. In several South Korean firms, weak cybersecurity practices, such as employees using the same password for both professional and personal accounts, have enabled the North Koreans to compromise employees' systems.

Additionally, starting around October 2022, Andariel obtained login information from an employee of a company responsible for the remote maintenance of the defence contractor in question. Using the hijacked account, it infected the contractor's servers with malware and exfiltrated data regarding defence technology.

A police investigation also revealed an incident between April and July 2023 in which Kimsuky exploited the groupware email server of a partner company of a defence firm. A vulnerability in the server allowed an unauthorized attacker to download large files that had been sent internally via email.

The hackers exploited subcontractor employees' use of the same password for their official and personal email accounts to gain access to defence business networks and extract sensitive technical data. Police have not disclosed the nature of the compromised data or the names of the affected companies.

Having signed contracts worth billions of dollars in the last few years to supply mechanized howitzers, tanks, and fighter jets, South Korea has become a leading global defence supplier. North Korean hacking gangs have reportedly gained access to the networks of global defence corporations, as well as those of South Korean financial institutions, news outlets, and, in a significant 2014 breach, South Korea's nuclear power operator.

There has been widespread speculation that North Korean hackers are responsible for large-scale thefts of Bitcoin, the proceeds of which finance the country's weapons development. The North Korean government denies any involvement in cyberattacks or cryptocurrency thefts targeting other countries.

Experts Detail Logging Tool of DanderSpritz Framework Used by Equation Group Hackers

 

Researchers have provided a detailed look at a system called DoubleFeature, which is dedicated to logging the various stages of post-exploitation resulting from the Equation Group's deployment of DanderSpritz, a full-featured malware architecture. 

DanderSpritz came to light on April 14, 2017, when the hacker group known as the Shadow Brokers published a leak titled "Lost in Translation" that included the tool among others. EternalBlue, a cyberattack exploit created by the US National Security Agency (NSA) that allowed threat actors to carry out the NotPetya ransomware attack on unpatched Windows PCs, was also included in the leaks.

The tool is a modular, covert, and fully functioning framework for post-exploitation activities on Windows and Linux that depends on dozens of plugins. One of them is DoubleFeature, which serves as a "diagnostic tool for victim machines carrying DanderSpritz," according to Check Point researchers in a new paper released Monday. 

The Israeli cybersecurity firm added, "DoubleFeature could be used as a sort of Rosetta Stone for better understanding DanderSpritz modules, and systems compromised by them. It's an incident response team's pipe dream." 

DoubleFeature is a Python-based dashboard that doubles as a reporting utility to exfiltrate logging information from an infected system to an attacker-controlled server. It's designed to keep track of the types of tools that could be deployed on a target machine. A specific executable named "DoubleFeatureReader.exe" is used to interpret the output. 


Some of the plugins monitored by DoubleFeature include remote access tools called UnitedRake (aka EquationDrug) and PeddleCheap, a stealthy data exfiltration backdoor dubbed StraitBizarre, an espionage platform called KillSuit (aka GrayFish), a persistence toolset named DiveBar, a covert network access driver called FlewAvenue, and a validator implant named MistyVeal that verifies if the compromised system is indeed an authentic victim machine and not a research environment. 

The researchers stated, "Sometimes, the world of high-tier APT tools and the world of ordinary malware can seem like two parallel universes." 

"Nation-state actors tend to [maintain] clandestine, gigantic codebases, sporting a huge gamut of features that have been cultivated over decades due to practical need. It turns out we too are still slowly chewing on the 4-year-old leak that revealed DanderSpritz to us, and gaining new insights."

Threat Actors Targeting Vaccine Manufacturing Facility with Tardigrade Malware

 

Biomanufacturing facilities in the US are being actively targeted by an unidentified hacking group leveraging a new custom malware called 'Tardigrade'.

In a new threat advisory, the Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) claimed this week that the first attack was launched using this new malware in spring 2021, followed by the second assault in October.

New malware strain

According to BIO-ISAC, Tardigrade possesses advanced features and is supposedly the work of an advanced persistent threat group or a nation-state intelligence service. The malware is primarily used for espionage, though it can also cause other issues, including network outages. The recent assaults are also believed to be linked to Covid-19 research, as the pandemic has shown just how crucial biomanufacturing research is when creating vaccines and other drugs.

Tardigrade's functionality includes a Trojan, a keylogger and data theft, and it also establishes a backdoor into targeted systems. There is some debate regarding the origins of the code used in Tardigrade: BIO-ISAC believes the malware is based on Smoke Loader, a Windows-based backdoor operated by a hacking group called Smoky Spider, while security researchers who spoke with Bleeping Computer believe it is a form of Cobalt Strike HTTP.

“The biomanufacturing industry along with other verticals are so far behind in cybersecurity, making them a prime target for bad actors. Cyberattacks mostly happen to those that provide easy access or least path of resistance,” George Gerchow, chief security officer of machine data analytics company Sumo Logic Inc., told SiliconANGLE. 

“This is a blatant example of how attackers are focusing on human health during a time of high anxiety, and bioscience is an easy target. The industry is going to have to move quickly to put proper cyber security controls in place. It is going to be a huge mountain for them to climb as some of the companies in the industry have antiquated technology, lacked the proper skill sets, and relied too much on legacy security tools,” Gerchow added. 

The BIO-ISAC report recommends the following steps for biomanufacturing sites to enhance their security and response postures: (i) scan your biomanufacturing network segmentation, (ii) collaborate with biologists and automation experts to design a foolproof analysis for your firm, (iii) employ antivirus with behavioral analysis capabilities, (iv) participate in phishing detection training, and (v) stay vigilant.

German Election Authority Confirms Probable Cyber Attack

 

Suspected hackers momentarily impacted the website of the authority managing Germany's September 26 federal election, a spokesperson for the agency told AFP on Wednesday. 

The news was originally reported by Business Insider, and it comes as German federal prosecutors investigate suspected cyber assaults on legislators during the election campaign for a new parliament and a successor to Chancellor Angela Merkel.

In the context of the hacking report, the spokesperson stated, "At the end of August the website of the Federal Returning Officer only had limited accessibility for a few minutes due to a malfunction." 

"The problem was analysed and the technical concepts were further developed accordingly. The information for the public through the website of the Federal Returning Officer was and is ensured." 

According to Business Insider, the website that publishes the official election results was swamped with data requests in a so-called distributed denial of service assault, causing the servers to collapse. 

As per the official sources, IT systems essential for the smooth running of the election were unaffected, presumably due to enhanced safeguards in place. 

Last week, the German government accused Russian intelligence of conducting "phishing" assaults against German lawmakers, prompting the federal prosecutor's office to start an investigation on suspicion of espionage. 

Berlin has accused Russian hackers from the "Ghostwriter" gang, which is said to specialize in propagating disinformation. German intelligence believes they were attempting to obtain entry to the private email accounts of federal and regional MPs, and that the assaults were carried out by Russia's military intelligence organisation GRU. 

The European Union and the United States have frequently accused Moscow of interfering in democratic elections, a charge that Moscow rejects. 

The Russian Foreign Ministry spokesman, Maria Zakharova, stated at a briefing on Thursday, "Despite our repeated appeals through diplomatic channels, our partners in Germany have not provided any evidence of Russia's involvement in these attacks". 

Germany’s Foreign Ministry spokesperson Andrea Sasse said on Wednesday, “The German government regards this unacceptable action as a threat to the security of the Federal Republic of Germany and to the democratic decision-making process, and as a serious burden on bilateral relations. The federal government strongly urges the Russian government to cease these unlawful cyber activities with immediate effect."

Updated Malware: Vietnamese Hacking Group Targeting MacOS Users

 

Researchers have discovered a new MacOS backdoor that steals credentials and confidential information. The newly discovered malware is believed to be operated by the Vietnamese hacking group OceanLotus, colloquially known as APT 32. Other common names include APT-C-00, SeaLotus, and Cobalt Kitty.
 
The nation-state backed hacking group has been operating across Asia and is known to target governments, media organizations, research institutes, human rights organizations, corporate sector, and political entities across the Philippines, Laos, Vietnam, and Cambodia. Other campaigns by the hacking group also focused on maritime construction companies. Notably, OceanLotus APT also made headlines for distributing malware through Apps on Google Play along with malicious websites. 
 
Researchers found the MacOS backdoor in a malicious Word document that supposedly arrived via email. However, there is no information regarding the targets the campaign is focusing on. To set the attack in motion, victims are encouraged to run a Zip file that appears to be a Word document (it carries a Word icon). Upon running the Zip file, the app bundled in it, which carries the malware, gets installed; the bundle contains two files, a shell script and the Word file. The MacOS backdoor is designed to give the attackers a window into the affected system, allowing them to steal sensitive data.

"Like older versions of the OceanLotus backdoor, the new version contains two main functions: one for collecting operating system information and submitting this to its malicious C&C servers and receiving additional C&C communication information, and another for the backdoor capabilities," TrendMicro explained in a blogpost. 

In their analysis, the researchers wrote, "When a user looks for the fake doc folder via the macOS Finder app or the terminal command line, the folder's name shows 'ALL tim nha Chi Ngoc Canada.doc' ('tìm nhà Chị Ngọc' roughly translates to 'find Mrs. Ngoc's house')."

“However, checking the original .zip file that contains the folder shows three unexpected bytes between ‘.’ and ‘doc’.”
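The hidden-byte trick described above can be checked for before a zip is ever opened. The following is an added example, not code from the Trend Micro write-up: it inspects a zip's entry names for invisible Unicode code points, for directories named like documents, and for an app-bundle layout. The sample archive is constructed inline, and the hidden character (U+200B, three bytes in UTF-8) is an assumption chosen to match the "three unexpected bytes" the report mentions.

```python
import io
import re
import zipfile

# Code points that render as nothing (or as a plain space) in a Finder listing.
INVISIBLE = re.compile(r"[\u200b-\u200f\u2028-\u202f\u2060-\u2064\ufeff\u00a0]")
# Extensions a user would read as "a document".
DOC_EXT = re.compile(r"\.(docx?|xlsx?|pptx?|pdf)$", re.IGNORECASE)


def inspect_zip(data):
    """Return (entry_name, reason) pairs for suspicious entries in a zip archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            hidden = INVISIBLE.findall(name)
            if hidden:
                # Report which code points and how many extra UTF-8 bytes they add.
                cps = ",".join(f"U+{ord(c):04X}" for c in hidden)
                nbytes = len(name.encode("utf-8")) - len(INVISIBLE.sub("", name).encode("utf-8"))
                findings.append((name, f"hidden code points {cps} ({nbytes} extra bytes)"))
            # A directory that reads as a document once the hidden characters are removed.
            if info.is_dir() and DOC_EXT.search(INVISIBLE.sub("", name.rstrip("/"))):
                findings.append((name, "directory masquerading as a document"))
            # macOS app bundles keep their executable under Contents/MacOS/.
            if "/Contents/MacOS/" in name:
                findings.append((name, "app bundle layout inside archive"))
    return findings


def build_sample():
    """Constructed sample mimicking the lure: a folder named like a .doc that is really
    an app bundle. The folder name is the one quoted in the report; U+200B is assumed."""
    folder = "ALL tim nha Chi Ngoc Canada.\u200bdoc"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(folder + "/", "")
        zf.writestr(folder + "/Contents/MacOS/launcher", "#!/bin/sh\n")
        zf.writestr(folder + "/Contents/Resources/lure.doc", "decoy")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in inspect_zip(build_sample()):
        print(f"{reason}: {entry!r}")
```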


Chinese Origin Threat Group Targets Hong Kong Universities with New Backdoor Variant




Winnti, a China-linked threat group that has been active in cyberspace since 2009, was found to be employing a new variant of the ShadowPad backdoor (the group's new flagship tool) in recent attacks in which it compromised computer systems at two Hong Kong universities during the protests that began around March 2019 in Hong Kong.

The threat group has largely targeted the gaming industry while constantly expanding the scope of its targets. Various reports suggest Winnti operates in connection with other groups, including APT17, Ke3chang, Axiom, Wicked Panda, BARIUM, LEAD, DeputyDog, Gref, and PlayfullDragon.

According to other available sources, Kaspersky was the first to identify the Winnti group, though some researchers date its existence back to 2007.

In October 2019, security researchers at ESET spotted two new backdoors used by the group: the Microsoft SQL-targeting skip-2.0 and PortReuse. Later the same year, in November, ESET researchers discovered samples of the ShadowPad launcher malware on various devices at the two universities. Winnti had been present on the universities' systems for a few weeks before the backdoor was confirmed.

"In November 2019, we discovered a new campaign run by the Winnti Group against two Hong Kong universities. We found a new variant of the ShadowPad backdoor, the group's flagship backdoor, deployed using a new launcher and embedding numerous modules," reads ESET's analysis.

“One can observe that the C&C URL used by both Winnti and ShadowPad complies to the scheme [backdoor_type][target_name].domain.tld:443 where [backdoor_type] is a single letter which is either “w” in the case of the Winnti malware or “b” in the case of ShadowPad.” reads the report.

“From this format, we were able to find several C&C URLs, including three additional Hong Kong universities’ names. The campaign identifiers found in the samples we’ve analyzed match the subdomain part of the C&C server, showing that these samples were really targeted against these universities.”
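The naming scheme quoted above is what let ESET pivot from one C&C domain to further targets. The following is an added example, not ESET's code: it applies the [backdoor_type][target_name].domain.tld:443 scheme to constructed proxy-log lines, groups hits by target name under a watched C&C domain, and lists targets not yet covered by the campaign identifiers recovered from samples. The log layout, the domain "example-c2.test", the client IPs and the campaign identifiers are all constructed placeholders.

```python
import re
from collections import defaultdict

# Scheme as quoted from the ESET report: [backdoor_type][target_name].domain.tld:443
BACKDOOR_TYPES = {"w": "Winnti", "b": "ShadowPad"}

# Constructed log lines in a made-up "timestamp client host port" layout (not real IoCs).
SAMPLE_LOG = """\
2019-11-02T10:14:07Z 10.20.1.15 wcampusa.example-c2.test 443
2019-11-02T10:15:12Z 10.20.3.8 bcampusb.example-c2.test 443
2019-11-02T10:16:40Z 10.20.3.8 www.example.test 443
2019-11-02T10:17:01Z 10.20.5.2 wcampusc.example-c2.test 443
2019-11-02T10:18:33Z 10.20.7.9 bcampusa.example-c2.test 8443
"""

# Placeholder for the C&C domain(s) recovered from analysed samples.
WATCHED_DOMAINS = {"example-c2.test"}
# Placeholder campaign identifiers from samples; the report says they match the subdomain.
SAMPLE_CAMPAIGN_IDS = {"campusa", "campusb"}

LINE_RE = re.compile(r"^(\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<port>\d+)$")


def split_host(host, watched):
    """Return (backdoor, target, domain) when host fits the scheme under a watched domain."""
    host = host.lower().rstrip(".")
    label, _, domain = host.partition(".")
    if domain not in watched or len(label) < 2 or label[0] not in BACKDOOR_TYPES:
        return None
    return BACKDOOR_TYPES[label[0]], label[1:], domain


def hunt(log_text, watched=WATCHED_DOMAINS):
    """Map each target name to the backdoor families and clients seen contacting it on 443."""
    targets = defaultdict(lambda: {"backdoors": set(), "clients": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["port"] != "443":      # the scheme fixes the port at 443
            continue
        parsed = split_host(m["host"], watched)
        if parsed is None:
            continue
        backdoor, target, _ = parsed
        targets[target]["backdoors"].add(backdoor)
        targets[target]["clients"].add(m["client"])
    return dict(targets)


def new_targets(hunt_result, known_ids):
    """Targets seen in traffic but absent from the campaign IDs of analysed samples."""
    return sorted(set(hunt_result) - set(known_ids))


if __name__ == "__main__":
    result = hunt(SAMPLE_LOG)
    for target, seen in result.items():
        print(target, sorted(seen["backdoors"]), sorted(seen["clients"]))
    print("not yet covered by samples:", new_targets(result, SAMPLE_CAMPAIGN_IDS))
```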

Another Chinese State-Sponsored Hacking Group Discovered, the Fourth to Be Found


The cyber security analyst group Intrusion Truth has found its fourth Chinese state-sponsored hacking operation, APT40.

"APT groups in China have a common blueprint: contract hackers and specialists, front companies, and an intelligence officer," the Intrusion Truth team said. "We know that multiple areas of China each have their own APT."

APT stands for Advanced Persistent Threat and is used to describe government-supported and sponsored hacking groups.

Intrusion Truth has previously exposed three government-supported APTs: APT3 (believed to operate out of Guangdong province), APT10 (Tianjin province), and APT17 (Jinan province). They have now doxed APT40, China's cyber apparatus in Hainan, an island in the South China Sea.

In a blog post, they said they have discovered 13 companies that serve as fronts for APT activity. These companies have overlapping contact details and no online presence except for adverts recruiting cyber experts.

"Looking beyond the linked contact details though, some of the skills that these adverts are seeking are on the aggressive end of the spectrum," the Intrusion Truth team said.

"While the companies stress that they are committed to information security and cyber-defense, the technical job adverts that they have placed seek skills that would more likely be suitable for red teaming and conducting cyber-attacks," they further said. 

APT40 Recruitment Managed by a Professor

Intrusion Truth was able to link all these companies mentioned above to a single person, a professor in the Information Security Department at the Hainan University.

One of the 13 companies was even headquartered at the university's library. This professor was also a former member of China's military. 

"[Name redacted by ZDNet] appeared to manage a network security competition at the university and was reportedly seeking novel ways of cracking passwords, offering large amounts of money to those able to do so," the anonymous researchers said.

Intrusion Truth is fairly credible and has a good track record: US authorities have investigated two of the three APTs it previously exposed.