Kimsuky, a North Korean APT outfit, has been discovered deploying a piece of bespoke malware named RandomQuery as part of a reconnaissance and information exfiltration operation.

"Lately, Kimsuky has been consistently distributing custom malware as part of reconnaissance campaigns to enable subsequent attacks," Aleksandar Milenkoski and Tom Hegel of SentinelOne noted in a report published.

According to the cybersecurity firm, the current targeted campaign is particularly aimed at information services as well as organizations supporting human rights advocates and North Korean defectors.

Kimsuky, who has been active since 2012, has demonstrated targeting patterns that correspond to North Korea's operational directives and priorities.

As SentinelOne disclosed earlier this month, the information collection missions have featured the employment of a broad assortment of malware, including another reconnaissance program named ReconShark.

The group's most recent activity cluster began on May 5, 2023, and employs a form of RandomQuery that is specially tailored to enumerate files and siphon sensitive data.

RandomQuery, along with FlowerPower and AppleSeed, are among the most widely disseminated tools in Kimsuky's arsenal, with the former acting as an information stealer and a conduit for the distribution of remote access trojans such as TutRAT and xRAT.

The attacks begin with phishing emails purporting to be from Daily NK, a famous Seoul-based online daily covering North Korean events, in order to convince potential targets to open a Microsoft Compiled HTML Help (CHM) file.

It's worth noting at this point that CHM files have also been used as a lure by ScarCruft, another North Korean nation-state actor. When the CHM file is launched, a Visual Basic Script is executed, which sends an HTTP GET request to a remote server to receive the second-stage payload, a VBScript flavor of RandomQuery.

The virus then proceeds to collect system metadata, running processes, installed apps, and files from various folders, which are all sent back to the command-and-control (C2) server.

"This campaign also demonstrates the group's consistent approach of delivering malware through CHM files," the researchers said.

"These incidents underscore the ever-changing landscape of North Korean threat groups, whose remit not only encompasses political espionage but also sabotage and financial threats."

The discoveries come only days after the AhnLab Security Emergency Response Centre (ASEC) discovered Kimsuky's watering hole assault, which comprises putting up a mimic webmail system used by national policy research organizations to capture credentials entered by victims.

Kimsuky has also been linked to attacks that weaponize vulnerable Windows Internet Information Services (IIS) servers in order to drop the Metasploit Meterpreter post-exploitation framework, which is then used to spread Go-based proxy malware.

Cyberattacks are actively guarded against by all responsible firms. However, one security concern that many firms ignore is industrial espionage. Industrial espionage and cyberattacks are frequently carried out for the same reason: to steal confidential information. 

Industrial espionage, on the other hand, is carried out by a corporate competitor rather than a random hacker. Industrial espionage is the theft of confidential information from a company in order to gain a competitive edge. It can take many forms, but the most sophisticated attacks include an employee of the company being targeted. A rival may try to hire someone at the target company, or they may approach an existing employee and offer them money in exchange for information.

Industrial espionage targets any information that could be profitable, such as upcoming product details, financial information, client lists, and marketing strategies. Obtaining such information can provide a competitive edge by allowing a business to improve its own products, offer better deals to providers and employees, undercut prices, damage reputation, or copy and release similar marketing strategies. Client information can also be used to identify potential customers and pricing strategies and marketing information can be used to promote similar products or compete with effective strategies.

In its takedown of Genesis Market, a site famous in the cybercriminal realm for selling access to user accounts, the FBI gathered information on possibly tens of thousands of hackers. Senior FBI and Justice Department officials stated in a Wednesday briefing that law enforcement found and duplicated the backend servers for Genesis Market's main site. These servers store stolen victim passwords and session cookies, as well as information on customers of the infamous hacking site. 

According to a US official, the server copies contain information about around 59,000 individual user accounts, including usernames, passwords, email addresses, and secure messenger accounts, as well as a history of user activity.

“Each takedown is yet another blow to the cybercrime ecosystem,” US Deputy Attorney General Lisa Monaco said in today’s announcement.

An ALPHV/BlackCat ransomware affiliate was spotted gaining early access to the target network by abusing three flaws in the Veritas Backup product. The ALPHV ransomware operation first appeared in December 2021, and it is thought to be controlled by former members of the Darkside and Blackmatter programs, which shut down abruptly to avoid law enforcement scrutiny. 

Mandiant identifies the ALPHV affiliate as 'UNC4466,' noting that the method differs from the conventional breach, which depends on stolen credentials. Mandiant reports that on October 22, 2022, it spotted the first occurrences of Veritas flaw exploitation in the field. UNC4466 focuses on the following high-severity flaws:

Raising children in the digital age is becoming particularly complex. Many young people are growingly reliant on screens for social interaction. They experiment with new media sharing platforms such as TikTok, Snapchat, and BeReal, but without necessarily considering long-term consequences. 

This is normal because children's prefrontal cortex, the part of the brain responsible for reasoning, decision-making, and impulse control, is still underdeveloped. Parents who are responsible for anticipating the outcomes of digital interactions are overwhelmed. Many parents may lack the digital literacy to guide their children through today's plethora of social media platforms, messaging apps, and other online platforms. This situation may expose children to online sexual exploitation. 

They collected data from a diverse group of experts in the United States and the United Kingdom for our study. Interviews were conducted with internet safety non-profits, safeguarding teams, cybercrime police officers, digital forensics staff, and intelligence directors. The ability to share explicit content online is a major reason for the rapid escalation of online child sexual exploitation. The research unveiled four distinct stages used by perpetrators.

Readers should beware of clicking links in a McAfee invoice scam email that claims to be a "confirmation receipt" for the subscription renewal of the company's products. This email does not come from McAfee Corp. Email scams that use the names of antivirus and security companies are probably as old as the internet, but this particular one for McAfee apparently tried to combine two different threats into one: malware and phishing. 

Snopes reviewed one of the McAfee invoice scam emails. The subject line read, "Confirmation Receipt ID.6030955553." The following message came from an email address associated with uilsducoach.com, not the official company website mcafee.com:

It's recommended, "if you accidentally enter data in a webpage linked to a suspicious email, perform a full malware scan on your device. Once the scan is complete, backup all of your files and change your passwords. Even if you only provided a phishing scammer with the data from one account, you may have also opened the door to other personal data, so it's important to change all the passwords you use online in the wake of a suspected phishing attack."

The US government is taking steps to enhance the country's cybersecurity capabilities and improve its overall technology governance strategy. President Joe Biden recently unveiled a new National Cybersecurity Strategy aimed at securing cyberspace and building a resilient digital ecosystem that is easier to defend than to attack. 

"When we pick up our smartphones to keep in touch with loved ones, log on to social media to share our ideas with one another, or connect to the internet to run a business or take care of any of our basic needs, we need to be able to trust that the underlying digital ecosystem is safe, reliable and secure," Biden wrote in the framework's preface.

The strategy is part of a broader effort by the Biden administration to reinforce cyber and technology governance, which includes increasing accountability for tech firms, strengthening privacy protections, and ensuring fair competition online.

1. Defend critical infrastructure

2. Disrupt and dismantle threat actors

3. Shape market forces to drive security and resilience

4. Invest in a resilient future

5. Forge international partnerships to pursue shared goals

The LockBit ransomware operation has asserted responsibility for the cyberattack on Royal Mail, the UK's leading mail delivery service, which forced the company to stop its international shipping services due to "severe service disruption." 

This emerges after LockBitSupport, the public-facing representative of the ransomware group, earlier told BleepingComputer that the LockBit cybercrime group did not target Royal Mail. They instead blamed the attack on other threat actors who used the LockBit 3.0 ransomware builder, which was leaked on Twitter in September 2022. LockBitSupp did not clarify why printed Royal Mail ransom notes seen by BleepingComputer included links to LockBit's Tor negotiation and data leak sites rather than those operated by a different threat actor.

The Royal Mail's recurring IT problems come at a time when its mailing services are already under strain due to planned national strikes and ongoing talks with the Communication Workers Union.     

Ukraine's government has been compromised as part of a new campaign that used trojanized versions of Windows 10 installer files to conduct post-exploitation activities. The malicious ISO files were distributed via Ukrainian and Russian-language Torrent websites, according to Mandiant, which discovered the "socially engineered supply chain" attack around mid-July 2022. The threat cluster is identified as UNC4166. 

"Upon installation of the compromised software, the malware gathers information on the compromised system and exfiltrates it," the cybersecurity company said in a technical deep dive published Thursday.

Even though the origin of the adversarial collective is unknown, the disruptions are said to have targeted organisations that had previously been victims of disruptive wiper attacks blamed on APT28, a Russian state-sponsored actor. According to the Google-owned threat intelligence firm, the ISO file was designed to disable telemetry data transmission from the infected computer to Microsoft, install PowerShell backdoors, and block automatic updates and licence verification.

SPAREPART, as the name suggests, is considered to be redundant malware that is used to uphold remote access to the system if the other methods fail. It also has the same functionality as the PowerShell backdoors that were dropped early in the attack chain.

"The use of trojanized ISOs is novel in espionage operations and included anti-detection capabilities indicates that the actors behind this activity are security conscious and patient, as the operation would have required a significant time and resources to develop and wait for the ISO to be installed on a network of interest," Mandiant stated.

Cybersecurity threats have become pervasive for police departments, first responders, and other public-safety organizations, with 93% of organizations reporting a cybersecurity incident in the previous year. According to a report published on December 8 by cloud platform provider Mark43, which was based on a survey of 343 first responders. 

Based on the 2023 U.S. Public Safety Trends Report, 76% of first responders are concerned about the vulnerability of their IT systems to ransomware attacks and data breaches. Simultaneously, the vast majority of first responders must deal with outdated technology and disconnected systems, with 68% of public-safety officers required to file paperwork from the office rather than in the field, and 67% of first responders experiencing issues with inefficient technology, according to the report.

"These agencies in many cases do not have a dedicated security staff who can worry about these issues all day, ensuring that data is backed up and running vulnerability scans," he says. "To the the [cybersecurity] community, these are table stakes — you need to be doing patching, you need to be doing vulnerability scanning ... but these agencies are realizing that they cannot protect themselves from these risks on their own."

"I don't feel that officers, who are trying to serve our communities, the fact that they are worried about that every day is definitely a concern," he says. "The industry in general needs to help them where we can, because it is not their job to worry about cybersecurity."

Based on the survey, cybersecurity issues include both malicious cybercriminal attacks and availability issues caused by attacks.

One month after a cyber-attack brought down Vanuatu's government servers and websites, frustrated officials were still using private Gmail accounts, personal laptops, pen and paper, and typewriters to run the government of Prime Minister Ishmael Kalsakau, who took office just a few days after the crash.

Malware attacks on state networks have slowed communication and coordination in the Pacific island nation of 314,000 people spread across 80 islands. To find government phone numbers, people turned to the online Yellow Pages or the hard copy phone directory. Some offices were operating solely through their Facebook and Twitter pages.

Software as a Service (SaaS) applications from Microsoft that combine artificial intelligence, collaboration, low-code, security, and supply chain management have been launched as the Microsoft Supply Chain Platform.

Following a cyberattack on Saturday, October 29, 2022, the Atacama Large Millimeter Array (ALMA) Observatory in Chile has suspended all astronomical observation operations and taken its public website offline. 

CERT-In, India's computer, and emergency response team released new guidelines on Thursday that mandate that service providers, intermediaries, data centres, and government institutions disclose cybersecurity incidents, including data breaches, within six hours.

The government said in a release, "Any service provider, intermediary, data center, body corporate and Government organization shall mandatorily report cyber incidents [...] to CERT-In within six hours of noticing such incidents or being brought to notice about such incidents."

Compromise of critical systems, targeting scanning, unauthorised access to computers and social media accounts, website defacements, malware deployments, identity theft, DDoS attacks, data breaches and leaks, rogue mobile apps, and attacks against servers and network appliances such as routers and IoT devices are among the types of incidents covered.

The government stated  it was taking these steps to ensure that the required indicators of compromise (IoC) associated with security events are easily accessible to "carry out the analysis, investigation, and coordination as per the process of the law”

Concerned organisations are also required to synchronise ICT system clocks to the National Informatics Centre (NIC) or National Physical Laboratory (NPL) Network Time Protocol (NTP) Server, maintain ICT system logs for a rolling period of 180 days, and necessitate VPN service providers to maintain data such as names, addresses, phone numbers, emails, and IP addresses of subscribers for a minimum of five years, according to the guidelines.

The guidelines also require virtual asset service, exchange, and custodian wallet providers to preserve records on Know Your Customer (KYC) and financial transactions for a period of five years, starting in 60 days.

India's Ministry of Electronics and Information Technology (MeitY) said in a statement, "These directions shall enhance overall cyber security posture and ensure safe and trusted Internet in the country."

McMenamins, a Portland hotel and brewpub chain, was struck by a ransomware attack on Wednesday that may have stolen employees' personal information, but no customer payment information seems to have been compromised. 

The ransomware attack was discovered and stopped on December 12, according to McMenamins. The company stated it alerted the FBI and contacted a cybersecurity firm to figure out where the attack came from and how extensive it was. 

Employee data such as names, residences, dates of birth, Social Security numbers, direct deposit bank account information, and benefits records may have been acquired, according to the firm in a news release, but "it is not currently known whether that is the case." 

"To provide employees with peace of mind, McMenamins will be offering employees identity and credit protection services, as well as a dedicated helpline through Experian," the company stated. "A payment processing service manages the collection of such information. Further, this information is not stored on company computer systems impacted by the attack."  

Many operational systems have been taken offline, including credit card scanners, necessitating temporary alterations in payment procedures at some McMenamins sites. There is "no indication" that consumer payment data has been hacked, according to the firm. 

The co-owner, Brian McMenamin stated, “What makes this breach especially disheartening is that it further adds to the strain and hardship our employees have been through in the past two years.” 

“We ask that our customers give our employees extra grace as we make temporary adjustments in the way we process transactions and reservations, given the impacts to our systems by this breach.” 

The company stated that it is unclear when the problem would be rectified and systems restored. There are a few things firms can do to assist mitigate these attacks, according to Kerry Tomlinson, a cyber news reporter with Ampere News. 

"As a business, you need to have backups," Tomlinson said. "If ransomware hits and they're demanding ransom for you to get your files back, you can say thanks a lot but I already have backups." 

"It will happen more and more and it's only going to get bigger. If you're not paying attention now, you need to pay attention." 

Employees should be especially cautious to help prevent cyber assaults, according to Tomlinson, by avoiding questionable emails, setting unique passwords for each website visited, and adding a multi-factor authentication process to offer an extra layer of security. It is worth noting that despite the breach, all McMenamins locations are open.

The Securities and Exchange Commission (SEC) is alerting investors about scammers posing as SEC officials and attempting to mislead them. 

Fraudsters are contacting investors via phone calls, voicemails, emаils, and letters, according to the SEC's Office of Investor Educаtion and Advocаcy (OIE). 

The alert stated, “We аre аwаre thаt severаl individuаls recently received phone cаlls or voicemаil messаges thаt аppeаred to be from аn SEC phone number. The cаlls аnd messаges rаised purported concerns аbout unаuthorized trаnsаctions or other suspicious аctivity in the recipients’ checking or cryptocurrency аccounts. These phone cаlls аnd voicemаil messаges аre in no wаy connected to the Securities аnd Exchаnge Commission.” 

The SEC warned it never asks for payments linked to enforcement activities, offer to confirm trades, or seek sensitive personal and financial information in unsolicited communication, including emails and letters. It further stated that SEC officials will not inquire about shareholdings, account numbers, PINs, passwords, or other personal information. 

Scammers appear to be employing a growing number of strategies in order to boost their chances of success. Investors should not disclose any personal information if they get communication that seems to be from the Securities and Exchange Commission, as per the notice. They are encouraged to contact the commission directly.

Investors can use the SEC's personnel locаtor at (202) 551-6000, call (800) SEC-0330, or emаil help@SEC.gov to confirm the identity of people behind calls or messages. Investors can also register a complaint with the Securities and Exchange Commission's Office of Inspector General by visiting www.sec.gov/oig or calling (833) SEC-OIG1 (732-6441). 

Further, the alert stated, “Bewаre of government impersonаtor schemes. Con аrtists hаve used the nаmes of reаl SEC employees аnd emаil messаges thаt fаlsely аppeаr to be from the Securities аnd Exchаnge Commission to trick victims into sending the frаudster’s money. Impersonаtion of US Government аgencies аnd employees (аs well аs of legitimаte finаnciаl services entities) is one common feаture of аdvаnce fee solicitаtions аnd other frаudulent schemes. Even where the frаudsters do not request thаt funds be sent directly to them, they mаy use personаl informаtion they obtаin to steаl аn individuаl’s identity or misаppropriаte their finаnciаl аssets.”

A new phishing campaign is targeting financial sector employees by using links to download a ‘weaponized’ Excel document.

MirrorBlast, a phishing effort, was discovered in early September by security firm ET Labs. Morphisec, a fellow security firm, has now studied the malware and warns that the malicious Excel files might escape malware-detection systems due to "extremely lightweight" embedded macros, making it especially risky for businesses that rely on detection-based protection and sandboxing. 

Macros, or scripts for automating activities, have grown in popularity among cybercriminals. Despite the fact that macros are disabled by default in Excel, attackers employ social engineering to deceive potential victims into allowing macros. Despite appearing to be a simple approach, macros have been employed by state-sponsored hackers because they frequently work. 

Microsoft earlier this year extended its Antimalware Scan Interface (AMSI) for antivirus to combat the rise in macro malware and a recent phenomenon by attackers to utilise outdated Excel 4.0 XLM macros (rather than newer VBA macros) to circumvent anti-malware systems. 

As per Morphisec, the MirrorBlast attack chain is similar to tactics used by TA505, a well-established, financially focused Russia-based cybercriminal group. The group has been active since at least 2014 and is well-known for its usage of a wide range of tools. 

Morphisec researcher Arnold Osipov stated in a blog post, "TA505 is most known for frequently changing the malware they use as well as driving global trends in malware distribution." 

While the MirrorBlast attack begins with a document attached to an email, it afterwards uses a Google feed proxy URL with a SharePoint and OneDrive trap that masquerades as a file-sharing request. When the user clicks the URL, they are sent to a hacked SharePoint site or a bogus OneDrive site. Both versions will take to the malicious Excel document. 

The sample MirrorBlast email demonstrates how the attackers are capitalising on company-issued data on COVID-related modifications to working conditions. Morphisec points out that due to compatibility issues with ActiveX components, the macro code can only be run on a 32-bit version of Office. The macro itself runs a JavaScript script meant to avoid sandboxing by determining if the computer is in administrator mode. The msiexec.exe process is then launched, which downloads and instals an MSI package. 

Morphisec discovered two MIS installation versions that employed legal scripting tools named KiXtart and REBOL. The KiXtart script transmits information about the victim's workstation to the attacker's command and control server, including the domain, computer name, user name, and process list. It then answers with a number indicating whether the Rebol version should be used. Morphisec states that the Rebol script leads to a remote access tool called FlawedGrace, which the group has previously utilised. 

Osipov added, "TA505 is one of many financially motivated threat groups currently active in the marketplace. They are also one of the most creative, as they have a tendency to constantly shift the attacks they leverage to achieve their goals." 

Some days back Google has announced that the company is about to launch its Google Play ‘Safety Section’ feature that will provide information regarding the data collected and used by an Android app. Now Google has announced more details about the upcoming feature. 

Under the new policy app developers have to share the details — what information apps collect, how collected data is used, and what privacy/security features the apps utilize. The upcoming feature can be used in the first quarter of 2022, this feature will display on the app itself. 

With the feature, customers will be able to see all security-privacy relating information including what data is shared with third parties, whether an app uses data encryption, follows Google's Families policies, or whether it has been independently audited against global security standards. Following the announcement, Google will also provide the timeline to App developers — when they will be able to submit information, and when customers can see the Safety section, and it has also given the deadline for App developers to provide the info data. 

What is the timeline for App Developers? 

According to Google, the policy will take place in the first week of October 2021, the "App privacy & security" will display on an app's content page on Play Console. Then Developers will be able to attempt a questionnaire on data collection, security features, and the app's privacy policy. However, the whole procedure will complete in April 2022. 

What must be disclosed under this feature? 

• Encryption in transit 

• Deletion mechanism 

• Families policy 

• Independent security review and How data collected 

Some of the data types that app developers must disclose include personal information like user name, phone number, and email address, location data like users' approximate or precise location, financial info like user credit card number and bank account number, Health and fitness information, Storage like files and docs, emails or texts, audio files like sound recordings and music files, calendar information, App performance like crash logs and performance diagnostics, and Identifiers like device id.