Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Kimsuky. Show all posts
Spearphishing Campaigns
Cloud Identity Security Credential Theft Cyber Attacks FBI cyber alert Kimsuky MFA Bypass North Korea APT QR Code Phishing Quishing Attacks Spearphishing Campaigns

FBI Flags Kimsuky’s Role in Sophisticated Quishing Attacks


 

A new warning from the US Federal Bureau of Investigation indicates that spearphishing tactics are being advanced by a cyber espionage group linked to North Korea known as Kimsuky, also known as APT43, in recent months. 

As the threat actor has increasingly turned to QR code-based attacks as a means of infiltrating organizational networks, the threat actor is increasingly using QR code-based attacks. 

There is an alert on the group's use of a technique referred to as "quishing," in which carefully crafted spearphishing emails include malicious URLs within QR codes, as opposed to links that are clickable directly in the emails.

By using mobile devices to scan the QR codes, recipients can bypass traditional email security gateways that are designed to identify and block suspicious URLs, thereby circumventing the problem. 

As a result of this gap between enterprise email defenses and personal mobile use, Kimsuky exploits the resulting gap in security to stealthily harvest user credentials and session tokens, which increases the probability of unauthorized access while reducing the chance of early detection by the security team. 

As a result of this campaign, concerns about the increasingly sophisticated sophistication of state-sponsored cyber operations have been reinforced. This is an indication that a broader shift toward more evasive and socially engineered attack methods is taking place. 

The FBI has determined Kimsuky has been using this technique actively since at least 2025, with campaigns observing that he targeted think tanks, academic institutions and both US and international government entities using spear phishing emails embedded with malicious Quick Response codes (QR codes). 

In describing the method, the bureau referred to it as "quishing," a deliberate strategy based on the notion of pushing victims away from enterprise-managed desktop systems towards networks governed by mobile devices, whose security controls are often more lax or unclear.

The Kimsuky attacker, known by various aliases, such as APT43, Black Banshee, Emerald Sleet, Springtail, TA427, Velvet Chollima, and Emerald Sleet, is widely believed to be a North Korean intelligence agency. 

Kimsuky's phishing campaigns are documented to have been honed over the years in order to bypass email authentication measures. According to an official US government bulletin published in May 2024, the group has successfully exploited misconfigured Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies to deliver emails that falsely impersonated trusted domains to send emails that convincingly impersonated trusted domains.

In this way, they enabled their malicious campaigns to blend seamlessly into legitimate communications, enabling them to achieve their objectives. The attack chain is initiated once a target scans a malicious QR code to initiate the attack chain, that then quickly moves to infrastructure controlled by the threat actors, where preliminary reconnaissance is conducted to understand the victim's device in order to conduct the attack. 

Moreover, based on the FBI's findings, these intermediary domains are able to harvest technical information, including operating system details, browser identifiers, screen resolutions, IP addresses, and geographical indications, which allows attackers to tailor follow-up activity with greater precision. 

Thereafter, victims are presented with mobile-optimized phishing pages that resemble trusted authentication portals such as Microsoft 365, Okta, and corporate VPN login pages that appear convincingly. 

It is believed that by stealing session cookies and executing replay attacks, the operators have been able to circumvent multi-factor authentication controls and seized control of cloud-based identities. Having initially compromised an organization, the group establishes persistence and utilizes the hijacked accounts to launch secondary spear-phishing campaigns. This further extends the intrusion across trust networks by extending the malware laterally. 

As described by the FBI, this approach demonstrates a high level of confidence, an identity intrusion vector that is MFA-resilient, and it originates on unmanaged mobile devices that sit outside the traditional lines of endpoint detection and network monitoring. 

A number of attacks by Kimsuky were observed during May and June 2025, including campaigns that impersonated foreign advisors, embassy employees, and think tank employees to lure victims into a fictitious conference, as demonstrated by investigators. 

Since being active for more than a decade now, North Korea-aligned espionage groups like APT43 and Emerald Sleet have been gathering information on organizations in the United States, Japan, and South Korea. These groups, also known as Velvet Chollima, Emerald Sleet, TA406, and Black Banshee, have traditionally targeted these organizations with information. 

As a result of activities related to sanctions evasion and support for Pyongyang's weapons of mass destruction programs in 2023, the U.S. government sanctioned the group.

The current spear phishing campaign relies on QR codes embedded within carefully crafted spear-phishing emails to be it's primary infection vector, as the codes run through a victim's mobile device and thereby direct them to an attacker-controlled infrastructure that the attacker controls. 

There are a number of websites host phishing pages crafted to look like legitimate authentication portals, like the Microsoft 365, the Google Workspace, Okta and a wide range of services such as VPNs and single sign-ons. 

As a general rule, investigators report that the operation typically begins with detailed open-source reconnaissance in order to identify high-value individuals, followed by tailored email messages that impersonate trusted contacts or refer to timely events in order to lend credibility to the operation. 

The malicious site either collects login credentials or delivers malware payloads, such as BabyShark or AppleSeed, to the user when they scan the QR code, enabling attackers to establish persistence, move laterally within compromised environments, and exfiltrate sensitive data as soon as it is scanned.

There are many MITER ATT&CK techniques that are aligned with the activity, which reflects an organized and methodical tradecraft, which includes credentials harvesting, command-and-control communications at the application layer, and data exfiltration via web services. 

Furthermore, the group collects data on victim devices by collecting information about the browser and geolocation of the device, which enables the phishing content to be optimized for mobile use, as well as, in some cases, facilitates session token theft, which allows multi-factor authentication to be bypassed. 

Many researchers, academic institutions, government bodies, and strategic advisory organizations have been targeted for their sensitive information, including senior analysts, diplomats, and executives.

It has been observed that while the campaign has gained a global presence covering the United States, South Korea, Europe, Russia, and Japan  it has also demonstrated an increased effectiveness because it is based on personalized lures that exploit professional trust networks and QR codes are routinely used for accessing events and sharing documents, which highlights the growing threat of mobile-centric phishing. 

In a timely manner, the FBI's advisory serves as a reminder that organizations' attack surfaces are no longer limited to conventional desktops and email gateways, but are increasingly extending into mobile devices which are operating outside of the standard visibility of enterprises. 

As malicious actors like Kimsuky develop social engineering techniques that exploit trust, convenience, and routine user behavior in order to gain access to sensitive information, organizations are being forced to reassess how their identity protection strategies intersect with their mobile access policies and their user awareness practices. 

There is an urgent need for information security leaders to place greater emphasis on maintaining phishing-resistant authentication, monitoring anomalous sign-in activity continuously, and establishing stronger governance over mobile device usage, including for those employees who are handling sensitive policy, research, or advisory matters. 

Additionally, it is imperative that users are educated on how to discern QR codes from suspicious links and attachments so that they can treat QR codes with the same amount of attention and scrutiny. 

A combined campaign of this kind illustrates a shift in state-sponsored cyber operations towards low friction, high-impact intrusion paths, which emphasize stealth over scale, pointing to the necessity for adaptive defenses that can evolve as rapidly as the tactics being used to defeat them, which emphasizes the need for a more adaptive defense system.
Read more »
State-Sponsored Espionage
AI Misuse Cybersecurity Data Theft Deepfake Attacks Generative AI Kimsuky malware North Korean Hackers Phishing Campaigns State-Sponsored Espionage

North Korean Threat Actors Leverage ChatGPT in Deepfake Identity Scheme


North Korean hackers Kimsuky are using ChatGPT to create convincing deepfake South Korean military identification cards in a troubling instance of how artificial intelligence can be weaponised in state-backed cyber warfare, indicating that artificial intelligence is becoming increasingly useful in cyber warfare. 

As part of their cyber-espionage campaign, the group used falsified documents embedded in phishing emails targeting defence institutions and individuals, adding an additional layer of credibility to their espionage activities. 

A series of attacks aimed at deceiving recipients, delivering malicious software, and exfiltrating sensitive data were made more effective by the use of AI-generated IDs. Security monitors have categorised this incident as an AI-related hazard, indicating that by using ChatGPT for the wrong purpose, the breach of confidential information and the violation of personal rights directly caused harm. 

Using generative AI is becoming increasingly common in sophisticated state-sponsored operations. The case highlights the growing concerns about the use of generative AI in sophisticated operations. As a result of the combination of deepfake technology and phishing tactics, these attacks are harder to detect and much more damaging. 

Palo Alto Networks' Unit 42 has observed a disturbing increase in the use of real-time deepfakes for job interviews, in which candidates disguise their true identities from potential employers using this technology. In their view, the deepfake tactic is alarmingly accessible because it can be done in a matter of hours, with just minimal technical know-how, and with inexpensive consumer-grade hardware, so it is alarmingly accessible and easy to implement. 

The investigation was prompted by a report that was published in the Pragmatic Engineer newsletter that described how two fake applicants who were almost hired by a Polish artificial intelligence company raised suspicions that the candidates were being controlled by the same individual as deepfake personas. 

As a result of Unit 42’s analysis, these practices represent a logical progression from a long-standing North Korean cyber threat scheme, one in which North Korean IT operatives attempt to infiltrate organisations under false pretences, a strategy well documented in previous cyber threat reports. 

It has been repeatedly alleged that the hacking group known as Kimsuky, which operated under the direction of the North Korean state, was involved in espionage operations against South Korean targets for many years. In a 2020 advisory issued by the U.S. Department of Homeland Security, it was suggested that this group might be responsible for obtaining global intelligence on Pyongyang's behalf. 

Recent research from a South Korean security firm called Genians illustrates how artificial intelligence is increasingly augmented into such operations. There was a report published in July about North Korean actors manipulating ChatGPT to create fake ID cards, while further experiments revealed that simple prompt adjustments could be made to override the platform's built-in limitations by North Korean actors. 

 It follows a pattern that a lot of people have experienced in the past: Anthropic disclosed in August that its Claude Code software was misused by North Korean operatives to create sophisticated fake personas, pass coding assessments, and secure remote positions at multinational companies. 

In February, OpenAI confirmed that it had suspended accounts tied to North Korea for generating fraudulent resumes, cover letters, and social media content intended to assist with recruitment efforts. These activities, according to Genians director Mun Chong-hyun, highlight the growing role AI has in the development and execution of cyber operations at many stages, from the creation of attack scenarios, the development of malware, as well as the impersonation of recruiters and targets. 

A phishing campaign impersonating an official South Korean military account (.mil.kr) has been launched in an attempt to compromise journalists, researchers, and human rights activists within this latest campaign. To date, it has been unclear how extensive the breach was or to what extent the hackers prevented it. 

Officially, the United States assert that such cyber activities are a part of a larger North Korea strategy, along with cryptocurrency theft and IT contracting schemes, that seeks to provide intelligence as well as generate revenue to circumvent sanctions and fund the nuclear weapons program of the country. 

According to Washington and its allies, Kimsuky, also known as APT43, a North Korean state-backed cyber unit that is suspected of being responsible for the July campaign, was already sanctioned by Washington and its allies for its role in promoting Pyongyang's foreign policy and sanction evasion. 

It was reported by researchers at South Korean cybersecurity firm Genians that the group used ChatGPT to create samples of government and military identification cards, which they then incorporated into phishing emails disguised as official correspondence from a South Korean defense agency that managed ID services, which was then used as phishing emails. 

Besides delivering a fraudulent ID card with these messages, they also delivered malware designed to steal data as well as allow remote access to compromised systems. It has been confirmed by data analysis that these counterfeit IDs were created using ChatGPT, despite the tool's safeguards against replicating government documents, indicating that the attackers misinterpreted the prompts by presenting them as mock-up designs. 

There is no doubt that Kimsuky has introduced deepfake technology into its operations in such a way that this is a clear indication that this is a significant step toward making convincing forgeries easier by using generative AI, which significantly lowers the barrier to creating them. 

It is known that Kimsuky has been active since at least 2012, with a focus on government officials, academics, think tanks, journalists, and activists in South Korea, Japan, the United States, Europe, and Russia, as well as those affected by North Korea's policy and human rights issues. 

As research has shown, the regime is highly reliant on artificial intelligence to create fake summaries and online personas. This enables North Korean IT operatives to secure overseas employment as well as perform technical tasks once they are embedded. There is no doubt that such operatives are using a variety of deceptive practices to obscure their origins and evade detection, including artificial intelligence-powered identity fabrication and collaboration with foreign intermediaries. 

The South Korean foreign ministry has endorsed that claim. It is becoming more and more evident that generative AI is increasingly being used in cyber-espionage, which poses a major challenge for global cybersecurity frameworks: assisting citizens in identifying and protecting themselves against threats not solely based on technical sophistication but based on trust. 

Although platforms like ChatGPT and other large language models may have guardrails in place to protect them from attacks, experts warn that adversaries will continue to seek out weaknesses in the systems and adapt their tactics through prompt manipulation, social engineering, and deepfake augmentation in an effort to defeat the system. 

Kimsuky is an excellent example of how disruptive technologies such as artificial intelligence and cybercrime erode traditional detection methods, as counterfeit identities, forged credentials, and distorted personas blur the line between legitimate interaction and malicious deception, as a result of artificial intelligence and cybercrime. 

The security experts are urging the public to take action by using a multi-layered approach that combines AI-driven detection tools, robust digital identity verification, cross-border intelligence sharing, and better awareness within targeted sectors such as defence, academia, and human rights industries. 

Developing AI technologies together with governments and private enterprises will be critical to ensuring they are harnessed responsibly while minimising misuse of these technologies. It is clear from this campaign that as adversaries continue to use artificial intelligence to sharpen their attacks, defenders must adapt just as fast to maintain trust, privacy, and global security as they do against adversaries.
Read more »
record $1 billion
blockchain analytics crypto assets theft cryptocurrency hacks Cyber Attacks cybersecurity trends Kimsuky Lazarus Group North Korean cyber attacks record $1 billion

Cyber Attacks by North Korean Hackers on Cryptocurrency Platforms Reach $1 Billion in 2023

 

A recent study by Chainalysis, a blockchain analytics firm, has revealed a surge in cyber attacks on cryptocurrency platforms linked to North Korea. The data, covering the period from 2016 to 2023, indicates that 20 crypto platforms were targeted by North Korean hackers in 2023 alone, marking the highest level in the recorded period.

According to the report, North Korean hackers managed to steal just over $1 billion in crypto assets in the past year. While this amount is slightly less than the record $1.7 billion stolen in 2022, the increasing trend is a cause for concern among cybersecurity experts.

Chainalysis highlighted the growing threat from cyber-espionage groups like Kimsuky and Lazarus Group, employing various malicious tactics to accumulate significant amounts of crypto assets. This aligns with the Federal Bureau of Investigation's (FBI) previous attribution of a $100 million crypto heist on the Horizon Bridge in 2022 to North Korea-linked hackers.

Supporting these findings, TRM Labs, a blockchain intelligence firm, reported that North Korea-affiliated hackers stole at least $600 million in crypto assets in 2023. The frequency and success of these attacks underscore the sophistication and persistence of North Korea's cyber capabilities.

The report cited a notable incident in September, where the FBI confirmed that North Korea's Lazarus Group was responsible for stealing around $41 million in crypto assets from the online casino and betting platform Stake.com. Investigations led to the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioning Sinbad.io, a virtual currency mixer identified as a key money-laundering tool for Lazarus Group.

Global efforts to counter the threat include sanctions, particularly as previous research indicated that North Korea-affiliated hackers used stolen crypto funds to finance nuclear weapons programs. The UN has imposed sanctions to limit the regime's access to funding sources supporting its nuclear activities.

TRM Labs emphasized the need for ongoing vigilance and innovation from businesses and governments, stating, "With nearly $1.5 billion stolen in the past two years alone, North Korea’s hacking prowess demands continuous vigilance and innovation from business and governments."

Despite advancements in cybersecurity and increased international collaboration, the report predicts that 2024 is likely to see further disruptions from North Korea, posing a challenge for the global community to strengthen defenses against the relentless digital attacks. The report was released by CNBC.
Read more »
US Government
Data Breach Hacker group Kimsuky Kimsuky North Korea Hackers OFAC US Government

US Govt’s OFAC Sanctions North Korea-based Kimsuky Hacking Group


The Treasury Department’s Office of Foreign Assets Control (OFAC) has recently confirmed the involvement of Kimsuky, a North-Korea sponsored hacking group, in a cyber breach attempt that resulted in the compromise of intel in support of the country’s strategic aims. 

Eight North Korean agents have also been sanctioned by the agency for aiding in the evasion of sanctions and promoting their nation's WMD development.

The current measures are apparently a direct response to the Democratic People's Republic of Korea's (DPRK) purported launch of a military reconnaissance satellite on November 21 in an attempt to hinder the DPRK's ability to produce revenue, obtain resources, and obtain intelligence to further its WMD program.

"Active since 2012, Kimsuky is subordinate to the UN- and U.S. designated Reconnaissance General Bureau (RGB), the DPRK's primary foreign intelligence service," the Department of Treasury stated. "Malicious cyber activity associated with the Kimsuky advanced persistent threat is also known in the cybersecurity industry as APT43, Emerald Sleet, Velvet Chollima, TA406, and Black Banshee."

The OFAC, in August 2010, linked Kimsuky to North Korea's primary foreign intelligence agency, the Reconnaissance General Bureau. 

Kimsuky’s operations mostly consist of stealing intelligence, focusing on foreign policies and national security concerns regarding the Korean peninsula and nuclear policy. 

High-Profile Targets of Kimsuky

One of the most notable high-profile targets of the North Korea-based cyberespionage group includes the compromise of South Korea’s nuclear reactor operator in 2018, Operation STOLEN PENCIL against academic institutions in 2018, Operation Kabar Cobra against South Korean government organizations and defense-related agencies in 2019, and Operation Smoke Screen the same year.

Kimsuky was responsible for targeting at least 28 UN officials and several UN Security Council officials in their spear-phishing campaign conducted in August 2020. The cyberespionage group also infiltrated infiltrated South Korea's Atomic Energy Research Institute in June 2021. 

In September 2019, the US Treasury Department imposed sanctions on the North Korean hacker groups Lazarus, Bluenoroff, and Andariel for transferring money to the government of the nation through financial assets pilfered from global cyberattacks against targets.

In May, OFAC also declared sanctions against four North Korean companies engaged in cyberattacks and illegal IT worker schemes intended to raise money for the DPRK's weapons of mass destruction (WMD) programs.  

Read more »
TTP
bOOKcOVE Cyber Fraud Cyberattacks Kimsuky NIS Software Updates Spear-Phishing Emails TTP

Kimsuky's Attacks Alerted German and South Korean Agencies

 


In a joint warning issued by the German and South Korean intelligence agencies, it has been noted that a North Korean hacker group named Kimsuky has been increasing cyber-attack tactics against the South Korean network. With sophisticated phishing campaigns and malware attacks, the group has been suspected of being behind the attacks. It is believed that the North Korean government is behind them. Cyberattacks continue to pose a major threat to businesses and governments throughout the world as a result of increasing cyberattacks. 

Kimsuky (aka Thallium and SmokeScreen) is a North Korean threat group that has developed a reputation for utilizing cutting-edge tools and tactics in its operations. There have been two upcoming attack tactics developed by the group that enhances the espionage capabilities of the organization. These tactics raise no red flags on security radars. There are several malicious Android apps and YouTube extensions being abused as well as Google Chrome extensions.   

Kimsuky is believed to have expanded its tactics to attack a wide range of organizations in both countries, according to the German Office for Information Security (BSI) and South Korea's National Intelligence Service (NIS). Initially targeting U.S. government agencies, research institutions, and think tanks, the group has now spread to businesses in the technology and defense sectors as well. 

Kimsuky appears to be using a new malware called "BookCove" to steal sensitive information from its targets, according to a statement issued by the company. A spear-phishing email is designed to appear like it has been sent from a reputable source, but in reality, the message contains malware. Upon clicking the link or attachment in an email that contains malware, the user's computer is infected with the malware. The hacker can have access to the victim's data and can monitor the activities of the victim as a result of this. \

Various South Korean and German agencies suggest that organizations should implement the necessary precautions to safeguard themselves against these threats. Security measures must be taken, such as multi-factor authentication and regular updates, and employees must be educated on the risks associated with phishing. 

North Korean hacking group, Kimsuky, has been operating since 2013, providing malware for PCs. Several sources claim that the group is linked to the Reconnaissance General Bureau of the North Korean government. This Bureau gathers intelligence and conducts covert operations on behalf of the government. 

According to research, the apps, which embed FastFire and FastViewer, are distributed through Google Play's "internal testing" feature. This gives third-party developers the ability to send apps to a "small set of trusted testers." 

Nevertheless, it bears mentioning that these internal app testing exercises cannot exceed 100 users per app, regardless of the number of users. This is regardless of when the app is released into production. There is no doubt that this campaign has a very targeted nature, which indicates its focus. 

Two malware-laced apps use Android's accessibility services to steal sensitive information ranging from financial to personal information. APK packages for each app are listed below with their respective names in APK format:

  • Com. viewer. fast secure (FastFi) 
  • Com.tf.thinkdroid.secviewer (FastViewer) 
Organizations can take the following measures to protect themselves against Kimsuky's attacks 

A multi-factor authentication system protects the network and system from unauthorized access since it requires the attacker to possess at least two factors, such as a password and a physical device, such as a mobile phone. 

Even if cyber criminals could get past some existing security measures, this would make it far harder for them to access private data. In addition to the above-mentioned measures, organizations may also wish to consider taking the following measures to protect themselves: 
  • Maintaining a regular software update schedule is important. 
  • The best practices for protecting your company's information are taught to your employees. 
  • It is essential to use tools and techniques to detect and respond to advanced threats. 
A robust incident response plan is a crucial tool for organizations to develop to be prepared in case of an incident. If cyberattacks occur, they should be able to respond rapidly and effectively to mitigate their impact.

A growing number of companies are attacked by state-sponsored groups like Kimsuky due to cyberattacks. To reduce their risk of falling victim to these sophisticated cyber-espionage tactics, businesses and governments in Germany need to take proactive steps to protect themselves, including improving their security systems. 

Operating silently, Kimsuky has continuously evolved its TTPs to keep up with changing threats, as well as developing efficient tactics. The majority of attacks are conducted using phishing or spear-phishing. The most significant priority that must be addressed against this threat is to protect the accounts of individuals or organizations and other critical assets. Those involved in organizations and individuals are advised to keep abreast of the latest tactics and adhere to relevant agencies' recommendations.
Read more »
Sharpext
email security Gmail Kimsuky Privacy Sharpext

Hackers Use Malware To Spy on Emails


Gmail users should keep a watch out for the recently found email spying software called SHARPEXT. The malware was found by Volexity, a cybersecurity firm. The spying malware targets AOL and Google account holders and can read/download their personal e-mails and attachments.

A hacking group that is believed to work from North Korea is loading harmful browser extensions for Edge and Chrome. It tries to steal email info from open AOL and Gmail sessions and interchange browser preference files. 

About SHARPEXT

Volexity experts found the malicious extension, known as SHARPEXT, it is active for almost a year by Kimsuky (aka SharpTongue). It uses the extension after the attack has been launched, for keeping its presence. 

"SharpTongue's toolset is well documented in public sources; the most recent English-language post covering this toolset was published by Huntress in 2021. The list of tools and techniques described in that post is consistent with what Volexity has commonly seen for years. However, in September 2021, Volexity began observing an interesting, undocumented malware family used by SharpTongue," reports Volexity.

Kimsuky's Attack

Unlike other harmful browser extensions, SHARPEXT isn't made for stealing user credentials. On the contrary, the extension steals information from the e-mail inboxes of the victims.

The hackers deploy the extension manually via a VBS script once the initial breach of the victim system has been done. 

How SHARPEXT is installed

To install SHARPEXT, the hackers replace the Preferences and Secure Preferences files, for the aimed Chromium-based browser, which is generally said to be a difficult task to execute. 

• To interchange the Secure Preferences file, the hackers obtain some details from the browser and make a new file running on browser start-up.

• After that, the attackers use a secondary script to conceal some of the extension's features and any other windows that can surface and alarm the users about suspicious activities. 

• Lastly, the extension uses a pair of listeners for a particular type of activity in the browser tabs. Installation is then modified for different respective targets. 

Volexity says "the purpose of the tabs listeners is to change the window title of the active tab in order to add the keyword used by dev.ps1, the PowerShell script described previously. The code appends the keyword to the existing title (“05101190” or “Tab+”, depending on the version). The keyword is removed when DevTools is enabled on the tab." 

Read more »
Subscribe to: Comments (Atom)