Search This Blog

Showing posts with label North Korea. Show all posts

A $100 Million Theft Has Been Attributed to the Lazarus Group by the FBI

 


A $100 million cryptocurrency heist was committed by the Lazarus Group last June, which has been blamed by the FBI for the crime. Known for stealing cryptocurrency to help support the military and weapons programs of the North Korean government, this team is associated with the North Korean government. 

A statement released by the FBI on Tuesday identified Lazarus Group, which is also known as APT38, as the perpetrators of the June 24 attack on the Harmony Horizon bridge. The FBI released this information. In the course of this attack, $100 million worth of Ethereum was lost. Harmony Horizon is a bridge that allows you to connect Ethereum, Bitcoin, Binance Chain, and Harmony with the aforementioned cryptocurrency systems. The Ethereum bridge was accessed by attackers in June of this year and the cryptocurrency was stolen. 

There has been a reported theft on the Horizon bridge this morning for approximately $100MM, which was discovered by the Harmony team. At the time of the incident, Harmony said that they had begun to work with national authorities and forensic specialists to identify the perpetrator. In addition, they had begun to regain the funds that had been stolen. 

As a team, the FBI and the Department of Justice's National Cryptocurrency Enforcement Team have combined to investigate the Harmony heist, as well as several United States attorneys' offices. Earlier this week, the FBI announced that the Lazarus Group had been responsible for the attack and used its malware tool TraderTraitor as part of its operation. This malware was one of the components of the attack. 

"During the June 2022 heist, North Korean cyber actors, who used an encryption protocol known as Railgun, a privacy protocol, gained access to over $60 million worth of Ethereum (ETH) that had been stolen. It is believed that a portion of the stolen Ethereum from this theft was sent to several virtual asset services for conversion into bitcoin (BTC)," the FBI said in a statement released by the bureau. 

Lazarus Group is a North Korean security firm that has been active for several years. It is closely associated with the North Korean government and typically pursues the interests of the government. A successful attack by this group on the Bank of Bangladesh in 2016 netted it $81 million. Since then, Lazarus has continued to operate against banks and crypto exchanges to fund its operations. 

Lazarus Group is a group of companies that specialize in penetrating cryptocurrency firms and exchanges, as well as other targets. This is done with the use of their tools that are integrated into TraderTraitor. Oftentimes, these tactics begin when hackers send phishing emails to employees at a target company. They entice them to download malicious files in the hopes that they will be able to decipher what they are downloading. 

Many of these messages are disguised as recruitment efforts and offer high-paying jobs to entice recipients to download cryptocurrency applications laced with malware, also known as TraderTraitor by the U.S. government, according to a CISA advisory released in April. 

TraderTraitor is the term used to describe a series of malicious applications that are written using cross-platform JavaScript and run on the Node.js runtime running on Electron using the Node.js runtime environment. Several malicious open-source applications have been downloaded into the system, posing as tools that can help traders or price forecasters trade cryptocurrencies. TraderTraitor campaigns promote the alleged features of the applications on websites with modern designs. 

Several intrusions carried out by the Lazarus Group have used TraderTraitor as part of their investigations, and they have been quite successful in doing so. There was also another tool they used, a macOS backdoor called AppleJeus, which they implemented along with more advanced ways. 

In addition to spreading cryptocurrency trading applications modified to contain malware that facilitates cryptocurrency theft, the Lazarus Group also distributed AppleJeus trojanized cryptocurrency applications targeting individuals and companies, including cryptocurrency exchanges and financial services firms. 

According to the advisory, the North Korean regime will likely continue to exploit the vulnerabilities of cryptocurrency technology companies, gaming companies, and exchanges. This will enable it to generate and launder funds to support its regime. 

During the Harmony intrusion, the Lazarus Group moved bitcoin to several exchanges, which the FBI worked with to freeze those assets.

North Korean Lazarus Group Targeting Crypto Market via Telegram & Excel File


DEV-0139 uses targeted attacks to steal cryptocurrency investments 

Microsoft has identified a threat actor that has been targeting cryptocurrency investment startups. An entity that Microsoft has termed as DEV-0139 posed as a cryptocurrency investment firm on Telegram and used an Excel file deployed with malicious "well-crafted" malware to attack systems and access them remotely. 

The threat is part of a trend in cyberattacks showing a high degree of sophistication. In our case, the threat actor made a fake OKX employee profile and joined Telegram groups used for facilitating communication between VIP clients and cryptocurrency exchange platforms. 

In recent years, the cryptocurrency market has grown exponentially, getting the attention of investors as well as threat actors. Cybercriminals have used cryptocurrency for their attacks and campaigns, especially for ransom payment in ransomware attacks. 

DEV-0139 uses Telegram and Excel files to target victim

There has also been a rise in threat actors directly attacking organizations in the cryptocurrency industry for monetary motives. Cyberattacks targeting the cryptocurrency market come in various forms, this includes fraud, vulnerability exploitation, fake apps, and use of info stealers, threat actors use these variables to steal cryptocurrency funds. 

In October, the victim was asked to join a new group and then asked to provide feedback on an Excel document that compared Binance, OKX, and Huobi VIP fee structures. 

The document offered correct information and high awareness of the ground reality of crypto trading, however, it also sideloaded an infected. DLL (Dynamic Link Library) file to make a backdoor into the user's system. The victim was then told to view the .dll file while discussing the course fees. 

According to Microsoft, the weaponized Excel file initiates the following series of activities:

  • A malicious macro in the weaponized Excel file abuses the UserForm of VBA to obfuscate the code and retrieve some data.
  • The malicious macro drops another Excel sheet embedded in the form and executes it in invisible mode. The said Excel sheet is encoded in base64 and dropped into C:\ProgramData\Microsoft Media\ with the name VSDB688.tmp
  • The file VSDB688.tmp downloads a PNG file containing three executables: a legitimate Windows file named logagent.exe, a malicious version of the DLL wsock32.dll, and an XOR-encoded backdoor.
  • The file logagent.exe is used to sideload the malicious wsock32.dll, which acts as a DLL proxy to the legitimate wsock32.dll. The malicious DLL file is used to load and decrypt the XOR-encoded backdoor that lets the threat actor remotely access the infected system.

The attack method is popular, Microsoft suggests the attacker was the same as the one running .dll files for the same reasons in June, and also behind other cyberattack instances as well. As per Microsoft, DEV-0139 is the same threat actor that cybersecurity agency Volexity associated with North Korea's state-sponsored Lazarus Group. 

It uses a malware strain called AppleJeus and an MSI (Microsoft installer). The United States federal Cybersecurity and Infrastructure Security Agency reported on AppleJeus last year and Kaspersky Labs documented it in 2020. 

To stay safe from such threats, Microsoft suggests:

1. Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.

2. Educate end users about protecting personal and business information in social media, filtering unsolicited communication (in this case, Telegram chat groups), identifying lures in spear-phishing emails and watering holes, and reporting reconnaissance attempts and other suspicious activity.

3. Educate end users about preventing malware infections, such as ignoring or deleting unsolicited and unexpected emails or attachments sent via instant messaging applications or social networks. Encourage end users to practice good credential hygiene and make sure the Microsoft Defender Firewall (which is enabled by default) is always on to prevent malware infection and stifle propagation.

4. Change Excel macro security settings to control which macros run and under what circumstances when you open a workbook. Customers can also stop malicious XLM or VBA macros by ensuring runtime macro scanning by Antimalware Scan Interface (AMSI) is on. This feature—enabled by default—is on if the Group Policy setting for Macro Run Time Scan Scope is set to “Enable for All Files” or “Enable for Low Trust Files”.

5. Turn on attack surface reduction rules to prevent common attack techniques observed in this threat:

  • Block Office applications from creating executable content
  • Block Office communication application from creating child processes
  • Block Win32 API calls from Office macros
6. Ensure that Microsoft Defender Antivirus is up to date and that real-time behavior monitoring is enabled.

The cryptocurrency market is a lucrative interest for cybercriminals. Targeted victims are identified via trusted channels to better the chance of attack. While hackers prefer targeting big organizations, smaller organizations can also become an easy target of interest. 






North Korea Ransomware Attempt, Siphon Funds From an Israeli Company


Getting into financial institutions' systems and using hackers is a known tactic of North Korea, it nearly took down the Central Bank of Bangladesh by this practice. 

North Korean Hackers Strike Again

Earlier this week, North Korea tried to get access to the systems of an Israeli company that does business in the field of cryptocurrency and extracts the money that Pyongyang planned to use for its nuclear program. 

The hacking attack was done by North Koreans disguising themselves as the company's Japanese supplier. The hacking attempt was immediately caught by cybersecurity personnel from the "Konfidas" agency, which was able to stop the hack. 

Malicious files used to get control over systems

Authorities say the attempt was sophisticated and professional, unique tools were used- something that caught the eye of concerned authorities in Israel. 

The attacks do not happen overnight. There is a pattern behind the operation of most attacks, in the first step, the hacker does a conversation with the person on the other end, and gains your trust. After that, the hacker sends a malicious file containing the virus which is aimed to infiltrate the computer. 

Once the file reaches the computer, it will start spreading out on the network and access financial assets or data that the hacker wants, and in the end, can do whatever he wishes. 

Ransom motive behind the attack

Ransom demands generally happen in financial attacks, threat actors behind them are cyber criminals who intend to steal data and ask for ransom in exchange for not leaking the data and releasing the systems. 

In this particular incident, the North Korean mode of operation is a pattern in which the actors simply spy, steal money, and vanish. There is no user interaction except that he has to open the malicious files which allow the hacker to take control of the systems. 

North Korean hacking patterns

North Korean hackers are believed to be behind the theft of around $100 million in cryptocurrency from a US company earlier this year in June, as the country is trying to manage funding for its nuclear and ballistic missile programs. 

The assets were stolen from "Horizon Bridge," a Harmony blockchain service that lets assets to be sent to other blockchains. Following the theft, the activities by threat actors suggest that they may be linked to North Korea. Experts believe these actors to be highly skilled in the field of cyber penetration attacks. 


North Korea Uses Stolen Cryptoassets to fund its Nuclear Weapons Programs

International investigators and researchers have claimed that North Korea, in recent months is responsible for stealing $300 million worth of Bitcoin and other cryptocurrencies, which was done through hacking and other mass cyberattacks. 
 
The crypto assets are allegedly stolen in order to pay for North Korea's nuclear weapons program. In regards to this, a row has broken out in South Korean political circles over Korea's politicians’ and other leaders' ties to crypto developer Virgil Griffith. 
 
This development comes after North Korea’s missile launches have intensified in the past 10 days. In the wake of the recent nuclear attacks on the island of Hokkaido, more than 5 million Japanese citizens were urgently ordered to take cover as a protective measure. Pyongyang claims that these missile launches were “simulations” for nuclear attacks on South Korea. 
 
As per Military analysts, a large part of this missile launch is being funded, using the stolen cryptocurrency. North Korea is believed to have employed thousands of well-trained hackers, who have affected South Korean businesses and organizations. It has also been accused of exploiting its cyber skills for financial gains. 
 
According to Yonhap, one of South Korea's major news sources, the UN Security Council’s North Korea Sanctions Panel has blamed the North Korean cyber organization such as ‘Lazarus Group’ for Ronin Bridge and the Harmony bridge hack. 
 
As per the experts, the hermit state is utilizing the absence of worldwide regulatory constraints on cryptocurrencies, in order to steal cryptocurrencies to fund nuclear weapons and missile projects. 
 
In an interview with the VOA Korean Service, Jason Barlett, a researcher at the Center for a New American Security (CNAS) stated, “Cryptocurrency offers Pyongyang a new kind of currency that is substantially less regulated and understood by national governments, financial institutions, and institutions, and international organizations.”  
 
In accordance with a report by Nikkei Asia, North Korea is in the penultimate phase, to prepare for a nuclear weapon test, with such incidents pointing to the excavation of an underground tunnel and testing of triggering mechanisms.

Lazarus Hackers are Using Log4j to Hack US Energy Companies

 

A new cyber espionage campaign targeting US, Canadian, and Japanese energy providers has been linked to the North Korean state-sponsored Lazarus hacking group, according to security researchers.

Cisco Talos, a threat intelligence company, announced Thursday that Lazarus, also known as APT38, was observed targeting unidentified energy providers in the United States, Canada, and Japan between February and July of this year. 

According to Cisco's findings, the hackers exploited a year-old Log4j vulnerability known as Log4Shell to compromise internet-exposed VMware Horizon servers in order to gain an initial foothold on a victim's enterprise network before deploying bespoke malware known as "VSingle" and "YamaBot" to gain long-term persistent access. 

Japan's national cyber emergency response team, known as CERT, recently linked YamaBot to the Lazarus APT. Symantec first disclosed information of this espionage campaign in April of this year, attributing the operation to "Stonefly," another North Korean hacking group with some overlaps with Lazarus.

However, Cisco Talos discovered a previously unknown remote access trojan (RAT) called "MagicRAT," which is attributed to the Lazarus Group and is used by hackers for reconnaissance and credential theft.

Talos researchers Jung soo An, Asheer Malhotra, and Vitor Ventura, “The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives. This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.”

However, in recent months, the group has shifted its focus to blockchain and cryptocurrency organisations. It has been associated with the recent thefts of $100 million in cryptocurrency from Harmony's Horizon Bridge and $625 million in cryptocurrency from the Ronin Network, an Ethereum-based sidechain created for the popular play-to-earn game Axie Infinity.

Pyongyang has long used stolen cryptocurrency and information theft to finance its nuclear weapons programme. In July, the United States offered a $10 million reward for data on members of state-sponsored North Korean threat groups, including Lazarus, more than doubling the amount previously offered. The State Department made the announcement in April.

The Lazarus Group is a North Korean-backed hacking organisation best known for the high-profile Sony hack in 2016 and the WannaCry ransomware attack in 2017. Lazarus is also motivated by efforts to support North Korea's state objectives, such as military R&D and evasion of international sanctions.

SharpTongue: A Malware from North Korea that Monitors Emails

About SharpTongue

Threat actor SharpTongue, which is linked to North Korea, was found using a malicious extension on Chromium-based browsers to keep surveillance on victims' Gmail and AOL email accounts. Experts from cybersecurity agency Volexity found the hackers as SharpTongue, but its activities coincide with one of the Kimsuky APT groups. 

The SharpTongue's toolset was covered by Huntress in 2021 in a published report, but in September 2021, Volexity started noticing usage of earlier unreported Malware strain, in the past year. Volexity has looked over various cybersecurity cases which involve SharpTongue and in most of the incidents, hackers use a malicious Microsoft Edge or Google Chrome extension known as "SHARPEXT." 

How does SharpTongue operate?

Contrary to other extensions in use by the Kimsuky APT group, SHARPEXT doesn't steal passwords or usernames, however, it accesses the target's webmail account while they're browsing it. The present version of the extension backs three browsers and is capable of stealing the contents of e-mails from AOL webmail and Gmail accounts. 

The report analysis says that SHARPEXT is a malicious browser extension deployed by SharpTongue following the successful compromise of a target system. In the first versions of SHARPEXT investigated by Volexity, the malware only supported Google Chrome. 

The current variant 3.0 supports three browsers:

  • Edge
  • Chrome
  • Whale (It is used in South Korea)

The attack process

The attack chain begins with hackers manually extracting files required to install extensions from the malicious workstation. After a breach of the victim's Windows system, the hackers change the web browser's Preferences and Secure Preferences. 

After that, hackers manually deploy SHARPEXT via a VBS script and enable the DevTools panel in the active tab to keep surveillance on the email contents and steal file attachments from the target's mail account. This is done via PowerShell script, hackers also conceal warning messages running developer mode extensions. 

Security Affairs report, "experts pointed out that this is the first time the threat actor used malicious browser extensions as part of the post-exploitation phase. Stealing email data from a user’s already-logged-in session makes this attack stealthy and hard to be detected by the email provider. The researchers shared the YARA rules to detect these attacks and Indicators of Compromise (IOCs) for this threat."


US State Department Offers $10 Million for Information on North Korean Hackers

 

The US government has disclosed it is offering up to $10m as a reward for information on people linked with North Korean state-sponsored hacking groups. 

The US State Department revealed Tuesday it is interested in information on hackers that are part of groups including Lazarus Group, Guardians of Peace, Kimsuky, and APT38 amongst others. 

“If you have information on any individuals associated with North Korean government-linked malicious cyber groups (such as Andariel, APT38, Bluenoroff, Guardians of Peace, Kimsuky, or Lazarus Group) and who are involved in targeting US critical infrastructure in violation of the Computer Fraud and Abuse Act, you may be eligible for a reward,” read a notice posted to Twitter. 

The North Korean hacking group is the only one to be called out by name on the Rewards for Justice site, which otherwise explains the purpose of the program is to generate useful information “that protects Americans and furthers US national security.” It says rewards are also offered for information on “the financial mechanisms of individuals engaged in certain activities to support the North Korean regime.” 

The amount is double the bounty the government offered in March 2022 for information on DPRK-backed hackers targeting crypto exchanges and financial institutions worldwide to support the Kim Jong-un regime's illegal operations. 

Lazarus, for example, has been blamed for various high-profile cyberattacks, including the world’s biggest ever crypto-heist when $618m was stolen from Vietnamese developer Sky Mavis and its Ronin Network. In 2020, the hackers exfiltrated $281m from Singapore-headquartered cryptocurrency exchange KuCoin. 

The North Korean hackers have also infiltrated mobile phones of well-known personalities, including particular South Korean legislators, to obtain their private data, claimed Mun Chong Hyun, head of the EST security response center (ESRC). He said hackers target organizations on North Korea's websites or build counterfeit Facebook accounts for those functioning in the North Korean industry on an ongoing basis. 

Last year, the US Department of Justice unsealed a federal incitement of several suspected members of the infamous Lazarus Group (APT38), said to be linked to military intelligence agency the Reconnaissance General Bureau (RGB). However, North Korea is a notoriously secretive and globally isolated state, making traditional intelligence-gathering efforts challenging. 

In 2019, the U.S. Treasury Department banned three North Korean hacking groups (Lazarus Group, Bluenoroff, and Andariel) for funneling financial assets they stole in cyberattacks to the North Korean government.

Lazarus Group Responsible For $100M Crypto-Heist


Cyber security researchers have found Lazarus Group responsible for stealing $100m worth of crypto via Harmony's Horizon Bridge, a California-based company. Lazarus group is a popular North Korean state-sponsored hacking group that was also behind $620 million worth of crypto theft from the Ronin exchange in March. 

Following the incident, the Harmony cybersecurity team was warned of the attack last week by blockchain forensics company Elliptic that the institution has been attacked by a cross-chain bridge. 

“There are strong indications that North Korea’s Lazarus Group may be responsible for this theft, based on the nature of the hack and the subsequent laundering of the stolen funds,” Elliptic wrote. 

Additionally, Reuters reported that Chainalysis, a blockchain firm is also investigating with Harmony; it claims that the attack style is similar to previous attacks attributed to North Korea-linked actors.

“On Thursday, June 23, 2022, the Harmony Protocol team was notified of a malicious attack on our proprietary Horizon Ethereum Bridge. At 5:30 AM PST, multiple transactions occurred that compromised the bridge with 11 transactions that extracted tokens stored in the bridge,” the company said in its blog. 

As the name suggests, Blockchain bridges allow users to transfer their crypto assets from one blockchain to another. The malicious actors stole $100 million in crypto assets, including Ethereum (ETH), Binance Coin, Tether, USD Coin, EOS, and Dai. 

Elliptic said that the hack was carried out by compromising the cryptographic keys of a multi-signature wallet, a technique that is popularly used by the suspected groups. 

“Lazarus Group tends to focus on APAC-based targets, perhaps for language reasons referring to the Asia-Pacific region. Although Harmony is based in the US, many of the core team has links to the APAC region,” Elliptic added. 

Further, the report suggests that after two days of attack Harmony offered to pay a $1 million bounty to the group for the return of Horizon bridge funds. Also, researchers reported that they have found the offenders behind the $100 million hack.

Hackers in Dprk use Trojanized DeFi Wallet App to Steal Bitcoin

 

North Korean government-linked hackers have now been circulating a trojanized version of a DeFi Wallet for holding bitcoin assets to obtain access to cryptocurrency users' and investors' systems.

Securing economic benefits is one of the primary motives for the Lazarus threat actor, with a focus on the cryptocurrency industry. The Lazarus group's targeting of the financial industry is increasing as the price of cryptocurrencies rises and the appeal of the non-fungible asset (NFT) and decentralized finance (DeFi) enterprises grows.

In this attack, the threat actor used web servers in South Korea to distribute malware and communicate with the implants that had been placed. Kaspersky Lab researchers recently identified a malicious version of the DeFi Wallet software that installed both the legal app and a backdoor disguised as a Google Chrome web browser executable. When the trojanized DeFi application was launched on the machine, it introduced a full-featured backdoor with a compilation date of November 2021. It's unknown how the hackers spread the word, but phishing emails or contacting victims through social media are both possibilities. 

Although it's not clear how the threat actor persuaded the victim to run the Trojanized program (0b9f4612cdfe763b3d8c8a956157474a), it is believed they used a spear-phishing email or social media to contact the victim. The Trojanized application initiates the previously unknown infection technique. This installation package masquerades as DeFi Wallet software, but it actually contains a legal binary that has been packed with the installer. 

The virus installed in this manner, as per the researchers, has "sufficient capabilities to manage" the target host by issuing Windows commands, uninstalling, starting or killing processes, enumerating files and related information, or connecting the computer to a particular IP address. 

The malware operator can also collect relevant data (IP, name, OS, CPU architecture) and the discs (kind, free space available), files from the command and control server (C2), and retrieve a list of files stored in a specified area using additional functionalities. According to Japan CERT, the CookieTime malware group known as LCPDot has been linked to the DPRK operation Dream Job, which enticed victims with phony job offers from well-known firms. 

Google's Threat Analysis Group (TAG) revealed recent activity related to Dream Job earlier this month, finding North Korean threat actors used a loophole for a zero-day, remote code execution bug in Chrome to aim at people working for media, IT companies, cryptocurrency, and fintech companies. "The CookieTime cluster has linkages with the Manuscrypt and ThreatNeedle clusters, which are also attributed to the Lazarus organization," Kaspersky adds. 

The links between the current trojanized DeFiWallet software and other malware attributed to North Korean hackers go beyond the virus code to the C2 scripts, which overlap many functions and variable names. It's worth mentioning that Lazarus is the umbrella name for all state-sponsored North Korean threat operations. Within the DPRK, however, several threat groups are operating under different institutions/departments of the country's intelligence establishment. 

Mandiant analysts prepared an evaluation of the DPRK's cyber program structure using data collected over 16 months from its digital activity tracking for the entire country, OSINT monitoring, defector reporting, and imaging analysis. Targeting bitcoin heists is certainly within the scope of financially motivated units inside the country's Reconnaissance General Bureau's 3rd Bureau (Foreign Intelligence), according to their map (RGB).   

North Korea Stealing Millions in Cyber Attacks

 

A recent report of UN experts on cybersecurity threats has revealed that North Korea has not stopped stealing hundreds of millions of dollars from financial institutions and cryptocurrency organizations and exchanges. Illegally obtained money plays a very important role in North Korean nuclear and missile programs, U.N. experts said in a report quoting cyber specialists. 

The state-sponsored cybercriminals often use prevalent methods of attacks including phishing lures, malware, code exploits, and advanced social engineering to siphon funds out of these organizations’ internet-connected ‘hot’ wallets into DPRK-controlled addresses. 

The panel of experts has also said that according to an unnamed government, North Korean “cyber-actors stole more than $50 million between 2020 and mid-2021 from at least three cryptocurrency exchanges in North America, Europe, and Asia, probably reflecting a shift to diversify its cybercrime operations.” 

The experts further added that the “Cyber-actors stole a total of $400 million worth of cryptocurrency through seven intrusions into cryptocurrency exchanges and investment firms". 

The panel of experts monitoring sanctions on North Korea said that the cryptocurrency funds that have been stolen by the state-sponsored threat actors go through a very protective money laundering process in order to be cashed out.

A year ago, the panel quoted an unidentified country saying North Korea’s “total theft of virtual assets from 2019 to November 2020 is valued at approximately $316.4 million.” 

In the same year, North Korea had advanced its nuclear weapons and ballistic missiles even after United Nations sanctions. Further, for its funding, the state uses malicious actors' help and continues to seek material and technology overseas for its arsenal including in Iran, said, experts. 

“Cyberattacks, particularly on cryptocurrency assets, remain an important revenue source for the state government, and the experts are monitoring the implementation of sanctions against the North,” experts said in the new report.

Cyber Attack: North Korea Suffers Internet Outage

North Korea faced an internet shutdown, and experts suspect cyber-attacks are the main reason. The internet outage remained for six hours in the country on Wednesday last week during local morning time. It is the second incident causing internet outages in North Korea in the past two weeks. Cybersecurity expert Junaid Ali from Britain says the recent outage may be due to a denial-of-service (DDoS) attack. 

If a user in North Korea tried to connect to an IP address, the internet could not route the data into the country. The servers were back to normal within a few hours after the DDoS attack. Individual servers, however, could not function normally because of the disruption, these servers include-Naenara, the North Korean government official portal, Air Koryo Airlines, and the North Korea Ministry of Affairs. 

News website NK Pro reports network records and log files suggest that websites hosted in North Korean domains that end with ".kp" could not be accessed. A similar incident happened in North Korea earlier on January 24, 2022. In simple terms, network disturbance, not power cut, caused the internet outage. Experts observed that no internet traffic went in and out of North Korea during the attack. 

According to Junaid ", it is common for one server to go offline for some periods, but these incidents have seen all web properties go offline concurrently. It is not common to see their entire internet dropped offline. 

During the incidents, operational degradation would build up first with network timeouts, then individual servers going offline and then their key routers dropping off the internet." Internet access is restricted in North Korea, we don't know how many people have direct access to it, but the data suggests that around 25 million people have access to the internet, which is only 1% of the total population.

The Lazarus Group uses Windows Update to Spread Malware

 

Researchers discovered that Lazarus Group is leveraging Windows Update to spread malware in a campaign backed by a GitHub command-and-control (C2) server. The Malwarebytes Threat Intelligence team announced on Thursday that they identified the North Korean state advanced persistent threat (APT) group's latest living-off-the-land strategy while investigating a spear-phishing campaign discovered on Jan. 18. 

The campaign's emphasis – in which the APT posed as the American global security and aerospace company Lockheed Martin – is consistent with Lazarus' preference for penetrating the military.  

Lazarus, which has been active since at least 2009, is regarded by researchers as one of the world's most active threat actors. The US also refers to Lazarus as Hidden Cobra, a term used to describe the North Korean government's cyber-activity in general.

“This APT group has been behind large-scale cyber-espionage and ransomware campaigns and has been spotted attacking the defence industry and cryptocurrency markets,” Kaspersky researchers have noted in the past. 

In the Jan. 18 campaign, Malwarebytes discovered two macro-embedded decoy documents purporting to offer new job openings at Lockheed Martin. Their filenames: Lockheed_Martin_JobOpportunities.docx and Salary_Lockheed_Martin_job_opportunities_confidential.doc. 

Both of these documents were created on April 24, 2020, but researchers have enough evidence to believe they were utilized in a campaign in late December 2021 or early 2022. The domains utilized by the threat actor are some of the evidence that this assault was carried out recently. Both documents employ the same attack theme and share some features, such as embedded macros, but the entire attack chain appears to be completely different. 

According to the researchers, the attack begins by running malicious macros embedded in Word documents. The malware achieves startup persistence in the victim's system after a series of injections. When a victim opens the malicious attachments and allows macro execution, an embedded macro places a WindowsUpdateConf.lnk file in the startup folder and a DLL file (wuaueng.dll) in a secret Windows/System32 folder. LNK files are Windows shortcut files, meaning they are pointers to original files in Windows. 

Then comes the .LNK file which is needed to launch the WSUS / Windows Update client - wuauclt.exe, a genuine process file generally known as Windows automatic updates and is located in C:WindowsSystem32. The Update client is used to execute a malicious DLL that avoids detection by security software. 

“With this method, the threat actor can execute its malicious code through the Microsoft Windows Update client by passing the following arguments: /UpdateDeploymentProvider, Path to malicious DLL and /RunHandlerComServer argument after the DLL,” the researchers explained.

North Korean Hackers Attack Russian Diplomats

 

American information security experts from Cluster25 and Black Lotus Labs discovered cyberattacks on employees of the Russian Foreign Ministry before the New Year holidays. They were allegedly carried out by the North Korean hacker group Konni. 

According to Black Lotus Labs, the attackers began a phishing campaign back in October. They sent some diplomats archives with information about vaccination data and sent others links to download a fake program for registering vaccinated people on the federal vaccine registry. As a result, the account of one of the employees of the Foreign Ministry (mshhlystova@mid.ru) was compromised. From this address, hackers sent a phishing email to Deputy Minister Sergei Ryabkov at SRyabkov@mid.ru on December 20. 

In addition, Cluster25 reported that another letter, which contained an infected archive was sent on December 20 to the Russian Embassy in Indonesia, the sender was listed as the diplomatic mission in Serbia. 

The Russian Foreign Ministry confirmed that the attack was real. "However, the attack was timely detected and localized by standard means of active protection of the ministry's information infrastructure and did not spread further," the Foreign Ministry said. The ministry stressed that the phishing attack had no destructive impact on the information infrastructure of the Foreign Ministry. 

As Anastasia Tikhonova, the head of the Group-IB threat research group explained, American experts could take examples of emails from the VirusTotal (VT) service, which analyzes suspicious files. According to her, one of these letters was posted there on the day of the attack, December 20. 

It should be noted that the Konni group (APT37) has been known since 2017. In its attacks, it used, in particular, documents related to Russia-DPRK relations, taking texts from public sources. Kaspersky Lab cybersecurity expert Denis Legezo said that Konni can send a corrupted PDF file. The recipient cannot open it, and attackers under the guise of a reader send him an infected program.

Lazarus Has Started to Target the IT Supply Chain

 

The Lazarus hacker gang, which is backed by North Korea, has shifted its emphasis to new targets and has been detected by Kaspersky security experts improving its supply chain assault capabilities. After breaching a Latvian IT provider in May, Lazarus utilized a new form of the BLINDINGCAN backdoor to attack a South Korean research tank in June.

Lazarus built an infection chain in the first case found by Kaspersky researchers, which began with legitimate South Korean security software distributing a malicious payload. The target in the second case was a Latvian company that develops asset monitoring solutions, an unusual victim for Lazarus. CISA and the FBI were the first to notice the backdoor utilized in these assaults. It can elude detection by removing itself from infiltrated computers, exfiltrate data, create and destroy processes, and tamper with file and folder timestamps, according to the researchers. 

The infection chain included the Racket downloader, which was signed with a stolen certificate. The hacker gang infiltrated weak web servers and installed scripts that gave them control over the dangerous implants. 

Lazarus has been targeting the defence industry using the MATA malware architecture for cyber-espionage purposes for some months, according to Kaspersky. MATA had previously been utilized by the gang for a variety of reasons, including data theft and ransomware transmission. A downloader was used to collect further malware from the command and control (C&C) server in the attacks, which leveraged a multi-stage infection chain. For this campaign, Lazarus upgraded the MATA framework and signed some of its components with a legitimate but stolen digital certificate. 

“Through this research, we discovered a stronger connection between MATA and the Lazarus group, including the fact that the downloader malware fetching MATA malware showed ties to TangoDaiwbo, which we had previously attributed to the Lazarus group,” Kaspersky said. 

Lazarus, also known as Hidden Cobra, has been active since at least 2009 and is suspected of orchestrating a number of high-profile strikes. In 2020, the group targeted COVID-19 research, as well as members of the security research community and vaccine maker Pfizer. 

"These recent developments highlight two things: Lazarus remains interested in the defense industry and is also looking to expand its capabilities with supply chain attacks," said Ariel Jungheit, a senior security researcher at Kaspersky. "When carried out successfully, supply chain attacks can cause devastating results, affecting much more than one organization – something we saw clearly with the SolarWinds attack last year."

NSA’s Cyber Chief Warned About the Increasing Cyber Threat

 

On Wednesday the 29th of September, the chief of the cyber branch of the National Security Agency cautioned about the growing number of digital dangers and threats that these cybercriminals pose. 

Rob Joyce, Director of the NSA Cybersecurity Directorate, stated during the ASPEN Cyber Summit in Colorado that nearly every single government in the world today has a cyber exploitation program. 

Joyce has been a special assistant of the president and cyber security coordinator of the National Security Council in 2018, with many other responsibilities in the nation's leading e-spy agency. 

“The vast majority of those are used for espionage and intelligence purposes, but… there is interest in dabbling in offensive cyber and outcomes. The difference between the top of the list and the bottom of the list, usually, is scale,” stated Joyce. 

There are some “high-end, sophisticated small actors, but they’re confined to whatever that national interest is that they’re aimed at so we see less of them.” 

Joyce also gave his evaluated statements on the so-called "Big Four" and the latest internet business of the foreign states who were historically the digital opponents of America — Russia, China, Iran, and North Korea. 

Starting with Russia he said that, it's the distressing force. Often they attempt not to boost their activities but to pull others down. They are still extremely active in intelligence-gathering efforts targeting vital infrastructure and countries. The problem is that they employ disruptive effects all around the world aggressively. The organization saw indications of U.S. vital infrastructure pre-positioning. For this everyone must strive against every item that can't be permitted. 

Further, talking about China he noted that, Chinese is off the charts, considering the scale and scope. The number of cyber actors from China is growing all over the world. NSA respected them less than that from four or five years ago to the present day, the changes as perceived. They have always been wide, loud, and boisterous, and what the organization discovers, the elite in that group is the elite if one has such a vast resource base. 

“The high end of the Chinese sophistication is really good. We’ve got to continue to understand, disrupt and then find ways across the whole of that technology to kind of push back… Yes, defense is really important, but you also have to work to disrupt so that’s the continuous engagement strategy out of the [Defense Department] and the idea that we got to put sand and friction in their operations, so they don’t get just free shots on goal,” he added. 

Later he made statements about Iran saying that Iran is still operational in cyber activities. Certainly, they were the first and foremost nation when everyone spoke of a bank distributed denial of service operations and the Shamoon Wiper malware. However what NSA observed is that they often concentrate very much on regional matters, at present. Their attention was not as broad on the impact. But they are capable, especially because their decision is less judgmental, and most crucially because it is a realistic measure. Iran sometimes does not appreciate how much it has done to, or has gone far as to arouse the wrath and concern of the larger community. 

Lastly, he told that North Korea remains extremely focused on the regime's income creation, as North Korea can not be affected even with several sanctions. They, therefore, had to develop ways to create cash, trade and realized that it is simpler to steal Bitcoin than to steal from Bangladesh Bank. They didn't attack the largest banks as hard, since in the crypto realm they made their required money. 

“The commercial firms were dealing with a lot of North Korean issues back when the [Covid-19] vaccine was an issue; they were going after the intellectual property of vaccine makers. So, still active, still a threat, very capable but mostly focused on crypto exchanges and creating money.” He added. 

Internet Browser Vulnerabilities Exploited by North Korean Hackers to Implant Malware

 

A threat actor from North Korea has indeed been found exploiting two flaws in the Internet Explorer to attack individuals with a specialized implant, targeting a South Korean online daily newspaper as a component of strategic web compromise (SWC). 

Volexity, a cybersecurity firm, has accredited these attacks and operations to a threat actor recognized by the name InkySquid also better known by the monikers ScarCruft and APT37. It is indeed a widely known North Korean hackers' body. Daily NK — the publication of concern, is believed to have been host to the malevolent code from at least the end of March 2021 to early June 2021. 

InkySquid, the infamous North Korean hacker group has been leveraging the vulnerability since 2020 to upload falsified Javascript code that is usually buried within the genuine code in cyberattacks against an Internet Explorer browser. 

However, according to security researchers, earlier in April this year, Volexity identified a suspicious code loaded via www.dailynk[.]com onto unlawful jquery[.]services subdomains. There are two types of URLs identified, which are listed below:

  • hxxps://www.dailynk[.]com/wp-includes/js/jquery/jquery.min.js?ver=3.5.1
  • hxxps://www.dailynk[.]com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2 

Further, Volexity experts have noted that the "clever disguise of exploit code amongst legitimate code" as well as the usage of bespoke malware allows attackers to escape detection. 

These attacks involved manipulating the jQuery JavaScript libraries on the website to serve further obscured code from a remote URL and use it to abuse the exploits of two Internet Explorer vulnerabilities that were addressed by Microsoft in August 2020 and March 2021. A Cobalt Strike stagger, as well as the BLUELIGHT new backdoor, have successfully been deployed. 

  • CVE-2020-1380 (CVSS score: 7.5) - Scripting Engine Memory Corruption Vulnerability 
  • CVE-2021-26411 (CVSS score: 8.8) - Internet Explorer Memory Corruption Vulnerability 

It must be mentioned that both the vulnerabilities were actively leveraged in the wild by the North Korean hackers using them to target security scientists working in research and development on vulnerabilities in an operation that was uncovered earlier in January. 

After the timely implementation of the Cobalt Strike, BLUELIGHT is employed as a secondary payload, as a full-featured remote access technique that allows total access to an affected system. 

Along with obtaining system metadata and antivirus product information, malware can execute shellcodes, collect cookies and credentials through Internet Explorer, Microsoft Edge, and Google Chrome browsers, acquire files, and install arbitrary runs that are exfiltrated to a remote server.

North Korean Lazarus Group Attacks South African Freight Via New Weapon

 

The North Korean-backed Lazarus hacking group employed a new backdoor in targeted attacks against a South African freight and logistics company. ESET researchers first discovered the malware in June 2020, but further evidence suggests Lazarus has been using it in previous attacks going back to at least December 2020. 

The new backdoor malware, dubbed Vyveva is one of the latest tools discovered in the Lazarus armory. Vyveva has the capability of exfiltrating files, gathering data from an exploited machine and its drives, remotely connect to a command-and-control (C2) server and run arbitrary code. It also uses watchdogs to keep track of newly connected drives or the active user sessions to trigger new C2 connections on new sessions or drive events.

While ESET researchers have not gained much success in identifying the initial compromise vector but they have discovered three main components comprising Vyveva – its installer, loader and backdoor. Vyveva also consists a ‘timestomping’ option which allows its operators to manipulate any file’s data using metadata from other files on the system or by setting a random date between 2000 and 2004 to hide new or modified files. 

“Vyveva shares multiple code similarities with older Lazarus samples that are detected by ESET technology. However, the similarities do not end there: the use of a fake TLS protocol in network communication, command-like execution chains, and the methods of using encryption and Tor services all point toward Lazarus. Hence, we can attribute Vyveva to this APT group with high confidence,” security researcher Filip Jurcacko stated.

According to the US government, Lazarus group was formed in 2007 and since then, as per the researchers, the group has been responsible for the $80 million Bangladeshi bank heist and the HaoBao Bitcoin-stealing campaign. The Lazarus Group’s activities were widely reported only after it was blamed for the 2014 cyber-attack on Sony Pictures Entertainment and the 2017 WannaCry ransomware attack on the countries including the US and Britain.

US Agencies Publish Advisory on North Korean Cryptocurrency Malware, AppleJeus

 

The Federal Bureau of Investigation (FBI) jointly with the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury, released an advisory on North Korea's cyber-threat to cryptocurrency and on suggestions for mitigating. 

Operated with the US government allies, FBI, CISA and the Treasury assess that, Lazarus Group –advanced persistent threat (APT) actors assisted by these agencies in North Korea is targeting the consumers and firms through the dissemination of cryptocurrency trading apps, including crypto-currency exchange and financial service providers, that have been updated to cover. 

“This advisory marks another step by the U.S. Government to counter the ongoing and criminal North Korean global cryptocurrency theft scheme targeting finance, energy, and other sectors,” said CISA Acting Executive Assistant Director of Cybersecurity Matt Hartman. “The FBI, Treasury, and CISA continue to assess the evolving cyber threat posed by North Korea, cybercriminals, and other nation-state actors and are committed to providing organizations timely information and mitigations to combat these threats.” 

In the last year alone, these cyber actors attacked organizations for cryptocurrency theft, in more than 30 nations. These actors would undoubtedly see amended cryptocurrency trade applications as a way of bypassing North Korea's foreign sanctions—applications that allow them to gain access to cryptocurrency exchanges and loot cryptocurrency cash from victims' accounts. 

The US government refers to the North Korean Government's malicious cyber activity as HIDDEN COBRA. Malware and indicators of compromise (IOCs) have been identified by the United States Government to facilitate North Korean cryptocurrency robbery, which is called "AppleJeus" by the Cyber Security community. 

Although the malware was first found in 2018, North Korea has used several versions of AppleJeus. In the first place, HIDDEN COBRA actors used websites that seemed to host genuine cryptocurrency trading platforms, but these actors seem to be using other infection feature vectors, such as phishing, social networking, and social engineering, to get users to download the malware and to infect victims with AppleJeus. They are also using other infection vectors. Active AppleJeus Malware agencies in several areas, including energy, finances, government, industry, technology, and telecommunications, were targeted by HIDDEN COBRA actors. 

Ever since it was discovered, several variants of AppleJeus were found in the wild. Most of them are supplied as relatively simple applications from attacker-controlled websites that resemble legitimate cryptocurrency exchange sites and firms. 

“It is likely that these actors view modified cryptocurrency trading applications as a means to circumvent international sanctions on North Korea — the applications enable them to gain entry into companies that conduct cryptocurrency transactions and steal cryptocurrency from victim accounts,” states the report. 

If consumers perceive that they have been affected by AppleJeus, the findings suggest victims creating new keys or transferring funds from corrupted crypto wallets, expelling hosts, running anti-malware tests on tainted devices, and notifying the FBI, CISA, or treasury.

Is North Korea Planning Something Bigger in the Field of Cyber Crime ?

 

North Korea is excelling in a field of cybercrime with each passing day despite the tight economic sanctions levied by the United Nations and the United States of America in 2006 to prevent North Korea of the necessary funds for its nuclear program. North Korea has boosted its cyber capabilities by exploiting digital susceptibilities across the globe.

North Korea’s hacking groups code-named Lazarus Group or Hidden Cobra have launched several cyber-attacks across the globe to extort money for its banned nuclear weapons development program. Lazarus was suspected of being the driving force behind the famous robbery of nearly $80 million from the Bangladeshi Central Bank.

US Department of Homeland and the FBI in 2017 released a cybersecurity bulletin explaining the connection of North Korea to several cyber-attacks on US businesses and critical infrastructure. In May 2020 North Korea recruited nearly 100 science and technology university graduates into its military forces to oversee its tactical planning systems. Approximately 100 hackers graduate from Mirim College, also known as the University of Automation.

As per the reports of defector testimony, North Korea is training graduates from Mirim College to dismantle Microsoft Windows Operating Systems, build destructive computer viruses and write code in various computer programming languages. WannaCry ransomware a North Korean-led cyberattack in 2017, which wrought havoc in more than 300,000 computers in 150 countries by exploiting vulnerabilities in the Microsoft Windows operating system.

According to US Army reports, the alarming thing is that North Korea is not acting alone, North Korea has recruited nearly 6,000 cyber agents across the globe in four intelligence organizations. China is one of the North Korea supporters, it helps North Koreans illicit cyber activities via training and academic intrusion. North Korean students often study at topmost Chinese science and technology universities such as the Harbin Institute of Technology (HIT) where they have access to advanced technology and equipment which are unavailable in their home country due to U.S. and U.N. sanctions.

In November 2019, the North Korean Chairman of the Education and the Chinese Ministry of Education jointly signed the China-North Korea Education and Cooperation Agreement (2020-2030) to reinforce academic partnerships and postgraduate student exchanges. This tie-up was done to increase foreign exchange and higher education training programs which may lead to increased cybercrime, given the nature of these science and technology universities.

The U.S. government continues to expose new and dangerous cyber groups that pose a serious threat to international security and U.S. national interests. However, all is not lost for the United States and its global allies, the U.S. Department of Justice can mandate cybersecurity audits for U.S. banks and financial institutions as part of deferred prosecution agreements to boost compliance with the basic cybersecurity structure described by the Cybersecurity and Infrastructure Security Agency (CISA) and Financial Action Task Force (FATF).

Thallium Altered the Installer of a Stock Investment App

 

This week, ESTsecurity Security Response Center (ESRC) gave an account of a North Korean hacking group altering a private stock investment messaging application to deliver malevolent code. The gathering known as Thallium delivered a Windows executable utilizing Nullsoft Scriptable Install System (NSIS), a famous script-driven installer authoring tool for Microsoft Windows. This North Korean hacking group Thallium, colloquially known as APT37 has targeted clients of a private stock investment courier service in a software supply chain attack, as indicated by a report distributed recently. Not long ago, the group essentially depended on phishing assaults, for example, using Microsoft Office records, to focus on its victims. Thallium is presently utilizing different ways, for instance, transporting infected Windows installers and macro-laden Office records to go after investors.

The Windows executable contained malevolent code with the authentic files from a legitimate stock investment application program. ESTsecurity researchers demonstrated two manners by which the assailants influence the "XSL Script Processing" method. Inside the authentic installer of the stock investment platform, aggressors infused explicit orders that got a malignant XSL content from a maverick FTP server and executed it on Windows systems employing the in-built wmic.exe utility. 

The subsequent installer, repackaged with Nullsoft's NSIS, would give off the impression as though the client was installing the genuine stock investment application while discreetly sliding the malicious contents out of sight. The following phase of assault executes a VBScript to make documents and folders named 'OracleCache', 'PackageUninstall', and 'USODrive' among others in the %ProgramData% index. The payload at that point interfaces with the command-and-control (C2) server facilitated on frog.smtper[.]co to get extra commands. By making a maverick scheduled task called activate under a deceptive directory 'Office 365__\Windows\Office', the malware accomplishes continuity by instructing Windows Scheduler to run the dropped code every 15 minutes. These criminals observe the tainted system and after an initial screening, deployed a Remote Access Trojan (RAT) on the machine.

ESTsecurity researchers additionally noticed Microsoft Office documents, for example, Excel spreadsheets that contained macros were disturbing the previously mentioned XSL script payload. "ESRC is focusing on the way that the Thallium association is utilizing the 'XSL Script Processing' method not just in spear-phishing assaults dependent on noxious documents, yet besides for niche assaults including supply chain assaults," experts at ESTsecurity further said.