Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label North Korea. Show all posts
Vulnerabilities and Exploits
CISA cyber threat DLL hijacking North Korea North Korea Hackers Security Breach Vulnerabilities and Exploits

Navigating the Complex Landscape of Cyber Threats: Insights from the Sisense Breach and North Korean Tactics

 

In the intricate tapestry of cybersecurity, recent events have thrust vulnerabilities and threats into the spotlight once again. The breach of data analytics powerhouse Sisense, coupled with the emergence of novel sub-techniques utilized by North Korean threat actors, underscores the dynamic and relentless nature of cyber warfare. Let's delve deeper into these incidents and glean valuable insights for bolstering our defenses against evolving cyber threats. 

Sisense, a formidable player in the realm of business intelligence software, recently found itself ensnared in a security breach that rippled through critical infrastructure organizations. With offices sprawled across strategic locations such as New York City, London, and Tel Aviv, and a prestigious clientele including Nasdaq, ZoomInfo, Verizon, and Air Canada, Sisense's allure to cyber adversaries is palpable. 

The breach, currently under scrutiny by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), serves as a stark reminder of the precarious balance between innovation and security in today's digital landscape. At the heart of the Sisense breach lie two sub-techniques that have become favoured tools in the arsenal of North Korean threat actors. The first involves the manipulation of Transparency, Consent, and Control (TCC), a foundational security protocol governing application permissions on Apple's macOS. 

Despite the robustness of security measures such as Full Disk Access (FDA) and System Integrity Protection (SIP), attackers have exhibited a remarkable ability to circumvent these controls, gaining unfettered access to macOS environments. This tactic underscores the imperative of continuous monitoring and adaptive security strategies to thwart the nefarious designs of cyber adversaries. 

The second sub-technique, colloquially known as "phantom" Dynamic Link Library (DLL) hijacking, sets its sights on Windows environments, leveraging nonexistent DLL files referenced by the operating system. By capitalizing on this loophole, threat actors such as the Lazarus Group and APT 41 can inject malicious code undetected, posing a grave threat to system integrity. 

The clandestine nature of this tactic exemplifies the ingenuity and adaptability of cyber adversaries in navigating the labyrinthine landscape of cybersecurity defenses. Mitigating these sophisticated threats necessitates a multifaceted approach that encompasses both technical fortifications and user awareness initiatives. For macOS users, safeguarding the integrity of System Integrity Protection (SIP) and exercising caution with app permissions are imperative steps in mitigating the risk of TCC manipulation. 

In Windows environments, proactive monitoring, robust application controls, and preemptive measures to block remote DLL loading are indispensable in thwarting phantom DLL attacks. Moreover, fostering a culture of collaboration and information sharing between industry stakeholders and government agencies is paramount in confronting the ever-evolving threat landscape. 

By pooling resources, sharing threat intelligence, and adopting a unified front against cyber adversaries, organizations can amplify their collective resilience and fortify their defenses against emerging threats. 

In conclusion, the Sisense breach and the intricate tactics employed by North Korean threat actors serve as poignant reminders of the relentless onslaught of cyber threats. By remaining vigilant, proactive, and collaborative, organizations can navigate the turbulent waters of cybersecurity with resilience and fortitude, safeguarding their digital assets and preserving the integrity of our interconnected world.
Read more »
North Korea
Cyber Security Digital Vigilante Geopolitical Intrigue Hacker North Korea

Alejandro Caceres: The Vigilante Hacker Who Took Down North Korea’s Internet

Alejandro Caceres: The Vigilante Hacker Who Took Down North Korea’s Internet

In the shadowy world of cybersecurity, where nation-states and rogue actors engage in digital warfare, one man stood out—a vigilante hacker named Alejandro Caceres. His audacious mission: was to take down North Korea’s internet infrastructure. 

Caceres launched a one-man cyberwar that disrupted every publicly visible website in North Korea, keeping them offline for over a week. But who was this mysterious figure, and what drove him to such extreme measures?

The Unlikely Hero

Alejandro Caceres, a 38-year-old Colombian-American cybersecurity entrepreneur, hardly fits the profile of a cyberwarrior. Yet, his personal vendetta against North Korean spies pushed him to the brink. 

Having been targeted by North Korean agents earlier, Caceres reported the incidents to the FBI, only to receive no government support. Frustrated and disillusioned, he decided to take matters into his own hands. His mission: to send a message to Kim Jong Un’s regime that messing with American hackers would have consequences.

The Pseudonym: P4x

As Caceres executed his attack, he adopted the pseudonym “P4x.” The name was a clever nod to his intention: to force peace with North Korea through the threat of his own punitive measures. 

By hiding behind this moniker, he hoped to evade both North Korean retaliation and potential criminal hacking charges from his own government. P4x became the faceless avenger, a digital vigilante with a singular purpose.

The Tools of the Trade

Armed with custom-built programs and cloud-based servers, Caceres disrupted North Korea’s internet infrastructure. His attacks were intermittent, calculated, and relentless. Publicly visible websites blinked out of existence, leaving the regime scrambling for answers. 

Caceres provided screen-capture videos and real-time evidence of his disruption, all while remaining hidden in his coastal Florida home. 

The Power of One

Caceres’ story underscores the power of a single individual in the vast digital landscape. In a world dominated by nation-states and cyber armies, he stood alone against North Korea. His actions were audacious, risky, and morally ambiguous. Was he a hero or a rogue? The answer, perhaps, lies in the gray areas of cyberwarfare.

The Message

As North Korea’s internet flickered and faltered, Caceres sent a message: No one is untouchable. Even the most secretive regime could be disrupted by a determined hacker. His personal vendetta had transformed into a geopolitical statement. The world watched as North Korea’s cyber defenses crumbled, and P4x became a legend.

Read more »
South Korea
Cyber Attacks CyberCrime Cybersecruity DPRK Global Authorities North Korea South Korea

Global Authorities Examine 58 Cyberattacks Linked to North Korea, Valued at $3 Billion

 


North Korean sanctions monitors have been investigating dozens of possible cyberattacks by the regime, which are believed to have raised $3 billion to fuel the state's nuclear weapons program, according to excerpts released from an unpublished report by the UN. 

In the executive summary of a new report submitted to the United Nations Security Council obtained Friday by The Associated Press, a panel of experts stated that the number of cyberattacks by North Korean hacking groups that report to the Reconnaissance General Bureau, North Korea’s primary foreign intelligence organization, is continuing to be high. 

This report covers the period from July 2023 to January 2024, and it is based on contributions made by unidentified United Nations representatives. A report sent to the council of 15 nations, compiled from member nations and other sources, was sent in response to the high tensions in the region caused by North Korean leader Kim Jong Un. 

As a result, the United States, South Korea, and Japan have increased their combined military exercises in response to his threat to destroy South Korea if provoked and escalating weapons demonstrations. He threatened to annihilate South Korea if provoked by an escalation of weapons demonstrations. Amid the increased military and political tensions on the Korean Peninsula, the experts said North Korea “continued to flout (U.N.) sanctions,” further developed its nuclear weapons, and produced nuclear fissile materials – the weapons’ key ingredients. 

There was no doubt that the light-water reactor at North Korea's main nuclear complex at Yongbyon appeared to be operational, according to the experts. Despite suspicions that the North may use it as a new source of fissile materials for nuclear weapons, the South Korean defence minister said in late December that the reactor is likely to become operational by the summer. 

A 5-megawatt reactor near Yongbyon, the country that possesses the world's largest nuclear capacity, has been producing weapons-grade plutonium for many years. As an additional source of bomb fuel, this light-water reactor would be a useful addition to the arsenal, and observers have pointed out that, with its larger capacity, it can produce more plutonium. 

Furthermore, Yongbyon has its own facility for enriching uranium, which can enrich uranium up to 99%. According to the panel, North Korea is likely preparing to conduct its seventh nuclear test from Punggye-ri, which would mark the first nuclear test conducted there since 2017. The panel said it has been working on monitoring activities at the nuclear test site. 

It has been estimated that North Korea has nuclear weapons in the range of 20-60 (or more than 100, depending on who is doing the counting) to more than 100. North Korea is thought to be capable of adding between six and 18 bombs per year, according to experts. Kim Jong Un has repeatedly made a promise to build more nuclear weapons and introduce high-technology weapons to deal with what he calls intensifying U.S. hostility since his diplomacy with the U.S. collapsed in 2019. 

According to the panel, at least seven ballistic missiles were launched by the Democratic People's Republic of Korea during the six months that ended in January, including one intercontinental ballistic missile, one intermediate-range missile, and five short-range missiles. That was one of the most numerous rocket launches that the North has ever made, according to the panel. 

A military observation satellite has been successfully launched by the DPRK in orbit, following two failed attempts, experts said Sunday. As part of the North's military arsenal, an old diesel submarine has been modified so that it can be used as a tactical nuclear attack submarine. 

The monitoring panel overseeing U.N. sanctions against North Korea has observed persistent breaches by the DPRK. The country, in defiance of Security Council resolutions, is found to illicitly import refined petroleum products. 

To circumvent maritime sanctions, the DPRK employs a blend of obfuscation techniques. In the year 2023, the recorded trade volume exceeded that of 2022, encompassing a diverse range of consumer goods. Some of these items, deemed luxury goods and prohibited by U.N. sanctions, were included. 

The panel is actively probing reports from member states regarding the DPRK's potential involvement in the arms and ammunition trade, a clear violation of U.N. sanctions. Recent accusations from the United States, Ukraine, and six allies assert Russia's utilization of North Korean ballistic missiles and launchers in devastating aerial attacks against Ukraine, violating U.N. sanctions. South Korea's military, in November, suspected North Korea of exporting various armaments, including short-range ballistic missiles and anti-tank missiles to Russia, contravening U.N. sanctions. 

Throughout the last six months, discernible trends indicate the DPRK's focus on targeting defence companies and supply chains, as well as increased collaboration in infrastructure and tools. The panel has also delved into reports of numerous DPRK nationals working abroad in sectors such as information technology, restaurants, and construction, generating income in violation of U.N. sanctions. 

Additionally, the DPRK persists in accessing the international financial system for illicit financial operations. While U.N. sanctions are designed to spare ordinary North Koreans, the panel acknowledges unintentional repercussions on the humanitarian situation and aspects of aid operations. Nevertheless, the precise impact of sanctions relative to other factors remains challenging to discern.
Read more »
Ransomware
Block Chain Crypto Theft Cyber Security North Korea Ransomware

North Korean Actors Behind $600M in Crypto Thefts: TRM Labs


North Korean Hackers

According to a TRM Labs analysis, hackers with ties to North Korea were responsible for one-third of all cryptocurrency exploits and thefts last year, taking away about $600 million in cash.

The blockchain analytics company claimed on Friday that the amount takes the Democratic People's Republic of Korea's (DPRK) total revenue from cryptocurrency initiatives to about $3 billion over the previous six years.

Nevertheless, according to Ari Redbord, head of legal and government affairs at TRM, the amount is roughly 30% lower than in 2022. Actors with ties to the DPRK stole about $850 million that year, "a huge chunk" of which came from the Ronin Bridge exploit, Redbord said. 

Current Scenario

The latter few months of 2023 saw the majority of the stolen money seized.

"They're clearly attacking the crypto ecosystem at a really unprecedented speed and scale and continue to take advantage of sort of weak cyber controls," said Redbord. Many of the attacks continue to use so-called social engineering, allowing the perpetrators to acquire private keys for projects, he said.

TRM links around $200 M in stolen funds to North Korea last year. The fact that the earnings of North Korean attacks go toward the development of WMDs raises worries about national security and sets them apart from other attacks.

Stolen Money: 2023

In 2023, the total amount of money obtained through hacking was approximately $1.7 billion, as opposed to $4 billion, which was taken the year before.

Redbord gave multiple reasons for the decline. Less significant hacks, such as the Ronin theft in 2022, have occurred. Other contributing factors include stronger cybersecurity measures, effective law enforcement initiatives, and, to a lesser degree, price volatility in the previous year.

During a recent trilateral meeting over North Korea's WMD efforts, national security officials from the United States, the Republic of Korea, and Japan brought up these concerns directly.

"North Korean hackers are different, because it's not for greed or money or the typical hacker mentality; it's about taking those funds and using them for weapons proliferation and other types of destabilizing activity, which is a global threat," Redbord said. "And that's why there's such a focus on it from a national security perspective."
Read more »
South Korea
Andariel Data Breach Hacker group Military Data North Korea North Korean Hackers Ransomware group South Korea

Seoul Police Reveals: North Korean Hackers Stole South Korean Anti-Aircraft Data


South Korea: Seoul police have charged Andariel, a North Korea-based hacker group for stealing critical defense secrets from South Korea’s defense companies. Allegedly, the laundering ransomware is redirected to North Korea. One of the 1.2 terabytes of data the hackers took was information on sophisticated anti-aircraft weaponry.  

According to the Seoul Metropolitan Police Agency, the hacker group utilized servers that they had rented from a domestic server rental company to hack into dozens of South Korean organizations, including defense companies. Also, the ransomware campaign acquired ransoms from a number of private sector victim firms. 

Earlier this year, the law enforcement agency and the FBI jointly conducted an investigation to determine the scope of Andariel's hacking operations. This was prompted by reports from certain South Korean corporations regarding security problems that were believed to be the result of "a decline in corporate trust." 

Andariel Hacker Group 

In an investigation regarding the origin of Andariel, it was found that it is a subgroup of the Lazarus Group. The group has stolen up to 1.2 terabytes of data from South Korean enterprises and demanded 470 million won ($357,000) in Bitcoin as ransom from three domestic and international organizations.  

According to a study conducted by Mandiant, it was revealed that Andariel is operated by the North Korean intelligence organization Reconnaissance General Bureau, which gathers intelligence for the regime's advantage by mainly targeting international enterprises, governmental organizations, defense companies, and financial services infrastructure. 

Apparently, the ransomware group is also involved in cybercrime activities to raise funds for conducting its operation, using specially designed tools like the Maui ransomware and DTrack malware to target global businesses. In February, South Korea imposed sanctions on Andariel and other hacking groups operating in North Korea for engaging in illicit cyber operations to fund the dictatorial regime's nuclear and missile development projects.  

The threat actor has used a number of domestic and foreign crypto exchanges, like Bithumb and Binance, to launder the acquired ransom. Till now, a sum of 630,000 yuan ($89,000) has been transferred to China's K Bank in Liaoning Province. The hackers proceeded to redirect the laundered money from the K Bank branch to a location close to the North Korea-China border. 

Seoul police noted that they have seized the domestic servers and virtual asset exchange used by Andariel to conduct their campaigns. Also, the owner of the account, that was used in transferring the ransom, has been detained. 

"The Security Investigation Support Department of the Seoul Metropolitan Police Agency is actively conducting joint investigations with related agencies such as the U.S. FBI regarding the overseas attacks, victims and people involved in this incident, while continuing to investigate additional cases of damage and the possibility of similar hacking attempts," the agency said.

The police have warned businesses of the threat actor and have advised them to boost their cybersecurity and update security software to the latest versions. It has also been advised to organizations to encrypt any critical data, in order to mitigate any future attack. 

Moreover, police are planning to investigate server rental companies to verify their subscribers’ identities and to ensure that the servers have not been used in any cybercrime activity.  

Read more »
NPM
Cyber Attacks Cyber Hackers Cyberattack Threat CyberCrime Cybersecurity GDPR GitHub North Korea NPM

New Cyber Threat: North Korean Hackers Exploit npm for Malicious Intent

 


There has been an updated threat warning from GitHub regarding a new North Korean attack campaign that uses malicious dependencies on npm packages to compromise victims. An earlier blog post published by the development platform earlier this week claimed that the attacks were against employees of blockchain, cryptocurrency, online gambling, and cybersecurity companies.   

Alexis Wales, VP of GitHub security operations, said that attacks often begin when attackers pretend to be developers or recruiters, impersonating them with fake GitHub, LinkedIn, Slack, or Telegram profiles. There are cases in which legitimate accounts have been hijacked by attackers. 

Another highly targeted attack campaign has been launched against the NPM package registry, aimed at enticing developers into downloading immoral modules by enticing them to install malicious third-party software. There was a significant attack wave uncovered in June, and it has since been linked to North Korean threat actors by the supply chain security firm Phylum, according to Hacker News. This attack wave appears to exhibit similar behaviours as another that was discovered in June. 

During the period from August 9 to August 12, 2023, it was identified that nine packages were uploaded to NPM. Among the libraries that are included in this file are ws-paso-jssdk, pingan-vue-floating, srm-front-util, cloud-room-video, progress-player, ynf-core-loader, ynf-core-renderer, ynf-dx-scripts, and ynf-dx-webpack-plugins. A conversation is initiated with the target and attempts are made to move the conversation to another platform after contacting them. 

As the attacker begins to execute the attack chain, it is necessary to have a post-install hook in the package.json file to execute the index.js file which executes after the package has been installed. In this instance, a daemon process is called Android. The daemon is launched as a dependency on the legitimate pm2 module and, in turn, a JavaScript file named app.js is executed. 

A JavaScript script is crafted in a way that initiates encrypted two-way communications with a remote server 45 seconds after the package is installed by masquerading as RustDesk remote desktop software – "ql. rustdesk[.]net," a spoofed domain posing as the authentic RustDesk remote desktop software. This information entails the compromised host's details and information. 

The malware pings every 45 seconds to check for further instructions, which are decoded and executed in turn, after which the malware checks for new instructions every 45 seconds. As the Phylum Research Team explained, "It would seem to be that the attackers are monitoring the GUIDs of the machines in question and selectively sending additional payloads (which are encoded Javascript code) to the machines of interest in the direction of the GUID monitors," they added. 

In the past few months there have been several typosquat versions of popular Ethereum packages in the npm repository that attempts to make HTTP requests to Chinese servers to retrieve the encryption key from the wallet on the wallet.cba123[.]cn, which had been discovered. 

Additionally, the highly popular NuGet package, Moq, has come under fire since new versions of the package released last week included a dependency named SponsorLink, that extracted the SHA-256 hash of developers' email addresses from local Git configurations and sent them to a cloud service without their knowledge. In addition, Moq has been receiving criticism after new versions released last week came with the SponsorLink dependency. 

Version 4.20.2 of the app has been rolled back as a result of the controversial changes that raise GDPR compliance issues. Despite this, Bleeping Computer reported that Amazon Web Services (AWS) had withdrawn its support for the project, which may have done serious damage to the project's reputation. 

There are also reports that organizations are increasingly vulnerable to dependency confusion attacks, which could've led to developers unwittingly introducing malicious or vulnerable code into their projects, thus resulting in large-scale attacks on supply chains on a large scale. 

There are several mitigations that you can use to prevent dependency confusion attacks. For example, we recommend publishing internal packages under scopes assigned to organizations and setting aside internal package names as placeholders in the public registry to prevent misuse of those names.

Throughout the history of cybersecurity, the recent North Korean attack campaign exploiting npm packages has served as an unmistakable reminder that the threat landscape is transforming and that more sophisticated tactics are being implemented to defeat it. For sensitive data to be safeguarded and further breaches to be prevented, it is imperative that proactive measures are taken and vigilant measures are engaged. To reduce the risks posed by these intricate cyber tactics, organizations need to prioritize the verification of identity, the validation of packages, and the management of internal packages.
Read more »
North Korea
Cyber Attacks Cyber Data Hackers North Korea

Kimsuky Hackers from North Korea Back in Action with Advanced Reconnaissance Malware

 

Kimsuky, a North Korean APT outfit, has been discovered deploying a piece of bespoke malware named RandomQuery as part of a reconnaissance and information exfiltration operation.

"Lately, Kimsuky has been consistently distributing custom malware as part of reconnaissance campaigns to enable subsequent attacks," Aleksandar Milenkoski and Tom Hegel of SentinelOne noted in a report published.

According to the cybersecurity firm, the current targeted campaign is particularly aimed at information services as well as organizations supporting human rights advocates and North Korean defectors.
Kimsuky, who has been active since 2012, has demonstrated targeting patterns that correspond to North Korea's operational directives and priorities.

As SentinelOne disclosed earlier this month, the information collection missions have featured the employment of a broad assortment of malware, including another reconnaissance program named ReconShark.

The group's most recent activity cluster began on May 5, 2023, and employs a form of RandomQuery that is specially tailored to enumerate files and siphon sensitive data.

RandomQuery, along with FlowerPower and AppleSeed, are among the most widely disseminated tools in Kimsuky's arsenal, with the former acting as an information stealer and a conduit for the distribution of remote access trojans such as TutRAT and xRAT.

The attacks begin with phishing emails purporting to be from Daily NK, a famous Seoul-based online daily covering North Korean events, in order to convince potential targets to open a Microsoft Compiled HTML Help (CHM) file.

It's worth noting at this point that CHM files have also been used as a lure by ScarCruft, another North Korean nation-state actor. When the CHM file is launched, a Visual Basic Script is executed, which sends an HTTP GET request to a remote server to receive the second-stage payload, a VBScript flavor of RandomQuery.

The virus then proceeds to collect system metadata, running processes, installed apps, and files from various folders, which are all sent back to the command-and-control (C2) server.
"This campaign also demonstrates the group's consistent approach of delivering malware through CHM files," the researchers said.

"These incidents underscore the ever-changing landscape of North Korean threat groups, whose remit not only encompasses political espionage but also sabotage and financial threats."

The discoveries come only days after the AhnLab Security Emergency Response Centre (ASEC) discovered Kimsuky's watering hole assault, which comprises putting up a mimic webmail system used by national policy research organizations to capture credentials entered by victims.

Kimsuky has also been linked to attacks that weaponize vulnerable Windows Internet Information Services (IIS) servers in order to drop the Metasploit Meterpreter post-exploitation framework, which is then used to spread Go-based proxy malware.

Read more »
Technology Threats
Cyber Security Hacker group Kimsuky North Korea State-sponsored Hackers Technology Threats

Kimsuky Spear-Phishing Campaign Goes Global Using New Malware

On Thursday, security researchers from SentinelOne reported that the North Korean state-sponsored APT group, Kimsuky, has been observed utilizing a brand new malware component called ReconShark. The malware is disseminated through spear-phishing emails that are specifically targeted, containing OneDrive links that, when clicked, trigger the download of documents that subsequently activate malicious macros.  

Tom Hegel and Aleksandar Milenkoski from SentinelOne revealed that the spear-phishing emails used to distribute ReconShark are tailored to specific individuals, with a high level of design quality that increases the likelihood of the target opening them. These emails appear legitimate, using proper formatting, grammar, and visual clues that can deceive unsuspecting users. 

Moreover, the malicious documents and the links in the emails are disguised with the names of real individuals whose knowledge or expertise is relevant to the subject of the lure, for instance, political scientists. 

Furthermore, the researcher added that “The ability of ReconShark to exfiltrate valuable information, such as deployed detection mechanisms and hardware information, indicates that ReconShark is part of a Kimsuky-orchestrated reconnaissance operation that enables subsequent precision attacks, possibly involving malware specifically tailored to evade defenses and exploit platform weaknesses”.

The state-sponsored APT group Kimsuky, which has been operating since 2012, is also identified by other names such as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), Nickel Kimball, and Velvet Chollima. This notorious threat actor group has been involved in targeted attacks on numerous entities, including non-governmental organizations (NGOs), diplomatic agencies, military organizations, think tanks, research entities, and economic groups across Asia, North America, and Europe. 

In new developments, Kimsuky differs from its predecessors. It avoids storing collected data on the file system. Instead, the malware stores the information in string variables and transmits it to a command-and-control (C2) server via HTTP POST requests. Additionally, ReconShark can install supplementary payloads, such as DLL files or scripts, by examining the detection mechanisms present on the infected systems. 

Furthermore, the security researchers noted that Kimsuky's recent activities are designed to hit global issues. “For example, the latest Kimsuky campaigns have focused on nuclear agendas between China and North Korea, relevant to the ongoing war between Russia and Ukraine,” reads the report. 

The discovery of ReconShark highlights the growing proof that Kimsuky is changing its techniques to secretly access and control computer systems, stay undetected, and collect information for prolonged periods.
Read more »
virus
APT Cyber Attacks Cybersecurity Linux Malware malware North Korea SET SimplexTea virus

Linux Malware Set to Be Deployed by North Korean APT Group

 


There is a shred of growing evidence that North Korean actors were responsible for the 3CX software supply chain hack, as found by ESET researchers. The newly discovered piece of malware extends the evidence that a North Korean group hacked the supply chain. 

In analyzing the backdoor, researchers from cybersecurity firm Eset found that it was tied to Pyongyang's latest fake job recruitment campaign, Operation Dream Job. This campaign recruits people for Pyongyang jobs. The Eset report indicates that North Korean hackers produce and use malware that works on all major desktop operating systems, including Windows, MacOS, and Linux. 

There is no connection between Linux malware and the 3CX supply-chain attack disclosed in late March by Lazarus Group. However, ESET researchers said they were confident that the 3CX attack was conducted by this company. This is even though it does not seem related to the Linux malware. As the name suggests, this is less a distinct organization than it is an umbrella term for a variety of North Korean hacking groups, some state-sponsored, and some criminal, that work for the Hermit Kingdom, and that are based in the country. 

A Trojan attack on 3CX's source code by North Korean hackers was publicly reported in late March, revealing their source code was stolen. A research team from Mandiant reported this week that they had traced the infection source to a previous attack on Trading Technologies' software supply chain. 

Trading Technologies develops software used in financial trading. Researchers from Symantec said on Friday that they had identified two more victims of the Trading Technologies hack that occurred earlier this week. 

There was no doubt throughout this whole investigation that the 3CX case had a North Korean connection from the very start. On March 29, a CrowdStrike engineer posted a message on a Reddit thread in which he reported that this had happened. 

It has also been confirmed that a North Korean nexus was involved in the attack by a preliminary report to be presented to 3CX by Mandiant - hired to investigate the breach. As well as Syphos, Check Point, Broadcom, Trend Micro, and other security companies have also provided summaries of the events. Most of them attribute the compromise to a group aligned with North Korea, citing various reasons. 

In addition to having more than 600,000 clients, 3CX according to their website, boasts several big names in the field. These include American Express, BMW, Air France, Toyota, IKEA, and many others. Shodan's search, conducted on March 30, found over 240,000 phone management systems exposed by 3CX. Huntress, a managed security service provider, reported on March 13, that it received 2,783 incident reports where the binary 3CXDesktopApp.exe matches known malicious hashes. In addition, it has a 3CX-certified certificate attached. 

HSBC, a British multinational bank with a presence in more than 155 countries, offered software development services involving Linux backdoors revealed by ESET researchers. It is believed that anyone who double-clicked on the PDF offer letter downloaded ESET's SimplexTea backdoor for Linux, an operating system known for its lack of security.

SimplexTea has similarities to Bluecall, a North Korean backdoor for Windows computers that had already been identified. This includes the use of domains to construct secure TLS connections similar to SimplexTea domains.  

It is also worth noting that the SimplexTea backdoor used the same core implementation of the A5/1 cipher used by North Korean hackers to sabotage Sony Pictures' release of the comedy "The Interview", which depicts Kim Jong Un's death by fiery helicopter as a camera pans through the company's offices. 

In addition to this direct connection, Eset also mentions that it shares the network infrastructure with the Trojanized VoIP software that serves as the backdoor for the 3CX hackers. As a command-and-control domain, each of these programs uses journalide.org as its point of control. There is also a similar method of loading the configuration files for SimplexTea malware and 3CX malware. 

In a statement released by ESET, the North Korean actors have been identified as the Lazarus Group. Despite this, Mandiant has identified the documents as likely associated with UNC4736, also known as AppleJeus, a Pyongyang hacking activity motivated by profit. 

According to Conversant Group's chief executive officer, John Anthony Smith, this Linux-based malware attack shows how threat actors are continuously expanding their arsenals, targets, tactics, and reach to circumvent security controls and practices in place. There is a growing trend among threat actors to expand the range of their malware variants to affect more systems, he added.
Read more »
Thallium
APT43 Archipelago Cyber Attacks Hacker group Kimsuky Mandiant Threat Intelligence North Korea security threat Spear Phishing Thallium

APT43: Cyberespionage Group Targets Strategic Intelligence


APT43, also known as Kimsuky or Thallium, recently exposed by the Mandiant researchers, is a cyberespionage threat group supporting the objectives of the North Korean regime. By conducting credential harvesting attacks and successfully compromising its targets using social engineering, ATP43 concentrates on gathering strategic intelligence. 

Mandiant, which has been tracking APT43 since 2018, noted that the threat group supports the mission of the Reconnaissance General Bureau, North Korea's primary external intelligence agency. 

In terms of attribution indicators, APT43 shares infrastructure and tools with known North Korean operators and threat actors. Essentially, APT43 shares malware and tools with Lazarus. 

Targets of APT43 

Prior to 2021, the APT43 organization mostly targeted foreign policy and nuclear security challenges, but this changed in response to the global COVID-19 pandemic. 

APT43 primarily targets manufacturing products including fuel, machinery, metals, transportation vehicles, and weaponry whose sale to North Korea has been banned in South Korea, the U.S., Japan, and Europe. In addition to this, the group attacks business services, education, research and think tanks focusing on geopolitical and nuclear policy and government bodies. 

Spear Phishing and Social Engineering Techniques Used by APT 43 

Spear phishing is one of the primary methods used by APT43 to compromise its targets. The group frequently fabricates plausible personas, impersonating important figures. Ones they have succeeded in compromising one such individual, the threat group proceeds into using the person’s contact lists to aim further targets with spear phishing. 

In one such instance, exposed by Google, Archipelago (a subset of APT43) would send phishing emails where they portray themselves as a representative of a media outlet or think task asking the targeted victim for an interview. To view the questions, a link must be clicked, but doing so takes the victim to a phony Microsoft 365 or Google Drive login page. The victim is directed to a paper with questions after entering their credentials. 

According to the Google report, Archipelago tends to interact with the victim for several days in order to build trust before sending the malicious link or file. 

Another tactic used by Archipelago involves sending benign PDF files purportedly from a third party that alerts the recipient to fraudulent logins they should examine. 

Malware Families and Tools Used 

APT43 employs a variety of malware families and tools. Some of the public malware families used include Gh0st RAT, Quasar RAT, and Amadey. However, the threat group mostly uses a non-public malware called LATEOP or BabyShark, apparently developed by the group itself. 

How can you Protect Yourself from the APT43 Security Threat? 

Here, we have listed some measures that could ensure protection against  malicious APT43 attacks: 

  • Educate users about the social engineering techniques used by APT43 and Archipelago.  
  • Train users to detect phishing attempts and report them immediately to their security staff. 
  • Use security solutions to detect phishing emails or malware infection attempts. 
  • Keep operating systems and software up to date and patched. 

Moreover, professionals in the field of geopolitics and international politics are advised to be trained in detecting any approach from attackers or potential threat actors, posing as a journalist or a reporter. Careful identification and examination of such individuals approaching important figures must be taken into priority, prior to any exchange of information or intelligence.  

Read more »
WithSecure
Cyber Attacks Cyberespionage Cybersecurity Lazarus Group North Korea Ransomware WithSecure

Energy and Healthcare Firms Are The Focus of The Lazarus Group Once Again

 


The North Korean Lazarus Group, which was employed by the North Korean government to target medical research and energy organizations with cyberattack campaigns, was reported by security researchers on February 2.  

The campaign was discovered by threat intelligence analysts at WithSecure. They were trying to unravel a ransomware attack that they suspected had been launched against one of their customers. In the course of their investigation, they discovered evidence indicating that the Lazarus crew had committed an OpSec oversight that led to a key operational security (OpSec) slip-up, which provided them with proof that the event was part of a wider state-sponsored intelligence gathering campaign already being carried out by North Korea. 

Sami Ruohonen, the senior threat intelligence researcher for WithSecure, says his initial suspicion was that it was an attempted BianLian ransomware attack. 

Even though WithSecure had collected evidence in one direction, it quickly pointed in a different direction. Throughout the process of gathering more information, they became more and more confident that the attack had been perpetrated by a group associated with the North Korean government. Having discovered this, WithSecure concluded that it was indeed the Lazarus Group that had posed as the attack. 

The Path to Cyberespionage Begins With Ransomware 

It was the initial compromise and privilege escalation of the system that led them to the conclusion that they were engaged in this activity. In August, the Zimbra mail server was exploited using a known vulnerability that existed in an unpatched version of Zimbra. In one week, the threat actors had already accessed many gigabytes of data from the mailboxes on the server. The attacker used live-off-the-land (LotL) strategies along the way as he moved horizontally across the network by the end of October. The compromised assets began becoming connected to Cobalt Strike's command-and-control (C2) infrastructure in November, beginning the process of infiltrating almost 100GB of data from the network during the period between November and December.  

It is believed that the researchers dubbed this incident "No Pineapple" because it referred to an error message that was used in a backdoor that was used by the bad guys that replied > No Pineapple! > When the data size exceeds the segmented byte size, the operation fails. 

Based on the malware, the TTP, and a couple of unique findings, the researchers feel that there is a high degree of confidence in their identification of Lazarus group activity. Data exfiltration involves several key actions, one of which is critical. Several suspicious web pages appeared to be connected to a North Korean IP address for a short time, as a result of an attacker-controlled Web shell. Even though the country only has fewer than a thousand of these addresses, at first the researchers wondered if they had made a mistake. However, they later confirmed that they had not. 

The attacker showed exemplary tradecraft and still managed to carry out considered actions on carefully selected endpoints despite this OpSec failure, Tim West, head of WithSecure’s threat intelligence unit, commented on the actor’s performance. 

Upon digging deeper into the incident, the researchers discovered that additional victims were also identified as a result of the attack as the investigation proceeded. The victims were identified based on their connections to a C2 server that was controlled by threat actors during the attack. There are many espionage motives involved in this process, which points to a much larger effort than was first suspected as being the target. 

Among the hundreds of victims, several companies in the healthcare sector suffered losses including a company that researches healthcare. In addition, a company that manufactures technology utilized in the energy, defense, research, and healthcare sectors. 

During the third quarter of 2022, most of the breaches that have been reported occurred because of the infrastructure that researchers noticed in May. According to the victimology of the campaign, analysts consider the threat actor to have intentionally targeted the supply chain of the industry verticals of medical research and energy. This is based on the victimology of the campaign. 

Lazarus Never Remained Down for Long 

It is widely believed that the Foreign Intelligence and Reconnaissance Bureau of North Korea is responsible for the long-running Lazarus threat group that has been operating for over a decade. Researchers have confirmed that the group has been involved in hacking activities at least as far back as 2009. It has been responsible for an increasing number of attacks since then. It has only been a matter of short intervals where the man has been thrown to the ground between periods of standing. 

This anti-terrorist operation serves both a financial purpose - it is an extremely valuable source of revenue for the regime - as well as a spying purpose. As early as 2022, there were many reports of Lazarus providing sophisticated attacks against Apple of their M1 chip as well as fake job posting scams using Apple's M1. It should be noted that a similar attack took place last April. Computers were used to upload malicious files, disguised as job offers for highly attractive dream jobs, to targets in the chemical sector and information technology. 

As of last week, the FBI confirmed that the Lazarus Group, a group of cyber threat actors from the United States, was implicated in the theft of $100 million worth of virtual currency last June from the cross-chain technology created by Harmony to exchange data across blockchains, termed Horizon Bridge, owned by the blockchain company Harmony. According to estimates provided by the FBI, because of the actions of the group in the Horizon Bridge heist, the group was able to launder more than $60 million worth of Ethereum by using the Railgun privacy protocol in January. There has been a report that authorities were able to freeze "some of these funds."
Read more »
North Korea
Bitcoin cryptocurrency Cyber Security Cyberattacks FBI Hackers Harmony Bridge Lazarus Groups North Korea

A $100 Million Theft Has Been Attributed to the Lazarus Group by the FBI

 


A $100 million cryptocurrency heist was committed by the Lazarus Group last June, which has been blamed by the FBI for the crime. Known for stealing cryptocurrency to help support the military and weapons programs of the North Korean government, this team is associated with the North Korean government. 

A statement released by the FBI on Tuesday identified Lazarus Group, which is also known as APT38, as the perpetrators of the June 24 attack on the Harmony Horizon bridge. The FBI released this information. In the course of this attack, $100 million worth of Ethereum was lost. Harmony Horizon is a bridge that allows you to connect Ethereum, Bitcoin, Binance Chain, and Harmony with the aforementioned cryptocurrency systems. The Ethereum bridge was accessed by attackers in June of this year and the cryptocurrency was stolen. 

There has been a reported theft on the Horizon bridge this morning for approximately $100MM, which was discovered by the Harmony team. At the time of the incident, Harmony said that they had begun to work with national authorities and forensic specialists to identify the perpetrator. In addition, they had begun to regain the funds that had been stolen. 

As a team, the FBI and the Department of Justice's National Cryptocurrency Enforcement Team have combined to investigate the Harmony heist, as well as several United States attorneys' offices. Earlier this week, the FBI announced that the Lazarus Group had been responsible for the attack and used its malware tool TraderTraitor as part of its operation. This malware was one of the components of the attack. 

"During the June 2022 heist, North Korean cyber actors, who used an encryption protocol known as Railgun, a privacy protocol, gained access to over $60 million worth of Ethereum (ETH) that had been stolen. It is believed that a portion of the stolen Ethereum from this theft was sent to several virtual asset services for conversion into bitcoin (BTC)," the FBI said in a statement released by the bureau. 

Lazarus Group is a North Korean security firm that has been active for several years. It is closely associated with the North Korean government and typically pursues the interests of the government. A successful attack by this group on the Bank of Bangladesh in 2016 netted it $81 million. Since then, Lazarus has continued to operate against banks and crypto exchanges to fund its operations. 

Lazarus Group is a group of companies that specialize in penetrating cryptocurrency firms and exchanges, as well as other targets. This is done with the use of their tools that are integrated into TraderTraitor. Oftentimes, these tactics begin when hackers send phishing emails to employees at a target company. They entice them to download malicious files in the hopes that they will be able to decipher what they are downloading. 

Many of these messages are disguised as recruitment efforts and offer high-paying jobs to entice recipients to download cryptocurrency applications laced with malware, also known as TraderTraitor by the U.S. government, according to a CISA advisory released in April. 

TraderTraitor is the term used to describe a series of malicious applications that are written using cross-platform JavaScript and run on the Node.js runtime running on Electron using the Node.js runtime environment. Several malicious open-source applications have been downloaded into the system, posing as tools that can help traders or price forecasters trade cryptocurrencies. TraderTraitor campaigns promote the alleged features of the applications on websites with modern designs. 

Several intrusions carried out by the Lazarus Group have used TraderTraitor as part of their investigations, and they have been quite successful in doing so. There was also another tool they used, a macOS backdoor called AppleJeus, which they implemented along with more advanced ways. 

In addition to spreading cryptocurrency trading applications modified to contain malware that facilitates cryptocurrency theft, the Lazarus Group also distributed AppleJeus trojanized cryptocurrency applications targeting individuals and companies, including cryptocurrency exchanges and financial services firms. 

According to the advisory, the North Korean regime will likely continue to exploit the vulnerabilities of cryptocurrency technology companies, gaming companies, and exchanges. This will enable it to generate and launder funds to support its regime. 

During the Harmony intrusion, the Lazarus Group moved bitcoin to several exchanges, which the FBI worked with to freeze those assets.
Read more »
Telegram
Crypto Cyber Attacks DEV Excel Files lazarus Lazarus APT Lazarus Group Microsoft North Korea Telegram

North Korean Lazarus Group Targeting Crypto Market via Telegram & Excel File


DEV-0139 uses targeted attacks to steal cryptocurrency investments 

Microsoft has identified a threat actor that has been targeting cryptocurrency investment startups. An entity that Microsoft has termed as DEV-0139 posed as a cryptocurrency investment firm on Telegram and used an Excel file deployed with malicious "well-crafted" malware to attack systems and access them remotely. 

The threat is part of a trend in cyberattacks showing a high degree of sophistication. In our case, the threat actor made a fake OKX employee profile and joined Telegram groups used for facilitating communication between VIP clients and cryptocurrency exchange platforms. 

In recent years, the cryptocurrency market has grown exponentially, getting the attention of investors as well as threat actors. Cybercriminals have used cryptocurrency for their attacks and campaigns, especially for ransom payment in ransomware attacks. 

DEV-0139 uses Telegram and Excel files to target victim

There has also been a rise in threat actors directly attacking organizations in the cryptocurrency industry for monetary motives. Cyberattacks targeting the cryptocurrency market come in various forms, this includes fraud, vulnerability exploitation, fake apps, and use of info stealers, threat actors use these variables to steal cryptocurrency funds. 

In October, the victim was asked to join a new group and then asked to provide feedback on an Excel document that compared Binance, OKX, and Huobi VIP fee structures. 

The document offered correct information and high awareness of the ground reality of crypto trading, however, it also sideloaded an infected. DLL (Dynamic Link Library) file to make a backdoor into the user's system. The victim was then told to view the .dll file while discussing the course fees. 

According to Microsoft, the weaponized Excel file initiates the following series of activities:

  • A malicious macro in the weaponized Excel file abuses the UserForm of VBA to obfuscate the code and retrieve some data.
  • The malicious macro drops another Excel sheet embedded in the form and executes it in invisible mode. The said Excel sheet is encoded in base64 and dropped into C:\ProgramData\Microsoft Media\ with the name VSDB688.tmp
  • The file VSDB688.tmp downloads a PNG file containing three executables: a legitimate Windows file named logagent.exe, a malicious version of the DLL wsock32.dll, and an XOR-encoded backdoor.
  • The file logagent.exe is used to sideload the malicious wsock32.dll, which acts as a DLL proxy to the legitimate wsock32.dll. The malicious DLL file is used to load and decrypt the XOR-encoded backdoor that lets the threat actor remotely access the infected system.

The attack method is popular, Microsoft suggests the attacker was the same as the one running .dll files for the same reasons in June, and also behind other cyberattack instances as well. As per Microsoft, DEV-0139 is the same threat actor that cybersecurity agency Volexity associated with North Korea's state-sponsored Lazarus Group. 

It uses a malware strain called AppleJeus and an MSI (Microsoft installer). The United States federal Cybersecurity and Infrastructure Security Agency reported on AppleJeus last year and Kaspersky Labs documented it in 2020. 

To stay safe from such threats, Microsoft suggests:

1. Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.

2. Educate end users about protecting personal and business information in social media, filtering unsolicited communication (in this case, Telegram chat groups), identifying lures in spear-phishing emails and watering holes, and reporting reconnaissance attempts and other suspicious activity.

3. Educate end users about preventing malware infections, such as ignoring or deleting unsolicited and unexpected emails or attachments sent via instant messaging applications or social networks. Encourage end users to practice good credential hygiene and make sure the Microsoft Defender Firewall (which is enabled by default) is always on to prevent malware infection and stifle propagation.

4. Change Excel macro security settings to control which macros run and under what circumstances when you open a workbook. Customers can also stop malicious XLM or VBA macros by ensuring runtime macro scanning by Antimalware Scan Interface (AMSI) is on. This feature—enabled by default—is on if the Group Policy setting for Macro Run Time Scan Scope is set to “Enable for All Files” or “Enable for Low Trust Files”.

5. Turn on attack surface reduction rules to prevent common attack techniques observed in this threat:

  • Block Office applications from creating executable content
  • Block Office communication application from creating child processes
  • Block Win32 API calls from Office macros
6. Ensure that Microsoft Defender Antivirus is up to date and that real-time behavior monitoring is enabled.

The cryptocurrency market is a lucrative interest for cybercriminals. Targeted victims are identified via trusted channels to better the chance of attack. While hackers prefer targeting big organizations, smaller organizations can also become an easy target of interest. 






Read more »
User Security
Cyber Attacks North Korea Ransomware State Sponsored Hackers User Security

North Korea Ransomware Attempt, Siphon Funds From an Israeli Company


Getting into financial institutions' systems and using hackers is a known tactic of North Korea, it nearly took down the Central Bank of Bangladesh by this practice. 

North Korean Hackers Strike Again

Earlier this week, North Korea tried to get access to the systems of an Israeli company that does business in the field of cryptocurrency and extracts the money that Pyongyang planned to use for its nuclear program. 

The hacking attack was done by North Koreans disguising themselves as the company's Japanese supplier. The hacking attempt was immediately caught by cybersecurity personnel from the "Konfidas" agency, which was able to stop the hack. 

Malicious files used to get control over systems

Authorities say the attempt was sophisticated and professional, unique tools were used- something that caught the eye of concerned authorities in Israel. 

The attacks do not happen overnight. There is a pattern behind the operation of most attacks, in the first step, the hacker does a conversation with the person on the other end, and gains your trust. After that, the hacker sends a malicious file containing the virus which is aimed to infiltrate the computer. 

Once the file reaches the computer, it will start spreading out on the network and access financial assets or data that the hacker wants, and in the end, can do whatever he wishes. 

Ransom motive behind the attack

Ransom demands generally happen in financial attacks, threat actors behind them are cyber criminals who intend to steal data and ask for ransom in exchange for not leaking the data and releasing the systems. 

In this particular incident, the North Korean mode of operation is a pattern in which the actors simply spy, steal money, and vanish. There is no user interaction except that he has to open the malicious files which allow the hacker to take control of the systems. 

North Korean hacking patterns

North Korean hackers are believed to be behind the theft of around $100 million in cryptocurrency from a US company earlier this year in June, as the country is trying to manage funding for its nuclear and ballistic missile programs. 

The assets were stolen from "Horizon Bridge," a Harmony blockchain service that lets assets to be sent to other blockchains. Following the theft, the activities by threat actors suggest that they may be linked to North Korea. Experts believe these actors to be highly skilled in the field of cyber penetration attacks. 


Read more »
Nuclear Programme
Cryptocurrencies cryptocurrency Cyber Attacks Cyberattack North Korea North Korean Hackers Nuclear Programme

North Korea Uses Stolen Cryptoassets to fund its Nuclear Weapons Programs

International investigators and researchers have claimed that North Korea, in recent months is responsible for stealing $300 million worth of Bitcoin and other cryptocurrencies, which was done through hacking and other mass cyberattacks. 
 
The crypto assets are allegedly stolen in order to pay for North Korea's nuclear weapons program. In regards to this, a row has broken out in South Korean political circles over Korea's politicians’ and other leaders' ties to crypto developer Virgil Griffith. 
 
This development comes after North Korea’s missile launches have intensified in the past 10 days. In the wake of the recent nuclear attacks on the island of Hokkaido, more than 5 million Japanese citizens were urgently ordered to take cover as a protective measure. Pyongyang claims that these missile launches were “simulations” for nuclear attacks on South Korea. 
 
As per Military analysts, a large part of this missile launch is being funded, using the stolen cryptocurrency. North Korea is believed to have employed thousands of well-trained hackers, who have affected South Korean businesses and organizations. It has also been accused of exploiting its cyber skills for financial gains. 
 
According to Yonhap, one of South Korea's major news sources, the UN Security Council’s North Korea Sanctions Panel has blamed the North Korean cyber organization such as ‘Lazarus Group’ for Ronin Bridge and the Harmony bridge hack. 
 
As per the experts, the hermit state is utilizing the absence of worldwide regulatory constraints on cryptocurrencies, in order to steal cryptocurrencies to fund nuclear weapons and missile projects. 
 
In an interview with the VOA Korean Service, Jason Barlett, a researcher at the Center for a New American Security (CNAS) stated, “Cryptocurrency offers Pyongyang a new kind of currency that is substantially less regulated and understood by national governments, financial institutions, and institutions, and international organizations.”  
 
In accordance with a report by Nikkei Asia, North Korea is in the penultimate phase, to prepare for a nuclear weapon test, with such incidents pointing to the excavation of an underground tunnel and testing of triggering mechanisms.
Read more »
Vulnerabilities and Exploits
Bugs Flaws Hackers Log4j North Korea Security Researchers Threat Intelligence Vulnerabilities and Exploits

Lazarus Hackers are Using Log4j to Hack US Energy Companies

 

A new cyber espionage campaign targeting US, Canadian, and Japanese energy providers has been linked to the North Korean state-sponsored Lazarus hacking group, according to security researchers.

Cisco Talos, a threat intelligence company, announced Thursday that Lazarus, also known as APT38, was observed targeting unidentified energy providers in the United States, Canada, and Japan between February and July of this year. 

According to Cisco's findings, the hackers exploited a year-old Log4j vulnerability known as Log4Shell to compromise internet-exposed VMware Horizon servers in order to gain an initial foothold on a victim's enterprise network before deploying bespoke malware known as "VSingle" and "YamaBot" to gain long-term persistent access. 

Japan's national cyber emergency response team, known as CERT, recently linked YamaBot to the Lazarus APT. Symantec first disclosed information of this espionage campaign in April of this year, attributing the operation to "Stonefly," another North Korean hacking group with some overlaps with Lazarus.

However, Cisco Talos discovered a previously unknown remote access trojan (RAT) called "MagicRAT," which is attributed to the Lazarus Group and is used by hackers for reconnaissance and credential theft.

Talos researchers Jung soo An, Asheer Malhotra, and Vitor Ventura, “The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives. This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.”

However, in recent months, the group has shifted its focus to blockchain and cryptocurrency organisations. It has been associated with the recent thefts of $100 million in cryptocurrency from Harmony's Horizon Bridge and $625 million in cryptocurrency from the Ronin Network, an Ethereum-based sidechain created for the popular play-to-earn game Axie Infinity.

Pyongyang has long used stolen cryptocurrency and information theft to finance its nuclear weapons programme. In July, the United States offered a $10 million reward for data on members of state-sponsored North Korean threat groups, including Lazarus, more than doubling the amount previously offered. The State Department made the announcement in April.

The Lazarus Group is a North Korean-backed hacking organisation best known for the high-profile Sony hack in 2016 and the WannaCry ransomware attack in 2017. Lazarus is also motivated by efforts to support North Korea's state objectives, such as military R&D and evasion of international sanctions.
Read more »
Web browser
Emails North Korea SharpTongue Vulnerabilities and Exploits Web browser

SharpTongue: A Malware from North Korea that Monitors Emails

About SharpTongue

Threat actor SharpTongue, which is linked to North Korea, was found using a malicious extension on Chromium-based browsers to keep surveillance on victims' Gmail and AOL email accounts. Experts from cybersecurity agency Volexity found the hackers as SharpTongue, but its activities coincide with one of the Kimsuky APT groups. 

The SharpTongue's toolset was covered by Huntress in 2021 in a published report, but in September 2021, Volexity started noticing usage of earlier unreported Malware strain, in the past year. Volexity has looked over various cybersecurity cases which involve SharpTongue and in most of the incidents, hackers use a malicious Microsoft Edge or Google Chrome extension known as "SHARPEXT." 

How does SharpTongue operate?

Contrary to other extensions in use by the Kimsuky APT group, SHARPEXT doesn't steal passwords or usernames, however, it accesses the target's webmail account while they're browsing it. The present version of the extension backs three browsers and is capable of stealing the contents of e-mails from AOL webmail and Gmail accounts. 

The report analysis says that SHARPEXT is a malicious browser extension deployed by SharpTongue following the successful compromise of a target system. In the first versions of SHARPEXT investigated by Volexity, the malware only supported Google Chrome. 

The current variant 3.0 supports three browsers:

  • Edge
  • Chrome
  • Whale (It is used in South Korea)

The attack process

The attack chain begins with hackers manually extracting files required to install extensions from the malicious workstation. After a breach of the victim's Windows system, the hackers change the web browser's Preferences and Secure Preferences. 

After that, hackers manually deploy SHARPEXT via a VBS script and enable the DevTools panel in the active tab to keep surveillance on the email contents and steal file attachments from the target's mail account. This is done via PowerShell script, hackers also conceal warning messages running developer mode extensions. 

Security Affairs report, "experts pointed out that this is the first time the threat actor used malicious browser extensions as part of the post-exploitation phase. Stealing email data from a user’s already-logged-in session makes this attack stealthy and hard to be detected by the email provider. The researchers shared the YARA rules to detect these attacks and Indicators of Compromise (IOCs) for this threat."


Read more »
US Goverment
Bounty Program Cyber Security North Korea North Korean Hackers US Goverment

US State Department Offers $10 Million for Information on North Korean Hackers

 

The US government has disclosed it is offering up to $10m as a reward for information on people linked with North Korean state-sponsored hacking groups. 

The US State Department revealed Tuesday it is interested in information on hackers that are part of groups including Lazarus Group, Guardians of Peace, Kimsuky, and APT38 amongst others. 

“If you have information on any individuals associated with North Korean government-linked malicious cyber groups (such as Andariel, APT38, Bluenoroff, Guardians of Peace, Kimsuky, or Lazarus Group) and who are involved in targeting US critical infrastructure in violation of the Computer Fraud and Abuse Act, you may be eligible for a reward,” read a notice posted to Twitter. 

The North Korean hacking group is the only one to be called out by name on the Rewards for Justice site, which otherwise explains the purpose of the program is to generate useful information “that protects Americans and furthers US national security.” It says rewards are also offered for information on “the financial mechanisms of individuals engaged in certain activities to support the North Korean regime.” 

The amount is double the bounty the government offered in March 2022 for information on DPRK-backed hackers targeting crypto exchanges and financial institutions worldwide to support the Kim Jong-un regime's illegal operations. 

Lazarus, for example, has been blamed for various high-profile cyberattacks, including the world’s biggest ever crypto-heist when $618m was stolen from Vietnamese developer Sky Mavis and its Ronin Network. In 2020, the hackers exfiltrated $281m from Singapore-headquartered cryptocurrency exchange KuCoin. 

The North Korean hackers have also infiltrated mobile phones of well-known personalities, including particular South Korean legislators, to obtain their private data, claimed Mun Chong Hyun, head of the EST security response center (ESRC). He said hackers target organizations on North Korea's websites or build counterfeit Facebook accounts for those functioning in the North Korean industry on an ongoing basis. 

Last year, the US Department of Justice unsealed a federal incitement of several suspected members of the infamous Lazarus Group (APT38), said to be linked to military intelligence agency the Reconnaissance General Bureau (RGB). However, North Korea is a notoriously secretive and globally isolated state, making traditional intelligence-gathering efforts challenging. 

In 2019, the U.S. Treasury Department banned three North Korean hacking groups (Lazarus Group, Bluenoroff, and Andariel) for funneling financial assets they stole in cyberattacks to the North Korean government.
Read more »
North Korean Hackers
Breach Crypto Crime Data Breach Lazarus Group North Korea North Korean Hackers

Lazarus Group Responsible For $100M Crypto-Heist


Cyber security researchers have found Lazarus Group responsible for stealing $100m worth of crypto via Harmony's Horizon Bridge, a California-based company. Lazarus group is a popular North Korean state-sponsored hacking group that was also behind $620 million worth of crypto theft from the Ronin exchange in March. 

Following the incident, the Harmony cybersecurity team was warned of the attack last week by blockchain forensics company Elliptic that the institution has been attacked by a cross-chain bridge. 

“There are strong indications that North Korea’s Lazarus Group may be responsible for this theft, based on the nature of the hack and the subsequent laundering of the stolen funds,” Elliptic wrote. 

Additionally, Reuters reported that Chainalysis, a blockchain firm is also investigating with Harmony; it claims that the attack style is similar to previous attacks attributed to North Korea-linked actors.

“On Thursday, June 23, 2022, the Harmony Protocol team was notified of a malicious attack on our proprietary Horizon Ethereum Bridge. At 5:30 AM PST, multiple transactions occurred that compromised the bridge with 11 transactions that extracted tokens stored in the bridge,” the company said in its blog. 

As the name suggests, Blockchain bridges allow users to transfer their crypto assets from one blockchain to another. The malicious actors stole $100 million in crypto assets, including Ethereum (ETH), Binance Coin, Tether, USD Coin, EOS, and Dai. 

Elliptic said that the hack was carried out by compromising the cryptographic keys of a multi-signature wallet, a technique that is popularly used by the suspected groups. 

“Lazarus Group tends to focus on APAC-based targets, perhaps for language reasons referring to the Asia-Pacific region. Although Harmony is based in the US, many of the core team has links to the APAC region,” Elliptic added. 

Further, the report suggests that after two days of attack Harmony offered to pay a $1 million bounty to the group for the return of Horizon bridge funds. Also, researchers reported that they have found the offenders behind the $100 million hack.
Read more »
Subscribe to: Posts (Atom)