Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label North Korea Hackers. Show all posts
Vulnerabilities and Exploits
CISA cyber threat DLL hijacking North Korea North Korea Hackers Security Breach Vulnerabilities and Exploits

Navigating the Complex Landscape of Cyber Threats: Insights from the Sisense Breach and North Korean Tactics

 

In the intricate tapestry of cybersecurity, recent events have thrust vulnerabilities and threats into the spotlight once again. The breach of data analytics powerhouse Sisense, coupled with the emergence of novel sub-techniques utilized by North Korean threat actors, underscores the dynamic and relentless nature of cyber warfare. Let's delve deeper into these incidents and glean valuable insights for bolstering our defenses against evolving cyber threats. 

Sisense, a formidable player in the realm of business intelligence software, recently found itself ensnared in a security breach that rippled through critical infrastructure organizations. With offices sprawled across strategic locations such as New York City, London, and Tel Aviv, and a prestigious clientele including Nasdaq, ZoomInfo, Verizon, and Air Canada, Sisense's allure to cyber adversaries is palpable. 

The breach, currently under scrutiny by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), serves as a stark reminder of the precarious balance between innovation and security in today's digital landscape. At the heart of the Sisense breach lie two sub-techniques that have become favoured tools in the arsenal of North Korean threat actors. The first involves the manipulation of Transparency, Consent, and Control (TCC), a foundational security protocol governing application permissions on Apple's macOS. 

Despite the robustness of security measures such as Full Disk Access (FDA) and System Integrity Protection (SIP), attackers have exhibited a remarkable ability to circumvent these controls, gaining unfettered access to macOS environments. This tactic underscores the imperative of continuous monitoring and adaptive security strategies to thwart the nefarious designs of cyber adversaries. 

The second sub-technique, colloquially known as "phantom" Dynamic Link Library (DLL) hijacking, sets its sights on Windows environments, leveraging nonexistent DLL files referenced by the operating system. By capitalizing on this loophole, threat actors such as the Lazarus Group and APT 41 can inject malicious code undetected, posing a grave threat to system integrity. 

The clandestine nature of this tactic exemplifies the ingenuity and adaptability of cyber adversaries in navigating the labyrinthine landscape of cybersecurity defenses. Mitigating these sophisticated threats necessitates a multifaceted approach that encompasses both technical fortifications and user awareness initiatives. For macOS users, safeguarding the integrity of System Integrity Protection (SIP) and exercising caution with app permissions are imperative steps in mitigating the risk of TCC manipulation. 

In Windows environments, proactive monitoring, robust application controls, and preemptive measures to block remote DLL loading are indispensable in thwarting phantom DLL attacks. Moreover, fostering a culture of collaboration and information sharing between industry stakeholders and government agencies is paramount in confronting the ever-evolving threat landscape. 

By pooling resources, sharing threat intelligence, and adopting a unified front against cyber adversaries, organizations can amplify their collective resilience and fortify their defenses against emerging threats. 

In conclusion, the Sisense breach and the intricate tactics employed by North Korean threat actors serve as poignant reminders of the relentless onslaught of cyber threats. By remaining vigilant, proactive, and collaborative, organizations can navigate the turbulent waters of cybersecurity with resilience and fortitude, safeguarding their digital assets and preserving the integrity of our interconnected world.
Read more »
North Korea Hackers
Crypto Hacking cryptocurrency cryptocurrency theft Cyber Security Finance North Korea Hackers

The Week of Crypto Platform Breaches: Prisma Finance Incident Highlights

 

The past week witnessed a series of bewildering events in the realm of cryptocurrency, marked by breaches on two prominent platforms that left the crypto community grappling with perplexing motives and unexpected outcomes. 

The first incident unfolded on Tuesday evening when the Munchables blockchain-based game fell victim to an attack, resulting in the theft of approximately $62 million worth of cryptocurrency. Initial speculation pointed towards North Korea-linked hackers, given the country's history of targeting cryptocurrency platforms for financial gain. However, the situation took an unexpected turn when the alleged perpetrator voluntarily returned the stolen funds without any ransom demands. 

In a surprising twist, Munchables shared that the individual behind the attack had relinquished access to the private keys containing the stolen funds, expressing gratitude for their cooperation. Despite this resolution, questions lingered about the circumstances surrounding the incident, including the attacker's identity and motives, prompting calls for enhanced security measures within the crypto community. Shortly thereafter, another breach occurred on Thursday evening, this time affecting Prisma Finance, a popular decentralized finance (DeFi) platform, which suffered a loss of approximately $11.6 million. 

However, the aftermath of this breach was marked by cryptic messages from the hacker, who claimed the attack was a "white hat" endeavour aimed at highlighting vulnerabilities in the platform's smart contracts. The hacker, whose identity remained undisclosed, reached out to Prisma Finance seeking to return the stolen funds and engaging in a discourse about smart contract auditing and developer responsibilities. 

Despite the hacker's apparent altruistic intentions, the incident underscored the importance of rigorous security measures and comprehensive audits in the DeFi space. Prisma Finance later released a post-mortem report detailing the flash loan attack that led to the breach, shedding light on the exploitation of vulnerabilities in the platform. The report emphasized ongoing efforts to investigate the incident and ensure the safety of users' funds, highlighting the collaborative nature of the crypto community in addressing security breaches. 

These breaches come against the backdrop of heightened scrutiny of cyberattacks on cryptocurrency platforms, with a recent United Nations report identifying North Korean hackers as key perpetrators. The report highlighted a staggering $3 billion in illicit gains attributed to North Korean cyberattacks over a six-year period, underscoring the persistent threat posed by state-sponsored hackers in the crypto space. 

As the investigation into these breaches continues, the crypto community remains vigilant, emphasizing the importance of robust security measures and proactive collaboration to safeguard against future threats. While the motives behind these breaches may remain shrouded in mystery, the incidents serve as a stark reminder of the ever-present risks associated with digital assets and the imperative of maintaining heightened security protocols in the evolving landscape of cryptocurrency.
Read more »
Python Package
App Developers Japan Malicious Package malware North Korea Hackers Python Package

Japan Blames Lazarus for PyPi Supply Chain Attack

 

Japanese cybersecurity officials issued a warning that North Korea's infamous Lazarus Group hacking group recently launched a supply chain attack on the PyPI software repository for Python apps. 

Threat actors disseminated contaminated packages with names like "pycryptoenv" and "pycryptoconf" that are comparable to the real "pycrypto" encryption tools for Python. Developers who are duped into installing the malicious packages onto their Windows workstations are infected with a severe Trojan called "Comebacker.” 

"The malicious Python packages confirmed this time have been downloaded approximately 300 to 1,200 times," Japan CERT noted in a warning issued late last month. "Attackers may be targeting users' typos to have the malware downloaded.” 

Comebacker is a general-purpose Trojan that can be used to deliver ransomware, steal passwords, and infiltrate the development pipeline, according to analyst and senior director at Gartner Dale Gardner. 

The trojan has been used in multiple attacks linked to North Korea, including one against a npm software development repository. 

Impacting Asian Developers

Since PyPI is a centralised service with a global reach, developers worldwide should be aware of the most recent Lazarus Group campaign. 

"This attack isn't something that would affect only developers in Japan and nearby regions," Gardner explains. "It's something for which developers everywhere should be on guard." 

Several experts believe non-native English speakers may be more vulnerable to the Lazarus Group's most recent attack. Due to communication issues and limited access to security information, the attack "may disproportionately impact developers in Asia," stated Taimur Ijlal, a tech specialist and information security leader at Netify. 

According to Academic Influence's research director, Jed Macosko, app development groups in East Asia "tend to be more tightly integrated than in other parts of the world due to shared technologies, platforms, and linguistic commonalities." He believes intruders may be looking to take advantage of regional ties and "trusted relationships." 

Small and startup software businesses in Asia often have lower security budgets than their Western counterparts, according to Macosko. "This means weaker processes, tools, and incident response capabilities — making infiltration and persistence more attainable goals for sophisticated threat actors.” 

Cyber Defence

Protecting application developers from software supply chain threats is "difficult and generally requires a number of strategies and tactics," Gartner's Gardner explained. 

Developers should use extra caution and care while downloading open source dependencies. Given the amount of open source used today and the pressures of fast-paced development environments, it's easy for even a well-trained and vigilant developer to make a mistake, Gardner added. 

Gardner recommends using software composition analysis (SCA) tools to evaluate dependencies and detect fakes or legitimate packages that have been compromised. He also suggests "proactively testing packages for the presence of malicious code" and validating packages using package managers to minimise risk.
Read more »
United States
Cyber Security Nation-State Attack North Korea Hackers Threat Landscape U.S. Treasury United States

U.S. Treasury Sanctions Eight Foreign-Based Agents and North Korean Kimsuky Attackers

 

"The Office of Foreign Assets Control (OFAC) of the US Department of Treasury recently announced that it has sanctioned the cyberespionage group Kimsuky, also known as APT43, for gathering intelligence on behalf of the Democratic People's Republic of Korea (DPRK). 

Sanctions imposed by the United States are technically in response for a North Korean military reconnaissance satellite launch on Nov. 21, but they are also intended to deprive the DPRK of revenue, materials, and intelligence needed to sustain its weapons of mass destruction development programme, according to the Treasury's sanctions announcement. 

The Lazarus Group and its subsidiaries Andariel and BlueNoroff were subject to similar sanctions by the OFAC in September 2019—more than four years ago. Kimsuky is the target of these sanctions as it gathers intelligence to support the regime's strategic goals. 

Kimsuky is a well-known cyber espionage group that primarily targets governments, nuclear organisations, and foreign relations entities in order to gather intelligence that serves North Korea's interests. It is also known by the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly known as Thallium), Nickel Kimball, and Velvet Chollima.

"The group combines moderately sophisticated technical capabilities with aggressive social engineering tactics, especially against South Korean and U.S.-based government organisations, academics, and think tanks focused on Korean peninsula geopolitical issues," Mandiant, which is owned by Google, stated in October 2023. 

Similar to the Lazarus Group, it is a part of the Reconnaissance General Bureau (RGB), which is in charge of intelligence gathering operations and is North Korea's main foreign intelligence service. At least since 2012, it has been known to be active. 

"Kimsuky employs social engineering to collect intelligence on geopolitical events, foreign policy strategies, and diplomatic efforts affecting its interests by gaining illicit access to the private documents, research, and communications of their targets," the Treasury stated.

The agency also named Choe Song Chol and Im Song Sun for managing front companies that made money by exporting skilled workers; Kang Kyong Il, Ri Sung Il, and Kang Phyong Guk for serving as weapons sales representatives; and So Myong, Choe Un Hyok, and Jang Myong Chol for participating in illegal financial transfers to acquire materials for North Korea's missile programmes.
Read more »
UK
Cyber Security Joint Advisory North Korea Hackers South Korea Threat Intelligence UK

UK and South Korea Issue Joint Advisory Over North Korea-Linked Cyber Assaults

 

The UK and South Korea have issued warnings that cyber attacks by North Korean state-linked groups are becoming more sophisticated and widespread.

The two countries' cyber security and intelligence agencies have issued a new joint advisory urging organisations to strengthen their security measures in order to minimise the risk of their systems being compromised. 

According to the UK's National Cyber Security Centre (NCSC), which is part of GCHQ, and the South Korean National Intelligence Service (NIS), hackers have been leveraging previously unknown vulnerabilities and exploits in third-party software in their supply chains to gain access to an organisation's systems. 

Both agencies expressed concern that such assaults on the software-based supply chain pose a particularly major threat because a single initial breach can affect a number of organisations and lead to subsequent attacks, resulting in greater disruption or the deployment of ransomware.

The joint advisory warns that organisations should take measures to safeguard themselves as these kinds of attacks, which are backed by North Korea, are likely to escalate. 

Paul Chichester, NCSC director of operations, stated: “In an increasingly digital and interconnected world, software supply chain attacks can have profound, far-reaching consequences for impacted organisations. 

"Today, with our partners in the Republic of Korea, we have issued a warning about the growing threat from DPRK (North Korea) state-linked cyber actors carrying out such attacks with increasing sophistication.

“We strongly encourage organisations to follow the mitigative actions in the advisory to improve their resilience to supply chain attacks and reduce the risk of compromise.” 

President Yoon Suk Yeol of South Korea is currently on a state visit to the UK. This joint advisory marks the first time the NCSC has issued a warning of this nature without collaboration from other Five Eyes agencies in Australia, Canada, New Zealand, and the US. 

This is not the first instance that hackers have targeted their enemies. In 2017, North Korea launched a cyberattack on global hospitals, businesses, and banks. And in 2014, its hackers reportedly targeted Sony Pictures in retaliation for a satirical film about their leader, Kim Jong Un.
Read more »
Vulnerabilities and Exploits
Hacking Team Internet Provider North Korea Hackers Threat Landscape Vulnerabilities and Exploits

Lazarus Employs Public ManageEngine Exploit to Breach Internet Firms

 

The North Korean state-backed hacking group Lazarus has been compromising an internet backbone infrastructure provider and healthcare organisations by exploiting a major flaw (CVE-2022-47966) in Zoho's ManageEngine ServiceDesk. 

The attacks kicked off earlier this year with the goal of infiltrating companies in the United States and the UK in order to disseminate the QuiteRAT malware and a newly found remote access trojan (RAT) known as CollectionRAT. 

CollectionRAT was discovered after researchers analysed the infrastructure employed by the campaigns, which the threat actor had previously used for past assaults. 

Targeting internet firms 

Researchers at Cisco Talos observed attacks against UK internet enterprises in early 2023 when Lazarus exploited CVE-2022-47966, a pre-authentication remote code execution bug impacting numerous Zoho ManageEngine products.

"In early 2023, we observed Lazarus Group successfully compromise an internet backbone infrastructure provider in the United Kingdom to successfully deploy QuiteRAT. The actors exploited a vulnerable ManageEngine ServiceDesk instance to gain initial access," researchers at Cisco Talos stated. 

According to the analysts, Lazarus began employing the attack just five days after it became public. Multiple hackers used the exploit in attacks, as discovered by Rapid7, Shadowserver, and GreyNoise, forcing CISA to issue a warning to organisations. 

Lazarus hackers dropped the QuiteRAT malware from an external URL after exploiting the vulnerability to infiltrate a target.

QuiteRAT, found in February 2023, is described as a basic yet powerful remote access trojan that appears to be a step up from the more well-known MagicRAT, which Lazarus deployed in the second part of 2022 to target energy suppliers. 

The nalware's code is leaner than MagicRAT's, and careful library selection has decreased its size from 18MB to 4MB while preserving the same set of functions, researchers added.

New Lazarus malware 

In a separate report published earlier this week, Cisco Talos stated that Lazarus hackers had developed a new malware known as CollectionRAT, which is related to the "EarlyRAT" family. The new threat was discovered when experts examined the infrastructure employed by the actor in earlier operations.

CollectionRAT's features include arbitrary command execution, file management, gathering system information, reverse shell creation, new process spawning, fetching and launching new payloads, and self-deletion. 

Another intriguing feature of CollectionRAT is its use of the Microsoft Foundation Class (MFC) framework, which allows it to decrypt and execute code on the fly, elude detection, and frustrate analysis. 

Cisco Talos learned further indications of evolution in Lazarus' tactics, techniques, and procedures, such as the extensive use of open-source tools and frameworks, such as Mimikatz for credential stealing, PuTTY Link (Plink) for remote tunnelling, and DeimosC2 for command and control communication. 

This strategy makes it difficult to attribute, monitor, and create efficient defences because Lazarus leaves behind fewer identifiable traces.
Read more »
Threat actors
CISA & FBI CrowdStrike cryptocurrency hack Cyber Attacks IT Companies JumpCloud Labyrinth Collima North Korea Hackers Threat actors

North Korea-Backed Hackers Breach US Tech Company to Target Crypto Firms


A North Korean state-sponsored hacking group has recently breached a US IT management company, in a bid to further target several cryptocurrency companies, cybersecurity experts confirmed on Thursday. 

The software company – JumpCloud – based in Louisville, Colorado reported its first hack late in June, where the threat actors used their company’s systems to target “fewer than 5” of their clients. 

While the IT company did not reveal the identity of its affected customers, cybersecurity firms CrowdStrike Holding and Alphabet-owned Mandiant – managing JumpCloud and its client respectively – claims that the perpetrators are known for executing heists targeting cryptocurrency. 

Moreover, two individuals that were directly connected to the issue further confirmed the claim that the JumpCloud clients affected by the cyberattack were in fact cryptocurrency companies. 

According to experts, these North Korea-backed threat actors, who once targeted firms piecemeal are now making efforts in strengthening their approach, using tactics like a “supply chain attack,” targeting companies that could provide them wider access to a number of victims at once.

However, Pyongyang’s mission to the UN did not respond to the issue. North Korea has previously denied claims of it being involved in cryptocurrency heists, despite surplus evidence claiming otherwise.

CrowdStrike has identified the threat actors as “Labyrinth Collima,” one of the popular North Korea-based operators. The group, according to Mandiant, works for North Korea’s Reconnaissance General Bureau (RGB), its primary foreign intelligence agency.

However, the U.S. cybersecurity agency CISA and the FBI did not confirm the claim. 

Labyrinth Chollima is one of North Korea’s most active hackers, claiming responsibility for some of the most notorious and disruptive cyber threats in the country. A staggering amount of funds has been compromised as a result of its cryptocurrency theft: An estimated $1.7 billion in digital currency was stolen by North Korean-affiliated entities, according to data from blockchain analytics company Chainalysis last year.

JumpCloud hack first came to light earlier this month when an email from the firm reached its customers, mentioning how their credentials would be changed “out of an abundance of caution relating to an ongoing incident.”

Adam Meyers, CrowdStrike’s Senior Vice President for Intelligence further warns against Pyongyang’s hacking squads, saying they should not be underestimated. "I don't think this is the last we'll see of North Korean supply chain attacks this year," he says.  

Read more »
Subscribe to: Posts (Atom)