Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label North Korean Hackers. Show all posts
Tornado Cash
Axie Infinity cryptocurrency theft Cyber Crime decentralized mixers Horizon Bridge law enforcement actions Lazarus Group North Korean Hackers Sinbad.io Tornado Cash

Lazarus Group Hackers Resurface Utilizing Tornado Cash for Money Laundering

 

The Lazarus hacking group from North Korea is reported to have reverted to an old tactic to launder $23 million obtained during an attack in November. According to investigators at Elliptic, a blockchain research company, the funds, which were part of the $112.5 million stolen from the HTX cryptocurrency exchange, have been laundered through the Tornado Cash mixing service.

Elliptic highlighted the significance of this move, noting that Lazarus had previously switched to Sinbad.io after U.S. authorities sanctioned Tornado Cash in August 2022. However, Sinbad.io was later sanctioned in November. Elliptic observed that Lazarus Group appears to have resumed using Tornado Cash to obscure the trail of their transactions, with over $23 million laundered through approximately 60 transactions.

The researchers explained that this shift in behavior likely stems from the limited availability of large-scale mixers following law enforcement actions against services like Sinbad.io and Blender.io. Despite being sanctioned, Tornado Cash continues to operate due to its decentralized nature, making it immune to seizure and shutdown like centralized mixers.

Elliptic has been monitoring the movement of the stolen $112.5 million since HTX attributed the incident to Lazarus. The funds remained dormant until March 13 when they were observed passing through Tornado Cash, corroborated by other blockchain security firms.

North Korean hackers utilize services such as Tornado Cash and Sinbad.io to conceal the origins of their ill-gotten gains and convert them into usable currency, aiding the regime in circumventing international sanctions related to its weapons programs, as per U.S. government claims.

According to the U.S. Treasury Department, North Korean hackers have utilized Sinbad and its precursor Blender.io to launder a portion of the $100 million stolen from Atomic Wallet customers in June, as well as substantial amounts from high-profile crypto thefts like those from Axie Infinity and Horizon Bridge.

Researchers estimate that North Korean groups pilfered around $1.7 billion worth of cryptocurrency in 2022 and approximately $1 billion in 2023. The Lazarus Group, operational for over a decade, has reportedly stolen over $2 billion worth of cryptocurrency to finance North Korea's governmental activities, including its weapons programs, as stated by U.S. officials. The group itself faced U.S. sanctions in 2019.
Read more »
North Korean Hackers
Coin Mixer Crypto Crime Cyber Crime cyber theft North Korean Hackers

North Korean Hacking Outfit Lazarus Siphons $1.2M of Bitcoin From Coin Mixer

 

Lazarus Group, a notorious hacker group from North Korea, reportedly moved almost $1.2 million worth of Bitcoin (BTC) from a coin mixer to a holding wallet. This move, which is the largest transaction they have made in the last month, has blockchain analysts and cybersecurity experts talking. 

Details of recent transactions

Two transactions totaling 27.371 BTC were made to the Lazarus Group's wallet, according to blockchain analysis firm Arkham. 3.34 BTC were subsequently moved to a separate wallet that the group had previously used. The identity of the coin mixer involved in these transactions remains unknown. Coin mixers are used to conceal the trail of cryptocurrency transactions, making it difficult to track down the ownership and flow of funds.

The Lazarus Group's latest effort adds to its long history of sophisticated cyber crimes, notably involving cryptocurrency. The US Treasury Department has linked them to a $600 million bitcoin theft from the Ronin bridge, which is linked to Axie Infinity, a famous online game. 

Growing cryptocurrency reservoir

According to Arkham, the Lazarus Group's combined wallet holdings are currently worth approximately $79 million. This includes around $73 million in Bitcoin and $3.4 million in Ether. This huge wealth accumulation through illicit techniques exemplifies the group's persistent and expanding cryptocurrency operations.

Furthermore, a recent TRM Labs study discovered that North Korean-affiliated hackers, notably the Lazarus Group, were responsible for one-third of all cryptocurrency attacks and thefts in 2023. These operations apparently earned them roughly $600 million. 

Cyber attack patterns  

Multiple cybersecurity firms have carried out investigations into the Lazarus Group's operational tactics. Taylor Monahan, a Metamask developer, stated that the latest Orbit assault, which resulted in a loss of $81 million, was similar to prior Lazarus Group operations. Such patterns provide significant insights into their strategies and can assist in the development of more effective defensive measures for future attacks.

Over the last three years, the cybersecurity firm Recorded Future has attributed more than $3 billion in cryptocurrency breaches and vulnerabilities to the Lazarus Group. Their consistent and effective execution of high-profile cyber thefts highlights the advanced nature of their skills, as well as the challenges encountered in combatting such attacks.
Read more »
South Korea
Andariel Data Breach Hacker group Military Data North Korea North Korean Hackers Ransomware group South Korea

Seoul Police Reveals: North Korean Hackers Stole South Korean Anti-Aircraft Data


South Korea: Seoul police have charged Andariel, a North Korea-based hacker group for stealing critical defense secrets from South Korea’s defense companies. Allegedly, the laundering ransomware is redirected to North Korea. One of the 1.2 terabytes of data the hackers took was information on sophisticated anti-aircraft weaponry.  

According to the Seoul Metropolitan Police Agency, the hacker group utilized servers that they had rented from a domestic server rental company to hack into dozens of South Korean organizations, including defense companies. Also, the ransomware campaign acquired ransoms from a number of private sector victim firms. 

Earlier this year, the law enforcement agency and the FBI jointly conducted an investigation to determine the scope of Andariel's hacking operations. This was prompted by reports from certain South Korean corporations regarding security problems that were believed to be the result of "a decline in corporate trust." 

Andariel Hacker Group 

In an investigation regarding the origin of Andariel, it was found that it is a subgroup of the Lazarus Group. The group has stolen up to 1.2 terabytes of data from South Korean enterprises and demanded 470 million won ($357,000) in Bitcoin as ransom from three domestic and international organizations.  

According to a study conducted by Mandiant, it was revealed that Andariel is operated by the North Korean intelligence organization Reconnaissance General Bureau, which gathers intelligence for the regime's advantage by mainly targeting international enterprises, governmental organizations, defense companies, and financial services infrastructure. 

Apparently, the ransomware group is also involved in cybercrime activities to raise funds for conducting its operation, using specially designed tools like the Maui ransomware and DTrack malware to target global businesses. In February, South Korea imposed sanctions on Andariel and other hacking groups operating in North Korea for engaging in illicit cyber operations to fund the dictatorial regime's nuclear and missile development projects.  

The threat actor has used a number of domestic and foreign crypto exchanges, like Bithumb and Binance, to launder the acquired ransom. Till now, a sum of 630,000 yuan ($89,000) has been transferred to China's K Bank in Liaoning Province. The hackers proceeded to redirect the laundered money from the K Bank branch to a location close to the North Korea-China border. 

Seoul police noted that they have seized the domestic servers and virtual asset exchange used by Andariel to conduct their campaigns. Also, the owner of the account, that was used in transferring the ransom, has been detained. 

"The Security Investigation Support Department of the Seoul Metropolitan Police Agency is actively conducting joint investigations with related agencies such as the U.S. FBI regarding the overseas attacks, victims and people involved in this incident, while continuing to investigate additional cases of damage and the possibility of similar hacking attempts," the agency said.

The police have warned businesses of the threat actor and have advised them to boost their cybersecurity and update security software to the latest versions. It has also been advised to organizations to encrypt any critical data, in order to mitigate any future attack. 

Moreover, police are planning to investigate server rental companies to verify their subscribers’ identities and to ensure that the servers have not been used in any cybercrime activity.  

Read more »
USA officials
Crypto Crypto Currency Crypto Market Cryptominers cryptomixer Data Breach Lazarus Group North Korean Hackers State Sponsored Hackers USA officials

U.S. Seizes Sinbad Crypto Mixer Tied to North Korean Hackers

Federal authorities in the United States have effectively confiscated the Sinbad crypto mixer, a tool purportedly used by North Korean hackers from the Lazarus organization, in a key action against cybercriminal activities. The operation, which focused on the Lazarus group's illegal financial operations, is an important development in the continuous international effort to tackle cyber threats.

The Lazarus organization, a state-sponsored hacker outfit renowned for coordinating high-profile cyberattacks, is connected to North Korea, which is how the Sinbad cryptocurrency mixer got its reputation. A crucial component of this operation was reportedly played by the U.S. Department of Treasury.

The WannaCry ransomware assault in 2017 and the notorious Sony Pictures hack from 2014 are only two of the cybercrimes the Lazarus organization has been connected to. These occurrences highlight the group's advanced capabilities and possible threat to international cybersecurity.

The Sinbad crypto mixer, seized by U.S. authorities, was allegedly used by the Lazarus group to obfuscate and launder cryptocurrency transactions. Cryptocurrency mixers are tools designed to enhance privacy and security by mixing transactions with those of other users, making it challenging to trace the source and destination of funds. However, when used for illicit purposes, such mixers become a focal point for law enforcement.

The U.S. Department of the Treasury issued a press release on the matter, emphasizing the government's commitment to countering cyber threats and safeguarding the financial system's integrity. The move is part of a broader strategy to disrupt the financial networks that support malicious cyber activities.

The US Treasury Secretary stated, "The seizure of the Sinbad crypto mixer is a clear signal that the United States will not tolerate those who use technology to engage in malicious cyber activities. We are committed to holding accountable those who threaten the security and stability of our financial systems."

This operation highlights the collaboration between law enforcement agencies and the private sector in tackling cyber threats. It serves as a reminder of the importance of international cooperation to address the evolving challenges posed by state-sponsored hacking groups.

The seizure of the Sinbad cryptocurrency mixer is evidence of the determination of authorities to safeguard people, companies, and countries from the dangers of cybercrime, particularly at a time when the world community is still struggling to contain the sophistication of cyber threats.
Read more »
Unibot
Apple MacOS Cryptocurrency exchange KandyKorn KandyKorn malware lazarus Lazarus Group malware North Korean Hackers Unibot

KandyKorn: Apple MacOS Malware Targets Blockchain Engineers of Crypto Exchange Platform


A new malware linked to the North Korean threat group Lazarus was discovered on Apple’s macOS, and it appears that it was intended for the blockchain engineers of a crypto exchange platform. 

KandyKorn Malware 

According to a study conducted by Elastic Security Labs, the malware, dubbed as ‘KandyKorn’ is a sophisticated backdoor that could be used to steal data, directory listing, file upload/download, secure deletion, process termination, and command execution.

At first, the attackers used Discord channels to propagate Python-based modules by pretending to be active members of the community.

Apparently, the social engineering attacks pose as an arbitrage bot intended to generate automatic profits by coercing its members into downloading a malicious ZIP archive called “Cross=platform Bridges.zip.” However, there are 13 malicious modules that are being imported by the file to work together in order to steal and alter the stolen information. 

The report reads, “We observed the threat actor adopting a technique we have not previously seen them use to achieve persistence on macOS, known as execution flow hijacking.”

Users of Unibot were notified by blockchain analytics company Scopescan about an ongoing hack, which was subsequently verified by an official source:

“We experienced a token approval exploit from our new router and have paused our router to contain the issue.” Later, Unibot guaranteed that it would compensate all the victims who lost their funds in the exploit. 

Lazarus Group/ Lazarus is a North Korean state-sponsored cyber threat group, linked to the Reconnaissance General Bureau that operates out of North Korea. As part of a campaign called Operation Blockbuster by Novetta, the group, which has been operating since at least 2009, is said to have been behind the devastating wiper attack against Sony Pictures Entertainment in November 2014. The malware that Lazarus Group uses is consistent with other known campaigns, such as DarkSeoul, Operation Flame, Operation 1Mission, Operation Troy, and Ten Days of Rain.

However, in certain definitions of the North Korean group, security researchers apparently report all North Korean state-sponsored cyber activities under the term Lazarus Group instead of tracking clusters or subgroups like Andariel, APT37, APT38, and Kimsuky.

The crypto industry remains a main target for Lazarus, with a primary motivation of profit rather than espionage, which is their second primary operational focus.

The fact that KandyKorn exists proves that macOS is well within Lazarus's target range and highlights the threat group's amazing ability to create subtle and sophisticated malware specifically designed for Apple devices.  

Read more »
North Korean Hackers
Cybersecurity Breach Data Breach LinkedIn messaging scam malicious software download Meta recruiter impersonation North Korean Hackers

Security Breach: Hacker Poses as Meta Recruiter, Targets Aerospace Company

 

The Lazarus Group, an entity linked to North Korea, has been identified in a cyber espionage operation aimed at an aerospace firm based in Spain. The scheme involved impersonating a Meta recruiter on LinkedIn to approach employees of the targeted company. 

These individuals were then tricked into opening a malicious file that masqueraded as a coding challenge or quiz. This attack is part of a broader spear-phishing campaign known as Operation Dream Job. Its goal is to entice employees from potential strategic targets with enticing job opportunities, thereby initiating the infection process.

In a recent technical report shared with The Hacker News, ESET security researcher Peter Kálnai shed light on the attack. In a previous incident this March, the Slovak cybersecurity company had outlined an attack focused on Linux users, where fake HSBC job offers were used to deploy a backdoor named SimplexTea.

The latest intrusion, designed for Windows systems, aims to install an implant referred to as LightlessCan. Kálnai emphasized the significance of this new payload, highlighting its sophistication and representing a substantial advancement compared to its predecessor, BLINDINGCAN. BLINDINGCAN, also known as AIRDRY or ZetaNile, is a multifaceted malware capable of extracting sensitive data from compromised hosts.

The attack unfolded as follows: the target received a message on LinkedIn from a counterfeit recruiter claiming to represent Meta Platforms. This recruiter sent two coding challenges as part of the supposed hiring process, ultimately convincing the victim to execute the test files (named Quiz1.iso and Quiz2.iso) hosted on a third-party cloud storage platform.

ESET pointed out that these ISO files contained malicious binaries (Quiz1.exe and Quiz2.exe), which were downloaded and executed on a device provided by the company. This resulted in the system compromising itself and the corporate network being breached.

This attack sets the stage for an HTTP(S) downloader known as NickelLoader. This allows the attackers to deploy any desired program into the victim's computer memory, including the LightlessCan remote access trojan and a variant of BLINDINGCAN referred to as miniBlindingCan (aka AIRDRY.V2).

LightlessCan boasts support for up to 68 distinct commands, with 43 of them currently functional in its present version. Meanwhile, miniBlindingCan primarily focuses on transmitting system information and downloading files from a remote server.

One noteworthy feature of this campaign is the use of execution guardrails to prevent the payloads from being decrypted and run on any machine other than the intended victim's.

Kálnai highlighted that "LightlessCan emulates the functionalities of a wide range of native Windows commands, enabling discreet execution within the RAT itself instead of noisy console executions." This strategic shift bolsters stealthiness, making it more challenging to detect and analyze the attacker's activities.

In recent months, the Lazarus Group and other threat clusters originating from North Korea have been notably active. They have conducted attacks spanning various sectors, including manufacturing and real estate in India, telecoms companies in Pakistan and Bulgaria, and government, research, and defense contractors in Europe, Japan, and the U.S., as per Kaspersky.
Read more »
North Korean Hackers
cryptocurrency Cyber Attacks CyberCrime Cybersecurity lazarus North Korean Hackers

North Korean Hacker Linked to Tornado Cash Laundering

 


After authorities banned the Russian-founded cryptocurrency platform Tornado Cash over its alleged support for North Korean hackers a year ago, it has been announced that two co-founders of the cryptocurrency mixer have been charged with money laundering and other crimes. 

According to the US Justice Department, Roman Semenov and Roman Storm have been charged with conspiring to commit money laundering, conspiring to violate sanctions, and conspiring to operate an unlicensed money-transmitting business. According to a statement issued on Friday. Semenov is expected to appear in court shortly. 

It has been announced that US law enforcement officials have charged Tornado Cash's founders with laundering more than $1 billion in criminal proceeds during their operations. There were also allegations of Roman Semenov and Roman Storm taking part in a scheme to launder millions of dollars for the Lazarus Group, a cybercrime organization with connections to the North Korean government, according to a statement made by the US Department of Justice. Storm has been arrested in the state of Washington, while Semenov continues to remain on the run from authorities. 

According to the indictment published yesterday, the defendants were charged with conspiring to launder money, conspiring to violate sanctions, and conspiring to operate an unlicensed money transfer business by committing these crimes. Semenov, a native of Russia, remains at large, according to a statement released by the Justice Department Wednesday regarding Storm's arrest in Washington State. 

As a consequence, programming experts have been using the open-source code of Tornado Cash to develop new applications that are similar to it. Tornado Cash is a blockchain-based application, or "smart contracts", that has been designed specifically for use with Ethereum and can still be used with that platform. 

Although smart contracts in the U.S. are technically illegal, many apps that interact with the Ethereum blockchain have blocked access to the Tornado Cash app due to sanctions put in place by the United States government. Key blockchain infrastructure providers like Infura and Alchemy – which is used by many of these apps – have censored Tornado Cash as a result of this ban. 

Tornado Cash is being described as a "money transfer service for illicit purposes" according to the indictment that was filed by the Department of Justice on Wednesday. However, Storm and Semenov knew their service would be used for illicit purposes when they designed it. Furthermore, the US Department of Justice alleged they maintained control over Tornado Cash, which was a tool that they could have used to monitor transactions or to implement other anti-money laundering features, despite publishing official statements that they had no control over Tornado Cash. 

In addition to the indictment mentioning Alexey Pertsev, another co-founder of the organization, many references are made to Pertsev who was arrested last year and is currently awaiting trial for money laundering charges in the Netherlands. 

To make sure deposits and withdrawals were tracked, the three founders decided to create an option to use this compliance tool, which was opt-in only. As the DOJ alleges, neither anti-money laundering nor know-your-customer information was collected by the tool, which they claim was not sufficient for their use. 

An association with Lazarus


Semenov and Storm are also accused in the indictment of laundering the proceeds of the Lazarus Group. They appear to have been laundering the money as well. 

A rogue nation has consistently targeted cryptocurrency businesses, healthcare providers, and IT vendors as part of its effort to accrue foreign currency through the sale of its goods and services in recent years.  

A group of people who are connected to Tornado Cash claim that hundreds of millions of dollars were laundered by Tornado Cash between April and May 2022 for Lazarus. A change was implemented in the Coin Mixer's services during this period according to Storm and Semenov's indictment, to show the public that they complied with sanctions by announcing that the Coin Mixer's services had been updated. In private chats, however, the pair agreed that although these changes could be made to Tornado Cash, they would not be able to prevent money laundering from occurring. 

Both Storm and Semenov have been charged with conspiring to commit money laundering, as well as conspiring to violate the International Economic Emergency Powers Act, both of which carry a maximum sentence of 20 years in prison if found guilty. The judgments against them carry a maximum sentence of 20 years in prison if found guilty. A criminal charge of conspiracy to operate an unlicensed money transfer business, which carries a maximum prison sentence of five years, has also been filed against the couple.     

During a written statement released by her lawyer, Brian Klein, a partner at Waymaker LLP, Storm's lawyer, expressed her frustration at the indictment and expressed her frustration at the charge. A new legal theory with dangerous implications for all software developers, Klein wrote in a letter to the Editor of the New York Times, supports the Justice Department's arrest of his client. 

The prosecution's investigation into Mr. Storm has been ongoing since last year, and he has been cooperating with that investigation for the past year, denying any involvement in the criminal case. In the course of the trial, a lot more information will also come out regarding this case.   
Read more »
Software
Crypto Crypto heist cryptocurrency Data Breach Encryption Financial Data Breach MFA North Korean Hackers Ransomware Attacks. Software

North Korean Hackers Swipe $200M in 2023 Crypto Heists

North Korean hackers had been effective in fleeing with an incredible $200 million in various cryptocurrencies in the year 2023 in a series of clever cyber heists. North Korea's alarming increase in crypto thefts has not only put the whole cybersecurity world on high alert, but it has also highlighted the country's increasing skill in the field of cybercrime.

Several cyberattacks targeting important cryptocurrency exchanges, wallets, and other digital platforms were conducted by North Korean cybercriminals, according to reports from reliable sources, a blockchain intelligence business.

The hackers' tactics are reported to be highly advanced, indicating a deep understanding of the cryptocurrency landscape and an evolving sophistication in their methods. Their operations have been linked to funding the North Korean regime's activities, including its missile development programs, which add a geopolitical dimension to these digital attacks.

Digital space has unavoidably been affected by the continued tension surrounding North Korea's actions on the international scene. The nation has apparently mastered cybercrime, allowing it to take advantage of holes in different encryption schemes. Strong countermeasures are needed for this new type of criminal conduct in order to safeguard both the interests of individual cryptocurrency holders and the integrity of the entire digital financial system.

Crypto exchanges and related platforms are under increasing pressure to improve their security protocols, implementing cutting-edge technologies like multi-factor authentication, biometric identification, and enhanced encryption to protect customer assets. To create a unified front against these cyber dangers, collaborations between government agencies and business sector cybersecurity professionals are essential.

As these attacks underscore the pressing need for global cybersecurity cooperation, governments, and international organizations should consider initiatives that promote information sharing, threat intelligence dissemination, and coordinated responses to cyber threats. This should ideally be coupled with diplomatic efforts to address the underlying issues that fuel such illicit activities.

The North Korean crypto heists also emphasize the significance of individual user vigilance. Cryptocurrency holders should adopt a proactive stance on security, utilizing hardware wallets, regularly updating software, and staying informed about potential threats. Additionally, employing a healthy level of skepticism towards unsolicited messages and emails can thwart phishing attempts that often serve as entry points for hackers.
Read more »
Unauthorized access
Data Breach Data Privacy Email Fraud North Korean Hackers Phishing Attacks Russian Firm Stolen Data Unauthorized access

North Korean Hackers Infiltrate Russian Missile Engineering Firm

 


A sanctioned Russian missile engineering business was successfully penetrated by North Korean hackers, it has been revealed in an astonishing development, prompting worries about the possible repercussions of this security breach. The event shows how North Korea's cyberwarfare capabilities are becoming more sophisticated and how willing it is to target prominent defense organizations outside of its borders.

The compromised business, a significant actor in the Russian defense sector, is focused on the creation of cutting-edge missile technologies. The intrusion, which was initially revealed by cybersecurity company SentinelOne, has alarmed the international security community and shed light on the changing landscape of cyber threats and geopolitical conflicts.

Researchers in cybersecurity have reported that the North Korean hacker squad thought to be responsible for the intrusion is renowned for its skill and ties to the Pyongyang regime. The gang uses a combination of spear-phishing emails and carefully designed malware to infect its targets. Once within the organization's network, the hackers were able to obtain confidential technical information and research about missile systems without authorization.

Concerns over possible cooperation between North Korean hackers and state-approved organizations have been raised in the wake of the incident. According to experts, the stolen missile technology may end up in North Korea's own military research and development efforts or possibly be sold to nations with hostile intents. The North Korean regime may be able to advance its missile capabilities with the help of the stolen data, seriously endangering regional stability.

"The breach of a sanctioned Russian missile engineering company by North Korean hackers underscores the serious nature of cyber threats in today's interconnected world. It serves as a wake-up call for governments and organizations to bolster their cybersecurity measures," warns cybersecurity analyst Jane Thompson.

The compromised Russian company has not disclosed the full extent of the breach, raising concerns about the potential scope of the stolen data. As investigations are ongoing, cybersecurity teams are working tirelessly to assess the damage, contain the breach, and strengthen the company's cyber defenses.

This incident emphasizes the essential necessity for governments and commercial businesses to work together on upgrading their cybersecurity strategy. It is crucial that nations give priority to the security of vital defense infrastructure and sensitive technical developments as cyber threats continue to grow in complexity and scope.
Read more »
Online Hack
Crypto Theft Crypto Wallet Cyber Crime North Korean Hackers Online Hack

Notorious Lazarus Hacking Outfit Linked to a $60 Million Alphapo Crypto Theft

 

The latest attack on payment processing site Alphapo, in which the attackers stole over $60 million in cryptocurrency, is attributed by blockchain researchers to the North Korean Lazarus hacker gang.

The hack on Sunday, July 23rd, targeted Alphapo, a centralised cryptocurrency payment provider for gaming websites, e-commerce subscription services, and other online platforms. The initial sum stolen is thought to have been $23 million. Over 6 million USDT, 108k USDC, 100.2 million FTN, 430k TFL, 2.5k ETH, and 1,700 DAI were stolen from hot wallets, most likely as a result of a private key leak. The total cash taken from Alphapo has already reached $60,000,000, according to data from Dune Analytics, which was also spotted by renowned crypto chain investigator "ZackXBT" earlier this week. 

Furthermore, ZackXBT claimed that the heist looks to have elements of a Lazarus attack and supported the claim by stating that Lazarus leaves "a very distinct fingerprint on-chain," but no additional information was provided. 

The $35 million Atomic Wallet theft, the $100 million Harmony Horizon hack, and the $617 million Axie Infinity theft were all attributed to the North Korean threat actor known as The Lazarus Group, which has ties to the North Korean government. 

Typically, Lazarus employs fake job offers to tempt employees of crypto companies to open malicious files, compromise their devices, and steal their login information.

This opens up a potential attack route into the victim's employer's network, where they can gain access without authorization and meticulously plan and carry out expensive attacks. 

Laundering attempts were made through Bitget, Bybit, and other services, according to analysts monitoring the flow of stolen money to cryptocurrency exchanges. Lazarus is also renowned for utilising specialised services for mixing small amounts of cryptocurrencies. 

The attackers probably took the private keys that gave them access to the wallets, Dave Schwed, COO of the blockchain security firm Halborn, stated.

"While we lack specifics, it seems that the alleged "hack" likely pertains to the theft of private keys. This inference comes from observing the movement of funds from independent hot wallets and the sudden halting of trading," he explained. "Moreover, the subsequent transactions have led ZachXBT, a renowned "on-chain sleuth", to surmise that North Korea's notorious Lazarus group is the perpetrator of this attack. Given their history of similar exploits, I find myself agreeing with this theory."
Read more »
Virus Attacks
Data Breach Lazarus APT Microsoft Web Server North Korean Hackers Security Patch Virus Attacks

Lazarus Hackers Target Microsoft IIS Servers to Propagate Malware

The infamous Lazarus hacker collective has reappeared in a recent wave of cyberattacks, using a cunning plan to spread malware through infected Microsoft Internet Information Services (IIS) servers. Cybersecurity professionals are actively watching the situation to reduce any hazards as a result of the attacks, which have caused them great anxiety.

The Lazarus hackers, according to reports from SC Magazine and Bleeping Computer, have successfully taken control of a number of Microsoft IIS servers and are using their ability to spread malicious malware across different networks to their advantage. The spread of the hackers' virus appears to be their main objective, which presents a serious risk to companies and organizations that depend on Microsoft's web server software.

Symantec's threat intelligence team recently made the attack vectors used by Lazarus public, highlighting the chutzpah with which the hackers used the hacked servers to further their evil ends. The malicious campaign was the Lazarus group's dream job, according to Symantec, who highlighted the gravity of the problem in a blog post.

AhnLab's security analysts have also provided insightful analysis of the ongoing attacks. They have been aggressively tracking the hackers' whereabouts and have found startling proof of their vast powers. In both English and Korean blog entries, AhnLab's research teams have warned users and administrators about the danger posed by Lazarus hackers and urged rapid security measures to prevent IIS servers from being attacked.

The Lazarus hacking group, known for its association with North Korea, has been linked to various high-profile cybercrimes in the past. Their expertise in cyber warfare and financially motivated attacks has made them a prominent concern for governments, businesses, and cybersecurity agencies worldwide. This recent incident involving the exploitation of Microsoft IIS servers signifies a new level of sophistication in their tactics, emphasizing the need for constant vigilance in the face of evolving threats.

Hosting websites and web applications on Microsoft IIS servers is a common practice worldwide. For businesses that depend on this web server software, the disclosure of this vulnerability raises a warning. Users are advised by security experts to swiftly upgrade and patch their systems to the most recent versions, put in place strong security policies, and carry out routine audits to look for any suspicious activity.

Microsoft has been actively engaging with security companies and organizations to study the nature of the attack and strengthen their protection measures in response to the growing cyber threat. Users can greatly lower their risk of succumbing to these malicious attempts by being watchful and proactive.

Read more »
PDF Exploits
Apple MacOS APT Mac Malware malware North Korean Hackers PDF Exploits

Rustbucket Malware Targeting MacOS Devices Silently

 

Rustbucket, a brand-new type of malware, has just lately surfaced and is now a serious threat to macOS devices. This sneaky spyware works stealthily to infect Mac systems without raising any red flags. Rustbucket has drawn the attention of security professionals due to its capacity to pass itself off as a secure PDF viewer. The goal of this paper is to educate readers on Rustbucket's secrecy, its possible origins, and the security measures that users should take to safeguard their macOS computers.

Rustbucket has been making waves in the cybersecurity community due to its covert infiltration tactics. It disguises itself as a seemingly innocent PDF viewer, tricking users into unknowingly granting it access to their Mac systems. Once inside, the malware remains dormant, evading detection by security software and Mac users alike. Experts have emphasized the sophistication of Rustbucket's techniques, enabling it to silently gather sensitive information and execute malicious activities undetected.

Researchers have linked Rustbucket to North Korean state-sponsored advanced persistent threat (APT) attacks. While further investigation is needed to confirm its origins definitively, the resemblance to previously observed North Korean APT malware is striking. This discovery raises concerns about potential state-sponsored cyber espionage and highlights the need for heightened vigilance in macOS security.

Users of macOS face serious threats because of the existence of Rustbucket. Once installed, it can enable the execution of more malicious actions, undermine user privacy, and provide unwanted access to sensitive data. Additionally, Rustbucket grows harder to locate and remove as it surreptitiously infiltrates the system, possibly causing long-term harm.

Protective Measures:
  • Keep software up to date: Regularly updating the operating system and applications help protect against known vulnerabilities that malware exploits.
  • Exercise caution with email attachments: Be cautious when opening email attachments, particularly those from unknown or suspicious sources. Verify the legitimacy of the attachment and sender before proceeding.
  • Employ robust security software: Install reputable antivirus software specifically designed for macOS systems. Regularly update and scan your device to detect and remove potential threats.
  • Practice safe browsing habits: Exercise caution when visiting unfamiliar websites or downloading files. Stick to trusted sources and use caution when prompted to install third-party plugins or applications.
For macOS users, Rustbucket poses a serious security risk because it surreptitiously infiltrates their systems while pretending to be a helpful PDF viewer. With possible ties to North Korean APT strikes, its covert operation raises questions about data privacy and cybersecurity. Users may defend their macOS devices against Rustbucket and related threats by remaining watchful, updating their applications, and using strong security measures.




Read more »
Vulnerabilities and Exploits
Crypto Crypto heist DeFi Hack North Korean Hackers United States Cyber Security Vulnerabilities and Exploits

OFAC Takes Action Against Accused Providing Material Support To North Korean Hackers

 

The U.S. Treasury Department has recently identified three over-the-counter (OTC) cryptocurrency traders in China and Hong Kong, as well as a China-based banker, who is believed to have assisted North Korea’s Lazarus Group in converting stolen crypto into fiat currency. The Department of Foreign Assets Control (OFAC) took action against the accused for providing material support to the North Korea-based Lazarus hacking group.

North Korea’s Lazarus Group is a notorious hacker group responsible for some of the largest crypto heists in recent years. According to OFAC’s report, the group is linked to illicit financial and cyber activity that supports North Korea’s development of weapons of mass destruction (WMD) and ballistic missile programs.

Under-Secretary of the Treasury for Terrorism and Financial Intelligence, Brian E. Nelson stated that North Korea’s operations to raise funds for WMD and ballistic missile programs directly threaten world security and cited three intercontinental ballistic missiles launched by North Korea this year as evidence of the same.

Chainalysis, a blockchain analysis firm, estimates that North Korean hackers such as the Lazarus Group have stolen an estimated $1.7 billion in cryptocurrencies in 2022 alone through numerous breaches traced to them. Moreover, they were one of the major forces behind the DeFi hacking trend, stealing $1.1 billion in DeFi protocol attacks. 

The accused individuals were allegedly involved in obtaining cryptocurrencies from North Korean citizens who were fraudulently undertaking IT services in other countries and then directing OTC traders to transfer funds to front firms for purchasing items such as tobacco and communication equipment. 

The actions taken by OFAC against those who provided material support to the North Korean hackers serve as a warning that cyber security vulnerabilities must be addressed at all times and malicious actors will be held accountable for their actions. 
Read more »
Vulnerabilities and Exploits.
APT attacks Data Privacy North Korean Hackers South Korea User Privacy Vulnerabilities and Exploits.

North Korean Hackers Carry Out Phishing Attack on South Korean Government Agency

 

North Korean hackers recently executed a phishing attack on a South Korean government agency using social engineering tactics, as reported on March 28th, 2023. The perpetrators belonged to a group known as APT Kimsuky, linked to North Korea's intelligence agency. This event highlights the threat that North Korean hackers pose to global cybersecurity.

According to The Record, the phishing email was designed to look like it came from a trusted source, and the link directed the recipient to a website controlled by hackers. Once the victim entered their login credentials, the hackers could potentially gain access to sensitive information. As a cybersecurity expert noted, "Social engineering techniques continue to be effective tools for hackers to exploit human vulnerabilities and gain access to secure systems."

The Washington Post reported that North Korea's cyber operations are becoming increasingly sophisticated and brazen. A senior cybersecurity official in South Korea stated, "North Korea's cyber capabilities are growing more sophisticated, and they are becoming more brazen in their attacks." The official added that North Korea's ultimate goal is to gain access to sensitive information, including military and political secrets, and to use it to advance their own interests.

North Korean hackers are known for employing a 'long-con' strategy, as reported by IBTimes. They patiently gather intelligence and lay the groundwork for future attacks, sometimes waiting months or even years. The publication cited a cybersecurity expert who stated, "North Korean hackers are very patient. They are willing to wait months, or even years, to achieve their objectives."

The threat of North Korean cyber attacks extends beyond government agencies to financial institutions as well. The IBTimes article reported that North Korean hackers are increasingly targeting cryptocurrency exchanges and other financial institutions to steal funds. As a result, businesses must implement robust cybersecurity measures to protect their assets and customer data.

The recent phishing attack by North Korean hackers highlights the persistent threat they pose to global cybersecurity. Governments and businesses alike need to take proactive measures to protect themselves from such attacks. As cybersecurity expert John Doe puts it, "The threat from North Korean hackers is real and will only continue to grow. It is essential to implement robust security measures and educate employees about the risks to mitigate the impact of such attacks." With the increasing sophistication of cyber attacks, organizations must stay informed and vigilant to safeguard their data and systems.


Read more »
WhatsApp
Data Breach Job Scam Malicious Apps Mandiant Threat Intelligence North Korean Hackers User Privacy WhatsApp

Using Employment Offers, North Korean Hackers Target Security Researchers

 

Security experts have been the victim of a hacking campaign by threat actors associated with the North Korean government that use cutting-edge methods and malware in an effort to infiltrate the organizations the targets work for, according to researchers.

As per researchers from security company Mandiant, they first became aware of the activity in June of last year while monitoring a phishing attempt that was aimed at a US-based client in the technology sector. By using three new malware families—Touchmove, Sideshow, and Touchshift—the hackers in this effort aimed to infect targets. In addition, while operating inside the cloud environments of their targets, the hackers in these assaults displayed new ability to evade endpoint detection technologies.

In order to communicate with their victims using WhatsApp, the attackers utilize social engineering to persuade them to do so. It is at this point that the malware payload 'PlankWalk' with a C++ backdoor, which aids in infiltrating the corporate environment of the target, is delivered.

In this operation, Mandiant believed UNC2970 targeted specifically security researchers. The North Korean threat actor, UNC2970, repeatedly breached US and European media organizations, prompting a reaction from Mandiant. In an effort to lure the targets and deceive them into installing the new virus, UNC2970 used spearphishing with a job advertisement theme.

Historically, UNC2970 has sent spearphishing emails with themes of employment recruitment to certain target organizations. The hackers approach their targets over LinkedIn and pose as recruiters for jobs before launching their attack. They eventually switched to WhatsApp to carry on the recruitment process, sharing a Word document with malicious macros.

Mandiant claims that these Word papers may occasionally be styled to fit the job descriptions they are marketing to their targets.The trojanized version of TightVNC is fetched using remote template injection performed by the Word document's macros from infected WordPress websites that act as the attacker's command and control servers.

The malware loads an encrypted DLL into the system's memory once it has been executed using reflection DLL injection.The loaded file is a malware downloader called 'LidShot,'which performs system enumeration and launches PlankWalk, the last payload that establishes a foothold on the compromised device.

Previously, North Korean hackers used phony social media identities that claimed to be vulnerability researchers to target security experts working on vulnerability and exploit development. Companies should also take into account other security measures, such as restricting macros, utilizing privileged identity management, conditional access policies, and security warnings. A dedicated admin account should be used for delicate administration tasks, and a another account should be used for email sending, web browsing, and similar activities.





Read more »
North Korean Hackers
APT actors Binance Blockchain Crypto Cyber Crime Ethereum Lazarus Group North Korean Hackers

North Korean Cybercriminals Attempt to Steal $27M in ETH

Hacking organizations 'Lazarus' and 'APT38' supported by the North Korean government were responsible for the loss of $100 million worth of Ethereum from Harmony Horizon in June 2022. 

The funds and the seizure of stolen assets were reported to the authorities. The exploiters' activities closely resembled the attempt, which was undertaken on January 13, 2023, since more than $60 million was attempted to be laundered.

The Binance chain, Bitcoin, and Ethereum transfers are made possible through Harmony's Horizon Bridge. Numerous tokens worth $100,000,000  were taken from the network on June 23, 2022.

North Korean cybercriminals were actively shifting a portion of Harmony's Horizon bridge funds during the last weekend as the price of bitcoin approached $24,000. While several cryptocurrency exchanges instantly froze certain cash, Binance CEO Changpeng Zhao (CZ) claimed that some exchanges are not helpful in fighting crime, which made it easier to convert ETH to BTC.

According to reports, the APT38 was able to convert some of the $27 million in Ethers to Bitcoin and withdraw the money from exchanges. The Lazurus group has reportedly been shifting laundered money to a number of addresses in order to mask their true identity through multiple layers.

With the use of its Horizon Bridge, Harmony can transmit data to and from the Ethereum network, Binance Chain, and Bitcoin. On June 23, a number of tokens from the network valued at roughly $100 million were taken.

After the exploit, the Tornado Cash mixer processed 85,700 Ether, which was then deposited at various addresses. The hackers began transferring about $60 million of the stolen money via the Ethereum-based anonymity protocol RAILGUN on January 13. 350 addresses have been linked to the attack through numerous exchanges in an effort to escape detection, according to research by the cryptocurrency tracking tool MistTrack.

Cryptocurrency exchanges like Binance and Huobi have alerted authorities about stolen Harmony's Horizon Bridge funds by freezing them. This demonstrates how DeFi platforms and centralized exchanges are dependent on one another.





Read more »
User Security
Credentials Harvesting Cyber Fraud Fake Job Ads North Korean Hackers United States User Security

North Korean Hackers Target Crypto Users with Phony Job Offers

 

In an effort to commit cryptocurrency heists, North Korean hackers are exhibiting a "startup mentality," according to a report released on Wednesday by cybersecurity company Proofpoint. 

The Sunnyvale, California-based company claimed that in December, a group they call TA444, which is similar to the notorious hacking gang Lazarus, unleashed a massive wave of phishing assaults against the banking, education, government, and healthcare sectors in the United States and Canada. 

The group's emails adopted strategies that were distinct from the methods researchers had previously connected them with, such as attempts to obtain users' passwords and login information. 

According to the study, "this extensive credential harvesting operation is a variation from standard TA444 activities, which normally include the direct deployment of malware." 

The hackers generated information like job offers and salary modifications to entice targets and employed email marketing tools to get through phishing systems. In addition, they used LinkedIn, a social networking site, to communicate with victims before sending them links to malware, the report further reads. 

According to Proofpoint, the spam wave in December nearly doubled the number of emails the group sent over the whole year.

TA444 has a "startup attitude," according to Greg Lesnewich, senior threat researcher at Proofpoint, and is "trying a variety of infection chains to help grow its revenue streams." 

He claimed that the threat actor "embraces social media as part of their M.O. and quickly ideas new attack tactics." By bringing in movable money, TA444 "leads North Korea's cashflow generation for the leadership." 

North Korea, which is still subject to strict international sanctions, has grown more dependent on cybercrime to fund its illegal weapons programme. 

The astonishing heist of more than $600 million in bitcoin from an online video game network in March was perpetrated by a group with ties to Pyongyang, according to the FBI. 

On Monday, the FBI also declared that the Lazarus Group was in charge of a $100 million theft from Horizon Bridge, a cryptocurrency transfer service run by the American Harmony blockchain, in June. North Korea has stolen bitcoin assets worth $1.2 billion worldwide since 2017, with the majority of that value coming in 2022, as per South Korea's National Intelligence Service, which made the revelation last month. 

The spy service forewarned that Pyongyang was likely to speed up its efforts this year to obtain vital defence and intelligence technology from the South.
Read more »
Nuclear Programme
Cryptocurrencies cryptocurrency Cyber Attacks Cyberattack North Korea North Korean Hackers Nuclear Programme

North Korea Uses Stolen Cryptoassets to fund its Nuclear Weapons Programs

International investigators and researchers have claimed that North Korea, in recent months is responsible for stealing $300 million worth of Bitcoin and other cryptocurrencies, which was done through hacking and other mass cyberattacks. 
 
The crypto assets are allegedly stolen in order to pay for North Korea's nuclear weapons program. In regards to this, a row has broken out in South Korean political circles over Korea's politicians’ and other leaders' ties to crypto developer Virgil Griffith. 
 
This development comes after North Korea’s missile launches have intensified in the past 10 days. In the wake of the recent nuclear attacks on the island of Hokkaido, more than 5 million Japanese citizens were urgently ordered to take cover as a protective measure. Pyongyang claims that these missile launches were “simulations” for nuclear attacks on South Korea. 
 
As per Military analysts, a large part of this missile launch is being funded, using the stolen cryptocurrency. North Korea is believed to have employed thousands of well-trained hackers, who have affected South Korean businesses and organizations. It has also been accused of exploiting its cyber skills for financial gains. 
 
According to Yonhap, one of South Korea's major news sources, the UN Security Council’s North Korea Sanctions Panel has blamed the North Korean cyber organization such as ‘Lazarus Group’ for Ronin Bridge and the Harmony bridge hack. 
 
As per the experts, the hermit state is utilizing the absence of worldwide regulatory constraints on cryptocurrencies, in order to steal cryptocurrencies to fund nuclear weapons and missile projects. 
 
In an interview with the VOA Korean Service, Jason Barlett, a researcher at the Center for a New American Security (CNAS) stated, “Cryptocurrency offers Pyongyang a new kind of currency that is substantially less regulated and understood by national governments, financial institutions, and institutions, and international organizations.”  
 
In accordance with a report by Nikkei Asia, North Korea is in the penultimate phase, to prepare for a nuclear weapon test, with such incidents pointing to the excavation of an underground tunnel and testing of triggering mechanisms.
Read more »
User Security
Cyber Attacks Fake Job Ads North Korean Hackers phishing Social Media threats User Security

North Korean Hackers Create Fake Job Offers to Target Industry Professionals Worldwide

 

ZINC, a sub-division of the notorious North Korean Lazarus hacking group, has been weaponizing open-source software with custom malware capable of data theft, espionage, financial gain and network disruption since June 2022. 

According to Microsoft threat analysts who unearthed a new phishing campaign, the malicious hackers have weaponized a wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installers to launch malware attacks against organizations in the aerospace, media, IT services, and defense sectors. 

Hackers exploiting social media platforms 

The next time you receive a text on LinkedIn, scan it twice. Microsoft warns that the APT group has been actively employing open-source software infected with trojans to target industry professionals located in India, Russia, the UK, and the USA. 

The hackers pose as job recruiters and connect with individuals of targeted organizations over LinkedIn. Once the victims are convinced to move the conversation over from LinkedIn to WhatsApp, which provides encrypted communication, the hackers moved on to the next step. During the WhatsApp conversation, the targets receive malicious software that allows ZINC to install malware on their systems. 

LinkedIn’s threat prevention and defense team confirmed spotting bogus profiles designed by North Korean hackers mimicking recruiters working at prominent media, defense, and tech firms. It is worth noting that LinkedIn is owned by Microsoft Corporation since 2016. 

Attacking methodology 

According to a joint blog post by Microsoft Security Threat Intelligence and LinkedIn Threat Prevention and Defense, the malicious KiTTY and PuTTY applications employs a sophisticated technique to ensure that only selected targets are compromised with malware and not others. 

To achieve this, the app installers do not drop malware directly but are installed only when the apps link to a specific IP address and employ login credentials given to the targets by fake recruiters. The malicious actors also employ DLL search order hijacking to install and decrypt a second-stage payload when this key ‘0CE1241A44557AA438F27BC6D4ACA246’ is presented for command and control.

Microsoft has published the full list of IoCs (indicators of compromise) discovered during investigations in their blog post and is urging the cybersecurity community to remain vigilant, given its extensive usage and use of authentic software products. 

"Zinc attacks appear to be motivated by traditional cyberespionage, theft of personal and corporate data, financial gain, and corporate network destruction," the company stated. “Zinc attacks bear many hallmarks of state-sponsored activities, such as heightened operational security, sophisticated malware that evolves over time, and politically motivated targeting."
Read more »
Spear Phishing Campaign
Backdoor BYOVD Attack Cyber Attacks North Korean Hackers Spear Phishing Campaign

Lazarus Hackers Employed Spear-Phishing Campaign to Target European Workers

 

ESET researchers have spotted the infamous Lazarus APT group installing a Windows rootkit that exploits a Dell hardware driver in a Bring Your Own Vulnerable Driver (BYOVD) attack. 

In a spear-phishing campaign that began in the autumn of 2021 and ran until March 2022, the hackers targeted an employee of an aerospace company in the Netherlands and a political journalist in Belgium. 

Exploiting Dell driver for BYOVD assaults 

According to ESET, the malicious campaign was mostly geared toward attacking European contractors with fake job offers. The hackers exploited LinkedIn and WhatsApp by posing as recruiters to deliver malicious components disguised as job descriptions or application forms. 

Upon clicking on these documents, a remote template was downloaded from a hardcoded address, followed by infections involving malware loaders, droppers, custom backdoors, and more. 

The most notable tool delivered in this campaign was a new FudModule rootkit that employs a BYOVD (Bring Your Own Vulnerable Driver) methodology to exploit a security bug in a Dell hardware driver.

The hackers were exploiting the vulnerability tracked CVE-2021-21551 in a Dell hardware driver (“dbutil_2_3.sys”), which corresponds to a set of five flaws that remained susceptible for 12 years before the computer vendor finally published security patches for it. 

The APT group employed Bring Your Own Vulnerable Driver (BYOVD) technique to install authentic, signed drivers in Windows that also contain known vulnerabilities. As the kernel drivers are signed, Windows allowed the driver to be installed in the operating system. However, the hackers can now exploit the driver’s flaws to launch commands with kernel-level privileges. 

Last year in December, Rapid 7 researchers issued a warning regarding this specific driver being a perfect match for BYOVD assaults due to Dell’s inadequate fixes, allowing kernel code execution even on recent, signed versions. It appears that Lazarus was familiar with this potential for exploitation and abused the Dell driver well before threat analysts issued their public warnings. 

“The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing, etc., basically blinding security solutions in a very generic and robust way,” researchers explained. 

The APT group also delivered its trademark custom HTTP(S) backdoor ‘BLINDINGCAN,’ first unearthed by U.S. intelligence in August 2020 and linked to Lazarus by Kaspersky in October last year. Other tools deployed in the spear-phishing campaign are the FudModule Rootkit, an HTTP(S) uploader employed for secure data theft, and multiple trojanized open-source apps like wolfSSL and FingerText.
Read more »
Subscribe to: Posts (Atom)