Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label lazarus. Show all posts
Unibot
Apple MacOS Cryptocurrency exchange KandyKorn KandyKorn malware lazarus Lazarus Group malware North Korean Hackers Unibot

KandyKorn: Apple MacOS Malware Targets Blockchain Engineers of Crypto Exchange Platform


A new malware linked to the North Korean threat group Lazarus was discovered on Apple’s macOS, and it appears that it was intended for the blockchain engineers of a crypto exchange platform. 

KandyKorn Malware 

According to a study conducted by Elastic Security Labs, the malware, dubbed as ‘KandyKorn’ is a sophisticated backdoor that could be used to steal data, directory listing, file upload/download, secure deletion, process termination, and command execution.

At first, the attackers used Discord channels to propagate Python-based modules by pretending to be active members of the community.

Apparently, the social engineering attacks pose as an arbitrage bot intended to generate automatic profits by coercing its members into downloading a malicious ZIP archive called “Cross=platform Bridges.zip.” However, there are 13 malicious modules that are being imported by the file to work together in order to steal and alter the stolen information. 

The report reads, “We observed the threat actor adopting a technique we have not previously seen them use to achieve persistence on macOS, known as execution flow hijacking.”

Users of Unibot were notified by blockchain analytics company Scopescan about an ongoing hack, which was subsequently verified by an official source:

“We experienced a token approval exploit from our new router and have paused our router to contain the issue.” Later, Unibot guaranteed that it would compensate all the victims who lost their funds in the exploit. 

Lazarus Group/ Lazarus is a North Korean state-sponsored cyber threat group, linked to the Reconnaissance General Bureau that operates out of North Korea. As part of a campaign called Operation Blockbuster by Novetta, the group, which has been operating since at least 2009, is said to have been behind the devastating wiper attack against Sony Pictures Entertainment in November 2014. The malware that Lazarus Group uses is consistent with other known campaigns, such as DarkSeoul, Operation Flame, Operation 1Mission, Operation Troy, and Ten Days of Rain.

However, in certain definitions of the North Korean group, security researchers apparently report all North Korean state-sponsored cyber activities under the term Lazarus Group instead of tracking clusters or subgroups like Andariel, APT37, APT38, and Kimsuky.

The crypto industry remains a main target for Lazarus, with a primary motivation of profit rather than espionage, which is their second primary operational focus.

The fact that KandyKorn exists proves that macOS is well within Lazarus's target range and highlights the threat group's amazing ability to create subtle and sophisticated malware specifically designed for Apple devices.  

Read more »
State Sponsored Hackers
cyber espionage lazarus malware Malware loader State Sponsored Hackers

North Korean Links: Lazarus Group Strikes Again. This time via Unpatched Software Flaws


North Korean hackers spreading malware through legit software

North Korean hackers are spreading malware by exploiting known flaws in genuine software. The Lazarus group targets a version of an undisclosed software product for which vulnerabilities have been documented and solutions are available in a new campaign discovered by Kaspersky researchers.

Despite the vulnerabilities being disclosed and patched, the new advanced persistent threat campaign attacking companies globally used known flaws in a previous version of an unnamed software to encrypt web connection via digital certificates.

Threat actors used software to gain entry points

According to Kaspersky, hackers from the Lazarus group exploited the insecure software and used it as an entry point to breach organizations and encrypt web communication using digital certificates.

North Korea uses "cyber intrusions to conduct both espionage and financial crime in order to project power and finance both their cyber and kinetic capabilities," according to research by Google's Mandiant threat intelligence department. 

UN alleges North Korean links

Under Kim Jong Un's leadership, the DPRK is linked with a variety of state-sponsored hacking teams both at home and abroad that collect espionage on allies, opponents, and defectors, as well as hack banks and steal cryptocurrency. The UN has earlier accused North Korea of using stolen assets to fund the country's long-range missile and nuclear weapons programs, as well as enticing the country's officials.

To control the victim, hackers used SIGNBT malware and the infamous LPEClient tool, which experts have seen in attacks targeting defense contractors, nuclear engineers, and the cryptocurrency sector, and which was discovered in the infamous 3CX supply chain attack. "This malware acts as the initial point of infection and plays a crucial role in profiling the victim and delivering the payload," said experts.

According to Kaspersky, the developers of the unknown software previously became a target to Lazarus. According to the report, this repeated breach indicates a determined and persistent threat actor with the likely goal of compromising important source code or interfering with the software supply chain.

A deep look into the malware

According to Kaspersky experts, in mid-July, they noticed an increasing number of attacks on many victims utilizing the prone software, and they discovered post-exploitation activity within the genuine software's processes.

To establish and maintain efforts on hacked machines, the threat actor used a variety of techniques, including the development of a file called ualapi.dll in the system folder, which is loaded by default by the spoolsv.exe process at each system boot. According to the experts, Lazarus hackers also built registry entries to run genuine files for the purpose of malicious side-loading, assuring a durable persistence mechanism.

Lazarus used that malware loader to spread additional malware to the victim computers, such as LPEClient and credential dumping applications. The tool allows in extracting victim data as well as downloading additional payloads from a remote server for activation in memory.

As previously stated by the experts, it now uses advanced tactics to improve secrecy while preventing detection, such as deactivating user-mode syscall hooking and restoring system library memory parts.

Read more »
North Korean Hackers
cryptocurrency Cyber Attacks CyberCrime Cybersecurity lazarus North Korean Hackers

North Korean Hacker Linked to Tornado Cash Laundering

 


After authorities banned the Russian-founded cryptocurrency platform Tornado Cash over its alleged support for North Korean hackers a year ago, it has been announced that two co-founders of the cryptocurrency mixer have been charged with money laundering and other crimes. 

According to the US Justice Department, Roman Semenov and Roman Storm have been charged with conspiring to commit money laundering, conspiring to violate sanctions, and conspiring to operate an unlicensed money-transmitting business. According to a statement issued on Friday. Semenov is expected to appear in court shortly. 

It has been announced that US law enforcement officials have charged Tornado Cash's founders with laundering more than $1 billion in criminal proceeds during their operations. There were also allegations of Roman Semenov and Roman Storm taking part in a scheme to launder millions of dollars for the Lazarus Group, a cybercrime organization with connections to the North Korean government, according to a statement made by the US Department of Justice. Storm has been arrested in the state of Washington, while Semenov continues to remain on the run from authorities. 

According to the indictment published yesterday, the defendants were charged with conspiring to launder money, conspiring to violate sanctions, and conspiring to operate an unlicensed money transfer business by committing these crimes. Semenov, a native of Russia, remains at large, according to a statement released by the Justice Department Wednesday regarding Storm's arrest in Washington State. 

As a consequence, programming experts have been using the open-source code of Tornado Cash to develop new applications that are similar to it. Tornado Cash is a blockchain-based application, or "smart contracts", that has been designed specifically for use with Ethereum and can still be used with that platform. 

Although smart contracts in the U.S. are technically illegal, many apps that interact with the Ethereum blockchain have blocked access to the Tornado Cash app due to sanctions put in place by the United States government. Key blockchain infrastructure providers like Infura and Alchemy – which is used by many of these apps – have censored Tornado Cash as a result of this ban. 

Tornado Cash is being described as a "money transfer service for illicit purposes" according to the indictment that was filed by the Department of Justice on Wednesday. However, Storm and Semenov knew their service would be used for illicit purposes when they designed it. Furthermore, the US Department of Justice alleged they maintained control over Tornado Cash, which was a tool that they could have used to monitor transactions or to implement other anti-money laundering features, despite publishing official statements that they had no control over Tornado Cash. 

In addition to the indictment mentioning Alexey Pertsev, another co-founder of the organization, many references are made to Pertsev who was arrested last year and is currently awaiting trial for money laundering charges in the Netherlands. 

To make sure deposits and withdrawals were tracked, the three founders decided to create an option to use this compliance tool, which was opt-in only. As the DOJ alleges, neither anti-money laundering nor know-your-customer information was collected by the tool, which they claim was not sufficient for their use. 

An association with Lazarus


Semenov and Storm are also accused in the indictment of laundering the proceeds of the Lazarus Group. They appear to have been laundering the money as well. 

A rogue nation has consistently targeted cryptocurrency businesses, healthcare providers, and IT vendors as part of its effort to accrue foreign currency through the sale of its goods and services in recent years.  

A group of people who are connected to Tornado Cash claim that hundreds of millions of dollars were laundered by Tornado Cash between April and May 2022 for Lazarus. A change was implemented in the Coin Mixer's services during this period according to Storm and Semenov's indictment, to show the public that they complied with sanctions by announcing that the Coin Mixer's services had been updated. In private chats, however, the pair agreed that although these changes could be made to Tornado Cash, they would not be able to prevent money laundering from occurring. 

Both Storm and Semenov have been charged with conspiring to commit money laundering, as well as conspiring to violate the International Economic Emergency Powers Act, both of which carry a maximum sentence of 20 years in prison if found guilty. The judgments against them carry a maximum sentence of 20 years in prison if found guilty. A criminal charge of conspiracy to operate an unlicensed money transfer business, which carries a maximum prison sentence of five years, has also been filed against the couple.     

During a written statement released by her lawyer, Brian Klein, a partner at Waymaker LLP, Storm's lawyer, expressed her frustration at the indictment and expressed her frustration at the charge. A new legal theory with dangerous implications for all software developers, Klein wrote in a letter to the Editor of the New York Times, supports the Justice Department's arrest of his client. 

The prosecution's investigation into Mr. Storm has been ongoing since last year, and he has been cooperating with that investigation for the past year, denying any involvement in the criminal case. In the course of the trial, a lot more information will also come out regarding this case.   
Read more »
ScarCruft
Data Breach Data Stolen lazarus Mashinostroyeniya Data Breach Missile Program North Korea Hackers NPO Mash ScarCruft

North Korean Hackers Breach Russia’s Top Missile Maker’s Data


Reuters reported on Tuesday about a North Korea-based elite hacker group that is in a bid to steal technology by covertly breaching the computer networks of a Russian missile developer giant. Apparently, the hackers have been running the campaign for nearly five months in 2022. 

The North Korean cyberespionage group has targeted Mashinostroyeniya, a rocket design based in Reutov, Moscow. The hackers group, code-named ScarCruft and Lazarus installed covert digital backdoors into the system at NPO Mashinostroyeniya and was located by Reuters’ James Pearson and Christopher Bing.

However, it has not been made clear as to what data was acquired in the breach. In the following month, the digital break-in Pyongyang introduced several new developments in its banned ballistic missile program, while is not clear if this was in any regards to the breach.

Moreover, no official confirmation has been provided of the espionage by NPO Mashinostroyeniya officials.

About the Targeted Company

The company, commonly known as NPO Mash, specialized in developing hypersonic missiles, satellite technologies and new-generation ballistic armaments. The company was prominent in the Cold War as a premier satellite maker for Russia's space program and as a provider of cruise missiles.

According to experts, the hackers garnered interest in the company after it underlined its mission to develop an Intercontinental Ballistic Missile (ICBM), capable of bringing catastrophe to the mainland United States.

Apparently, the hackers acquired access to the company’s documents and leaked them between 2021, and May 2022. Following this, the IT engineers detected the cybercrime activities, the news agency reported. 

Hackers Read Email Traffic, Jumped Between Networks and Extracted Data from the Company 

According to Tom Hegel, a security researcher with U.S. cybersecurity firm SentinelOne, following the hack, the hackers gained access to the company’s IT environment, which enabled them to read email traffic, jump between networks, and extract data. "These findings provide rare insight into the clandestine cyber operations that traditionally remain concealed from public scrutiny or are simply never caught by such victims," Hegel said.

Digging further into the findings, Hegel’s team of security analysts discovered that one of the NPO Mash IT employees unintentionally exposed his company's internal communications while attempting to investigate the North Korean attack by uploading evidence to a secret portal used by cybersecurity researchers worldwide.

Experts speculate that the data stolen by the hacker group is of great importance, however, it will take a lot more information, effort and expertise for them to actually develop a missile. 

"That's movie stuff[…]Getting plans won't help you much in building these things, there is a lot more to it than some drawings," Hegel further added.

Read more »
Technology
Cyber Victim Cyberattacks Cybersecurity GitHub lazarus Malicious Threat NPM Package Technology

GitHub Issues Alert on Lazarus Group's Social Engineering Attack on Developers

 


According to a security alert issued by GitHub, this social engineering campaign is designed to compromise developers' accounts in the blockchain, cryptocurrency, online gambling, and cybersecurity industries. This is done through social engineering techniques. 

The campaign was reportedly linked to the Lazarus hacking group sponsored by the North Korean state. It was also linked to the groups Jade Sleet and TraderTraitor (both tools of Microsoft Threat Intelligence). There was a report released by the United States government in 2022 which detailed threat actors' tactics. 

Hacking group targets cryptocurrency companies and cybersecurity researchers to eavesdrop on them and steal their coins. The Lazarus Group is a cybercrime organization that targets cryptocurrency companies and cyber researchers using various names, such as Jade Sleet and TraderTraitor. Cyberespionage and cryptocurrency theft are two of the group's activities. According to GitHub, no GitHub accounts were compromised in this campaign, nor were any npm systems accounts.  

Lazarus Group reportedly uses legitimate GitHub or social media accounts that have been compromised or fake personas to pose as developers or recruiters on the platforms where they operate. This includes GitHub or social media. There is a wide range of personas designed to engage individuals in targeted industries. Ultimately, these personas will lead individuals to another platform, such as WhatsApp, through conversation. 

It is normally threat actors who initiate collaboration on a project. They invite targets to clone a GitHub repository related to media players and cryptocurrency trading tools after establishing trust between them. There are, however, malicious NPM dependencies on these projects that can download additional malware onto the devices of their targets. 

In June 2022, Phylum published a report on NPM packages that have been based on malicious code, with details about how they behave despite GitHub not providing details about the malware's specific behavior. Phylum reports that these packages function as malware downloaders that connect to remote websites via a browser. The download of additional payloads onto the infected machine. Several limitations in the payload reception process meant that researchers were unable to analyze the final malware delivered. 

As a consequence of this campaign, all NPM accounts and GitHub accounts associated with it have been suspended by GitHub. Additionally, they have published a list of indicators that can be used to identify whether a campaign is successful, including domains, GitHub accounts, and NPM packages. GitHub says the campaign was not intended to damage their systems. 

Lazarus has run previous social engineering campaigns similar to this one in the past. A few of these attacks included the targeting of security researchers in January 2021, a fake company website that was created in March 2021, and a fake email campaign in July 2021. As a result of these attacks, threat actors were effective at creating elaborate personas and distributing malware disguised as exploits for vulnerabilities. 

Lazarus is a group that targets cryptocurrency companies and developers to fund initiatives for the North Korean government. Several million dollars worth of cryptocurrency was stolen from them due to their involvement in the crime. It is worth noting that the theft of over 617 million dollars worth of Ethereum and USDC tokens was reported in an attack recently on Axie Infinity. 

Aside from fund theft and phishing scams, Lazarus has allegedly employed other tactics as well, including sending malicious PDF files disguised as job offers to targets that could compromise their bank accounts. In this case, the group has successfully delivered malware using false employment opportunities as a method of delivering their malware. 

Those in the target industries and developers should remain vigilant against the various types of social engineering attacks that are out there. Generally, individuals can protect themselves and their devices from malicious software and potentially compromised devices if they are aware of the tactics used by threat actors and adopt good cybersecurity practices, such as verifying the authenticity of requests and avoiding links and downloads that appear suspicious or unknown. 

Attack Process by the Lazarus Group


To begin with, the threat actor claims to be a developer or recruiter. He poses as them on GitHub and other social media websites related to the developer or recruiter niche. For contacting victims, they use their accounts as well as compromised accounts by Jade Sleet exploited by the group. 

There may be instances when the actor initiates contact on one platform and switches to another platform after a few minutes. When a threat actor connects with a victim he or she invites the victim to collaborate on a GitHub repository and uses the target as a means of cloning and executing the contents of the repository. The attacker may send the malicious software directly through a messaging service or file-sharing service, without inviting people to the repository and cloning it, in some cases. 

A malicious npm dependency has been included in the GitHub repository for the software. In addition to media players, the threat actor uses tools for selling cryptocurrencies in some of the software he builds. In addition to the malicious npm packages, these malicious npm packages also download secondary malware onto the victim's machine. A malicious package will normally not be published until a fake repository invitation is sent to you by an unknown threat actor.  

IOC details have been shared on the GitHub blog along with the suspension of npm and GitHub accounts associated with the campaign. As a practice, the most effective method of avoiding this campaign is to be cautious of social media solicitations for collaboration on or the installation of software that relies on NPM packages or dependencies. 

Lazarus Attacks in The Past 


Cryptocurrency companies and developers have been the target of North Korean hackers for a long time to steal assets needed to fund their country's initiatives. To steal cryptocurrency wallets and funds, Lazarus spreads Trojanized cryptocurrency wallets and exchange apps to target cryptocurrency users. 

It has been revealed that the U.S. Secret Service and the FBI have linked the Lazarus group to the theft of USDC and Ethereum tokens worth over $617 million from the blockchain-based game Axie Infinity by members of the Lazarus group. A malicious laced PDF file was later revealed to have been sent to one of the blockchain engineers by the threat actors, claiming to be a lucrative job offer disguised as a malicious PDF file. In this case, the attack was a result of this. 

Additionally, in 2020, a campaign called "Operation Dream Job" was used to deliver malware to employees at prominent aerospace and defense companies in the US through fake employment opportunities used to spread malware to them.
Read more »
Wslink
APT 32 lazarus malware WinorDLL64 Wslink

Lazarus's Latest Weapons: Wslink Loader and WinorDLL64 Backdoor


Cyberattacks have become increasingly advanced, and one of the most dangerous threats that companies face these days is backdoors. Backdoors are a type of malware that gives unauthorized access to a system to hackers, letting them steal important info, interrupt operations, and impact security. One such backdoor that surfaced recently is WinorDLL64, linked with the North Korean hacking group, Lazarus.

What is Wslink and WinorDLL64?

ESET researchers have found one of the payloads of the Wslink downloader that experts previously discovered in 2021. The payload is called WinorDLL64 based on its filename. Wslink, a loader for Windows binaries, is different from other loaders, it runs as a server and executes retrieved modules in memory. 

As the name suggests, a loader would serve as a tool to launch the payload or the malware into the infected system. Experts haven't identified the initial Wslink compromise vector yet. The WinorDLL64 is delivered by the Wslink malware downloader. These tools may be linked with the infamous North Korea-based APT group Lazarus. 

About WinorDLL64?

ESET researchers have found one of the payloads of the Wslink downloader that experts previously discovered in 2021. The payload is called WinorDLL64 based on its filename. Wslink, a loader for Windows binaries, is different from other loaders, it runs as a server and executes retrieved modules in memory. As the name suggests, a loader would serve as a tool to launch the payload or the malware into the infected system. Experts haven't identified the initial Wslink compromise vector yet. The WinorDLL64 is delivered by the Wslink malware downloader. These tools may be linked with the infamous North Korea-based APT group Lazarus. 

WinorDLL64 is a backdoor that was first found by cybersecurity experts in 2019. It is a 64-bit variant of the original Winor backdoor, which the Lazarus group used in its previous attacks. WinorDLL64 is built to be highly deceptive, which makes it difficult for experts to identify.

How does WinorDLL64 work?

WinorDLL64 is usually distributed via spear-phishing emails or malicious downloads. Once it compromises a system, it makes a backdoor that lets threat actors remotely gain entry and control the attacked system. It is built to avoid detection by using a number of techniques, this includes encrypting the communication process and concealing its sight on the system.

WeLiveSecurity by ESET reports "active since at least 2009, this infamous North-Korea aligned group is responsible for high-profile incidents such as both the Sony Pictures Entertainment hack and tens-of-millions-of-dollar cyberheists in 2016, the WannaCryptor (aka WannaCry) outbreak in 2017, and a long history of disruptive attacks against South Korean public and critical infrastructure since at least 2011. US-CERT and the FBI call this group HIDDEN COBRA."

Risks associated with WinorDLL64?

WinorDLL64 is a highly advanced backdoor that allows threat actors full control over the compromised system. Threat actors can steal important info, add malware, and do various malicious activities while evading detection. The dangers associated with WinorDLL64 are consequential, especially for companies that depend on sensitive data or critical systems.

How to protect yourself against WinorDLL64?

In the case of malware, safety is fundamental when it comes to defending against WinorDLL64. Companies can take various measures to decrease the chance of compromise. This includes:

Familiarizing employees with the dangers of phishing emails and inspiring them to be careful while opening attachments or suspicious links.

Maintaining software and security systems up-to-date to make sure all vulnerabilities are patched. 

Enforcing two-factor authentication and other login controls to reduce the damage from cyberattacks. 

Daily monitoring of network activity and system logs for any hints of malicious behavior.

Using a trusted anti-malware solution that can find and stop WinorDLL64 and various kinds of malware.

In summary, we can say that WinorDLL64 is a highly effective backdoor that is a significant threat to companies. It is believed to be the work of the North Korean hacking group, Lazarus, and is designed to evade detection and provide attackers with complete control over an infected system. Organizations can take various measures to defend against WinorDLL64, this includes educating the workplace, having the latest software, enforcing access controls, checking network activity, and using anti-malware software. With a proactive approach to cybersecurity, companies can lower the threat of a successful cyber attack and safeguard their precious systems and data. 


Read more »
Zimbra
CISA Cyber Attacks DPRK lazarus spying Zimbra

DPRK Uses Unfixed Zimbra Devices for Spying on Researchers


State-sponsored hackers exploit unpatched Zimbra devices

A recent series of compromises that exploited unpatched Zimbra devices was an operation sponsored by the North Korean government and aimed to steal intelligence from a collection of private and public medical and energy sector researchers. 

Analysts with W labs in a new report explained that due to an overlap in techniques, and thanks to a mess up by one of the threat actors, they attributed the recent series of cyber incidents against unpatched Zimbra devices to the Lazarus group, a well-known cybercriminal group sponsored by the North Korean government. 

A joint report by NSA and Central Security service said "DPRK cyber actors have been using cryptocurrency generated through illicit cybercrime activities to procure infrastructure such as IP addresses and domains. The actors intend to conceal their affiliation and then exploit common vulnerabilities and exposures (CVE) in order to gain access and escalate privileges on targeted networks to perform ransomware activities. Recently observed CVEs include remote code execution in the Apache Log4j software library (also known as "Log4Shell") and remote code execution in various SonicWall appliances."

Lazarus ran a campaign using unpatched Zimbra devices

Lazarus ran this campaign and other likewise intelligence-gathering operations till the end of 2022. The experts have named the campaign "No pineapple" after an error message created by the malware during their investigation. The threat actors quietly stole around 100GB of data, without running any destructive cyber campaign or disrupting information.

Security teams running unpatched, Internet-connected Zimbra Collaboration Suite (ZCS) can assume they are compromised and should take immediate detection and response action. 

A recent security alert by CISA flagged active Zimbra exploits for CVE-2022-24682, CVE-2022-27924, and CVE-2022-27925, which are being chained with CVE-2022-37042, and CVE-2022-30333. 

The cyber attacks lead to remote code execution (RCE) and access to the Zimbra platform. 

Unfixed Zimbra devices can affect sensitive info

The results can be quite dangerous when it comes to protecting sensitive info and shielding email-based follow-on threats. ZCS is a suite of business communication services that consists of an email server and a Web client for accessing messages via the cloud. 

CISA and Multi-State Information Sharing and Analysis Center (MS-ISAC) strongly suggest administrators and users apply the guidelines in the recommendations of the cybersecurity advisory to defend their organization's systems against malicious cyber operations. 

"NSA and the other authoring agencies urge all critical infrastructure entities and organizations, including the Healthcare and Public Health (HPH) Sector, and the Department of Defense and Defense Industrial Base, to apply the mitigations listed in this advisory," said NSA


Read more »
Telegram
Crypto Cyber Attacks DEV Excel Files lazarus Lazarus APT Lazarus Group Microsoft North Korea Telegram

North Korean Lazarus Group Targeting Crypto Market via Telegram & Excel File


DEV-0139 uses targeted attacks to steal cryptocurrency investments 

Microsoft has identified a threat actor that has been targeting cryptocurrency investment startups. An entity that Microsoft has termed as DEV-0139 posed as a cryptocurrency investment firm on Telegram and used an Excel file deployed with malicious "well-crafted" malware to attack systems and access them remotely. 

The threat is part of a trend in cyberattacks showing a high degree of sophistication. In our case, the threat actor made a fake OKX employee profile and joined Telegram groups used for facilitating communication between VIP clients and cryptocurrency exchange platforms. 

In recent years, the cryptocurrency market has grown exponentially, getting the attention of investors as well as threat actors. Cybercriminals have used cryptocurrency for their attacks and campaigns, especially for ransom payment in ransomware attacks. 

DEV-0139 uses Telegram and Excel files to target victim

There has also been a rise in threat actors directly attacking organizations in the cryptocurrency industry for monetary motives. Cyberattacks targeting the cryptocurrency market come in various forms, this includes fraud, vulnerability exploitation, fake apps, and use of info stealers, threat actors use these variables to steal cryptocurrency funds. 

In October, the victim was asked to join a new group and then asked to provide feedback on an Excel document that compared Binance, OKX, and Huobi VIP fee structures. 

The document offered correct information and high awareness of the ground reality of crypto trading, however, it also sideloaded an infected. DLL (Dynamic Link Library) file to make a backdoor into the user's system. The victim was then told to view the .dll file while discussing the course fees. 

According to Microsoft, the weaponized Excel file initiates the following series of activities:

  • A malicious macro in the weaponized Excel file abuses the UserForm of VBA to obfuscate the code and retrieve some data.
  • The malicious macro drops another Excel sheet embedded in the form and executes it in invisible mode. The said Excel sheet is encoded in base64 and dropped into C:\ProgramData\Microsoft Media\ with the name VSDB688.tmp
  • The file VSDB688.tmp downloads a PNG file containing three executables: a legitimate Windows file named logagent.exe, a malicious version of the DLL wsock32.dll, and an XOR-encoded backdoor.
  • The file logagent.exe is used to sideload the malicious wsock32.dll, which acts as a DLL proxy to the legitimate wsock32.dll. The malicious DLL file is used to load and decrypt the XOR-encoded backdoor that lets the threat actor remotely access the infected system.

The attack method is popular, Microsoft suggests the attacker was the same as the one running .dll files for the same reasons in June, and also behind other cyberattack instances as well. As per Microsoft, DEV-0139 is the same threat actor that cybersecurity agency Volexity associated with North Korea's state-sponsored Lazarus Group. 

It uses a malware strain called AppleJeus and an MSI (Microsoft installer). The United States federal Cybersecurity and Infrastructure Security Agency reported on AppleJeus last year and Kaspersky Labs documented it in 2020. 

To stay safe from such threats, Microsoft suggests:

1. Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.

2. Educate end users about protecting personal and business information in social media, filtering unsolicited communication (in this case, Telegram chat groups), identifying lures in spear-phishing emails and watering holes, and reporting reconnaissance attempts and other suspicious activity.

3. Educate end users about preventing malware infections, such as ignoring or deleting unsolicited and unexpected emails or attachments sent via instant messaging applications or social networks. Encourage end users to practice good credential hygiene and make sure the Microsoft Defender Firewall (which is enabled by default) is always on to prevent malware infection and stifle propagation.

4. Change Excel macro security settings to control which macros run and under what circumstances when you open a workbook. Customers can also stop malicious XLM or VBA macros by ensuring runtime macro scanning by Antimalware Scan Interface (AMSI) is on. This feature—enabled by default—is on if the Group Policy setting for Macro Run Time Scan Scope is set to “Enable for All Files” or “Enable for Low Trust Files”.

5. Turn on attack surface reduction rules to prevent common attack techniques observed in this threat:

  • Block Office applications from creating executable content
  • Block Office communication application from creating child processes
  • Block Win32 API calls from Office macros
6. Ensure that Microsoft Defender Antivirus is up to date and that real-time behavior monitoring is enabled.

The cryptocurrency market is a lucrative interest for cybercriminals. Targeted victims are identified via trusted channels to better the chance of attack. While hackers prefer targeting big organizations, smaller organizations can also become an easy target of interest. 






Read more »
Mac
Apple Cyber Security lazarus M1 Chips Mac

Lazarus Attacks Apple's M1 Chip, Lures Victims Via Fake Job Offers


New Attack by Lazarus

Advanced Persistent Threat (APT) Lazarus linked to North Korea is increasing its attack base with current operation In(ter)caption campaign, which targets Macs with M1 chip of Apple. The state-sponsored group continues to launch phishing attacks under the disguise of fake job opportunities. 

Threat experts at ESET (endpoint detection provider) alerted this week that they found a Mac executable disguised as a job details for an engineering manager position at the famous cryptocurrency exchange operator Coinbase. ESET's warning on twitter says that Lazarus posted the fake job offer to Virus total from Brazil. 

Operation In(ter)ception 

"The ongoing campaign and others from North Korea remain frustrating for government officials. The FBI blamed Lazarus for stealing $625 million in cryptocurrency from Ronin Network, which operates a blockchain platform for the popular NFT game Axie Infinity," reports DarkReading

Lazarus made the latest rebuild of the malware, Interception.dll, to deploy on Macs via loading three files- FinderFontsUpdater.app and safarifontsagent, fake Coinbase job offers and two executables. The binary can exploit Macs packed with Intel processors and with Apple's new M1 chipset. 

ESET experts began researching Operation In(ter)ception around three years back when the experts found attacks against military and aerospace companies. 

They observed that the operation's main goal was surveillance, but it also found incidents of the threat actors using a target's email account through a business email compromise (BEC) to finalize the operation. 

The interception.dll malware posts fake job offers to bait innocent victims, usually via LinkedIn. The Mac attack is the most recent one in a continuing aggressive front by Lazarus group to promote operation In(ter)ception, which has aggravated recently. ESET released a detailed white paper on the technique incorporated by Lazarus in 2020. 

It's an irony that the fake Coinbase job posting targets technically oriented people. The experts think that the threat actors were in direct contact, which means the victim was prompted to open whatever pop-up windows showed up on the screen to see the "dream job" offer from Coinbase. 

Apple revoked the certificate that would enable the malware to execute late last week after ESET alerted the company of the campaign. So now, computers with macOS Catalina v10.15 or later are protected, presuming the user has basic security awareness, saysPeter Kalnai, a senior malware researcher for ESET.


Read more »
Sanctions
APT cryptocurrency Cyber Crime lazarus Sanctions

North Korea Linked APT: US Sanctions Crypto Mixer Tornado Cash


The U.S Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned the crypto mixer service Tornado Cash. It was used by North Korean hackers linked to Lazarus APT Group. 

What is Crypto Mixers?

The mixers are crucial elements for threat actors that use it for money laundering, the mixer was used in laundering the funds stolen from victims. 

As per OFAC, cybercriminals used Tornado Cash to launder more than $7 Billion worth of virtual currency, which was created in 2019. The Lazarus APT group laundered more than $455 million money and stole in the biggest ever virtual currency heist to date. 

About the attack

It was also used in laundering over $96 million of malicious actors' funds received from the 24th June 2022 Harmony Bridge Heist and around $7.8 million from Nomad crypto heist recently. The sanction has been taken in accordance with Executive Order (E.O) 13694. 

"Today, Treasury is sanctioning Tornado Cash, a virtual currency mixer that launders the proceeds of cybercrimes, including those committed against victims in the United States,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks.”

The Sanctions

In May, the US department of treasury sanctioned another cryptocurrency mixer, Blender.io, it was used by Lazarus APT, a hacking group linked to North Korea. It was used for laundering money from Axie Infinity's Ronin Bridge. The treasury has for the first time sanctioned a virtual currency mixer. 

"Virtual currency mixers that assist criminals are a threat to U.S. national security. Treasury will continue to investigate the use of mixers for illicit purposes and use its authorities to respond to illicit financing risks in the virtual currency ecosystem.” concludes the announcement published by the U.S. Treasury Department. “Criminals have increased their use of anonymity-enhancing technologies, including mixers, to help hide the movement or origin of funds.”



Read more »
Spyware
attacks Breach Crypto cryptocurrency lazarus Lazarus Group malware Spyware

Hackers Used Fake LinkedIn Job Offer to Steal $625M

 

Earlier this year, Ronin Network (RON), the blockchain network behind the popular crypto games Axie Infinity and Axie DAO, experienced the greatest crypto attack against a decentralised financial network ever reported. 

The United States issued advice in May 2022, stating that highly competent hackers from North Korea were attempting to get work by posing as IT freelancers. The Axie Infinity attack was socially engineered, with the North Korean government-backed hacker organisation Lazarus into Sky Mavis' network by giving one of the company's workers a PDF file carrying malware. Lazarus' participation in such a high-profile breach should come as no surprise. 

In January 2022, analysts from several crypto security organizations concluded that North Korean hackers had stolen $1.3 billion from cryptocurrency exchanges throughout the world, with the famed Lazarus group as their top suspect. 

Axie Infinity Hack 

The employee, an ex-senior engineer at the firm, fell for the trap and opened the PDF, believing it was a high-paying job offer from another company. However, this firm did not exist in reality.

During the recruitment process, the ex-employee disclosed sensitive personal information that attackers utilised to steal from the organisation. Sky Mavis' staff are regularly threatened by sophisticated spear-phishing attempts on multiple social networks, according to the company. In this case, one person, who does not even work at Sky Mavis, was duped. 

How was Ronin hacked? 

According to The Block, at the time of the attack, Axie Infinity had nine validators from its proof-of-authority, an Ethereum-based sidechain Ronin. 

“The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes,” Sky Mavis stated.

To get access to the company's networks, the attacker needed to seize five out of nine validators. The spyware-laced PDF allowed the attacker to gain control of four validators and get entry to the community-run Axie DAO (Decentralized Autonomous Organization), from which they gained control of the fifth validator. After breaching the network, the attackers took $25 million in USDC stablecoin and 173,600 ether (about $597 million) from Axie Infinity's treasury, totaling $625 million in crypto. 

Nonetheless, the Ronin sidechain upped the number of validators to 11 to improve security, and Sky Mavis is reimbursing Axie Players who lost crypto as a result of the hack. In April 2022, the company raised $150 million in funding. 

The US administration alleges that the assault was carried out by the renowned North Korean hacking organisation Lazarus. This organisation specialises in such attacks. This is hardly Lazarus' first foray into the blockchain sector. However, Lazarus using social engineering to infiltrate a company's networks is unusual. In reality, the Slovak internet security company ESET notified LinkedIn users in June 2020 about Lazarus' involvement in a complex LinkedIn recruiting fraud targeting military and aerospace industries.
Read more »
lazarus
APT Cyber Attacks engineers lazarus

Job Seeking Engineers Have Become Lazarus Gang’s New Target

 

Amid operations sending malicious documentation to work-seekers, the renowned group Lazarus advanced persistent threat (APT) has been identified. In this case, defense companies are searching for jobs. 

As per a paper published online by AT&T Alien Labs, researchers monitored the activity of Lazarus for months with technical targets in the United States and Europe. 

According to the creator of the report, Fernando Martinez, emails from prominent defense contractors Airbus, General Motors (GM), and Rheinmetall have been sent to potential engineering recruits by the APT purport. 

Word documents with macros that implant malicious code in a victim's PC are included in the emails to prevent detection by changing the target computer settings. 

“The core techniques for the three malicious documents are the same, but the attackers attempted to reduce the potential detections and increase the faculties of the macros,” Martinez wrote. 

Lazarus's operation is the newest thing that targets the field of defense. In February, scientists attributed a 2020 spear-phishing campaign to the APT aiming to acquire key data by using advancing malware named ThreatNeedle from defense organizations. 

Indeed, with Microsoft Office Macros being used and third-party communications infrastructures being jeopardized, Lazarus is written all over the latest attacks that remain 'in line with the earlier Lazarus campaigns' as Martinez said. 

“Attack lures, potentially targeting engineering professionals in government organizations, showcase the importance of tracking Lazarus and their evolution,” he wrote. “We continue to see Lazarus using the same tactic, techniques, and procedures that we have observed in the past.” 

Researchers from AT&T Alien Labs have already seen Lazarus' activities, trying to attract victims to false Boeing and BAE systems jobs. Martinez noted that Twitter users were warned of the current campaign as Twitter users identified various papers related to Lazarus by Rheinmetall, GM, and Airbus from May to June this year. 

Researchers have discovered that campaigns using the three new documents are comparable in communicating with the command and control but that they can do malicious activities in distinct ways. Lazarus has circulated two malicious documents related to the German defense and automotive industry engineering firm Rheinmetall. The second had "more elaborate content," which made it possible for victims to remain unnoticed, noted Martinez. 

One of the distinctive aspects of the macro in the original malicious document is to rename the Microsoft Docs command-line software Certutil to try and disguise its actions. 

“The macro executes the mentioned payload with an updated technique,” Martinez wrote. “The attackers are no longer using Mavinject, but directly executing the payload with explorer.exe, significantly modifying the resulting execution tree.” 

Owing to Lazarus' historically prolific behavior – called the "most active" threat group in 2020 by Kaspersky— the recent attack on technicians "is not expected to be the last," Martinez said. 

Attack tactics that may target technical experts in governmental organizations illustrate the relevance of Lazarus tracking and its progression, Martinez added.
Read more »
North Korean Hackers
Crytocurrency Cyber Fraud lazarus North Korean Hackers

Lazarus E-Commerce Attackers Adapt Web Skimming for Stealing Cryptocurrency

 

Cybercriminals with apparent ties to North Korea that hit e-commerce shops in 2019 and 2020 to steal payment card data also tested functionality for stealing cryptocurrency, according to the cybersecurity firm Group-IB. 

Group-IB's latest report builds on findings revealed in July 2020 by Dutch security firm Sansec, which reported that malicious infrastructure and, in many cases, the malware was being used for Magecart-style attack campaigns that had previously been attributed to the Lazarus Group. 

Lazarus - aka Hidden Cobra, Dark Seoul, Guardians of Peace, APT38, Bluenoroff, and a host of other names - refers to a group of hackers with apparent ties to the Pyongyang-based government officially known as the Democratic People's Republic of Korea, led by Kim Jong-Un.

Magecart-style attacks refer to using so-called digital card skimming or scraping tools - aka JavaScript sniffers - that they inject into victim organizations' e-commerce sites. Victims of such attacks have included jewelry and accessories retailer Claire's and Ticketmaster UK, among thousands of others. 

Researchers at Group-IB stated that after reviewing the attack campaign discovered by Sansec, it also found signs suggesting that attackers had been experimenting not just with stealing payment card data but also cryptocurrency.

Group-IB reports that it found the same infrastructure being used, together with a modified version of the same JavaScript sniffer - aka JS-sniffer - that Sansec described in its report. Group-IB has dubbed the cryptocurrency-targeting campaign Lazarus BTC Changer. 

The attackers appear to have stolen relatively little cryptocurrency via the sites' customers: just $9,000 worth of Ethereum and $8,400 worth of bitcoins, Group-IB reports. Group-IB says those stolen funds appeared to have been routed to bitcoin cryptocurrency wallets allegedly owned by CoinPayments.net, "a payment gateway that allows users to conduct transactions involving bitcoin, Ethereum, Litecoin, and other cryptocurrencies." 

Lazarus may have used the site to launder the stolen funds by moving them to other cryptocurrency exchanges or wallets. The cybersecurity firm notes that CoinPayment's "know your customer" policy could help identify the individuals who initiated the transactions. The service's user agreement stipulates that individuals attest that they are not operating in or on behalf of anyone in a prohibited jurisdiction, which includes North Korea.
Read more »
zero-day
ENKI Hackers Internet Explorer lazarus Vulnerability and Exploits zero-day

Hackers Used Internet Explorer Zero-Day Vulnerability To Target Security Researchers

 

In recent times, during the attacks against the security and vulnerability researchers in North Korea, an Internet Explorer zero-day vulnerability has been discovered. The zero-day vulnerability is a computer software vulnerability unknown to individuals who need to minimize the harm. Hackers may use the vulnerability to change computer systems, files, machines, and networks to the detriment of the vulnerability. 

Google announced last month that the Lazarus-sponsored state-based North Korean hacking community carried out attacks on security scholars in social engineers, wherein the hacking community used social networks as a tool to target security researchers and used custom backdoor malware. The Lazarus group is a North Korea based persistent threat group (APT), which has gained a lot of prominence in the preceding years as various CyberAttacks have been attributed to the threat group. 

The threat actors have developed comprehensive online "security researcher" personas who then use social media to connect with renowned security researchers to contribute to the vulnerability and exploit growth to execute their attacks. 

In this regard, the attackers have sent malignant Visual Studio Projects and links to the website that hosts the exploit kits to install backdoors in the computers of the researchers. Microsoft also announced that it had monitored the assault and saw Lazarus exchanging MHTML files containing malicious java scripts with the researchers. The server command and control at the time of the investigation was down and therefore no further payloads were investigated by Microsoft. 

Recently in this social-engineering campaign, South Korean cybersecurity company ENKI claimed that Lazarus attacked MHTML files on their squad. Although the attacks were ineffective, they analyzed payloads downloaded from MHT files and found that they contained a vulnerability exploit for Internet Explorer. 

MHT/MHTML is a file format that is used by Internet Explorer to store a web page and services in one file. MHT / MHTML file is sometimes also known as MIME HTML. The MHT file transmitted to ENKI investigators was confirmed to be an exploit of Chrome 85 RCE and called "Chrome_85_RCE_Full_Exploit_Code.mht." 

On further executing the MHT/MHTML file, Internet Explorer will automatically start to display the MHT file contents. ENKI stated that a malicious javascript would download two payloads with one containing a zero-day version of Internet Explorer if the execution of the script was allowed. ENKI has affirmed that they have reported the bug to Microsoft and for which they were later contacted by a Microsoft employee. 

Concerning the aforementioned incident, Microsoft has said that they have investigated every aspect of the report and will surely provide an update in near future, “Microsoft has a customer commitment to investigate reported security issues and we will provide updates for impacted devices as soon as possible.”
Read more »
lazarus
Cyber Attacks Hacker attack Kaspersky lazarus

Kaspersky has reported hacker attacks on COVID-19 researchers

The hacker group Lazarus attacked the developers of the coronavirus vaccine: the Ministry of Health and a pharmaceutical company in one of the Asian countries

Kaspersky Lab reported that the hacker group Lazarus has launched two attacks on organizations involved in coronavirus research. The targets of the hackers, whose activities were discovered by the company, were the Ministry of Health in one of the Asian countries and a pharmaceutical company.

According to Kaspersky Lab, the attack occurred on September 25. Hackers used the Bookcode virus, as well as phishing techniques and compromising sites. A month later, on October 27, the Ministry of Health servers running on the Windows operating system was attacked. In the attack on the Ministry, according to the IT company, the wAgent virus was used. Similarly, Lazarus previously infected the networks of cryptocurrency companies.

"Two Windows servers of a government agency were compromised on October 27 by a sophisticated malware known to Kaspersky Lab as wAgent. The infection was carried out in the same way that was previously used by the Lazarus group to penetrate the networks of cryptocurrency companies," said Kaspersky Lab.

Both types of malware allow attackers to gain control over an infected device. Kaspersky Lab continues its investigation.

"All companies involved in the development and implementation of the vaccine should be as ready as possible to repel cyber attacks," added Kaspersky Lab.

The Lazarus group is also known as APT38. The US Federal Bureau of Investigation (FBI) reported that their activities are sponsored by the DPRK authorities.

Recall that in July, the National Cyber Security Centre (NCSC) and similar departments of the United States and Canada accused the hacker group APT29, allegedly associated with the Russian special services, in an attempt to steal information about the coronavirus vaccine. Dmitry Peskov, press secretary of the Russian President, denied the Kremlin's involvement in the break-ins.

Read more »
Malware Attack
ESET lazarus malware Malware Attack

ESET has revealed a new series of Lazarus attacks

Experts of the antivirus company ESET have discovered a series of attacks, behind which is one of the most famous North Korean groups, Lazarus. The hackers targeted users of government and banking websites in South Korea. The cybercriminals used an unusual mechanism to deliver the malware, disguising themselves as stolen security software and digital certificates.

The spread of the Lazarus virus was facilitated by the fact that South Korean Internet users are often asked to install additional security programs when visiting government websites or Internet banking websites, explained the head of the investigation, Anton Cherepanov.

"The WIZVERA VeraPort integration installation program is widespread in South Korea. After installation, users can download the necessary software for a specific website. This scheme is usually used by the South Korean government and banking websites. For some of these sites, the presence of WIZVERA VeraPort is mandatory,” said Mr. Cherepanov.

Attackers used illegally obtained code signing certificates to inject malware samples. And one of these certificates was issued to a firm specializing in security - the American branch of a South Korean security company.

"Hackers disguised Lazarus malware samples as legitimate programs. These samples have the same file names, icons and resources as legitimate South Korean software," said Peter Kalnai, who was involved in the investigation of the attack.

ESET's analysis once again demonstrated the non-standard nature of the methods of intrusion, encryption and configuration of the network infrastructure, which has become the business card of Lazarus hackers.

It is worth noting that on November 13, Microsoft representatives reported that, according to their data, in recent months, three APT groups attacked at least seven companies engaged in COVID-19 research and vaccine development. The Russian-speaking group Strontium (Fancy Bear, APT28, and so on), as well as North Korean Zinc (Lazarus) and Cerium, are blamed for these attacks.

Hacker group Zinc (aka Lazarus) mainly relied on targeted phishing campaigns, sending potential victims emails with fictitious job descriptions and posing as recruiters.

Read more »
lazarus
Cyber Attacks Hackers News Kaspersky lazarus

Experts found targeted attacks by hackers from North Korea on Russia


 Kaspersky Lab revealed that the well-known North Korean hacker group Lazarus has become active in Russia. The attackers attack through applications for cryptocurrency traders in order to steal data for access to the wallets and exchanges. In addition, the group collects research and industrial data.

 Experts believe that hackers are particularly interested in the military-space sphere, energy and IT, and the interest in bitcoin can be explained by the need for North Korea  to bypass sanctions

 The first cases of Lazarus targeted attacks on Russia appeared at the beginning of last year. According to Kaspersky Lab,  since at least spring 2018 Lazarus has been carrying out attacks using the advanced MATA framework. Its peculiarity is that it can hack a device regardless of what operating system it runs on — Windows, Linux or macOS.

 According to Kaspersky Lab, the victims of MATA include organizations located in Poland, Germany, Turkey, South Korea, Japan and India, including a software manufacturer, a trading company and an Internet service provider.

 Several waves of attacks have been detected this year. So, this month, Lazarus attacks were discovered in Russia, during which the backdoor Manuscrypt was used. This tool has similarities to MATA in the logic of working with the command server and the internal naming of components.

 "After studying this series of attacks, we conclude that the Lazarus group is ready to invest seriously in the development of tools and that it is looking for victims around the world," said Yuri Namestnikov, head of the Russian research center Kaspersky Lab.

 According to Andrey Arsentiev, head of Analytics and Special Projects at InfoWatch Group, Lazarus is one of the politically motivated groups. It is supported by the North Korean authorities and is necessary for this state: cybercrimes are committed to obtain funds for developing weapons, buying fuel and other resources. He explained that the anonymous nature of the cryptocurrency market makes it possible to hide transactions, that is, by paying for various goods with bitcoin, North Korea can bypass the sanctions,

 Kaspersky Lab noted that data from organizations involved in research related to the coronavirus vaccine is currently in high demand in the shadow market.
Read more »
North Korean Hackers
Cyber Attacks lazarus malware North Korean Hackers

Discovery of a New Malware Framework and Its Linkages with a North Korean Hacker Group



The discovery of a brand new malware framework and its linkages with a North Korean hacker group has heightened the panic within the digital world. Kaspersky, the cybersecurity company has already alerted the SOC groups of the discovery.

Referred to as  "MATA," the framework has been being used since around April 2018, principally to help in attacks intended to steal customer databases and circulate ransomware.

The framework itself gives its controllers the adaptability to target Windows, Linux, and macOS and comprises of a few components including loader, orchestrator, and plugins.

Kaspersky associated its utilization to the North Korean group "Lazarus”, which has been engaged for a considerable length of time in 'cyber-espionage' and sabotage and, by means of its Bluenoroff subgroup, endeavors to collect illegal funds for its Pyongyang masters.

The group was even pegged for WannaCry, just as refined attacks on financial institutions including the notorious $81m raid of Bangladesh Bank. Kaspersky senior researcher, Seongsu Park, contended that the most recent attacks connected to Lazarus display its eagerness to invest serious resources to create new malware toolsets in the chase for money and data.

“Furthermore, writing malware for Linux and macOS systems often indicates that the attacker feels that he has more than enough tools for the Windows platform, which the overwhelming majority of devices are run on. This approach is typically found among mature APT groups” he added later.

“We expect the MATA framework to be developed even further and advise organizations to pay more attention to the security of their data, as it remains one of the key and most valuable resources that could be affected.”

The security vendor encouraged the SOC teams to get to the most recent threat intelligence feeds, install dedicated security on all Windows, macOS and Linus endpoints, and to back-up regularly.

The framework seems to have been deployed in a wide variety of scenarios, focusing on e-commerce firms, software developers, and ISPs across Poland, Germany, Turkey, Korea, Japan, and India.

Read more »
Web Skimming
Cybersecurity Hidden Cobra lazarus Magecart Web Skimming

Hackers Attack Online Stores Stealing Credit Card Data, Experts Allege North Korea


According to the recent findings, there has been an incident of web skimming attacks on the European and American online store websites. The hackers responsible for the attacks are likely to be state-sponsored from North Korea. Research conducted by cybersecurity experts at Sansec reveals that the web skimming attacks that broke into the online retail stores started in May 2019. APT Lazarus and Hidden Cobra hacking groups were responsible for the attacks, planting payment skimmers to breach the security.



According to the new research, the hackers have now increased their activities. They have now set a larger target area and attack online stores using a skimming script, which steals the customer's banking credentials during the checkout stage. The researchers from Sansec claim that the attacks were carried out by Hidden Cobra because a similar hacking pattern was used in their previous attacks.

 What is Magecart Attack? 
It is a web skimming attack in which hackers can steal banking credentials from the user and credit card details. However, in this incident, Hidden Cobra, after gaining access, launched a large scale attack on big online retail stores. Once hackers have unauthorized access, they deploy fake scripts on the websites' checkout pages. The skimmer then stores all the credentials that the user types during the checkout stage and sends it to the main Hidden Cobra servers. According to Sances data, in millions of online stores, up to 100 stores' websites are compromised on an average every day.

"To monetize the skimming operations, HIDDEN COBRA developed a global exfiltration network. This network utilizes legitimate sites that were hijacked and repurposed to serve as disguises for criminal activity. The system is also used to funnel the stolen assets so that they can be sold on dark web markets. Sansec has identified a number of these exfiltration nodes, including a modeling agency8 from Milan, a vintage music store9 from Tehran, and a family-run book store10 from New Jersey," says the Sansec report. Experts have now linked various attacks since 2019 to Hidden Cobra, say that the threat actors are very likely to be state-sponsored.
Read more »
US
Cybersecurity lazarus North Korean Hackers US

US Intelligence Reveals Malware, Blames North Korea


The FBI (Federal Bureau of Investigation), US Cyber Command, and DHS (Department of Homeland Security) recently discovered a hacking operation that is supposed to originate from North Korea. To inform the public, the agencies issued a security statement which contains the information of the 6 malware that the North Korean Hackers are currently using.


US Cyber Command's subordinate unit, Cyber National Mission Force (CNMF), on its official twitter account published that the North Korean hackers are spreading the malware via phishing campaigns. The tweet says, "Malware attributed to #NorthKorea by @FBI_NCIJTF just released here: https://www.virustotal.com/gui/user/CYBERCOM_Malware_Alert …. This malware is currently used for phishing & remote access by #DPRK cyber actors to conduct illegal activity, steal funds & evade sanctions. #HappyValentines @CISAgov @DHS @US_CYBERCOM."

According to the US Cyber Command, the malware allows the North Korean hackers to sneak their way into infected systems and steal money. The funds stolen are then transferred back to North Korea, all of it done to avoid the economic sanctions imposed upon it. It is not the first time that the news of the North Korean government using hackers to steal money and cryptocurrency to fund its nuclear plans and missile programs, and avoid the economic sanctions have appeared. According to the reports of the US agencies, the 6 malware are Bistromath, Slickshoes, Crowdedflounder, Hotcroissant, Artfulpie, and Buffet line. The official website and twitter account of DHS, US Cyber Command, have complete details about the malware.

The US Alleges Lazarous Group for the Attack 

 Cybersecurity and Infrastructure Security Agency (CISA) claims that the attack was carried away by the North Korean hacker group Lazarus. The group also works under an alias, Hidden Cobra, and is one of the largest and most active hackers' groups in North Korea. According to the DOJ (Department of Justice), Lazarus was also involved in the 2014 Sony hack, 2016 Bangladesh Bank Attack, and planning the 2017 WannaCry ransomware outbreak.

A new 'Name and Shame' approach 

 Earlier, the US used to avoid issuing statements when it faced cybersecurity attacks. However, in the present times, it has adopted a new name and shame approach to deal with this issue. The US cybercommand, as observed, publishes about the malware publicly on its Twitter handle, along with the nation responsible. This didn't happen earlier.
Read more »
Subscribe to: Posts (Atom)