Search This Blog

Showing posts with label North Korean Hackers. Show all posts

US Intelligence Reveals Malware, Blames North Korea


The FBI (Federal Bureau of Investigation), US Cyber Command, and DHS (Department of Homeland Security) recently discovered a hacking operation that is supposed to originate from North Korea. To inform the public, the agencies issued a security statement which contains the information of the 6 malware that the North Korean Hackers are currently using.


US Cyber Command's subordinate unit, Cyber National Mission Force (CNMF), on its official twitter account published that the North Korean hackers are spreading the malware via phishing campaigns. The tweet says, "Malware attributed to #NorthKorea by @FBI_NCIJTF just released here: https://www.virustotal.com/gui/user/CYBERCOM_Malware_Alert …. This malware is currently used for phishing & remote access by #DPRK cyber actors to conduct illegal activity, steal funds & evade sanctions. #HappyValentines @CISAgov @DHS @US_CYBERCOM."

According to the US Cyber Command, the malware allows the North Korean hackers to sneak their way into infected systems and steal money. The funds stolen are then transferred back to North Korea, all of it done to avoid the economic sanctions imposed upon it. It is not the first time that the news of the North Korean government using hackers to steal money and cryptocurrency to fund its nuclear plans and missile programs, and avoid the economic sanctions have appeared. According to the reports of the US agencies, the 6 malware are Bistromath, Slickshoes, Crowdedflounder, Hotcroissant, Artfulpie, and Buffet line. The official website and twitter account of DHS, US Cyber Command, have complete details about the malware.

The US Alleges Lazarous Group for the Attack 

Cybersecurity and Infrastructure Security Agency (CISA) claims that the attack was carried away by the North Korean hacker group Lazarus. The group also works under an alias, Hidden Cobra, and is one of the largest and most active hackers' groups in North Korea. According to the DOJ (Department of Justice), Lazarus was also involved in the 2014 Sony hack, 2016 Bangladesh Bank Attack, and planning the 2017 WannaCry ransomware outbreak.

A new 'Name and Shame' approach 

Earlier, the US used to avoid issuing statements when it faced cybersecurity attacks. However, in the present times, it has adopted a new name and shame approach to deal with this issue. The US cybercommand, as observed, publishes about the malware publicly on its Twitter handle, along with the nation responsible. This didn't happen earlier.

Internet Explorer Targeted by North Korean Hackers: How to Stay Safe?



In a recent cybersecurity issue, some hackers from North Korea are attacking Internet Explorer by exploiting a vulnerability, which is said to be a zero-day flaw. The company Microsoft has not yet spoken on the issue and is still silent. 



Users should immediately stop using Internet Explorer for a while to stay safe from the hackers, suggest cybersecurity experts. If the users still prefer to use Microsoft software, they can download the latest Edge Browser by Microsoft. The Edge browser is safe from the attack as well as offers a better user experience while browsing than Internet Explorer. Other secured browsers include Google Chrome and Mozilla Firefox.

But if the users still want to use the traditional software, cybersecurity experts at Tom's Guide suggest downloading a limited time user account that is safe for any software modification.

Microsoft has scheduled to release its next security patch, not until the 11th of February, therefore, its a long wait before the latest update is issued.

Microsoft reveals the Flaw-

In an online advisory published on 17th January, Microsoft explained the vulnerability, saying the flaw allows the hacker to corrupt the memory and perform arbitrary coding. If achieved successfully, the hacker has full access to the system, the same as the genuine user.

"Let us imagine a scenario where the hacker hosts a website on the web, which is specially made to exploit the vulnerability via Internet Explorer, in this case, the hacker can lure the user to visit the website by sending him emails," says Microsoft.

Once the hacker has access to the admin user rights, the user system is hacked and the hacker has command over the system. He can modify the programs, install or delete any existing software or worse, delete important data.

The hackers are likely to be from North Korea-

One should not ignore this vulnerability because it has ties to hackers from North Korea. The attack on Internet Explorer seems to be similar to the one that affected the Mozilla firefox. Researchers at Qihoo 360 discovered the attack and accused Darkhotel, a group of hackers from North Korea, for carrying out this activity.

ISRO targeted by North Korean Hackers during Chandrayaan-2 Launch


According to the fresh news that has been coming from various experts, it has appeared that Chandrayaan-2 (also known as Mission Moon), a famous mission by the Indian Space Research Organisation (ISRO) was attacked by hackers from North Korea. It also appears that the attacks were organized using a malware named Dtrack, which is connected to a club of North Korean hackers managed by the administration. "The malware was identified by the Financial Institute and Research Centers in 18 Indian states," confirms the reports by Kaspersky, a cybersecurity firm.


It is also said that the same malware was used to direct hacks on Kudankulam nuclear factory. The National Cyber Coordination Center that attempts to protect the nation from harmful cyber invasions recently received critical information from a US cybersecurity firm regarding the hack. It said that Kunankulam Nuclear Plant's master domain controllers alongside the ISRO were attacked by the hackers. Following this incident, Kaspersky's specialists detected the malware and notified the issue to the Indian government before the Chandrayaan-2 landing.

"The hack was organized using very simple and basic techniques like phishing emails, an unedited browser, and poor security that resulted in allowing the hackers to easily invade the devices," says Yash Kadakia in an interview, founder, Security Brigade, a cybersecurity firm in Mumbai. He further adds that a similar server was used to send spams to superior nuclear experts at the Nuclear Plant in Kudankulam which was also aimed by the hackers to pick other experts at ISRO later.

About Dtrack Malware- 
Generated by North Korean Hackers, the Dtrack malware provides a full command that permits the hackers to obtain data from the device. The virus can misuse devices with weak privacy and passwords. If the virus invades a device, it can obtain critical information like catalogs, IDs, user history, and IP addresses. "A high number of DTrack attacks were discovered. The hack was carried by Lazarus that has become a major concern for big corporations," said Konstantin Zykov about the virus who is a Researcher at Kaspersky Cybersecurity, at an event in Delhi.

US issues warning against malware 'Electricfish' linked with North Korea








The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have issued a joint security warning about a new malware called "Electricfish,’’ which is allegedly linked to a state-sponsored North Korean cyberattack group.

The investigators uncovered the malware while they were tracking the activities of Hidden Cobra, it is believed that the group is sponsored by the North Korean government. 

The warning released by the US Computer Emergency Readiness Team on Thursday says that the malware is a 32-bit Windows executable program. After reverse engineering the sample, the malware was found to contain a custom protocol which permits traffic to be funneled between source and destination IP addresses.

‘’The malware implements a custom protocol that allows traffic to be funneled between a source and a destination Internet Protocol (IP) addressaa. The malware continuously attempts to reach out to the source and the designation system, which allows either side to initiate a funneling session.’’

‘’The malware can be configured with a proxy server/port and proxy username and password. This feature allows connectivity to a system sitting inside of a proxy server, which allows the actor to bypass the compromised system’s required authentication to reach outside of the network,’’ read warning. 


The whole list of Indicators of Compromise (IOC) for Electricfish can be downloaded here

Russian Hacking Trouble for the Cyber World



According to data analysis by computer security company CrowdStrike, Russian hacking attack team spares only 19 minutes to the victim to respond to the attack. The next fastest group were North-Koreans who took two hours to jump to the next server to spread the attack,the third on the list comes Chinese attackers who on average gives four hours to the victim to foil their target attack.

Statistically the calculated time is coined as  “dubbed time“ and is the time attacker takes to jump from one network to another to spread the attack. Introducing the concept, CrowdStrike wrote in its report “shows how much time defenders have on average to detect an initial intrusion, investigate it and eject the attacker before sensitive data can be stolen or destroyed.”

According to the author, Pete Singer, the new analysis is eye-opening, "These stats are driven by a whole variety of factors, among them the skills and capability, the relative risk each is making in their likelihood of getting caught and the consequences. No matter how you look at it, an average of 18 minutes is quite amazing given the scale."

The Russians hackers have attacked many defense and military establishments throughout Europe and NATO since last year. Russian hackers were alleged to attack PyeongChang Winter Olympic Games in 2018.

Chris Krebs, DHS Cybersecurity and Infrastructure Security Agency Director, told defenseone.com recently, “We are doubling down on election security in advance of the 2020 election. Despite what some of the reporting might be, election security and countering foreign influence efforts aren’t going anywhere.”

According to a research from Arizona state University, researchers revealed that the exploiting a known vulnerability depended greatly on the country of the attacker.For Instance, the researchers looked at the Dark Web chat rooms , If attackers were discussing  vulnerabilities in National Database and If the hackers discussing the bug were Chinese, the chances to exploit the vulnerability in question was nine percent, But if the conversation was between Russians, then the probability of exploiting vulnerability is forty percent.

Infamous North Korean Hacking Group Steals $571 Million in Cryptocurrency


The North Korean Hacking Group, Lazarus has managed once more to embezzle more than a billion dollars in cryptocurrency. The group has purportedly done such sorts of thefts since January 2017, amassing an enormous $571 million from the attacks. This was in accordance with an article published on Friday by The Next Web as well as the coming yearly report from the cybersecurity vendor Group-IB.

The claims made by some South Korean officials in February express that the North Korean hackers likely stole millions of dollars' worth in cryptocurrency in the year 2017.

Since the beginning of last year, the greatest contribution that could be made in hacking outfits has been done by Lazarus, which stole $571 million in cryptocurrency. Their greatest plunder - $534 million originated from a solitary attack led earlier in January 2018.

As indicated by the eminent cybersecurity unit Group IB the hacking outfits are more acclimated with utilizing techniques extending from spear phishing to social engineering and malware introduction to compromising cryptocurrency exchange networks.

"After the local network is successfully compromised, the hackers browse the local network to find work stations and servers used working with private cryptocurrency wallets," says the summary of an annual report prepared by the unit detailing the situation of hi-tech cybercrime trends across the globe. It also indicates that $882 million in cryptocurrency was stolen from exchanges in total from 2017 to 2018.

Massive phishing groups, as the report stated, are exploiting the users' fear of missing out a major opportunity, baiting them to invest their resources into unauthentic projects on knockoff websites.
Group IB additionally states that the quantity of attacks focusing on crypto trades is probably going to rise further, with hackers of more conventional financial institutions, like the banks are being attracted to the space looking for enormous increases.

All the more worryingly, these thefts are prognosticated to increment similarly as with time, more and more aggressive hacking groups are likely to move towards cryptocurrency.

South Korean Newspaper Reports North Korean Hackers Behind Attacks on Cryptocurrency Exchanges

Chosun Ilbo, a major South Korean newspaper, on Saturday reported that according to a South Korean spy agency, North Korean Hackers were behind the theft of about $6.99 million (7.6 billion won) worth of cryptocurrencies this year, which now amount to almost $82.7 million (90 billion won).

The report said that these attacks included the theft of cryptocurrencies from accounts at exchanges Yapizon (now called Youbit), and Coinis, in April and September.

According to the report by the newspaper, the leaks of the personal information of about 36,000 accounts from Bitthumb, a major cryptocurrency exchange, in June were also connected with North Korean hackers, as discovered by the country’s National Intelligence Service (NIS).

Again citing NIS, Chosun Ilbo also reported that these hackers had demanded around $5.5 million (6 billion won) in return for deleting the stolen information.

These hackers were also responsible for another attack on about 10 other exchanges in October which was stopped by Korea Internet Security Agency (KISA), as per the report.

The newspaper also reported that according to NIS, the malware used in the emails to hack the exchanges were made with a similar method to the one used in hacking Sony Pictures in 2014 and the Central Bank of Bangladesh in 2016 and that the email ids used in the attacks were also North Korean.

South Korea hit by cyber attack.




Yesterday South Korea was hit by a massive cyber attack . The attack disturbed the functioning of three banks and two TV channels. The bank were hit such that no financial transactions can be made.

The TV channels were affected by locking their computers hence not allowing the TV channels to edit or function to full efficiency.The attack points towards North Korea which only days ago said it will attack South Korea.

The attacks originated from China but this might simply be because the IP's from North Korea are not allowed in South Korean Cyberspace ,so the hackers  could have used compromised computers in China to bypass that restriction and also to hide their real location.

Unlike other "disruption" attacks which rely on DDOS this was done using a malware called "DarkSeoul" which "locked" the systems.

These sort of attacks are more dangerous because when you block the DDOS attack the servers will get back to "normal" with minimum effort but a virus attack takes much longer to recover from and even then you cant be really sure that the computers are fully clean.

This recent attack shows that the need for a strong "physical" army is not needed to bring down an another country. A few experienced hackers can do the work of a massive army. 

30 North Korean hackers steal millions of dollars from online gaming sites

North Korea stands accused by its southern rival of operating an elaborate hacking network that allegedly broke into online sites hosted in South Korea and stole prize points worth almost £3.7m ($6m).South Korean police claim $6m was stolen after 30 hackers from the North infiltrated online game servers in Seoul. Whereas North Korea has denied allegations by South Korea that it engaged in a computer hacking scheme to steal millions of dollars from online gaming sites.

South Korean police recently arrested five suspects they say were recruited to work in China alongside more than 30 hackers from North Korea. The hackers allegedly broke into gaming sites and stole gaming points worth around $6 million. The North has been accused several times in recent years of mounting cyber attacks on the South. Pyongyang has denied all the allegations.

[source]