Category: DPRK

Cyber-espionage group uses Chrome extension to infect victims

In what appears to be a first on the cyber-espionage scene, a nation-state-backed hacking group has used a Google Chrome extension to infect victims and steal passwords and cookies from their browsers.

This is the first time an APT (Advanced Persistent Threat, an industry term for nation-state hacking groups) has been seen (ab)using a Chrome extension. A pending report by the ASERT team at Netscout reveals the details of a spear-phishing campaign that has been pushing a malicious Chrome extension since at least May 2018. Researchers said they found evidence suggesting that the group may be based in North Korea.

Read more about the cyber-espionage campaign on ZDNet.

2019 Security And Defence Predictions

It’s the time of the year for cybersecurity predictions. This time, Suzanne Spaulding, former DHS Under Secretary and Nozomi Networks advisor, provides her insights on what she believes 2019 will bring.

The things that have been holding back Russia, China, North Korea and Iran from a critical infrastructure attack on the U.S. could shift. When it comes to nation state threats on U.S. critical infrastructure, we think of four key actors: Russia, China, Iran and North Korea. Each country has been held back from attacking the U.S. for different reasons. Think about a graph with an x and y axis. The x axis represents capabilities and the y axis represents destructive intent. At the moment, Russia and China have the highest capabilities, but they fall lower on the scale of destructive intent.

Read more about Suzanne Spaulding’s predictions and learn why she believes hackers from Russia, China, North Korea or Iran may launch a critical infrastructure attack on the US in 2019, on Information Security Buzz.

Internet Explorer scripting engine becomes North Korean APT’s favorite target in 2018

Internet Explorer’s scripting engine was the favorite target of a North Korean cyber-espionage group this year, after the hackers deployed two zero-days, but also crafted new exploits for two other older vulnerabilities. The group’s name is DarkHotel, a cyber-espionage group that McAfee and many other cyber-security firms have already linked to the Pyongyang regime.

The group has been active since 2007, but it was publicly exposed in 2014. Despite being called out in public reports, DarkHotel didn’t stop its attacks.

Read more about the recent activity of the DarkHotel APT on ZDNet.

Symantec Uncovers North Korean Group’s ATM Attack Malware

Researchers from Symantec have uncovered the malware tool North Korea’s infamous Lazarus Group has been using since 2016 to empty millions of dollars in cash from ATMs belonging to mostly small and midsize banks in Asia and Africa.

In a report this week, the security vendor described the malware as designed to intercept and approve fraudulent ATM cash withdrawal requests before they reach a bank’s underlying switch application server that processes them.

Read more about the Lazarus Group ATM malware on DarkReading.

North Korea continues to hack computers to mine cryptocurrency

North Korea is hacking computers to mine cryptocurrency to bring extra cash into the country, according to South Korea’s intelligence service. North Korean hackers also continue to hack computers in South Korea and abroad to steal confidential information, the state intelligence agency said in a parliamentary audit, Yonhap News reported.

A U.S. cybersecurity firm revealed in January that it found computers infected with malware, suspected to have been implanted by North Korean hackers, that mined the cryptocurrency Monero and sent it to Kim Il Sung University in Pyongyang, according to Chosun Ilbo. Cryptocurrency has emerged as an alternative source of money for the cash-strapped North Korean regime amid tightening international sanctions.

Read more about the North Korean cryptojacking campaigns on UPI.

Destructive Cyberattacks Spiked in Q3

New data gathered from more than three dozen providers of incident response services reveals a disturbing increase in the past quarter of destructive cyberattacks targeting US organizations. It is not clear whether the attacks—many of them from countries like China, Russia, and North Korea—are a response to the current geopolitical climate, or demonstrate punitive attempts by attackers to hide their tracks after being discovered.

Either way, the implications of the trend are serious for enterprises, says Tom Kellermann, chief security officer at Carbon Black, the security vendor behind the report. Between the second and third quarters of this year, there was a three-fold increase in destructive attacks where adversaries deleted or encrypted data, destroyed logs and backups, and caused system outages in ways designed to paralyze victims.

Read more about the findings of the Carbon Black report on DarkReading.

Analysis of North Korea’s Internet Traffic Shows a Nation Run Like a Criminal Syndicate

Recorded Future has published a series of analyses on North Korea’s most senior leadership’s use of the internet. As the last report of the series, it demonstrates how adaptable this leadership has become in both using and monetizing its use of the internet.

Cryptocurrencies are known to be used by North Korea as a form of foreign exchange. North Korean cybercriminals are thought to be behind many raids on cryptocurrency exchanges in recent years. Recorded Future now believes the country has also been involved in at least two cryptocurrency scams.

Read more about the analysis by Recorded Future on SecurityWeek.

How To Prevent Your Business Becoming Collateral Damage Of Geopolitical Cyber Conflict

Mention cyberwarfare and most businesses tend to sigh and move on to something less weighted down with the baggage of hyperbole. This is a huge mistake. While there are plenty of opinions out there as to what the concept of cyberwarfare should mean in theory, in the real world the distinctions between a cyberwar play and a cybercriminal attack are precious few.

The cyberwarfare label can make a threat look far removed from anything a mainstream business might imagine being a target for. However, state-sponsored actors and cybercriminals often use the same techniques.

Read more about how organizations can stay safe given the blurring of tactics used by nation states and cybercriminals alike, on Forbes.

Defense, security and the real enemies

The three nations that are the largest cyber threats to the United States are, in no particular order, North Korea, Russia and China. They have been reverse-engineering our technology for a number of years, dating back to the beginning of the Cold War. The originators of some of the most devastating cyber-attacks have been based in these three countries, such as WannaCry and mass cryptocurrency theft (North Korea), Petya/NotPetya (Russia), and multiple data breaches (China).

The end of the Cold War meant that the countries that threatened American democracy didn’t go away. They adapted to use technology to attack us instead. Now that the extent of these attacks is being made known, we have two choices, according to CSO’s Mitchell Parker. Either we can continue to do little, or own and accept what’s happened and improve our situation.

Read more about Mitchell Parker’s insights on CSO.

Targeted attacks on crypto exchanges resulted in a loss of $882 million

Group-IB has estimated that cryptocurrency exchanges suffered a total loss of $882 million due to targeted attacks in 2017 and in the first three quarters of 2018. According to Group-IB experts, at least 14 crypto exchanges were hacked. Five attacks have been linked to North Korean hackers from the state-sponsored Lazarus group, including the infamous attack on the Japanese crypto exchange Coincheck, in which $534 million in crypto was stolen.

In most cases, cybercriminals attacking cryptocurrency exchanges use traditional tools and methods, such as spear phishing, social engineering, malware distribution, and website defacement.

Read more about the findings of the Group-IB report on Help Net Security.