north korea - X-Industry - Red Sky Alliance2024-03-28T18:51:19Zhttps://redskyalliance.org/xindustry/feed/tag/north+koreaWeaponizing AI in Cyber-Attackshttps://redskyalliance.org/xindustry/weaponizing-ai-in-cyber-attacks2024-02-29T17:00:00.000Z2024-02-29T17:00:00.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}12390146467,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12390146467,RESIZE_400x{{/staticFileLink}}" width="250" alt="12390146467?profile=RESIZE_400x" /></a>It is no longer theoretical: the world's major powers are working with large language models to enhance offensive cyber operations. Advanced persistent threats (APTs) aligned with China, Iran, North Korea, and Russia are using large language models (LLMs) to enhance their operations. New blog posts from OpenAI and Microsoft reveal that five prominent threat actors have used OpenAI software for research, fraud, and other malicious purposes. After identifying them, OpenAI shut down all of their accounts. Though the prospect of AI-enhanced nation-state cyber operations might at first seem daunting, there is good news: none of the LLM abuses observed so far has been particularly devastating. "Current use of LLM technology by threat actors revealed behaviors consistent with attackers using AI as another productivity tool," Microsoft noted in its report. "Microsoft and OpenAI have not yet observed particularly novel or unique AI-enabled attack or abuse techniques resulting from threat actors' usage of AI."<a href="#_ftn1">[1]</a></p>
<p>The nation-state APTs using OpenAI today are among the world's most notorious. Consider the group Microsoft tracks as Forest Blizzard, better known as Fancy Bear: the DNC-hacking, Ukraine-terrorizing military unit affiliated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). It has been using LLMs for basic scripting tasks (file manipulation, data selection, multiprocessing, and so on) as well as for intelligence gathering, researching satellite communication protocols and radar imaging technologies, likely as they pertain to the ongoing war in Ukraine.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/fancy-bear-imposters-us-election">https://redskyalliance.org/xindustry/fancy-bear-imposters-us-election</a></p>
<p>Two Chinese state actors have been using ChatGPT lately: Charcoal Typhoon (aka Aquatic Panda, ControlX, RedHotel, BRONZE UNIVERSITY) and Salmon Typhoon (aka APT4, Maverick Panda). The former has put AI to use both before compromise, gathering information about specific technologies, platforms, and vulnerabilities, generating and refining scripts, and generating social engineering text in translated languages, and after compromise, executing advanced commands, achieving deeper system access, and gaining control of systems.</p>
<p>Salmon Typhoon has primarily used LLMs as an intelligence tool, sourcing publicly available information about high-profile individuals, intelligence agencies, internal and international politics, and more. It has also attempted, largely unsuccessfully, to abuse OpenAI to help develop malicious code and research stealth tactics.</p>
<p>Iran's Crimson Sandstorm (Tortoiseshell, Imperial Kitten, Yellow Liderc) is using OpenAI to develop phishing emails, pretending to be from an international development agency or a feminist group, for example, as well as code snippets to aid its operations, such as web scraping and executing tasks when users sign in to an app.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/more-bad-kittens">https://redskyalliance.org/xindustry/more-bad-kittens</a></p>
<p>Finally, there is Kim Jong-Un's Emerald Sleet (Kimsuky, Velvet Chollima), which, like the other APTs, turns to OpenAI for basic scripting tasks, phishing content generation, and research into publicly available information on vulnerabilities, as well as on think tanks and government organizations concerned with defense issues and the country's nuclear weapons program.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/kimsuky-again">https://redskyalliance.org/xindustry/kimsuky-again</a></p>
<p>If these many malicious uses of AI seem useful to attackers but hardly science-fiction-level threats, there is a reason why. "Threat actors that are effective enough to be tracked by Microsoft are likely already proficient at writing software," Joseph Thacker, principal AI engineer and security researcher at AppOmni, explains. "Generative AI is amazing, but it's mostly helping humans be more efficient rather than making breakthroughs. I believe those threat actors are using LLMs to write code (like malware) faster, but it's not noticeably impactful because they already have malware. They still have malware. They may be able to be more efficient, but at the end of the day, they aren't doing anything new yet."</p>
<p>Though cautious not to overstate its impact, Thacker warns that AI still offers advantages for attackers. "Bad actors will likely be able to deploy malware at a larger scale or on systems they previously didn't have support for. LLMs are pretty good at translating code from one language or architecture to another. So, I can see them converting their malicious code into new languages they previously weren't proficient in," he says. Further, "if a threat actor found a novel use case, it could still be in stealth and not detected by these companies yet, so it's not impossible. I have seen fully autonomous AI agents that can 'hack' and find real vulnerabilities, so if any bad actors have developed something similar, that would be dangerous." For those reasons, he adds, "Companies can remain vigilant. Keep doing the basics right."</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Call for assistance. For questions, comments, a demo, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com </p>
<p>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></p>
<p>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></p>
<p>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></p>
<p><strong>Weekly Cyber Intelligence Briefings:</strong></p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.darkreading.com/threat-intelligence/microsoft-openai-nation-states-are-weaponizing-ai-in-cyberattacks">https://www.darkreading.com/threat-intelligence/microsoft-openai-nation-states-are-weaponizing-ai-in-cyberattacks</a></p></div>Cyber-Attacks on Hospitalshttps://redskyalliance.org/xindustry/cyber-attacks-on-hospitals2024-02-26T17:00:00.000Z2024-02-26T17:00:00.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}12389945471,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12389945471,RESIZE_400x{{/staticFileLink}}" width="250" alt="12389945471?profile=RESIZE_400x" /></a>Cybersecurity experts are warning that hospitals around the country are at risk for attacks like the one that is crippling operations at a premier Midwestern children’s hospital and that the US government is doing too little to prevent such breaches. Hospitals in recent years have shifted their use of online technology to support everything from telehealth to medical devices to patient records. Today, they are a favorite target for internet thieves who hold systems’ data and networks hostage for hefty ransoms, said John Riggi, the American Hospital Association’s cybersecurity adviser. “Unfortunately, the unintended consequence of using all this network- and internet-connected technology is that it expanded our digital attack surface,” Riggi said. “So, many more opportunities for bad guys to penetrate our networks.”<a href="#_ftn1">[1]</a></p>
<p>See: <a href="https://redskyalliance.org/xindustry/hive-hospitals">https://redskyalliance.org/xindustry/hive-hospitals</a></p>
<p>The assailants often operate from countries adversarial to the United States, such as Russia, North Korea, and Iran, where they enjoy big payouts from their victims and face little prospect of ever being punished. In November 2023, a ransomware attack on a healthcare chain that operates 30 hospitals and 200 health facilities in the United States forced doctors to divert patients from emergency rooms and postpone elective surgeries. Meanwhile, a rural Illinois hospital announced last year that it was permanently closing because it could not recover financially from a cyberattack. In another case, the hackers went as far as posting photos and patient information of breast cancer patients who were receiving treatment at a Pennsylvania health network after the system was hacked last year.</p>
<p>Recently, one of the top children’s hospitals in the country, the Ann & Robert H. Lurie Children’s Hospital of Chicago, has been forced to put its phone, email, and medical record systems offline as it battles a cyberattack. The FBI has said it is investigating. Brett Callow, an analyst for the cybersecurity firm Emsisoft, counted 46 cyberattacks on hospitals last year, compared with 25 in 2022. The paydays for criminals have gotten bigger, too, with the average payout jumping from $5,000 in 2018 to $1.5 million last year. “Unless governments do something more meaningful, more significant than they have done to date, it’ll inevitably get worse,” Callow said.</p>
<p>Callow believes the government should ban cyberattack victims such as hospitals, local governments, and schools from paying ransoms. "There's so much money being paid into the ransomware system now there's no way the problem is going to simply go away on its own," he said. The dramatic increase in these online raids has prompted the nation's top health agency to develop new rules for hospitals to protect themselves from cyber threats.</p>
<p>The Department of Health and Human Services (HHS) said that later this year it will rewrite the rules under the Health Insurance Portability and Accountability Act (the federal law commonly called HIPAA, which requires insurers and health systems to protect patient information) to include new provisions that address cybersecurity. The department is also considering new cybersecurity requirements attached to hospitals' Medicaid and Medicare funding.</p>
<p>Most hospitals will struggle to protect themselves. Experts are particularly worried about rural hospitals, which may have difficulty cobbling together the money to update their cybersecurity properly. HHS wants more money from Congress to tackle the issue, but HHS Deputy Secretary Andrea Palm said the agency does not have a precise dollar amount in mind. Becoming the victim of a cyberattack is costly, too: the attacks can take hospitals' networks offline for weeks or months, forcing them to turn away patients.</p>
<p>In Chicago, Lurie Hospital’s network has been offline for two weeks. The hospital, which served more than 260,000 patients last year, has established a separate call center for patients’ needs and resumed some care. </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.securityweek.com/cyberattacks-on-hospitals-are-likely-to-increase-putting-lives-at-risk-experts-warn/">https://www.securityweek.com/cyberattacks-on-hospitals-are-likely-to-increase-putting-lives-at-risk-experts-warn/</a></p></div>And Who’s to Blame?https://redskyalliance.org/xindustry/and-who-s-to-blame2024-01-24T17:00:00.000Z2024-01-24T17:00:00.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}12364606868,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12364606868,RESIZE_400x{{/staticFileLink}}" width="250" alt="12364606868?profile=RESIZE_400x" /></a>A recent article raised the question of whether North Korea was the perpetrator of the cyber-attacks against Sony Pictures in December 2014. Despite the difficulties typically associated with attribution, the US Federal Bureau of Investigation (FBI) attributed the attacks to North Korea quickly (within 25 days), even though an enigmatic group calling itself “Guardians of Peace” took responsibility. Once the FBI officially blamed North Korea, no one in the government appeared to question the call; the rest of the government simply got behind the FBI’s claims. The official FBI statement revealed no substantial evidence to back its claim, saying only that “technical analysis” had found tools and infrastructure similar to those used by suspected North Korean actors. A later article indicated that National Security Agency (NSA) hacking operations against North Korea years before the Sony attack provided further insight that incriminated the Hermit Kingdom. North Korea called the allegation slanderous; it was nevertheless subjected to sanctions and, possibly, a shutdown of its Internet in retaliation for Sony.<a href="#_ftn1">[1]</a></p>
<p>Before this incident, North Korea’s cyber activities had been somewhat limited. While new capabilities are always being developed, the best way to predict future behavior is to look at past behavior, and in this instance there was little precedent for North Korea executing an attack of this nature. When it had felt maligned, North Korea had traditionally turned to nuisance Distributed Denial-of-Service (DDoS) attacks to express its discontent, reserving its most disruptive attacks for its southern neighbor. North Korea has consistently used its cyber capabilities to signal, conduct espionage, and make money, with the latter two having been developed since the Sony attack. Leaking stolen intellectual property and using wiper malware to hurt an adversary has not been its go-to form of cyber malfeasance, either before Sony or since.</p>
<p>It is not surprising that some have questioned whether North Korea was behind this attack, or at least all facets of it, and have expressed skepticism of the FBI’s position. Critics primarily argued that the evidence presented was essentially “circumstantial and self-referential,” relying on tools and resources that were easily obtained and modified. The same source also noted that the IP addresses and language settings within the malware could point to North Korea simply because whoever built it wanted them to.</p>
<p>Aside from the technical evidence, other information cast doubt on North Korea having sole culpability for the attack. The film’s co-director and writer was not targeted despite being instrumental in creating the content, an odd choice for a government incensed over the depiction of its leader. But perhaps the biggest red flag came from a threat researcher who received stolen Sony documents, both before and after the breach, from a Russian hacker (one who had worked for Russia’s Federal Security Service) and from former FBI sources. What’s more, this occurred after the leak had “allegedly” been contained. Such evidence suggested that, at the very least, two sets of attackers targeted Sony, not just North Korea.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/noko-russians-cybercriminals-may-be-working-together">https://redskyalliance.org/xindustry/noko-russians-cybercriminals-may-be-working-together</a></p>
<p>This was not the first incident in which attribution was levied before a proper and thorough investigation had occurred, nor is rushed attribution limited to incidents involving nation states; many notable incidents have been quickly but incorrectly attributed in a rush to place blame. Two notable examples of rushed attribution that misidentified the actors behind cyberattacks follow:</p>
<p>In 2022, two state-linked Chinese hacking groups used ransomware attacks to obfuscate the true intent of their operations: stealing intellectual property and other sensitive information from high-profile Japanese and Western companies. To solidify the ruse, these actors ran a leak site like those of established ransomware groups. One cybersecurity company judged that the deployment of different ransomware variants over short periods of time, and the frequent changes to the ransomware, were not consistent with traditional ransomware actors, pointing toward a possible state actor. Regardless, the link to state-affiliated actors remains murky, as the group could either be moonlighting on the side of its traditional cyber espionage work or be independent contractors looking to monetize their theft by selling it to a state or a competitor.</p>
<p>In April 2015, threat actors executed an attack against TV5 Monde, a French television network, disrupting broadcasting for approximately three hours and gaining unauthorized access to some of the network’s social media accounts. The attackers called themselves the Cyber Caliphate and claimed affiliation with the Islamic State. French authorities reacted quickly, determining that the attack was in retaliation for France’s efforts against ISIS. However, several months later, after a more thorough investigation, other possibilities were explored, with evidence pointing toward the Russian military rather than Islamist threat actors. Western governments later confirmed these suspicions.</p>
<p>The fact that attribution, especially to states, is done with any confidence is surprising, given that those who attribute both herald the sophistication of state actors and cite their carelessness as one of the reasons they could be identified in the first place. That is not to say this is impossible, but with so many companies and governments now tracking and publishing material on state cyber activities, one would expect the more sophisticated cyber powers to run more disciplined operations. Perhaps more interesting is that those who misattribute generally do not take responsibility for their mistakes: corrections, or explanations of why a determination was flawed, are rarely provided.</p>
<p>Although some may claim that attribution has become easier thanks to advances in technical and forensic capabilities, much of the technical analysis in publicly available reports remains the same, raising the question of whether all the evidence is being shared or whether it exists at all. When attribution comes under rigorous scrutiny, “trust us” is not enough to assuage skeptical observers, especially today, when there is an overwhelming lack of trust in government: as many as 80% of respondents to one think tank survey believe that tech companies have too much power and influence over the government. Unfortunately, the rush to attribution has become commonplace mainly because there are no repercussions for being wrong. The government can hide behind classification, while the private sector is not held accountable for its mistakes.</p>
<p>It is notable that states can and do regularly accuse others of cyber malfeasance while rarely sharing the evidence to support such claims, or sharing some but not all of it. This suggests that states use cyber attribution to serve other ends, such as justifying courses of action they might not otherwise have taken, without surrendering the evidence that would expose “sources and methods.” As the 2018 Office of the Director of National Intelligence publication “A Guide to Cyber Attribution” states, “Cyber attribution, or the identification of the actor responsible for a cyberattack, therefore is a critical step in formulating a national response to such attacks.” The absence of any legal standard of proof frees up a state’s options considerably. Depending on the cyber incident, governments can then levy sanctions or, in the case of “defend forward” operations, engage in offensive activities under the umbrella of self-protection.</p>
<p>As the cyber environment continues to enable state and non-state actors to conduct attacks, it becomes increasingly important to differentiate one group from another, particularly if a state is looking to take an informed action. For this reason, a higher bar than what is currently provided is needed to determine attribution and justify retaliation. The longer the global community fails to press for tighter accountability of state actors on the Internet, the more liberties authoritarian and democratic states alike will take in pursuing their own interests. Without substantial pushback from citizens, no government will need to alter what it is doing or how it is perceived by the constituents it is mandated to protect.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.oodaloop.com/archive/2024/01/11/its-2024-time-to-have-attribution-standards-in-cyberspace/">https://www.oodaloop.com/archive/2024/01/11/its-2024-time-to-have-attribution-standards-in-cyberspace/</a></p></div>Kimsuky Hackers at Workhttps://redskyalliance.org/xindustry/kimsuky-hackers-at-work2024-01-05T11:00:00.000Z2024-01-05T11:00:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}12345540085,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12345540085,RESIZE_400x{{/staticFileLink}}" width="250" alt="12345540085?profile=RESIZE_400x" /></a>Nation-state cyber threat actors affiliated with North Korea have been observed using spear-phishing attacks to deliver an assortment of backdoors and tools such as AppleSeed, Meterpreter, and TinyNuke to seize control of compromised machines. The South Korea-based cybersecurity company AhnLab attributed the activity to the advanced persistent threat group known as Kimsuky. "A notable point about attacks that use AppleSeed is that similar methods of attack have been used for many years with no significant changes to the malware that are used together," the AhnLab Security Emergency Response Center (ASEC) said in an analysis published Thursday.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/intelligence-report-agriculture-food-industry">https://redskyalliance.org/xindustry/intelligence-report-agriculture-food-industry</a></p>
<p>Kimsuky, which has been active for over a decade, is known for targeting a wide range of entities in South Korea before expanding its focus to other geographies in 2017. It was sanctioned by the US government in late November 2023 for amassing intelligence to support North Korea's strategic objectives. The threat actor's espionage campaigns are carried out through spear-phishing attacks containing malicious lure documents that, upon opening, culminate in the deployment of various malware families.<a href="#_ftn1">[1]</a></p>
<p>One prominent Windows-based backdoor used by Kimsuky is AppleSeed (aka JamBog), a DLL-based malware in use since at least May 2019. It has since gained an Android version as well as a new variant written in Golang called AlphaSeed.</p>
<p>AppleSeed is designed to receive instructions from an actor-controlled server, drop additional payloads, and exfiltrate sensitive data such as files, keystrokes, and screenshots. AlphaSeed incorporates similar features but with some crucial differences: it was developed in Golang and uses chromedp to communicate with the command-and-control (C2) server, whereas AppleSeed relies on the HTTP or SMTP protocols. Chromedp is a popular Golang library for driving the Google Chrome browser in headless mode through the DevTools Protocol, so AlphaSeed's C2 traffic is produced by a real browser session rather than by a custom HTTP client, which makes it harder to pick out on the wire.</p>
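<p>Because the network traffic looks like any other Chrome session, the host-side launch pattern is the more reliable place to hunt. The following Python is an added illustration (not code from ASEC, Kimsuky, or this article): it scans Sysmon-style process-creation events for a chrome.exe browser process started with a headless flag plus a remote-debugging port or pipe, which is assumed here to be the launch profile chromedp-style automation produces by default, and rates the hit by whether the parent process is one from which a debuggable headless browser is expected. The sample events, the parent binary names, the temp-directory name and the allowlist of expected parents are constructed for the example and should be tuned to the estate being hunted.</p>

```python
import shlex
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Constructed Sysmon-style process-creation events (sample data, not real telemetry).
# pid 6100 mimics a chromedp-driven launch from an unknown binary; pid 5312 is a renderer
# child of a headless browser (noise to skip); pid 6200 is a user-started debug session.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"pid": 4120,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"pid": 5312,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --remote-debugging-port=0'},
    {"pid": 6100,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Users\Public\Libraries\update.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --remote-debugging-port=0 --no-first-run --disable-gpu --user-data-dir=C:\Users\u\AppData\Local\Temp\chromedp-runner123'},
    {"pid": 6200,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new --remote-debugging-pipe'},
]

HEADLESS_FLAGS = {"--headless", "--headless=new", "--headless=old"}
DEBUG_FLAG_PREFIXES = ("--remote-debugging-port", "--remote-debugging-pipe")
# Parents from which a headless, debuggable Chrome is plausible (assumed baseline; tune per estate).
EXPECTED_PARENTS = {"explorer.exe", "chrome.exe"}


def split_windows_cmdline(cmdline: str) -> List[str]:
    # posix=False keeps backslashes literal and keeps the quoted executable path as one token.
    return shlex.split(cmdline, posix=False)


def is_headless_debug_launch(args: List[str]) -> bool:
    lowered = [a.lower() for a in args]
    headless = any(a in HEADLESS_FLAGS for a in lowered)
    debuggable = any(a.startswith(DEBUG_FLAG_PREFIXES) for a in lowered)
    return headless and debuggable


def evaluate(event: Dict[str, object]) -> Optional[Dict[str, object]]:
    """Return a finding for a headless+debuggable chrome.exe browser process, else None."""
    image = PureWindowsPath(str(event["image"])).name.lower()
    if image != "chrome.exe":
        return None
    args = split_windows_cmdline(str(event["command_line"]))[1:]
    # --type=renderer / gpu-process / ... marks Chrome's own helper children; only the
    # browser process carries the launch flags we care about.
    if any(a.lower().startswith("--type=") for a in args):
        return None
    if not is_headless_debug_launch(args):
        return None
    parent = PureWindowsPath(str(event["parent_image"])).name.lower()
    severity = "low" if parent in EXPECTED_PARENTS else "high"
    return {"pid": event["pid"], "parent": parent, "severity": severity}


def hunt(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    return [f for f in (evaluate(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

<p>Run against real Sysmon Event ID 1 data the same logic applies unchanged; the allowlist is where the tuning happens, since legitimate test automation (Puppeteer, Selenium, chromedp itself) will trip the "high" branch until its runner binaries are added.</p>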
<p>There is evidence to suggest that Kimsuky has used AlphaSeed in attacks since October 2022, with some intrusions delivering both AppleSeed and AlphaSeed to the same target system by means of a JavaScript dropper. Also deployed by the adversary are Meterpreter and VNC malware such as TightVNC and TinyNuke (aka Nuclear Bot), which can be leveraged to take control of the affected system.</p>
<p>The development comes as researchers have discovered a number of online personas on LinkedIn and GitHub likely used by North Korean information technology (IT) workers to fraudulently obtain remote employment with companies in the US, acting as a revenue stream for the regime and helping fund its economic and security priorities. "The personas often claimed to be proficient in developing several different types of applications and have experience working with crypto and blockchain transactions," a threat intelligence firm said in a report released earlier in December 2023. Further, all of the personas sought remote-only positions in the technology sector and were singularly focused on obtaining new employment. Many of the accounts are active only for a short period before they are disabled.</p>
<p>In recent years, North Korean actors have launched a series of multi-pronged assaults, blending novel tactics with supply chain weaknesses to target blockchain and cryptocurrency firms and facilitate the theft of intellectual property and virtual assets. The prolific and aggressive nature of the attacks points to the many means the country has resorted to in order to evade international sanctions and profit illegally from these schemes.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://thehackernews.com/2023/12/kimsuky-hackers-deploying-appleseed.html">https://thehackernews.com/2023/12/kimsuky-hackers-deploying-appleseed.html</a></p></div>North Korean Hackershttps://redskyalliance.org/xindustry/north-korean-hackers-12023-12-19T13:00:00.000Z2023-12-19T13:00:00.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}12330432501,RESIZE_180x180{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12330432501,RESIZE_180x180{{/staticFileLink}}" width="160" alt="12330432501?profile=RESIZE_180x180" /></a>Cisco's Talos security researchers report that the North Korea-linked hacking group Lazarus has been observed deploying Dlang malware in attacks against organizations in the manufacturing, agriculture, and physical security sectors. Released in 2001, Dlang, or simply D, is a multi-paradigm system programming language built upon the idea of C++ but drawing inspiration from C#, Eiffel, Java, Python, Ruby, and other high-level languages. Dlang is considered an uncommon programming language for malware development but has attracted malware developers, likely due to its versatility and easy learning curve. Dlang allows developers to cross-compile applications for multiple architectures.<a href="#_ftn1">[1]</a></p>
<p>Since March 2023, Lazarus, an advanced persistent threat (APT) actor sponsored by the North Korean government, has been observed using three malware families built using Dlang, namely the NineRAT and DLRAT remote access trojans (RATs) and the BottomLoader downloader.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/lazarus-group-still-deploys-remote-access-trojans">https://redskyalliance.org/xindustry/lazarus-group-still-deploys-remote-access-trojans</a></p>
<p>The malware families were used as part of Operation Blacksmith, in which Lazarus targeted systems left unpatched against the infamous Log4Shell vulnerability (CVE-2021-44228) to deploy NineRAT against a South American agricultural organization and a European manufacturing business. The observed attacks overlap with activity attributed to Onyx Sleet, a North Korean group also known as Plutonium and Andariel; however, the common consensus across the cybersecurity industry is that North Korean state-sponsored hackers operate under the Lazarus umbrella.</p>
<p>NineRAT, in use since May 2022, uses Telegram as its command-and-control (C&amp;C) channel, likely to evade detection by blending in with legitimate traffic to the service. After deployment, the RAT achieves persistence and becomes the main method of interaction with the infected host. The malware can harvest system information, upgrade itself to a new version, stop its execution, uninstall itself, and upload files from the infected machine.</p>
<p>The BottomLoader downloader can obtain and execute a payload from a hardcoded URL and has been observed deploying the custom proxy tool HazyLoad against a European manufacturer and a South Korean physical security and surveillance firm. It was also designed to achieve persistence for newer versions of itself or for its dropped payloads by creating a URL file in the system’s Startup directory.</p>
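<p>A URL file in a Startup folder is a small, easily overlooked persistence artifact: Windows opens an Internet Shortcut (.url) at logon the same way it opens a .lnk, and the URL= line can name a local executable just as easily as a web page. The following Python is an added illustration (not code from Talos or this article) of how to audit those folders: it parses each .url file as the INI-style format it is, pulls the URL= target, and classifies it as a local executable, a local file, a remote URL, or unparsable. The Startup paths are the real Windows locations; the two shortcut files it creates in a temporary directory are constructed for the example, and the payload path they point at is invented.</p>

```python
import configparser
import os
import tempfile
from pathlib import Path
from typing import Dict, List
from urllib.parse import urlparse

# Real per-user and all-users Startup locations, used when no directories are passed explicitly.
DEFAULT_STARTUP_DIRS = [
    Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup",
    Path(os.environ.get("ProgramData", "")) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "StartUp",
]
# Extensions that execute code when opened from a shortcut (assumed list; extend as needed).
LOCAL_EXEC_EXTS = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta", ".lnk")


def read_shortcut_target(path: Path) -> str:
    """Return the URL= value of an Internet Shortcut (.url) file, or '' if it cannot be parsed."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read(path, encoding="utf-8-sig")  # utf-8-sig also swallows a BOM if one is present
        return cp.get("InternetShortcut", "URL", fallback="").strip()
    except (configparser.Error, OSError, UnicodeDecodeError):
        return ""


def classify(target: str) -> str:
    if not target:
        return "unparsable"
    scheme = urlparse(target).scheme.lower()
    # file:// URLs and bare drive paths (urlparse reports the drive letter as the scheme)
    # both launch local content rather than a web page.
    if scheme == "file" or (len(scheme) == 1 and scheme.isalpha()):
        return "local-executable" if target.lower().endswith(LOCAL_EXEC_EXTS) else "local-file"
    if scheme in ("http", "https"):
        return "remote-url"
    return "other"


def audit(dirs: List[Path]) -> List[Dict[str, str]]:
    """Classify every .url file found in the given Startup directories."""
    findings: List[Dict[str, str]] = []
    for d in dirs:
        if not d.is_dir():
            continue
        for p in sorted(d.glob("*.url")):
            target = read_shortcut_target(p)
            findings.append({"name": p.name, "target": target, "verdict": classify(target)})
    return findings


def demo() -> List[Dict[str, str]]:
    """Build a constructed Startup folder with one benign and one suspicious shortcut, then audit it."""
    tmp = Path(tempfile.mkdtemp(prefix="startup-audit-"))
    (tmp / "Company Portal.url").write_text("[InternetShortcut]\r\nURL=https://intranet.example/\r\n")
    (tmp / "Windows Update.url").write_text(
        "[InternetShortcut]\r\nURL=file:///C:/Users/Public/Libraries/svchost.exe\r\nIconIndex=0\r\n")
    return audit([tmp])


if __name__ == "__main__":
    for finding in audit(DEFAULT_STARTUP_DIRS) or demo():
        print(finding)
```

<p>Any "local-executable" verdict in a Startup folder deserves a look at the file it points to; a "remote-url" is usually a bookmark someone dropped there, but an unfamiliar one is still worth confirming.</p>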
<p>Lazarus’ third Dlang malware family is DLRAT, which functions as a downloader and backdoor. It includes hardcoded commands for system reconnaissance but can also execute commands to download and upload files, rename files, and delete itself from the machine.</p>
<p>As part of Operation Blacksmith, Lazarus was seen exploiting Log4Shell on internet-accessible VMware Horizon servers for initial access, followed by reconnaissance and the deployment of the HazyLoad implant. In some cases, a new user account was created for persistent access to the system. Lazarus also employed utilities such as ProcDump and Mimikatz for credential dumping, then deployed the NineRAT backdoor to the system.</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Call for assistance. For questions, comments, a demo, or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></p>
<p>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></p>
<p>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.securityweek.com/north-korean-hackers-developing-malware-in-dlang-programming-language/">https://www.securityweek.com/north-korean-hackers-developing-malware-in-dlang-programming-language/</a></p></div>Cyber Tricks Funding WMDhttps://redskyalliance.org/xindustry/cyber-tricks-funding-wmd2023-10-23T11:45:00.000Z2023-10-23T11:45:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}12263649868,RESIZE_1200x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12263649868,RESIZE_400x{{/staticFileLink}}" width="250" alt="12263649868?profile=RESIZE_400x" /></a>US officials say North Korea pulled off an elaborate plan to trick American companies into hiring thousands of skilled IT workers who later sent the money they earned back to be used for the country's weapons program. The FBI and the Justice Department (DOJ) said they shut down 17 websites that were used by IT workers to "defraud US and foreign businesses, evade sanctions and fund the development of the Democratic People’s Republic of Korea government’s weapons program." They also seized $1.5 million as part of the ongoing investigation, according to a press release Wednesday.</p>
<p>According to DOJ, North Korea hired IT workers who were sent to live abroad in countries like China and Russia, then used fake identities to get hired by US companies. The workers would get hired as freelance remote employees by fooling many companies into believing they were based in the US. Tricks they used to do so included paying Americans for the use of their home Wi-Fi. “The Democratic People’s Republic of Korea has flooded the global marketplace with ill-intentioned information technology workers to indirectly fund its ballistic missile program. The seizing of these fraudulent domains helps protect companies from unknowingly hiring these bad actors and potentially damaging their business,” said the Special Agent in Charge of the FBI's St. Louis Division.<a href="#_ftn1">[1]</a></p>
<p>The FBI warns employers to be vigilant when hiring. The 17 sites that were shut down were created by some of the workers to look like legitimate US-based IT service companies, which helped them hide their identities and locations when applying for US jobs.</p>
<p>This scheme, which went on for years, generated millions for North Korean agencies involved in the country's weapons of mass destruction program, such as the Ministry of Defense. These programs are prohibited by the United Nations. Additionally, DOJ said the workers would also steal information and keep access to records so they could hack into systems later. The FBI warned employers that the scheme is prevalent and that they should be vigilant about whom they hire. "Without due diligence, companies risk losing money or being compromised by insider threats they unknowingly invited inside their systems," it said.<a href="#_ftn2">[2]</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.msn.com/en-us/news/us/north-korean-it-workers-in-us-sent-millions-to-fund-weapons-program-officials-say/ar-AA1izW3s">https://www.msn.com/en-us/news/us/north-korean-it-workers-in-us-sent-millions-to-fund-weapons-program-officials-say/ar-AA1izW3s</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-action-disrupt-illicit-revenue-generation">https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-action-disrupt-illicit-revenue-generation</a></p></div>Crashed and Burned Part IIhttps://redskyalliance.org/xindustry/crashed-and-burned-part-ii2023-09-08T16:00:00.000Z2023-09-08T16:00:00.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}12217947066,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12217947066,RESIZE_400x{{/staticFileLink}}" width="250" alt="12217947066?profile=RESIZE_400x" /></a>North Korea has some decent cyber operations aimed against its foes but can’t seem to figure out rocket propulsion. North Korea’s attempt to send a military spy satellite into orbit has failed for a second time. A North Korean representative reported that the launch took place in the early hours of 24 August 2023, the first day of a week-long launch window, but failed because of a problem with the rocket's third stage carrying the satellite. North Korea will try again in October 2023. “The flights of the first and second stages of the rocket were normal, but the launch failed due to an error in the emergency blasting system during the third-stage flight,” state-run KCNA said of the recent launch.</p>
<p>South Korea’s military said it detected the Sohae Satellite Launching Station launch at about 3:50 am local time (18:50 GMT on Wednesday) and tracked the rocket as it “traversed international airspace” over the Yellow Sea. About 10 minutes later, residents of Japan’s southernmost prefecture of Okinawa received emergency warnings advising them to take cover indoors. The emergency warning was lifted after about 20 minutes. Some of the debris may have landed in the Pacific, near the Philippines, according to Japanese broadcaster NHK.</p>
<p>A spy satellite is a priority of North Korean leader Kim Jong Un’s plan to modernize the country’s military and develop cutting-edge weapons. The first launch attempt in May 2023 also ended in disaster, with officials calling it their “gravest failure” and promising to try again.<a href="#_ftn1">[1]</a></p>
<p>In a televised press conference, Japanese Chief Cabinet Secretary Hirokazu Matsuno said the repeated missile launches threatened regional security. “We will strongly protest against North Korea and condemn it in the strongest possible terms,” he said.</p>
<p>South Korea’s National Security Council also condemned the launch, saying it breached United Nations Security Council resolutions banning Pyongyang’s use of ballistic missile technology. The United States echoed that statement and urged North Korea to refrain from “further threatening activity” and engage in serious diplomacy. “Space launch vehicles [SLVs] incorporate technologies that are identical to, and interchangeable with, those used in ballistic missiles, including intercontinental ballistic missiles [ICBMs],” a State Department spokesperson said in a statement.</p>
<p>During a phone call later, the three countries' foreign ministers agreed to consider unilateral sanctions in response to the launch, according to South Korea’s foreign ministry. The launch came days after the leaders of South Korea, Japan, and the US met in Washington, DC, and as US and South Korean forces conducted their annual Ulchi Freedom Shield military exercises.</p>
<p>North Korea claims such drills are a rehearsal for war.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.stripes.com/theaters/asia_pacific/2023-08-28/north-korea-spy-satellite-recovery-11188402.html">https://www.stripes.com/theaters/asia_pacific/2023-08-28/north-korea-spy-satellite-recovery-11188402.html</a></p></div>Comrade in Cyber Armshttps://redskyalliance.org/xindustry/comrade-in-cyber-arms2023-08-31T16:00:00.000Z2023-08-31T16:00:00.000ZCyberDoghttps://redskyalliance.org/members/CyberDog189<div><p><a href="{{#staticFileLink}}12214542095,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12214542095,RESIZE_400x{{/staticFileLink}}" alt="12214542095?profile=RESIZE_400x" width="250" /></a>North Korean threat actors have caught SentinelLabs' attention over the past year, providing us with fruitful insight into a variety of campaigns, such as <a href="https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/">new reconnaissance tools</a>, (<a href="https://s1.ai/SmoothOperator">multiple</a>) new <a href="https://www.sentinelone.com/labs/jumpcloud-intrusion-attacker-infrastructure-links-compromise-to-north-korean-apt-activity/">supply chain intrusions</a>, elusive <a href="https://www.sentinelone.com/blog/bluenoroff-how-dprks-macos-rustbucket-seeks-to-evade-analysis-and-detection/">multi-platform targeting</a>, and new sly <a href="https://www.sentinelone.com/labs/kimsuky-new-social-engineering-campaign-aims-to-steal-credentials-and-gather-strategic-intelligence/">social engineering tactics</a>. To add to that list, analysts looked at an intrusion into what might be considered a highly desirable strategic espionage mission, supporting North Korea’s contentious missile program.<a href="#_ftn1">[1]</a></p>
<p><strong>The Target Organization - </strong>While hunting and tracking suspected North Korean threat actors, we identified a leaked email collection containing an implant with characteristics related to previously reported DPRK-affiliated threat actor campaigns. A thorough investigation of the email archive revealed a larger intrusion, not fully recognized at the time by the compromised organization.</p>
<p>The victim organization is NPO Mashinostroyeniya (JSC MIC Mashinostroyenia, NPO Mash), a leading Russian manufacturer of missiles and military spacecraft. The organization’s parent company is JSC Tactical Missiles Corporation KTRV (Russian: АО «Корпорация Тактическое Ракетное Вооружение,» КТРВ). NPO Mashinostroyeniya is a <a href="https://www.opensanctions.org/entities/NK-6K5vGD6w9B3vCFRk7ZXwyE/">sanctioned</a> entity with highly confidential intellectual property on sensitive missile technology currently in use and under development for the Russian military.</p>
<p>Sentinel is highly confident that the emails related to this activity originate from the victim organization. Furthermore, no discernible signs of manipulation or technically verifiable inaccuracies are present in these emails. It’s essential to highlight that the leaked data comprises a substantial volume of emails unrelated to our current research scope. This suggests that the leak was likely accidental or resulted from activity unrelated to the specific intrusion under scrutiny in our investigation. However, this collection provides valuable background context for our understanding of their internal network design, security gaps, and even cases of activity by other attackers.</p>
<p><em><a href="{{#staticFileLink}}12214543271,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12214543271,RESIZE_710x{{/staticFileLink}}" alt="12214543271?profile=RESIZE_710x" width="625" /></a>Example of unrelated email alerts from Russian CERT to NPO Mash</em></p>
<p>In mid-May 2022, roughly a week before <a href="https://apnews.com/article/politics-asia-united-states-north-korea-8f0e8d644856425b35d4e6072c363db7">Russia vetoed a UN resolution</a> to impose new sanctions on North Korea for intercontinental ballistic missile launches that could deliver nuclear weapons, the victim organization internally flagged the intrusion. Internal NPO Mashinostroyeniya emails show IT staff exchanged discussions highlighting questionable communications between specific processes and unknown external infrastructure. The same day, the NPO Mashinostroyeniya staff also identified a suspicious DLL file in different internal systems. The month following the intrusion, NPO Mashinostroyeniya engaged with their AV solution’s support staff to determine why this and other activity was not detected.</p>
<p>After examining the emails and an in-depth investigation into the two separate sets of suspicious activity, analysts successfully established a correlation between each cluster of activity and a respective threat actor, amounting to a more significant network intrusion than the victim organization realized.</p>
<p><strong>North Korean Overlap - </strong>During its investigation, Sentinel identified the suspicious file in question as a version of the OpenCarrot Windows OS backdoor, previously <a href="https://exchange.xforce.ibmcloud.com/collection/OpenCarrot-Malware-Identified-in-Financial-Sector-Activity-6686a880f7e2e8cd808d2835633b31fb">identified</a> by IBM XForce as part of Lazarus group activities. As a feature-rich, configurable, versatile backdoor, the malware is a strong enabler of the group’s operations. With a wide range of supported functionality, OpenCarrot enables full compromise of infected machines and the coordination of multiple infections across a local network. The OpenCarrot variant we analyzed supports proxying C2 communication through internal network hosts as well as directly to the external server, which strongly suggests a network-wide compromise.</p>
<p>Additionally, we discovered the suspicious network traffic discussed in emails is the compromise of the business’ Linux email server, hosted publicly at vpk.npomash[.]ru (185.24.244[.]11). At the time of discovery, the email server was beaconing outbound to infrastructure we now attribute to the ScarCruft threat actor. ScarCruft is commonly attributed to North Korea’s state-sponsored activity, targeting high-value individuals and organizations near-globally. The group is also referred to as <a href="https://www.youtube.com/watch?v=qCwHwfFmMfI">Inky Squid, APT37, or Group123</a> and often showcases a variety of technical capabilities for their intrusions. While we cannot confirm the initial access method and implant running on the email server at the time of discovery, analysts linked malware loading tools and techniques involving this infrastructure set to those seen in <a href="https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/">previously reported</a> ScarCruft activity using the RokRAT backdoor.</p>
<p>This intrusion gives rare insight into sensitive DPRK cyberespionage campaigns and an opportunity to expand our understanding of the relationship and goals between various North Korean cyber threat actors. Considering their growing relationship, it also highlights a potential rift in relations between Russia and North Korea.</p>
<p>This engagement establishes connections between two distinct DPRK-affiliated threat actors, suggesting the potential for shared resources, infrastructure, implants, or access to victim networks. Moreover, we acknowledge the possibility that the assigned task of an intrusion into NPO Mashinostroyeniya might have warranted targeting by multiple autonomous threat actors due to its perceived significance.</p>
<p><strong>OpenCarrot Backdoor Activity - </strong>The OpenCarrot sample analyzed is implemented as a Windows service DLL file, intended to execute persistently. In line with typical practices of the Lazarus group, OpenCarrot is subject to continuous, not necessarily incremental, changes. The file has a compilation timestamp of Wednesday, Dec. 01, 2021. Although the threat actors could have manipulated the timestamp, given the proximity to the May 2022 suspected intrusion date, the timestamp is likely authentic. The confidence in this assessment also increases through the infrastructure analysis below.</p>
<p>The OpenCarrot variant we analyzed implements over 25 backdoor commands with a wide range of functionality representative of Lazarus group backdoors. In this case, supported functionality includes:</p>
<ul>
<li>Reconnaissance: File and process attribute enumeration, scanning and ICMP-pinging hosts in IP ranges for open TCP ports and availability.</li>
<li>Filesystem and process manipulation: Process termination, DLL injection, and file deletion, renaming, and timestamping.</li>
<li>Reconfiguration and connectivity: Managing C2 communications, including terminating existing and establishing new comms channels, changing malware configuration data stored on the filesystem, and proxying network connections.</li>
</ul>
<p>The OpenCarrot sample displays further characteristics often seen in Lazarus group malware: its backdoor commands are indexed by consecutive integers, a common trait of the group's tooling, and in addition to these integer-indexed commands, the developers implement string-indexed sub-commands.</p>
<p><br /> <a href="{{#staticFileLink}}12214543681,RESIZE_584x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12214543681,RESIZE_584x{{/staticFileLink}}" alt="12214543681?profile=RESIZE_584x" width="512" /></a><em>Backdoor command indexing</em></p>
<p>Keeping with their <a href="https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html">typical</a> <a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf">mode</a> of operations, the malware is intended to execute as a Windows service and exports the ServiceMain function. OpenCarrot implements executable code in a section named .vlizer, indicating the use of code virtualization for obfuscation. The .vlizer section is <a href="https://github.com/horsicq/Detect-It-Easy/blob/cde836bf7f4255ace4776b1e4602f45748a15af9/db/PE/Oreans%20CodeVirtualizer.2.sg#L12">associated</a> with the Oreans <a href="https://www.oreans.com/CodeVirtualizer.php">Code Virtualizer</a> code protection platform, a functional subset of <a href="https://www.oreans.com/Themida.php">Themida</a>. As previously <a href="https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf">observed</a> in Themida-protected Lazarus group malware, some code segments of the OpenCarrot variant we analyzed are not protected.</p>
<p>As part of its initialization process, OpenCarrot ingests configuration data from a file whose name is composed of the service name in whose context the malware executes and the .dll.mui extension. The configuration data contains encryption-protected C2 information. The use of configuration files with the .dll.mui extension is a long-standing theme among Lazarus group <a href="https://www.trendmicro.com/en_us/research/18/k/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america.html">malware</a>, mimicking a lesser-known <a href="https://learn.microsoft.com/en-us/windows/win32/intl/mui-resource-management">standard Windows file</a> extension used to denote application resources and externalities. OpenCarrot implements relatively long sleep periods. To avoid remaining idle for too long whenever the user of the infected machine is active, OpenCarrot implements a mechanism to exit its sleep state earlier than instructed. If the malware is instructed to sleep for 15 seconds or more, it then monitors at 15-second intervals for the insertion of new drives, such as USB devices. If such an event occurs, the malware exits its sleep state before the configured sleep time elapses. A variant of this technique has been previously <a href="https://download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf">observed</a> in the <a href="https://www.cisa.gov/news-events/analysis-reports/ar20-133c">Pebbledash</a> malware.</p>
<p><br /> <a href="{{#staticFileLink}}12214543888,RESIZE_584x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12214543888,RESIZE_584x{{/staticFileLink}}" alt="12214543888?profile=RESIZE_584x" width="512" /></a><em>Disk drive monitoring</em></p>
<p>OpenCarrot’s versatility is evident with its support of multiple communication methods with C2 servers. The malware dispatches commands for execution based on attacker-provided data originating not only from remote C2 servers but also from local processes through named pipes and incoming connections to a TCP port on which OpenCarrot listens.</p>
<p><strong>Infrastructure Analysis - </strong>The North Korean nexus of threat actors is known for not maintaining the OPSEC of their campaigns. A characteristic lack of segmentation allows researchers to amass <a href="https://www.mandiant.com/resources/blog/north-korea-supply-chain">unique insights</a> across various unreported activities. Infrastructure connections, in particular, often allow us to track the evolution of their campaigns over long periods. Sentinel linked the NPO Mashinostroyeniya email discussing suspicious network communications to active C2 communications occurring through 192.169.7[.]197 and 5.134.119[.]142. The internal host, the organization’s Red Hat email server, was actively compromised and communicating with the attacker's malicious infrastructure. A review of all details concludes the threat actor was likely operating on this server for an extensive period before the internal team’s discovery.</p>
<p><em><a href="{{#staticFileLink}}12214544671,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12214544671,RESIZE_710x{{/staticFileLink}}" alt="12214544671?profile=RESIZE_710x" width="622" /></a>Email between NPO Mash Employees sharing beaconing process details</em></p>
<p>This malicious infrastructure was served via CrownCloud (Australia) and OhzCloud (Spain) VPS hosting providers. During the intrusion, the two domains centos-packages[.]com and redhat-packages[.]com were resolving to those C2 IP addresses. The lab assesses that this particular infrastructure cluster became active in November 2021 and was immediately paused on the same day of NPO Mashinostroyeniya’s intrusion discovery in May 2022. This finding may indicate the intrusion was a high priority and closely monitored by the operators.</p>
<p><em><a href="{{#staticFileLink}}12214545058,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12214545058,RESIZE_710x{{/staticFileLink}}" alt="12214545058?profile=RESIZE_710x" width="632" /></a>Infrastructure and Timeline</em></p>
<p>A relationship can be observed between this cluster of activity and a more recent ScarCruft campaign. Following the intrusion, operators immediately killed their C2 server when the victim identified the suspicious traffic in May 2022; the centos-packages[.]com domain use was paused until it began resolving to 160.202.79[.]226 in February 2023. 160.202.79[.]226 is a QuickPacket VPS (US) hosting IP also being shared with the domain dallynk[.]com and others used by ScarCruft for malware delivery and C2 initiated through malicious documents.</p>
<p>Further, the domain dallynk[.]com follows the theme <a href="https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/">we’ve previously reported</a> in which DPRK-associated threat actors impersonate Daily NK, a prominent South Korean online news outlet that provides independent reporting on North Korea.</p>
<p>The collection of activity stemming from the dallynk[.]com domain contains malware loading tools and techniques matching those seen in <a href="https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/">previously reported</a> ScarCruft activity using the RokRAT backdoor. Similarities in server configuration history can also link to lower-confidence BlueNoroff relationships.</p>
<p><em><a href="{{#staticFileLink}}12214545661,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12214545661,RESIZE_710x{{/staticFileLink}}" alt="12214545661?profile=RESIZE_710x" width="624" /></a>Infrastructure ScarCruft Link</em></p>
<p>While conducting this research, analysts <a href="https://www.sentinelone.com/labs/jumpcloud-intrusion-attacker-infrastructure-links-compromise-to-north-korean-apt-activity/">first publicly identified</a> the link between the JumpCloud intrusion and North Korean threat actors. One detail that immediately struck us was the similarity in domain themes, such as centos-pkg[.]org / centos-repos[.]org (JumpCloud) and centos-packages[.]com (NPO Mash). This detail is superficial and not strong enough on its own to base direct clustering on. Still, alongside the other North Korean threat actor connections mentioned above, it stokes our curiosity about the particulars of the threat actors’ infrastructure creation and management procedures.</p>
<p>Lastly, Sentinel advises particular care in how this infrastructure is further attributed when reviewed historically. For example, the C2 server IP address 192.169.7[.]197 was used between January and May 2022 by the DPRK-linked threat actor; however, that same IP was used by the Arid Viper/Desert Falcon APT in 2020, <a href="https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf">first reported by Meta Threat Investigators</a>. Arid Viper is associated with Palestinian interests, conducting activity throughout the Middle East. Analysts assess the Arid Viper activity as unrelated to our findings, and the infrastructure overlap is simply an example of commonly reused dubious VPS hosting providers. This further highlights the importance of associating active timeframes with IP-based indicators.</p>
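An added example, not code from the SentinelLabs report or Red Sky Alliance, of the point above: matching log events against IP and domain indicators only within each indicator's reported active window, so a reused VPS address is not blindly attributed. The windows are built from the timeline in the text; month boundaries, the Arid Viper year-long window, the actor labels, the flow-log format and the sample log lines are constructed or assumed.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

DEFANG_RE = re.compile(r"\[\.\]")


def refang(value: str) -> str:
    """Turn a defanged indicator such as '192.169.7[.]197' back into a matchable form."""
    return DEFANG_RE.sub(".", value.strip().lower())


@dataclass(frozen=True)
class Indicator:
    value: str                  # IP address or domain, stored refanged and lower-cased
    actor: str                  # attribution that applies only inside the window
    first_seen: date
    last_seen: Optional[date]   # None: no end of use had been reported

    def covers(self, when: date) -> bool:
        """True if `when` falls inside this indicator's observed active window."""
        if when < self.first_seen:
            return False
        return self.last_seen is None or when <= self.last_seen


# Constructed from the timeline in the text above. Month boundaries are assumed
# where the report only names a month; the Arid Viper window is assumed to be
# all of 2020. The same IP and the same domain appear twice, under different actors.
INDICATORS = [
    Indicator(refang(v), a, first, last) for v, a, first, last in [
        ("192.169.7[.]197", "DPRK-linked (NPO Mash C2)", date(2022, 1, 1), date(2022, 5, 31)),
        ("192.169.7[.]197", "Arid Viper", date(2020, 1, 1), date(2020, 12, 31)),
        ("5.134.119[.]142", "DPRK-linked (NPO Mash C2)", date(2021, 11, 1), date(2022, 5, 31)),
        ("centos-packages[.]com", "DPRK-linked (NPO Mash C2)", date(2021, 11, 1), date(2022, 5, 31)),
        ("centos-packages[.]com", "ScarCruft", date(2023, 2, 1), None),
        ("160.202.79[.]226", "ScarCruft", date(2023, 2, 1), None),
    ]
]


@dataclass(frozen=True)
class Match:
    indicator: str
    actor: str
    in_window: bool


def lookup(value: str, when: date) -> list:
    """Every indicator equal to `value`, each flagged with whether `when` is inside its window."""
    v = refang(value)
    return [Match(i.value, i.actor, i.covers(when)) for i in INDICATORS if i.value == v]


# Hypothetical flow-log format: ISO-8601 timestamp, then key=value fields.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s.*?\bdst=(?P<dst>\S+)")


def triage(lines: list) -> list:
    """Classify each log line that hits an indicator.

    'attributable'    - the event time is inside at least one actor's window
    'stale-indicator' - the value is a known indicator, but the event lies outside
                        every reported window (e.g. a reused VPS address), so the
                        attribution must not be carried over without further evidence
    Lines that hit nothing are dropped.
    """
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        when = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).date()
        hits = lookup(m["dst"], when)
        if not hits:
            continue
        live = [h for h in hits if h.in_window]
        verdict = "attributable" if live else "stale-indicator"
        actors = sorted({h.actor for h in (live or hits)})
        results.append({"ts": m["ts"], "dst": m["dst"], "verdict": verdict, "actors": actors})
    return results


# Constructed sample log lines (not from any real network).
SAMPLE_LOG = [
    "2022-03-14T09:12:44Z src=10.0.0.5 dst=192.169.7.197 proto=tcp dport=443",
    "2020-06-02T11:00:00Z src=10.0.0.9 dst=192.169.7.197 proto=tcp dport=443",
    "2022-09-10T03:30:00Z src=10.0.0.5 dst=192.169.7.197 proto=tcp dport=443",
    "2023-03-05T17:45:12Z src=10.0.0.7 dst=centos-packages.com proto=dns",
    "2021-06-01T08:00:00Z src=10.0.0.5 dst=5.134.119.142 proto=tcp dport=80",
    "2022-03-14T09:13:00Z src=10.0.0.5 dst=8.8.8.8 proto=udp dport=53",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r)
```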
<p><strong>Conclusion - </strong>With high confidence, Sentinel attributes this intrusion to threat actors independently associated with North Korea. Based on our assessment, this incident is a compelling illustration of North Korea’s proactive measures to covertly advance its missile development objectives, as evidenced by its direct compromise of a Russian Defense-Industrial Base (DIB) organization.</p>
<p>The convergence of North Korean cyber threat actors represents a profoundly consequential menace warranting comprehensive global monitoring. Operating as a cohesive cluster, these actors consistently undertake various campaigns motivated by various factors. In light of these findings, addressing and mitigating this threat with utmost vigilance and strategic response is crucial.</p>
<p><strong>Indicators</strong></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.sentinelone.com/labs/comrades-in-arms-north-korea-compromises-sanctioned-russian-missile-engineering-company/">https://www.sentinelone.com/labs/comrades-in-arms-north-korea-compromises-sanctioned-russian-missile-engineering-company/</a></p></div>Cloud Jumpinghttps://redskyalliance.org/xindustry/cloud-jumping2023-08-08T16:20:00.000Z2023-08-08T16:20:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}12167769290,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12167769290,RESIZE_400x{{/staticFileLink}}" alt="12167769290?profile=RESIZE_400x" width="250" /></a>In recent news, the cloud-based IT management service JumpCloud publicly shared details gathered from the investigation into an intrusion on their network. Alongside <a href="https://jumpcloud.com/blog/security-update-incident-details">the updated details</a>, the organization shared a <a href="https://jumpcloud.com/support/july-2023-iocs">list of associated indicators of compromise</a> (IOCs), noting attribution to an unnamed “sophisticated nation-state sponsored threat actor.” Reviewing the newly released indicators of compromise, we associate the cluster of threat activity with a North Korean state-sponsored APT.<a href="#_ftn1">[1]</a> The IOCs are linked to a wide variety of activity we attribute to DPRK, centered on the supply chain targeting approach seen in <a href="https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/">previous campaigns</a>.</p>
<p>Infrastructure Analysis - Based on the IOCs shared by JumpCloud, we were able to analyze the threat actor’s infrastructure. The following list is our starting point:</p>
<p><strong>Domains</strong></p>
<table width="100%">
<tbody>
<tr>
<td width="33%">
<p>alwaysckain.com</p>
</td>
<td width="33%">
<p>canolagroove.com</p>
</td>
<td width="33%">
<p>centos-pkg.org</p>
</td>
</tr>
<tr>
<td width="33%">
<p>centos-repos.org</p>
</td>
<td width="33%">
<p>datadog-cloud.com</p>
</td>
<td width="33%">
<p>datadog-graph.com</p>
</td>
</tr>
<tr>
<td width="33%">
<p>launchruse.com</p>
</td>
<td width="33%">
<p>nomadpkg.com</p>
</td>
<td width="33%">
<p>nomadpkgs.com</p>
</td>
</tr>
<tr>
<td width="33%">
<p>primerosauxiliosperu.com</p>
</td>
<td width="33%">
<p>reggedrobin.com</p>
</td>
<td width="33%">
<p>toyourownbeat.com</p>
</td>
</tr>
<tr>
<td width="33%">
<p>zscaler-api.org</p>
</td>
<td width="33%"> </td>
<td width="33%"> </td>
</tr>
</tbody>
</table>
<p><strong>IP Addresses</strong></p>
<table width="100%">
<tbody>
<tr>
<td width="33%">
<p>51.254.24.19</p>
</td>
<td width="33%">
<p>185.152.67.39</p>
</td>
<td width="33%">
<p>70.39.103.3</p>
</td>
</tr>
<tr>
<td width="33%">
<p>66.187.75.186</p>
</td>
<td width="33%">
<p>104.223.86.8</p>
</td>
<td width="33%">
<p>100.21.104.112</p>
</td>
</tr>
<tr>
<td width="33%">
<p>23.95.182.5</p>
</td>
<td width="33%">
<p>78.141.223.50</p>
</td>
<td width="33%">
<p>116.202.251.38</p>
</td>
</tr>
<tr>
<td width="33%">
<p>89.44.9.202</p>
</td>
<td width="33%">
<p>192.185.5.189</p>
</td>
<td width="33%">
<p>162.241.248.14</p>
</td>
</tr>
<tr>
<td width="33%">
<p>179.43.151.196</p>
</td>
<td width="33%">
<p>45.82.250.186</p>
</td>
<td width="33%">
<p>162.19.3.23</p>
</td>
</tr>
<tr>
<td width="33%">
<p>144.217.92.197</p>
</td>
<td width="33%">
<p>23.29.115.171</p>
</td>
<td width="33%">
<p>167.114.188.40</p>
</td>
</tr>
<tr>
<td width="33%">
<p>91.234.199.179</p>
</td>
<td width="33%"> </td>
<td width="33%"> </td>
</tr>
</tbody>
</table>
<p>By <a href="https://www.sentinelone.com/labs/putting-things-in-context-timelining-threat-campaigns/">mapping out</a> this infrastructure, it is possible to show the links between the diverse set of IP addresses and pick up various patterns.</p>
<p>Triggering alerts on 192.185.5[.]189 alone is ill-advised: it is a shared hosting server for many domains and not an indicator of malicious activity by itself.</p>
<p>However, toyourownbeat[.]com shares an SSL certificate with skylerhaupt[.]com, indicating a potential common owner.</p>
<p>The indicator 144.217.92[.]197 shared by JumpCloud does not host any domains from the list they shared, but passive DNS data shows a similar one: npmaudit[.]com, which was also just recently <a href="https://github.blog/2023-07-18-security-alert-social-engineering-campaign-targets-technology-industry-employees/">shared</a> by GitHub in an alert of their own.</p>
<p>Based on public details available as of this writing, it’s unclear if the GitHub alert originated from the JumpCloud incident or if they are separate efforts by the same attacker.</p>
<p><em><a href="{{#staticFileLink}}12167789875,RESIZE_584x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12167789875,RESIZE_584x{{/staticFileLink}}" alt="12167789875?profile=RESIZE_584x" width="500" /></a>Infrastructure Map Noting JumpCloud links</em></p>
<p>Moving on to IP address 23.29.115[.]171, we can see through PDNS data that the domain npm-pool[.]org is related.</p>
<p>Notably, this domain is quite similar to the NPM theme of domains shared in the GitHub alert.</p>
<p><em><a href="{{#staticFileLink}}12167811081,RESIZE_584x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12167811081,RESIZE_584x{{/staticFileLink}}" alt="12167811081?profile=RESIZE_584x" width="500" /></a>Infrastructure Map Noting JumpCloud and GitHub Overlap</em></p>
<p>While the following is not a strong indicator of attribution on its own, it is noteworthy that the way these domains are constructed and used follows a pattern similar to other DPRK-linked campaigns we track. Indicators with suspected actor association, but unverified as of this writing, include junknomad[.]com and insatageram[.]com (registered with jeanettar671belden[@]protonmail[.]com). Additional pivots of potential interest can be made through other IPs, including 167.114.188[.]40, and to a variety of low-confidence attacker-associated infrastructure.</p>
<p>Following the profile of the associated infrastructure from both the JumpCloud intrusion and the GitHub security alert, we can expand to further associated threat activity. For example, we can see clear links to other NPM and “package” themed infrastructure we associate with high to medium confidence, as noted in the list below. This list further expands thanks to the findings and blog from <a href="https://blog.phylum.io/sophisticated-ongoing-attack-discovered-on-npm/">Phylum in late June</a>.</p>
<ul>
<li>npmjscloud[.]com</li>
<li>npmcloudjs[.]com</li>
<li>nodepkg[.]com</li>
<li>dadiwarm[.]com</li>
<li>189.145[.]247</li>
<li>npmjsregister[.]com</li>
<li>44.178[.]222</li>
<li>tradingprice[.]net</li>
<li>bi2price[.]com</li>
</ul>
<p>Trivial pivots from here can be made to similar behaving infrastructure linked to <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-108a">TraderTraitor</a>, as noted by GitHub, plus those of <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-048a">AppleJeus</a> such as <a href="https://www.cisa.gov/news-events/analysis-reports/ar21-048a">Celas Trade Pro</a> via celasllc[.]com.</p>
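<p>The pivoting logic described in this section (downgrading shared-hosting IPs, following co-hosted domains through passive DNS, and following shared certificates) is shown below as an added example; it is not code from the original post, SentinelOne or JumpCloud. The indicators are the defanged values listed above, but the passive-DNS and certificate observations are constructed for illustration: only the pairings the post names (144.217.92[.]197 to npmaudit[.]com, 23.29.115[.]171 to npm-pool[.]org, toyourownbeat[.]com sharing a certificate with skylerhaupt[.]com) are taken from it, while the co-tenants on the shared host, the certificate fingerprints and the density threshold are assumptions.</p>

```python
"""Triage of shared infrastructure indicators (added example, constructed data)."""
from collections import defaultdict

# Defanged indicators as published in the post.
KNOWN_DOMAINS = ["toyourownbeat[.]com", "zscaler-api[.]org", "nomadpkg[.]com"]
KNOWN_IPS = ["192.185.5[.]189", "144.217.92[.]197", "23.29.115[.]171"]

# CONSTRUCTED passive-DNS records: (ip, domain). Co-tenants are invented.
PDNS = [
    ("144.217.92[.]197", "npmaudit[.]com"),
    ("23.29.115[.]171", "npm-pool[.]org"),
    ("192.185.5[.]189", "toyourownbeat[.]com"),
    ("192.185.5[.]189", "bakery-example[.]com"),      # constructed co-tenant
    ("192.185.5[.]189", "gardening-example[.]net"),   # constructed co-tenant
    ("192.185.5[.]189", "chess-club-example[.]org"),  # constructed co-tenant
]

# CONSTRUCTED certificate observations: (fingerprint placeholder, domain).
CERTS = [
    ("CERT_FP_PLACEHOLDER_1", "toyourownbeat[.]com"),
    ("CERT_FP_PLACEHOLDER_1", "skylerhaupt[.]com"),
    ("CERT_FP_PLACEHOLDER_2", "zscaler-api[.]org"),
]

# Assumption: an IP that resolved for this many distinct domains is shared hosting.
SHARED_HOSTING_THRESHOLD = 3


def refang(ioc):
    """Restore a defanged indicator so it can be matched against telemetry."""
    return ioc.replace("[.]", ".").replace("[@]", "@").replace("hxxp", "http")


def defang(ioc):
    """Bracket the last dot, the defanging convention used in the post."""
    return ioc[::-1].replace(".", "].[", 1)[::-1]


def domains_by_ip(pdns):
    """Group passive-DNS records by refanged IP."""
    grouped = defaultdict(set)
    for ip, domain in pdns:
        grouped[refang(ip)].add(refang(domain))
    return grouped


def classify_ips(ips, pdns, threshold=SHARED_HOSTING_THRESHOLD):
    """Label each IP 'alertable' or 'shared-hosting' from its hosting density."""
    grouped = domains_by_ip(pdns)
    return {
        refang(ip): ("shared-hosting"
                     if len(grouped.get(refang(ip), ())) >= threshold
                     else "alertable")
        for ip in ips
    }


def pivots(known_domains, known_ips, pdns, certs, threshold=SHARED_HOSTING_THRESHOLD):
    """Unlisted domains tied to a listed indicator by IP or certificate.

    Shared-hosting IPs are skipped: their co-tenants are noise, not pivots.
    Returns {defanged_domain: reason}.
    """
    known = {refang(d) for d in known_domains}
    grouped = domains_by_ip(pdns)
    found = {}
    for ip, label in classify_ips(known_ips, pdns, threshold).items():
        if label != "alertable":
            continue
        for domain in grouped.get(ip, ()):
            if domain not in known:
                found[defang(domain)] = f"co-hosted on {defang(ip)}"
    by_cert = defaultdict(set)
    for fingerprint, domain in certs:
        by_cert[fingerprint].add(refang(domain))
    for fingerprint, domains in by_cert.items():
        if domains & known:
            for domain in domains - known:
                found[defang(domain)] = f"shares certificate {fingerprint}"
    return found


if __name__ == "__main__":
    for ip, label in classify_ips(KNOWN_IPS, PDNS).items():
        print(f"{defang(ip):20} {label}")
    for domain, reason in sorted(pivots(KNOWN_DOMAINS, KNOWN_IPS, PDNS, CERTS).items()):
        print(f"{domain:24} {reason}")
```

<p>The density threshold is the point the post makes about 192.185.5[.]189: with real passive-DNS data the threshold would be tuned per data source, and any pivot produced this way is a lead for analyst review, not an attribution.</p>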
<p>Conclusion - It is evident that North Korean threat actors are continuously adapting and exploring novel methods to infiltrate targeted networks. The JumpCloud intrusion serves as a clear illustration of their inclination towards supply chain targeting, which yields a multitude of potential subsequent intrusions. The DPRK demonstrates a profound understanding of the benefits derived from meticulously selecting high-value targets as a pivot point to conduct supply chain attacks into fruitful networks.</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com</p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<ul>
<li><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></li>
</ul>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.sentinelone.com/labs/jumpcloud-intrusion-attacker-infrastructure-links-compromise-to-north-korean-apt-activity/">https://www.sentinelone.com/labs/jumpcloud-intrusion-attacker-infrastructure-links-compromise-to-north-korean-apt-activity/</a></p></div>Kimsuky Againhttps://redskyalliance.org/xindustry/kimsuky-again2023-06-04T12:10:00.000Z2023-06-04T12:10:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}11303748863,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}11303748863,RESIZE_400x{{/staticFileLink}}" alt="11303748863?profile=RESIZE_400x" width="250" /></a>US and South Korean intelligence agencies have issued a new alert warning of North Korean cyber actors' use of social engineering tactics to strike think tanks, academia, and news media sectors. The "sustained information gathering efforts" have been attributed to a state-sponsored cluster called Kimsuky, which is also known by the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), Nickel Kimball, and Velvet Chollima. Active guys….. "North Korea relies heavily on intelligence gained from these spear-phishing campaigns," the agencies said. "Successful compromises of the targeted individuals enable Kimsuky actors to craft more credible and effective spear-phishing emails that can be leveraged against sensitive, high-value targets."<a href="#_ftn1">[1]</a></p>
<p>Kimsuky refers to an ancillary element within North Korea's Reconnaissance General Bureau (RGB) and is known to collect tactical intelligence on geopolitical events and negotiations affecting the regime's interests. It has been known to be active since at least 2012. "These cyber actors are strategically impersonating legitimate sources to collect intelligence on geopolitical events, foreign policy strategies, and security developments of interest to the DPRK on the Korean Peninsula," said the NSA’s director of Cybersecurity. This includes journalists, academic scholars, think tank researchers, and government officials, with the ruse primarily designed to single out individuals working on North Korean matters like foreign policy and politics.</p>
<p>The goal of Kimsuky's cyber programs, the officials said, is to gain illicit access and to provide stolen data and valuable geopolitical insight to the North Korean government. Kimsuky has been observed leveraging open-source information to identify potential targets of interest and subsequently crafting online personas that appear more legitimate by creating email addresses that resemble those of the real individuals they seek to impersonate.</p>
<p>The adoption of spoofed identities is a tactic embraced by other state-sponsored groups and is seen as a ploy to gain trust and build rapport with the victims. The adversary is also known to compromise the email accounts of the impersonated individuals to concoct convincing email messages. "DPRK [Democratic People's Republic of Korea] actors often use domains that resemble common internet services and media sites to deceive a target," according to the advisory. "Kimsuky actors tailor their themes to their target's interests and will update their content to reflect current events discussed among the community of North Korea watchers."</p>
<p>Besides using multiple personas to communicate with a target, the emails carry password-protected malicious documents, either attached directly or hosted on Google Drive or Microsoft OneDrive.</p>
<p>The lure files, when opened, urge the recipients to enable macros, resulting in the provision of backdoor access to the devices through malware such as BabyShark. Additionally, the persistent access is weaponized to stealthily auto-forward all emails landing in a victim's inbox to an actor-controlled email account. Another tell-tale sign is the use of "fake but realistic versions of actual websites, portals, or mobile applications" to harvest login credentials from victims.</p>
<p>The development comes weeks after cybersecurity firm SentinelOne detailed Kimsuky's use of custom tools like ReconShark (an upgraded version of BabyShark) and RandomQuery for reconnaissance and information exfiltration.</p>
<p>In March of this year, German and South Korean government authorities sounded the alarm about cyber-attacks mounted by Kimsuky that entail the use of rogue browser extensions to steal users' Gmail inboxes.</p>
<p>The alert also follows sanctions imposed by the US Treasury Department against four entities and one individual who are involved in malicious cyber activities and fundraising schemes that aim to support North Korea's strategic priorities.</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com</p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://thehackernews.com/2023/06/north-koreas-kimsuky-group-mimics-key.html">https://thehackernews.com/2023/06/north-koreas-kimsuky-group-mimics-key.html</a></p></div>Food for Ammunitionhttps://redskyalliance.org/xindustry/food-for-ammunition2023-04-10T16:00:00.000Z2023-04-10T16:00:00.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}11025972064,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}11025972064,RESIZE_400x{{/staticFileLink}}" width="250" alt="11025972064?profile=RESIZE_400x" /></a>In the era of cyber wars, AI, and drones, wars are still being fought with 20th-century weapons that require massive amounts of ammunition. Russia is sending a delegation to North Korea to offer food in exchange for weapons, the US national security spokesman said. He said any arms deal between North Korea and Russia would violate UN Security Council resolutions. The US has previously accused North Korea of supplying arms to the Russian military in Ukraine and the Wagner group of Russian mercenaries. Pyongyang earlier denied the claims. Mr. Kirby told a news conference the US had new information about a deal. "We also understand that Russia is seeking to send a delegation to North Korea and that Russia is offering North Korea food in exchange for munitions," he said. The security spokesperson said the US closely monitored the situation and the alleged deal.<a href="#_ftn1">[1]</a></p>
<p>North Korea is one of the poorest countries in the world and has experienced chronic food shortages for decades, including a devastating famine in the mid-to-late 1990s. In February 2023, experts warned the country, which has one of the most authoritarian governments in the world, was facing a critical food crisis due to a significant drop in production worsened by poor weather, strict border controls, and the effect of international sanctions. Satellite imagery from South Korean authorities indicates that the North produced 180,000 tons less food in 2022 than in 2021.</p>
<p>In late March 2023, the US Treasury blacklisted a Slovak man in a separate case for acting as a broker between Russia and North Korea. The treasury said Ashot Mkrtychev, 56, had arranged sales and organized deals that would enable North Korea to ship weapons to Russia in late 2022 and early 2023. In return, Pyongyang received cash, commercial aircraft, commodities, and raw materials, they said. Placing Mr. Mkrtychev on the sanctions blacklist means American businesses cannot deal with him, and it freezes his US assets.</p>
<p>North Korea is apparently moving to sell millions of rockets and artillery shells, likely from its old stock, to its Cold War ally Russia. Russia has called a US intelligence report on the purchasing plan “fake.” But US officials say it shows Russia’s desperation with the war in Ukraine and that Moscow could buy additional military hardware from North Korea. The ammunition North Korea reportedly intends to sell to Moscow is likely copies of Soviet-era weapons that fit Russian launchers. But there are still questions about the quality of the supplies and how much they could actually help the Russian military.</p>
<p>Blocked by international sanctions and export controls, Russia bought Iranian-made drones in August 2022 that US officials said had technical problems. For Russia, North Korea is likely another good option for its ammunition supply, because the North keeps a significant stockpile of shells, many of them copies of Soviet-era ones.</p>
<p>North Korea “may represent the single biggest source of compatible legacy artillery ammunition outside of Russia, including domestic production facilities to further supplies,” said a research associate for defense and military analysis at the International Institute for Strategic Studies.</p>
<p>The Korean Defense Network in South Korea said that North and South Korea, split along the world’s most heavily fortified border for more than 70 years, each keep tens of millions of artillery shells. He said North Korea would likely sell older shells that it wants to replace with newer ones for multiple rocket launch systems or sophisticated missiles in its front-line Army bases.</p>
<p>North Korea’s greater reliance on nuclear weapons and guided missiles may also remove the need for many of its older, unguided artillery shells that once played a prominent role, said an expert with the Carnegie Endowment for International Peace. But a senior security expert at the California-based think tank Rand said most of the artillery rounds to be sent to Russia are likely to be ammunition for small arms, such as AK-47 rifles or machine guns. “It’s not millions of artillery shells and rockets that’s more than the likely consumption. It could be millions of small arms rounds,” he said.</p>
<p>According to an IISS assessment, North Korea has an estimated 20,000 artillery pieces, including multiple rocket launchers in service, which Dempsey described as “significantly more than any other country in the world.” North Korea’s state media have called its artillery guns “the first arm of the People’s Army and the most powerful arm in the world” that can reduce an enemy’s position into “a sea of flames.”</p>
<p>But its old artillery systems, whose ammunition will likely be supplied to Russia, have a reputation for poor accuracy. North Korea’s artillery bombardment of South Korea’s front-line Yeonpyeong Island in 2010 killed four people. Only 80 of the 300-400 rounds North Korea is thought to have fired likely hit their target; half of the North Korean shells launched fell into the water before reaching the island. “That is miserable artillery performance. The Russians may experience the same thing, which will not make them very happy,” he said.</p>
<p>Observers doubt the usefulness of North Korean ammunition for the Russian campaign in Ukraine, which they say has depleted the military. There have been photos of barrel-busted Russian guns on social media. In July 2022, a senior US defense official told reporters that Russia was launching tens of thousands of artillery rounds each day and couldn’t keep it up forever. “While substantial stockpiles likely still exist, they may be increasingly infringing on those reserved for the contingency of a wider future conflict,” a researcher said.</p>
<p>Western sanctions have significantly affected Russia's ability to replace used-up or destroyed weapons in its war on Ukraine. The sanctions have prompted Russia to turn to other countries for sources.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>• Reporting: https://www.redskyalliance.org/<br />• Website: https://www.wapacklabs.com/<br />• LinkedIn: https://www.linkedin.com/company/64265941</p>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a> </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.bbc.com/news/world-europe-65131117">https://www.bbc.com/news/world-europe-65131117</a></p></div>No Good Deed goes Unpunishedhttps://redskyalliance.org/xindustry/no-good-deed-goes-unpunished2022-12-19T13:05:00.000Z2022-12-19T13:05:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}10913167469,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10913167469,RESIZE_400x{{/staticFileLink}}" alt="10913167469?profile=RESIZE_400x" width="250" /></a>Sometimes, well-intentioned research can actually benefit adversaries. Recently, when a US-based foreign affairs analyst received an email from the Director of the “38 North think-tank” to commission an article, it seemed to be business as usual. The sender was actually a suspected North Korean spy seeking information, according to those involved and three cybersecurity researchers.</p>
<p>Instead of infecting his computer and stealing sensitive data, as hackers typically do, the sender appeared to be trying to elicit his thoughts on North Korean security issues by pretending to be 38 North director Jenny Town. "I realized it wasn't legit once I contacted the person with follow up questions and found out there was, in fact, no request that was made, and that this person was also a target," said the analyst. "So, I figured out pretty quickly this was a widespread campaign."</p>
<p>This email instance is part of a new and previously unreported campaign by a suspected North Korean hacking group, according to the cybersecurity experts, five such targeted individuals and emails seen by journalists. Many cybersecurity experts suspect the hackers are targeting people who are influential in foreign governments to better understand where Western policy is headed on North Korea.</p>
<p>The hacking group, which researchers call Thallium or Kimsuky, among other names, has long used “spear-phishing” emails that trick targets into giving up passwords or clicking attachments or links that load malware. It also appears to simply ask researchers or other experts to offer opinions or write reports. According to emails recently seen, other issues raised included China’s reaction in the event of a new nuclear test and whether a "quieter" approach to North Korean "aggression" might be warranted. "The attackers are having a ton of success with this very, very simple method," said the Microsoft Threat Intelligence Center (MSTIC), which added that the new tactic first emerged in January. "The attackers have completely changed the process." MSTIC said it had identified "multiple" North Korea experts who have provided information to a Thallium attacker account.</p>
<p>A 2020 report by US government cybersecurity agencies said Thallium has been operating since 2012 and "is most likely tasked by the North Korean regime with a global intelligence gathering mission." Thallium has historically targeted government employees, think tanks, academics, and human rights organizations, according to Microsoft.<a href="#_ftn1">[1]</a> "The attackers are getting the information directly from the horse's mouth, if you will, and they don't have to sit there and make interpretations because they're getting it directly from the expert," MS said.</p>
<p>North Korean hackers are well-known for attacks netting millions of dollars, targeting Sony Pictures over a film seen as insulting to its leader, and stealing data from pharmaceutical and defense companies, foreign governments, and others.</p>
<p>North Korea's embassy in London did not respond to a request for comment, but it has denied being involved in cybercrime. In other attacks, Thallium and other hackers have spent weeks or months developing trust with a target before sending malicious software, said the principal threat intelligence analyst at BAE Systems Applied Intelligence. </p>
<p>But according to Microsoft, the group now also engages with experts in some cases without ever sending malicious files or links even after the victims respond. This tactic can be quicker than hacking someone's account and wading through their emails, bypasses traditional technical security programs that would scan and flag a message with malicious elements, and allows the spies direct access to the experts' thinking, MS said. "For us as defenders, it's really, really hard to stop these emails," he said, adding that in most cases it comes down to the recipient being able to figure it out. BAE said some messages purporting to be from her had used an email address that ended in ".live" rather than her official account, which ends in ".org", but had copied her full signature line. In one case, she said, she was involved in a surreal email exchange in which the suspected attacker, posing as her, included her in a reply.</p>
<p>A fellow with Defense Priorities and a columnist for several newspapers, said the emails he has received were written as if a researcher were asking for a paper submission or comments on a draft. "They were quite sophisticated, with think tank logos attached to the correspondence to make it look as if the inquiry is legitimate," he said. About three weeks after receiving the faked email from 38 North, a separate hacker impersonated him, emailing other people to look at a draft, he said. That email, which DePetris shared with Reuters, offers US$300 for reviewing a manuscript about North Korea's nuclear program and asks for recommendations for other possible reviewers. MS said the hackers never paid anyone for their research or responses and would never intend to.</p>
<p>Impersonation is a common method for spies around the world, but as North Korea's isolation has deepened under sanctions and the pandemic, Western intelligence agencies believe Pyongyang has become particularly reliant on cyber campaigns, one security source in Seoul said, speaking on condition of anonymity to discuss intelligence matters.</p>
<p>In a March 2022 report, a panel of experts that investigates North Korea's UN sanctions evasions listed Thallium's efforts as among activities that "constitute espionage intended to inform and assist" the country's sanctions avoidance. Town said in some cases, the attackers have commissioned papers, and analysts had provided full reports or manuscript reviews before realizing what had happened.</p>
<p>The Defense Priorities fellow said the hackers asked him about issues he was already working on, including Japan's response to North Korea's military activities. Another email, purporting to be from a reporter at Japan's Kyodo News, asked a 38 North staffer how they thought the war in Ukraine factored into North Korea's thinking, and posed questions about US, Chinese, and Russian policies. "One can only surmise that the North Koreans are trying to get candid views from think tankers in order to better understand US policy on the North and where it may be going," they said.</p>
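<p>Both this post (a sender address ending in ".live" rather than the correspondent's real ".org") and the Kimsuky advisory quoted in "Kimsuky Again" (domains that resemble common internet services and media sites) describe the same lookalike-domain pattern, and the JumpCloud indicators above (datadog-cloud.com, zscaler-api.org, insatageram.com) show it applied to vendor names. The following is an added example of a mail-gateway or triage check for that pattern; it is not code from the original posts or from the agencies they cite. The trusted-domain list, brand list, edit-distance threshold and sample addresses are constructed, and thinktank-example.org is a placeholder for a real correspondent's domain.</p>

```python
"""Lookalike sender-domain checks (added example, constructed data)."""

# CONSTRUCTED: domains the recipient legitimately corresponds with, and
# vendor names that lookalikes tend to embed.
TRUSTED_DOMAINS = ["thinktank-example.org", "instagram.com", "datadog.com", "zscaler.com"]
BRANDS = ["instagram", "datadog", "zscaler"]
MAX_EDIT_DISTANCE = 2  # assumption: tuned for short registrable names

SAMPLE_SENDERS = [  # CONSTRUCTED
    "director[@]thinktank-example[.]org",   # the genuine correspondent
    "director[@]thinktank-example[.]live",  # suffix swap, as in the post
    "reporter[@]news-example[.]com",        # unrelated, left for analyst review
]
SAMPLE_DOMAINS = ["insatageram[.]com", "datadog-cloud[.]com",
                  "zscaler-api[.]org", "toyourownbeat[.]com"]


def refang(ioc):
    """Undo '[.]' / '[@]' defanging so values can be compared."""
    return ioc.replace("[.]", ".").replace("[@]", "@")


def levenshtein(a, b):
    """Edit distance with unit-cost insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain):
    """Return (name, suffix). Assumes a single-label public suffix."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[:-1]), labels[-1]


def classify_domain(domain, trusted=TRUSTED_DOMAINS, brands=BRANDS):
    """Return (verdict, matched trusted domain or brand) for one domain.

    Verdicts: trusted, tld-swap (same name, other suffix), typosquat (close
    edit distance to a trusted name), brand-embedded (vendor name wrapped in
    extra tokens), or unknown.
    """
    domain = refang(domain).lower()
    if domain in trusted:
        return "trusted", domain
    name, suffix = split_domain(domain)
    for t in trusted:
        t_name, t_suffix = split_domain(t)
        if name == t_name and suffix != t_suffix:
            return "tld-swap", t
    for t in trusted:
        t_name, _ = split_domain(t)
        if name != t_name and levenshtein(name, t_name) <= MAX_EDIT_DISTANCE:
            return "typosquat", t
    for brand in brands:
        if brand in name and name != brand:
            return "brand-embedded", brand
    return "unknown", None


def classify_sender(address):
    """Verdict for the domain part of an e-mail address (defanged or not)."""
    _, _, domain = refang(address).rpartition("@")
    return classify_domain(domain)


if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(f"{sender:40} {classify_sender(sender)}")
    for domain in SAMPLE_DOMAINS:
        print(f"{domain:40} {classify_domain(domain)}")
```

<p>A check like this only covers the sender domain; the post also notes that the impersonator copied the real signature line and, in one case, replied to the impersonated person directly, so the verdict is an input to the recipient's judgement rather than a replacement for it.</p>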
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: https://www.redskyalliance.org/</li>
<li>Website: https://www.wapacklabs.com/</li>
<li>LinkedIn: https://www.linkedin.com/company/64265941</li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.reuters.com/world/asia-pacific/north-korean-cyber-spies-deploy-new-tactic-tricking-foreign-experts-into-writing-2022-12-12/">https://www.reuters.com/world/asia-pacific/north-korean-cyber-spies-deploy-new-tactic-tricking-foreign-experts-into-writing-2022-12-12/</a></p></div>Woody RAT is Gnawing at Russiahttps://redskyalliance.org/xindustry/woody-rat-is-gnawing-at-russia2022-08-07T18:34:56.000Z2022-08-07T18:34:56.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}10754604654,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10754604654,RESIZE_400x{{/staticFileLink}}" width="250" alt="10754604654?profile=RESIZE_400x" /></a>In light of all of the Russian ransomware attacks on organizations worldwide, a dose of Schadenfreude is a welcome sign. For our non-German readers: “Schadenfreude is the experience of pleasure, joy, or self-satisfaction that comes from learning of or witnessing the troubles, failures, or humiliation of another (especially an adversary). It is a borrowed word from German, with no direct translation, that originated in the 18th century.”</p>
<p>An unknown threat actor has been targeting Russian entities with a newly discovered remote access trojan called Woody RAT for at least a year as part of a spear-phishing campaign.<a href="#_ftn1">[1]</a> The advanced custom backdoor is said to be delivered via either of two methods: archive files or Microsoft Office documents leveraging the now-patched "Follina" support diagnostic tool vulnerability (CVE-2022-30190) in Windows.</p>
<p>Like other implants engineered for espionage-oriented operations, Woody RAT has a wide range of features that enable the threat actor to remotely commandeer infected systems and steal sensitive information from them. The mysterious group behind this malware, which has been targeting Russian organizations, attempted to strike a Russian aerospace and defense entity known as OAK.</p>
<p>Woody RAT enables remote control over infected devices. It can perform a broad range of commands and functions, extracting a wide variety of system data such as the operating system version and architecture, computer name, PowerShell information, user accounts and privileges, network data, and running processes. It can also gather information such as names, types, formats, and permissions. The RAT can download files and take screenshots, and it can upload files and launch them, which allows cybercriminals to install Trojans, ransomware, and other malware. "The earliest versions of this RAT were typically archived into a ZIP file pretending to be a document specific to a Russian group," researchers wrote in a recent report. "When the Follina vulnerability became known to the world, the threat actor switched to it to distribute the payload.”</p>
<p>Attacks leveraging the Windows flaw as part of this campaign first came to light on 7 June 2022, when researchers from the MalwareHunterTeam disclosed the use of a document named "Памятка.docx" (which translates to "Memo.docx") to deliver a CSS payload containing the trojan. The document allegedly offers best security practices for passwords and confidential information, among others, while acting as a decoy for dropping the backdoor. Besides encrypting its communications with a remote server, Woody RAT is equipped with capabilities to write arbitrary files to the machine, execute additional malware, delete files, enumerate directories, capture screenshots, and gather a list of running processes.</p>
<p>Also embedded within the malware are two .NET-based libraries named WoodySharpExecutor and WoodyPowerSession that can be used to run .NET code and PowerShell commands received from the server, respectively. In addition, the malware makes use of the process hollowing technique to inject itself into a suspended Notepad process and deletes itself from the disk to evade detection from security software installed on the compromised host.</p>
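<p>Two behaviours in this description lend themselves to endpoint detection: a hollowed, originally suspended notepad.exe that does things a user-launched editor never does, and a dropper that removes its own file from disk. The following is an added example of those checks run over constructed process, network and file events; it is not code from the original post or from Malwarebytes. The simplified Sysmon-like event shape and its field names are an assumption of this example, the dropper path and destination address are placeholders, and the baseline that Notepad is only ever launched from explorer.exe is an assumption to be tuned per environment.</p>

```python
"""Behavioural checks for the tradecraft described above (added example)."""

# Assumption: on this baseline, users launch Notepad from explorer.exe only.
EXPECTED_NOTEPAD_PARENTS = {"explorer.exe"}

SAMPLE_EVENTS = [  # CONSTRUCTED, simplified Sysmon-like records
    # Benign: user opens Notepad from the shell; must produce no finding.
    {"type": "process_create", "pid": 1001,
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    # Placeholder dropper launched from Word (the document delivery vector).
    {"type": "process_create", "pid": 2002,
     "image": r"C:\Users\u\AppData\Local\Temp\dropper_placeholder.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    # Dropper starts Notepad as the host process for injection.
    {"type": "process_create", "pid": 2003,
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Users\u\AppData\Local\Temp\dropper_placeholder.exe"},
    # The hollowed Notepad connects out (TEST-NET-3 placeholder address).
    {"type": "network_connect", "pid": 2003,
     "image": r"C:\Windows\System32\notepad.exe", "dest": "203.0.113.10:443"},
    # The dropper's file is removed from disk.
    {"type": "file_delete", "pid": 2003,
     "image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\u\AppData\Local\Temp\dropper_placeholder.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(events):
    """Return (rule, pid, detail) tuples for every heuristic that fires.

    Rules: notepad.exe with an unexpected parent; notepad.exe opening a
    network connection; deletion of an executable that ran in this window.
    """
    findings = []
    seen_images = set()  # lower-cased paths of executables that ran
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            seen_images.add(ev["image"].lower())
            if (basename(ev["image"]) == "notepad.exe"
                    and basename(ev["parent_image"]) not in EXPECTED_NOTEPAD_PARENTS):
                findings.append(("unusual_notepad_parent", ev["pid"],
                                 basename(ev["parent_image"])))
        elif kind == "network_connect":
            if basename(ev["image"]) == "notepad.exe":
                findings.append(("notepad_network", ev["pid"], ev["dest"]))
        elif kind == "file_delete":
            if ev["target"].lower() in seen_images:
                findings.append(("running_image_deleted", ev["pid"],
                                 basename(ev["target"])))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:24} pid={pid} {detail}")
```

<p>Each rule on its own is noisy (software installers delete their own files, and some environments legitimately script Notepad), so in practice the three are correlated on the same process tree within a short window before they are promoted to an alert.</p>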
<p><a href="{{#staticFileLink}}10754604075,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10754604075,RESIZE_400x{{/staticFileLink}}" width="324" alt="10754604075?profile=RESIZE_400x" /></a></p>
<p>Figure 1. Malwarebytes</p>
<p>Researchers have yet to attribute the attacks to a specific threat actor, citing a lack of solid indicators linking the campaign to a previously known group, although Chinese and North Korean nation-state collectives have targeted Russia in the past. This is interesting, as a “rat” is also someone who deserts their party, side, or cause.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a></p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://thehackernews.com/2022/08/new-woody-rat-malware-being-used-to.html">https://thehackernews.com/2022/08/new-woody-rat-malware-being-used-to.html</a></p></div>US Seizes Ransom from North Korean Ransomware Actorshttps://redskyalliance.org/xindustry/us-seizes-ransom-from-north-korean-ransomware-actors2022-07-21T12:52:29.000Z2022-07-21T12:52:29.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}10661601053,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10661601053,RESIZE_400x{{/staticFileLink}}" width="250" alt="10661601053?profile=RESIZE_400x" /></a>The US Justice Department announced on 19 July 2022 through a complaint filed in the US District of Kansas to forfeit cryptocurrency paid as ransom to North Korean hackers or otherwise used to launder such ransom payments. In May 2022, the Federal Bureau of Investigation (FBI) filed a sealed seizure warrant for the funds worth approximately half a million dollars. The seized funds include ransoms paid by health care providers in Kansas and Colorado. “Thanks to rapid reporting and cooperation from a victim, the FBI and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as ‘Maui,’” said a Deputy Attorney General at the International Conference on Cyber Security. “Not only did this allow us to recover their ransom payment as well as a ransom paid by previously unknown victims, but we were also able to identify a previously unidentified ransomware strain. The approach used in this case exemplifies how the Department of Justice is attacking malicious cyber activity from all angles to disrupt bad actors and prevent the next victim.”<a href="#_ftn1">[1]</a></p>
<p>According to court documents, in May 2021, North Korean hackers used a ransomware strain called Maui to encrypt the files and servers of a medical center in the District of Kansas. After more than a week of being unable to access encrypted servers, the Kansas hospital paid approximately $100,000 in Bitcoin to regain the use of their computers and equipment. Because the Kansas medical center notified the FBI and cooperated with law enforcement, the FBI was able to identify the never-before-seen North Korean ransomware and trace the cryptocurrency to China-based money launderers.</p>
<p>Then, as a result, in April 2022, the FBI observed an approximately $120,000 Bitcoin payment into one of the seized cryptocurrency accounts identified thanks to the cooperation of the Kansas hospital. The FBI’s investigation confirmed that a medical provider in Colorado had just paid a ransom after being hacked by actors using the same Maui ransomware strain. In May 2022, the FBI seized the contents of two cryptocurrency accounts that had received funds from the Kansas and Colorado health care providers. The District of Kansas then began proceedings to forfeit the hackers’ funds and return the stolen money to the victims. “Reporting cyber incidents to law enforcement and cooperating with investigations not only protects the United States, it is also good business,” said an Assistant Attorney General of the Justice Department’s National Security Division. “The reimbursement to these victims of the ransom shows why it pays to work with law enforcement.”</p>
<p>“These sophisticated criminals are constantly pushing boundaries to search for ways to extort money from victims by forcing them to pay ransoms in order to regain control of their computer and record systems,” said the US Attorney for the District of Kansas. “What these hackers don’t count on is the tenacity of the U.S. Justice Department in recovering and returning these funds to the rightful owners.”</p>
<p>“The FBI is dedicated to working with our federal and private sector partners to disrupt nation state actors who pose a critical cyber threat to the American people,” said the FBI Cyber Division Assistant Director. “Today’s success demonstrates the result of reporting to the FBI and our partners as early as possible when you are a victim of a cyber-attack; this provides law enforcement with the ability to best assist the victim. The US government will continue to pursue these malicious cyber actors, such as these North Korean hackers, who threaten the American public regardless of where they may be and work to successfully retrieve ransom payments where possible.”</p>
<p>“Today’s (19 July) announcement reiterates the FBI and Justice Department’s continued commitment to working with our critical infrastructure and private sector partners to identify and dismantle cyber threats, including new and emerging ransomware variants,” said the Special Agent in Charge of the FBI Kansas City Field Division. “Because of swift reporting by the victim medical center, action was taken to lessen the loss to the victim company, as well as identify the malware deployed, preventing additional cyber-attacks. The relationship between the FBI and our private sector partners is critical to discover, disrupt and dismantle cyber threats to our nation’s infrastructure.”</p>
<p>On 6 July 2022, based on information obtained during the Department’s investigation, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of the Treasury issued a joint cybersecurity advisory regarding the North Korean threat to US health care and public health sector organizations, which included indicators of compromise and mitigation advice. The FBI is the lead agency investigating this case.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and offers technical reports like this from our friends at Microsoft. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a></p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.justice.gov/opa/pr/justice-department-seizes-and-forfeits-approximately-500000-north-korean-ransomware-actors">https://www.justice.gov/opa/pr/justice-department-seizes-and-forfeits-approximately-500000-north-korean-ransomware-actors</a></p></div>Looking for a New Job?https://redskyalliance.org/xindustry/looking-for-a-new-job2022-03-29T13:24:37.000Z2022-03-29T13:24:37.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}10246398860,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10246398860,RESIZE_400x{{/staticFileLink}}" width="250" alt="10246398860?profile=RESIZE_400x" /></a>Proofpoint released a new report this week about fake job emails being sent by threat actors, noting that they are seeing nearly 4,000 similar phishing emails each day. Bad actors are using the promise of easy money to steal personal data or trick victims into committing money laundering. “These types of threats can cause people to lose their life savings or be tricked into participating in a criminal operation unknowingly,” said Proofpoint. “They are very concerning for universities especially, and Proofpoint detects and blocks thousands of employment fraud threats weekly that could harm their students and faculty.”</p>
<p>Proofpoint shared specific examples that included fake job offers from United Nations Children’s Fund (UNICEF) and fashion brands like Zaful and Fashion Nova. The phishing emails all have legitimate-looking corporate branding, compromised/spoofed university addresses, Google Forms, fake checks and more.<a href="#_ftn1">[1]</a></p>
<p>Proofpoint noted that the cybercriminals are exploiting the massive employment changes brought on by the COVID-19 pandemic to lure job seekers into clicking on malicious emails and links. Many of the emails seen by Proofpoint experts feature criminals posing as recruiters or employers offering jobs ranging from caregivers to administrative assistants, models, or rebate processors. “Some may initially start by collecting money allegedly for administrative fees or passport services, but that’s typically done to weed out applicants and is not usually the end goal. Additionally, participation in these schemes could result in a victim facing criminal charges for working as a money mule,” Proofpoint explained. “Of the job themed threats recently identified by Proofpoint, nearly 95% are targeted to educational institutions, mainly colleges and universities. Although most targets are in the United States, threat actors occasionally target European and Australian entities as well.”</p>
<p>Researchers noted that recent FBI reports have found that victims of these attacks lost a combined total of at least $62 million in 2020, a figure that should not be ignored. In one case study, Proofpoint analysts observed a threat actor spoofing a university email address and offering an executive personal assistant role at UNICEF. The email referenced a COVID-19 relief program and had a link to a Google Form that asked people to enter their information. After the researcher shared their information in the Google Form, the threat actor emailed them and sent several fake cashier checks before asking for money in return.</p>
<p>In January, UNICEF released a warning about these kinds of job offer scams, noting that they never charge fees during the recruitment process and will never request banking information. Proofpoint shared similar guidance, noting that no job will send payment before an employee’s first day.</p>
<p>Last week, Google released a security report highlighting that North Korean threat actors were running a similar scam, using fake job offers to spread malware at 10 different news outlets, domain registrars, web hosting providers and software vendors.</p>
<p>Common sense is instinct; enough of it is genius. Everyone has common sense. Use it when looking for jobs on the Internet. If the job sounds too good to be true, it is probably a fake job.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Our analysts agree with the CSP and tough cyber security regulations for better network and Internet protections. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a> </li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/hackers-send-almost-4000-fake-job-offer-emails-every-day-report/">https://therecord.media/hackers-send-almost-4000-fake-job-offer-emails-every-day-report/</a></p></div>Stealing Millions, yet a Twist of Fatehttps://redskyalliance.org/xindustry/stealing-millions-yet-a-twist-of-fate2022-02-08T18:13:21.000Z2022-02-08T18:13:21.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}10081515890,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10081515890,RESIZE_400x{{/staticFileLink}}" width="250" alt="10081515890?profile=RESIZE_400x" /></a>It is estimated that North Korea (KP) is continuing to steal hundreds of millions of dollars from financial institutions and cryptocurrency firms and exchanges. This stolen currency is an important source of funding for its nuclear and missile programs, UN experts said in a report quoting cyber specialists. The panel of experts said that according to an unnamed government, North Korean “cyber-actors stole more than $50 million between 2020 and mid-2021 from at least three cryptocurrency exchanges in North America, Europe and Asia, probably reflecting a shift to diversify its cybercrime operations.”</p>
<p>Investigators are saying that in 2021 the North Korean “cyber-actors stole a total of $400 million worth of cryptocurrency through seven intrusions into cryptocurrency exchanges and investment firms.” These cyberattacks “made use of phishing lures, code exploits, malware, and advanced social engineering to siphon funds out of these organizations’ internet-connected ‘hot’ wallets into DPRK (KP)-controlled addresses,” the panel said, using the initials of the country’s official name, the Democratic People’s Republic of Korea. The cryptocurrency funds stolen by the DPRK cyber actors “go through a careful money laundering process in order to be cashed out,” the panel of experts monitoring sanctions on North Korea said in the report to the UN Security Council.<a href="#_ftn1">[1]</a></p>
<p>In 2021, the panel quoted an unidentified country saying North Korea’s “total theft of virtual assets from 2019 to November 2020 is valued at approximately $316.4 million.” In the executive summary of the new report, the experts said North Korea has continued to develop its nuclear and ballistic missile programs. “Although no nuclear tests or launches of ICBMs were reported, KP continued to develop its capability for production of nuclear fissile materials,” the panel said. Those reactive materials, uranium or plutonium, are crucial for a nuclear reaction.</p>
<p>The experts noted “a marked acceleration” of North Korean missile launches through January that used a variety of technology and weapons. The experts said North Korea “continued to seek material, technology and know-how for these programs overseas, including through cyber means and joint scientific research.”</p>
<p>A year ago, the same investigative panel said North Korea had modernized its nuclear weapons and ballistic missiles by ignoring UN sanctions, using cyber-attacks to help finance its programs and continuing to seek material and technology overseas for its arsenal including in Iran. “Cyber-attacks, particularly on cryptocurrency assets, remain an important revenue source” for Kim Jong Un’s government. In addition to its recent launches, North Korea has threatened to lift its four-year moratorium on more serious weapons tests such as nuclear explosions and launches of intercontinental ballistic missiles. The UN Security Council initially imposed sanctions on North Korea after its first nuclear test explosion in 2006 and toughened them in response to further nuclear tests and the country’s increasingly sophisticated nuclear and ballistic missile programs.</p>
<p>North Korea’s blockade aimed at preventing COVID-19 resulted in “historically low levels” of people and goods entering and leaving the country. Legal and illegal trade, including in luxury goods, “has largely ceased,” though cross-border rail traffic resumed in early January, the panel said. The panel has previously made clear that North Korea remains able to evade sanctions and to illicitly import refined petroleum, access international banking channels and carry out “malicious cyber activities.” UN sanctions ban North Korean coal exports, and the experts said in the new report that although coal exports by sea increased in the second half of 2021, “they were still at relatively low levels. The quantity of illicit imports of refined petroleum increased sharply in the same period, but at a much lower level than in previous years,” the panel said, adding that direct deliveries by non-North Korean tankers have ceased and only tankers from the North delivered oil, “a marked change of methodology” probably in response to COVID-19 measures. The experts said North Korea also continues to evade maritime sanctions “by deliberately obfuscated financial and ownership networks.”</p>
<p>While the humanitarian situation in the country continues to worsen, the panel said the almost complete lack of information from the country makes it difficult to determine the “unintended humanitarian consequences of UN sanctions affecting the civilian population.”</p>
<p>In a twist of fate, North Korea has lost Internet access again. The country experienced an Internet outage that may have been caused by a cyber-attack, losing connectivity for approximately six hours last week. The incident was the second outage to hit North Korea in the past two weeks. Perhaps the APT hackers in the KP are poking the wrong countries.</p>
<p>A cybersecurity researcher who monitors various North Korean web and email servers from a location in Britain said the latest outage could have resulted from a distributed denial-of-service (DDoS) attack. Describing the recent incident, the source said: “When someone would try to connect to an IP address in North Korea, the internet would literally be unable to route their data into the country.”</p>
<p>Within a few hours of the suspected DDoS attack, servers supporting email were back up and running. Additional disruption and downtime continued to impact individual web servers of institutions, including North Korea’s ministry of foreign affairs, the Air Koryo airline, and Naenara, the official portal for the North Korean government.</p>
<p>Seoul-based news site NK Pro, which monitors events in North Korea, reported that log files and network records indicated that websites ending in .kp and hosted on North Korean web domains were mostly unreachable. The reason given for this was that North Korea’s Domain Name System (DNS) had ceased to communicate the routes that data packets are meant to take.<a href="#_ftn2">[2]</a></p>
<p>A similar incident occurred in North Korea on 14 January 2022. The server outage was “the result of some form of network stress rather than something like a power cut.” The result was that no traffic was being sent to or from North Korea at the peak of the recent attack. “It’s common for one server to go offline for some periods of time, but these incidents have seen all web properties go offline concurrently. It is not common to see their entire internet dropped offline,” said a trusted reporter. “During the incidents, operational degradation would build up first with network timeouts, then individual servers going offline and then their key routers dropping off the Internet.” North Korea has blamed the US for the continued service outages.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization who has long collected and analyzed cyber indicators. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a> </li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.securityweek.com/un-experts-north-korea-stealing-millions-cyber-attacks">https://www.securityweek.com/un-experts-north-korea-stealing-millions-cyber-attacks</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.oodaloop.com/briefs/2022/01/27/north-korea-loses-internet-in-suspected-cyber-attack/">https://www.oodaloop.com/briefs/2022/01/27/north-korea-loses-internet-in-suspected-cyber-attack/</a></p></div>Does It Really Matter?https://redskyalliance.org/xindustry/does-it-really-matter2021-05-18T12:51:55.000Z2021-05-18T12:51:55.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}8941840492,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8941840492,RESIZE_400x{{/staticFileLink}}" width="250" alt="8941840492?profile=RESIZE_400x" /></a>Recently a trusted cyber professional of Red Sky Alliance, with close to 40 years in the business said, “As cyber technology grew in the last thirty plus years, our international community sacrificed security for convenience.” So true. </p>
<p>Now we ask: if a Russian cyber-criminal group<a href="#_ftn1">[1]</a> or the North Korean military hacks<a href="#_ftn2">[2]</a> your company, places ransomware on your network because of corporate carelessness and then demands millions to unlock your valuable data - at that point - does it really matter who committed the malware attack? Your company has come to a screeching halt. Now you have a devastating financial loss that may have been prevented. </p>
<p>The US Department of Defense (DoD), Cyber Policy division, recently stated, "The line between nation-state and criminal actors is increasingly blurry as nation-states turn to criminal proxies as a tool of state power, then turn a blind eye to the cyber-crime perpetrated by the same malicious actors." This statement was provided during a hearing on 14 May 2021 before the US House of Representatives, Armed Services Committee.</p>
<p>The DoD policy division explained the Russian security services are commonly known to leverage the activities of cyber criminals and often defend them from prosecution for crimes committed for personal benefit. Many believe this is exactly what happened with the recent Colonial Pipeline cyber-attack (Darkside group). "We have also seen some states allow their government hackers to moonlight as cyber criminals. This is not how responsible states behave in cyberspace, nor can responsible states condone shielding of this criminal behavior."</p>
<p>For US authorities, knowing who is responsible for malicious cyber behavior is important because it determines how to respond and whom to target. When non-state actors engage in financially motivated crimes, it is the US Federal Bureau of Investigation (FBI) and the US Department of Justice (DOJ) who are responsible for pursuing those cyber criminals. "The challenge I think that we have is that when those attacks first come across the network and impact us, when we see that malicious activity, it's always a challenge of attribution to be able to pull it apart and figure out who are the state actors and who are the non-state actors, [and] which elements of government would then be tasked with the lead to disrupt that activity varies based on location and whether or not they are criminal or not," a DoD representative explained.</p>
<p>While the FBI and DOJ handle criminal activities inside the US, it is the role of US Military Cyber Command to focus on cyber threats against the homeland from adversary nation-states. State sponsored hackers are the focus of the Cybercom and National Security Agency (NSA). One area where the role of Cybercom proved important was in the 2020 national election. The security of the 2020 election was ensured through the Election Security Group, which is a combined effort of Cybercom and NSA.<a href="#_ftn3">[3]</a> "We built on lessons from earlier operations and honed partnerships with the FBI, and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), sharing information with those who needed it as fast as possible. To protect the 2020 elections," Cybercom said, "Cybercom conducted more than two dozen operations to get ahead of foreign threats before they were able to interfere with or influence elections. I'm proud of the work the command and the election security group performed as part of a broader government effort to deliver a safe, secure, 2020 election," a Cybercom chief boasted.</p>
<p>With the recent hack of the Colonial Pipeline Company by ransomware actors, many believe the Russian government had knowledge of the attack. However, some researchers think that the Darkside actor(s) possibly angered nation-state hacking groups, who are now turning their backs on Darkside and attempting to disband them in retaliation for drawing such an international spotlight on the criminal ransomware industry. Darkside created a serious wound that will not heal easily. </p>
<p>Ask truck and car drivers living in the southeastern US whether they care why the attack happened or who committed it. Even after the criminals were tentatively identified, people could not get gas, and many STILL cannot get gas. They don’t really care who committed the attack, yet they are mad and now want retribution. Darkside screwed up big time.</p>
<p>Good cyber security posture is a necessity and if employed properly will drastically reduce your vulnerabilities against cyber threats. Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and has been helping companies since 2013 with proactive approaches to cyber security. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com</p>
<p><strong>Weekly Cyber Intelligence Briefings</strong>:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/3702558539639477516">https://attendee.gotowebinar.com/register/3702558539639477516</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-servers-bitcoin-stash-seized/">https://krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-servers-bitcoin-stash-seized/</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://portswigger.net/daily-swig/beyond-lazarus-north-korean-cyber-threat-groups-become-top-tier-reckless-adversaries">https://portswigger.net/daily-swig/beyond-lazarus-north-korean-cyber-threat-groups-become-top-tier-reckless-adversaries</a></p>
<p><a href="#_ftnref3">[3]</a> <a href="https://www.defense.gov/Explore/News/Article/Article/2618386/in-cyber-differentiating-between-state-actors-criminals-is-a-blur/">https://www.defense.gov/Explore/News/Article/Article/2618386/in-cyber-differentiating-between-state-actors-criminals-is-a-blur/</a></p></div>State Sponsored Cyber Criminals Work Against All of Ushttps://redskyalliance.org/xindustry/state-sponsored2021-04-29T19:49:26.000Z2021-04-29T19:49:26.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}8872293089,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8872293089,RESIZE_400x{{/staticFileLink}}" alt="8872293089?profile=RESIZE_400x" width="250" /></a>China, Russia, North Korea, and Iran continue to pose significant cybersecurity threats to the US, because each is capable of launching disruptive attacks, according to a report published 13 April 2021 by the Office of the Director of National Intelligence.</p>
<p>Threats include disinformation campaigns that target elections and try to undermine democratic institutions as well as aggressive hacking campaigns, such as the SolarWinds supply chain attack, according to the report. In many cases, criminal gangs that maintain mutually beneficial relationships with nation-states pose a threat to the US, the report notes.<a href="#_ftn1">[1]</a></p>
<p>"Foreign states use cyber operations to steal information, influence populations, and damage industry, including physical and digital critical infrastructure," according to the unclassified document. "Although an increasing number of countries and non-state actors have these capabilities, we remain most concerned about Russia, China, Iran, and North Korea."</p>
<p>The Office of the Director of National Intelligence released the "Annual Threat Assessment of the US Intelligence Community" report Tuesday ahead of several congressional hearings scheduled this week that will examine a range of threats to the US. The first of these hearings is scheduled for this week before the US Senate Select Committee on Intelligence, and the leaders of the FBI, CIA, and the National Security Agency are slated to testify.</p>
<p>The report follows a pair of assessments released in March by ODNI and the Department of Homeland Security that confirmed Russia and Iran attempted to interfere in the 2020 presidential election through disinformation campaigns. But the agencies also found no attempt by foreign hackers to directly manipulate vote tabulations or results.</p>
<p>Previous reports over the last several years have also pointed to China, Russia, North Korea and Iran as posing the most significant cyber threats to US citizens and the federal government. "Beijing, Moscow, Tehran, and Pyongyang have demonstrated the capability and intent to advance their interests at the expense of the United States and its allies, despite the pandemic," ODNI says in its new report.</p>
<p>The report also notes that as these four nations attempt more aggressive cyber campaigns, other nation-states could be emboldened to attempt similar operations.</p>
<p>China: The nation's cyber capabilities, as well as its investment in newer technologies, continue to grow. As a result, China is capable of launching "localized, temporary disruptions to critical infrastructure" in the US. China also conducts cyber intrusions that affect US citizens beyond the country's borders, including hacking journalists and stealing personal information.</p>
<p>Russia: This country continues to target critical infrastructure, including undersea cables and industrial control systems. "Russia almost certainly considers cyberattacks an acceptable option to deter adversaries, control escalation and prosecute conflicts," ODNI says in the report, which notes the nation was likely responsible for the SolarWinds supply chain attack.</p>
<p>North Korea: While its cyber capabilities are not as expansive as Russia's or China's, North Korea can disrupt US critical infrastructure as well as software supply chains. The country is focused on targeting financial institutions and cryptocurrency exchanges both in the US and elsewhere.</p>
<p>Iran: This nation has ramped up its cyber operations and can now target US infrastructure. Iran is spreading disinformation and conducting more sophisticated cyber espionage campaigns, ODNI says.</p>
<p>The report also builds on the assessments released earlier this year that several of these countries are seeking to undermine faith in US democratic institutions and elections through the use of disinformation as well as by attacking journalists and religious minorities.</p>
<p>"Democracies will continue to debate how to protect privacy and civil liberties as they confront domestic security threats and contend with the perception that free speech may be constrained by major technology companies," the report states. "Authoritarian and illiberal regimes, meanwhile, probably will point to democracies’ embrace of these tools to justify their own repressive programs at home and malign influence abroad."</p>
<p>Red Sky Alliance has been analyzing and documenting these types of cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at <a href="https://redskyalliance.org">https://redskyalliance.org</a> at no charge. Many past tactics are often dusted off and reused in current malicious campaigns. Red Sky Alliance can provide actionable cyber intelligence and weekly blacklists to help protect your network. </p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com</p>
<p><strong>Weekly Cyber Intelligence Briefings</strong>:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/3702558539639477516">https://attendee.gotowebinar.com/register/3702558539639477516</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.bankinfosecurity.com/intelligence-report-4-nations-pose-serious-cyberthreat-to-us-a-16394">https://www.bankinfosecurity.com/intelligence-report-4-nations-pose-serious-cyberthreat-to-us-a-16394</a></p></div>Are North Korean Hackers Offering you a New Job?https://redskyalliance.org/xindustry/north-korean-hackers2020-11-13T17:54:40.000Z2020-11-13T17:54:40.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p>A cyberespionage campaign aimed at the aerospace and defense sectors, which installs data-gathering implants on victims' machines for surveillance and data exfiltration, may have been more sophisticated than previously thought. Job and employment ads and postings have been the recent bait for unsuspecting victims.</p>
<p>The attacks, which targeted IP-addresses belonging to internet service providers (ISPs) in Australia, Israel, Russia, and defense contractors based in Russia and India, involved a previously undiscovered spyware tool called Torisma to stealthily monitor its victims for continued exploitation. Tracked under the codename of "Operation North Star" by McAfee researchers, initial findings into the campaign in July revealed the use of social media sites, spear-phishing, and weaponized documents with fake job offers to trick employees working in the defense sector to gain a foothold on their organizations' networks.</p>
<p>The attacks have been attributed to infrastructure and TTPs (tactics, techniques, and procedures) previously associated with Hidden Cobra, an umbrella term used by the US government to describe all North Korean state-sponsored hacking groups. Microsoft has referred to this group as Zinc. Since 2009, Hidden Cobra actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. The US Federal Bureau of Investigation says that the Lazarus Group is a North Korean "state-sponsored hacking organization."</p>
<p>Lazarus Group is a cybercrime group made up of an unknown number of individuals. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them over the last decade. Originally a criminal group, the group has now been designated as an advanced persistent threat due to the intended nature and threat of its operations and the wide array of methods it uses when conducting them.</p>
<p>The development continues the trend of North Korea, a heavily sanctioned country, leveraging its arsenal of threat actors to support and fund its nuclear weapons programs by perpetuating malicious attacks on US defense and aerospace contractors. While the initial analysis suggested the implants were intended to gather basic victim information so as to assess their value, the latest investigation into Operation North Star exhibits a "degree of technical innovation" designed to remain hidden on compromised systems.</p>
<p>Not only did the campaign use legitimate job recruitment content from popular US defense contractor websites to lure targeted victims into opening malicious spear-phishing email attachments, the attackers compromised and used genuine websites in the US and Italy, an auction house, a printing company, and an IT training firm to host their command-and-control (C2) capabilities. "Using these domains to conduct C2 operations likely allowed them to bypass some organizations' security measures because most organizations do not block trusted websites," McAfee researchers Christiaan Beek and Ryan Sherstibitoff reported.</p>
<p>What is more, the first-stage implant embedded in the Word documents would go on to evaluate the victim system data (date, IP address, User-Agent, etc.) by cross-checking it against a predetermined list of target IP addresses before installing the second implant, Torisma, all the while minimizing the risk of detection and discovery. This specialized monitoring implant is used to execute custom shellcode, in addition to actively monitoring for new drives added to the system as well as remote desktop connections. "This campaign was interesting in that there was a particular list of targets of interest, and that list was verified before the decision was made to send a second implant, either 32 or 64 bits, for further and in-depth monitoring," the researchers said. "Progress of the implants sent by the C2 was monitored and written in a log file that gave the adversary an overview of which victims were successfully infiltrated and could be monitored further."</p>
<p>During these difficult times of the pandemic and increased levels of unemployment, please be cautious of job offers and online recruiters. Working from home adds additional vulnerabilities for job hunters. Ensure that you are current with your security services and schedule automatic software updates. </p>
<p><strong>Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization. Red Sky Alliance has been analyzing and documenting cyber threats and vulnerabilities for over 9 years and maintains a resource library of malware and cyber actor reports.</strong></p>
<p><strong>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </strong></p>
<p><strong>Weekly Cyber Intelligence Briefings: </strong></p>
<p><strong><a href="https://attendee.gotowebinar.com/register/8782169210544615949">https://attendee.gotowebinar.com/register/8782169210544615949</a></strong></p>
<ul>
<li><strong>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></strong></li>
<li><strong>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></strong></li>
<li><strong>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></strong></li>
</ul>
</div>Cyber Threat to the Homeland – October 2020https://redskyalliance.org/xindustry/cyber-threat-to-the-homeland-october-20202020-10-07T20:27:25.000Z2020-10-07T20:27:25.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p>Our friends from the US Department of Homeland Security have provided an open source Threat Assessment for October 2020, which is Cyber Security Awareness Month. The following is the Cyber Threat Assessment section.</p>
<p>Cyber threats to the Homeland from both nation-states and non-state actors will remain acute. U.S. critical infrastructure faces advanced threats of disruptive or destructive cyber-attacks. Federal, state, local, tribal and territorial governments, as well as the private sector, will experience an array of cyber-enabled threats designed to access sensitive information, steal money, and force ransom payments.</p>
<p><strong>Nation State Threats</strong></p>
<p><strong>Russia</strong>—which possesses some of the most sophisticated cyber capabilities in the world—can disrupt or damage U.S. critical infrastructure networks via cyber-attacks. Russian state-affiliated actors will continue targeting U.S. industry and all levels of government with intrusive cyber espionage to access economic, policy, and national security information to further the Kremlin’s strategic interests.</p>
<ul>
<li>Russia probably can conduct cyber-attacks that would result in at least localized effects over hours to days and probably is developing capabilities that would cause more debilitating effects.</li>
<li>We expect Russian cyber actors to use a range of capabilities including social engineering, publicly known software and hardware vulnerabilities, poorly configured networks, and sophisticated “zero-day” attacks that exploit security weaknesses in software.</li>
<li>Under Russian law, the Federal Security Service (FSB) can compel Russian firms doing business in the United States—or Russians working with U.S. firms—to comply with FSB information sharing and operational mandates, presenting additional routes for cyber espionage.</li>
</ul>
<p><strong>China </strong></p>
<p>China already poses a high cyber espionage threat to the Homeland and Beijing’s cyber-attack capabilities will grow. Chinese cyber actors almost certainly will continue to engage in wide-ranging cyber espionage to steal intellectual property and personally identifiable information (PII) from U.S. businesses and government agencies to bolster their civil-military industrial development, gain an economic advantage, and support intelligence operations. China possesses an increasing ability to threaten and potentially disrupt U.S. critical infrastructure.</p>
<ul>
<li>We expect China’s cyber operations against U.S. companies to focus on the critical manufacturing, defense industrial base, energy, healthcare, and transportation sectors.</li>
<li>Beijing has targeted information technology and communications firms whose products and services support government and private-sector networks worldwide, while concurrently advocating globally for Chinese information technology companies that could serve as espionage platforms.</li>
<li>Under China’s 2017 National Intelligence Law, Beijing can compel businesses based in China and Chinese citizens living abroad to provide intelligence to the Chinese government.</li>
<li>We remain concerned about China’s intent to compromise U.S. critical infrastructure to cause disruption or destruction.</li>
<li>China’s efforts to dominate the 5G world pose new challenges to U.S. national security, privacy, resistance to malign influence, and human rights. The exponential increases in speed, connectivity, and productivity could render American systems particularly vulnerable to Chinese cyber threats.</li>
</ul>
<p><strong>Iran and North Korea</strong></p>
<p>While Russia and China are the most capable nation-state cyber adversaries, Iranian and North Korean cyber actors also pose a threat to U.S. systems, networks, and information. Iran continues to present a cyber espionage threat and is developing access in the Homeland that could be repurposed for destructive cyber-attacks. North Korean cyber capabilities, while sophisticated, probably will remain confined to criminal threats and generation of revenue. If Pyongyang’s intent changes, however, it probably could quickly build capabilities to conduct broader espionage activity or threaten infrastructure with disruptive cyber-attacks.</p>
<p><strong>Cybercrime</strong></p>
<p>Cybercriminals increasingly will target U.S. critical infrastructure to generate profit, whether through ransomware, e-mail impersonation fraud, social engineering, or malware. Underground marketplaces that trade in stolen information and cyber tools will continue to thrive and serve as a resource, even for sophisticated foreign adversaries.</p>
<ul>
<li>Ransomware attacks—which have at least doubled since 2017—often are directed against critical infrastructure entities at the state and local level by exploiting gaps in cybersecurity.</li>
<li>Victims of cybercriminal activity in 2018 reported over $2.7 billion in losses—more than twice the amount lost in 2017. This figure does not represent the full scope of loss because some victims do not report incidents.</li>
</ul>
<p><strong>Cyber Threat to the U.S. Democratic Processes</strong></p>
<p>Some state or non-state actors likely will seek to use cyber means to compromise or disrupt infrastructure used to support the 2020 U.S. Presidential election and the 2020 U.S. Census. Given the national importance of these events, any related cyber activities—or mere claims of compromise—might fuel influence operations aimed at depressing voter turnout or census participation, misinforming about democratic processes, or shaping perceptions about the integrity or outcome of the election or census.</p>
<ul>
<li>Advanced persistent threat or other malicious cyber actors likely will target election-related infrastructure as the 2020 Presidential election approaches, focusing on voter PII, municipal or state networks, or state election officials directly. Operations could occur throughout the 2020 election cycle—through pre-election activities, Election Day, and the post-election period.</li>
<li>Adversaries’ cyber capabilities vary greatly—as does the cyber defensive posture of electoral boards to stymie such actors. Adversaries could attempt a range of election interference activities, including efforts to target voter registration systems; to compromise election system supply chains; to exploit poor cybersecurity practices on protected election systems or networks; or to hack official election websites or social media accounts.</li>
<li>Unidentified cyber actors have engaged in suspicious communications with the U.S. Census public-facing network over at least the last year, including conducting vulnerability scans and attempting unauthorized access. Cyber activity directed at the U.S. Census could include attempts to gain illicit access to census-gathered bulk data; to alter census registration data; to compromise the census infrastructure supply chain; or to conduct denial-of-service attacks.</li>
</ul>
<p>__________________________________________________________________</p>
<p>Red Sky Alliance supports the installation, updating and monitoring of firewalls; together with cyber security and proper employee training, these are keys to blocking attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.</p>
<p>What can you do to better protect your organization today?</p>
<ul>
<li>All data in transmission and at rest should be encrypted.</li>
<li>Proper data back-up and off-site storage policies should be adopted and followed.</li>
<li>Implement 2-Factor authentication company wide. (Read MFA)</li>
<li>Join and become active in your local InfraGard chapter; there is no charge for membership (infragard.org).</li>
<li>Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.</li>
<li>Institute cyber threat and phishing training for all employees, with testing and updating.</li>
<li>Recommend/require cyber security software, services and devices to be used by all at home working employees and consultants.</li>
<li>Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.</li>
<li>Ensure that all software updates and patches are installed immediately.</li>
<li>Enroll your company/organization in RedXray for daily notifications of cyber threats directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network.</li>
<li>Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.</li>
</ul>
<p>Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.</p>
<p>Articles about the cyber threat groups mentioned in this report can be found at <a href="https://redskyalliance.org">https://redskyalliance.org</a>. There is no charge for access to these reports.</p>
<p>Our services can help protect against attacks such as these. We provide internal monitoring in tandem with RedXray notifications on ‘external’ threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.</p>
<p>The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a> </li>
</ul>
</div>NoKo & Russians Cybercriminals May be Working Togetherhttps://redskyalliance.org/xindustry/noko-russians-cybercriminals-may-be-working-together2020-10-02T17:36:45.000Z2020-10-02T17:36:45.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p>Cyber threat researchers have examined security incidents over the past several years that appear to connect North Korea's Lazarus Group with Russian-speaking attackers. A recent analysis has examined reports from years of security incidents to pinpoint links between Lazarus Group, historically tied to North Korea, and Russian-speaking cybercriminals.</p>
<p>In a summary of his findings, Mark Arena, CEO of security firm Intel 471, holds two generally accepted assumptions: that Lazarus Group is tied to North Korea, and that TrickBot, TA505, and Dridex are connected to Russian-speaking cybercriminals. During the analysis, Arena explored public and open sources from security researchers who published information on threat activity.</p>
<p>The report concludes North Korean attackers are likely active in the cybercriminal underground and maintain relationships with high-level Russian-speaking cybercriminals. Further, malware believed to be used by, and likely written by, North Korean attackers were "very likely" distributed using network accesses held by Russian-speaking cybercriminals.</p>
<p>"[There's] the link between TrickBot and the operators behind TrickBot pretty clearly selling accesses to financial institutions to the North Koreans," says Arena. "And the fact that getting access to the TrickBot operators – figuring out who they are and who you contact for that – you have to be pretty vetted from a cybercriminal perspective."</p>
<p>TrickBot is a malware distribution framework not advertised on any open or invite-only criminal forum or marketplace. It is only accessible to top-tier criminals with a proven reputation gained through involvement with buying and selling products and services in the criminal underground. The ability of North Korean attackers to communicate with TrickBot's operators and customers would mean they are considered top-tier cybercriminals themselves.</p>
<p>Dr. Greg Rattray, partner and founder for Next Peak LLC, and former NSC director for cybersecurity at the White House, agrees. Rattray calls Lazarus Group the "quintessential scary, emerging strategic actor." While who they are is a little indeterminate, "they are a group with real capability" and nation-state grade tools, which they will use to achieve any number of goals.</p>
<p>"Any organized group uses the least necessary tools," says Rattray, who has previously run the red team and offensive operations. Lazarus Group is capable of using the tools necessary to achieve any number of goals aligning with what the North Korean regime wants, he adds. TrickBot is one of them. SentinelOne researchers spotted Lazarus Group using TrickBot to deploy its own malware samples onto the network of a business targeted with the Anchor attack toolset.</p>
<p>TrickBot infections normally begin with successful phishing campaigns. This attack type makes cyber threat training/testing/awareness programs important for all employees. Based on findings from SentinelOne and several other research teams, Intel 471 assesses a likely link between TrickBot operators and North Korean attackers. TrickBot seems to be a source of compromised access that North Korean actors can use, and the people controlling it seem well-versed in identifying compromised organizations for follow-up attack activity, whether through Anchor or other intrusion tools like Metasploit, Cobalt Strike, or Empire.</p>
<p>The TrickBot link was the strongest discovered between North Korean attackers and Russian-speaking cybercriminals. Arena estimates this activity has been ongoing for over a year, though despite the length of time, it is unclear whether the Russian speaking actors know they are selling to North Korean attackers, who he says are also speaking in Russian.</p>
<p>Intel 471 also explored potential connections between North Korean attackers and TA505, as well as links to Dridex. They concluded while TA505 may have historically worked with North Korean attackers on occasion, it does not seem to have happened recently. No link was found between North Korea and Dridex.</p>
<p>So how do North Korea and Russian-speaking attackers benefit from such a collaboration? As always, follow the money. Arena starts with Russia, "What they gain out of it is their access to a team or group of people [who] are specialized in hacking banks and stealing huge amounts of money," he explains.</p>
<p>If Russian speaking attackers sell access to a financial institution, for example, there could be a monetary incentive if the intrusion is successful. The North Korean actors who steal the funds may be required to pay a percentage to the Russians if they are successful in stealing large sums of money.</p>
<p>For North Korea, the benefit is a source of access to financial institutions. While they likely have the capability to social engineer their way into a bank, the process is time-consuming. "If they're able to leverage accesses in the underground from other criminals, that's just something they don't have to do themselves," Arena adds.</p>
<p>From a cybercrime perspective, Russia is "leaps and bounds" ahead of other regions, which makes it an appealing collaborator. While some Russian-speaking actors are motivated by espionage, the groups in this case are purely motivated by financial gain, a goal that aligns them with North Korean attackers. Their primary focus is on organizations with lower levels of security. For example, Rattray points to the attack on the Bank of Bangladesh, conducted by APT 38, an attack group that emerged as its own entity from the Lazarus Group. The rise of APT 38 coincided with international economic sanctions against North Korea and the resulting economic pressures.</p>
<p>This was one of a large number of attacks against weak nodes in the payment system. Attackers did not get inside the SWIFT organization but inside the people who use SWIFT to transfer major sums. "That's a transformational type of risk," he adds. "If we can't be confident that endpoints in the SWIFT system are not going to be corrupted and move tens, if not hundreds, of millions of dollars in fraudulent transactions, people start to get worried."</p>
<p>Getting inside the Bank of Bangladesh and living in there long enough to figure out how to push a fraudulent payment is something an intelligence agency might do, Rattray points out. While he does not track specific attack groups, he says collaboration with Russian-speaking actors would be a "logical evolution" for the group. "Lazarus Group has and will continue to use the tools and techniques necessary for the mission," he says. "They operate like an intelligence service." The group has proved itself highly capable, and willing, to do the highest end of bad things, and its agility in doing so is an asset.</p>
<p><strong>Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports. </strong></p>
<p><strong>The installation, updating, and monitoring of firewalls, cybersecurity, and proper employee training are keys to blocking attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.</strong></p>
<p><strong>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com. </strong></p>
<p><strong>Red Sky Alliance can help protect against attacks such as these. We provide both internal monitoring in tandem with RedXray notifications on ‘external’ threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.</strong></p>
<p><strong>Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a></strong></p>
<ul>
<li><strong>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></strong></li>
<li><strong>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></strong></li>
<li><strong>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></strong></li>
</ul>
</div>The BeagleBoyz are not a new “Boy Band”https://redskyalliance.org/xindustry/the-beagleboyz-are-not-a-new-boy-band2020-08-31T18:54:32.000Z2020-08-31T18:54:32.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p>The Cybersecurity and Infrastructure Security Agency (CISA) and other US agencies have issued a warning about increases in bank e-thefts worldwide organized by a hacking group called "BeagleBoyz." Researchers believe this group has ties to the North Korean government. The BeagleBoyz group is a subset of the North Korean-backed hacking collective known as the Lazarus Group or Hidden Cobra. The report details how the BeagleBoyz have made off with an estimated $2 billion in funds and cryptocurrency since 2015, along with how financial institutions can protect themselves against the group's known patterns of attack. The subgroup, active since at least 2014, works to provide the government, which faces economic sanctions, with illicit funds, according to the joint alert. Along with the theft of massive amounts of money that the United Nations believes is used for North Korea's nuclear weapons and ballistic missile programs, the e-robberies also pose a serious risk to financial institutions' reputations, their operations, and public confidence in banking.</p>
<p>The security firm F-Secure reports that the Lazarus Group recently targeted an employee of a cryptocurrency exchange with a fake job offer to insert malware and steal virtual currency. The group has used a variety of approaches to gaining initial access: Spear phishing, watering holes, social engineering, malicious files, and even contracted third-party hacking groups have been used for initial penetration. Once inside a network, the BeagleBoyz use a wide variety of approaches to meet their objectives, establish a persistent presence, evade defense, and harvest credentials of privileged users.</p>
<p>In its latest campaign, this hacking group has used a variety of malicious tools and malware to target banks and other organizations. The threat actors typically use compromised remote access to gain an initial foothold in a network. Once the hackers have penetrated a network, they attempt to conduct an ATM cash-out scheme and use money mules to collect the funds. Additionally, the BeagleBoyz group conducts fraudulent money transfers through SWIFT, the global money-transfer network.</p>
<p>The BeagleBoyz group is believed to be responsible for a series of attacks against banks since 2016 that CISA calls "FASTCash." Researchers also believe the BeagleBoyz group played a role in the theft of $81 million from Bangladesh Bank in 2016.</p>
<p>"As opposed to typical cybercrime, the group likely conducts well-planned, disciplined and methodical cyber operations more akin to careful espionage activities," according to the joint alert from the US agencies. "Their malicious cyber operations have netted hundreds of millions of US dollars and are likely a major source of funding for the North Korean regime. The group has always used a calculated approach, which allows them to sharpen their tactics, techniques, and procedures while evading detection."</p>
<p>VMware says that North Korean hackers have learned much of their craft from their Russian counterparts and have grown more sophisticated over the years. "They are truly formidable as they are the benefactors of tech transfer from the Russian dark web forums. It is imperative that the financial sector recognize that they have true situational awareness per the unique interdependencies of the sector and are willing to leverage counter incident response and destructive attacks to burn the evidence."</p>
<p>A VMware report indicates a BeagleBoyz hacking attempt typically starts with a spear-phishing email that targets specific bank employees. Or the hacking group uses a watering hole attack, which involves compromising legitimate websites and installing malware to target site visitors.</p>
<p>In the latest series of attacks, the BeagleBoyz group is also deploying social engineering techniques, such as fake job offers that target employees. The joint advisory notes: "Toward the end of 2018 through 2019 and in early 2020, the BeagleBoyz demonstrated the use of social engineering tactics by carrying out job application themed phishing attacks using publicly available malicious files."</p>
<p>This hacking group relies on other cybercriminal groups, such as TA505, to help gain initial access to systems using commodity malware. Once a system is compromised, the other group hands over access to the BeagleBoyz for exploitation. To gain a foothold within a targeted network, the hackers use a number of techniques, including emailing malicious attachments that contain malware; exploiting weaknesses, bugs, and vulnerabilities in internet-facing systems; stealing the credentials of a specific user or service account; and breaching third-party organizations that have access to the primary target's network, according to the alert.</p>
<p>The hacking group also deploys its own malware across compromised devices and networks. This includes trojans such as Hoplight, first publicly identified in 2019. Hoplight consists of several proxy applications that form part of the implant's "phone home" operation: the proxies sit between the malware and its operators and, according to the alert and CISA's accompanying malware analysis, can disguise command-and-control traffic by generating fake TLS handshake sessions using valid public SSL certificates, so that connections to the operators look like ordinary HTTPS.</p>
<p>Malware such as Hoplight and another variant called CrowdedFlounder (CROWDEDFLOUNDER in the CISA report) work with the hacking group's command-and-control infrastructure to assist with the exfiltration of data, which includes compressing and encrypting files to evade detection.</p>
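<p>The staging behaviour described above, compressing and encrypting files before exfiltration, has a measurable side effect: the resulting bytes are close to uniformly distributed and, unlike an ordinary archive, carry no recognisable container header. The following detector, added here as an illustrative example and not code from the alert or from any of the malware families named above, scores a file on both properties. The sample authentication log, the toy keystream cipher used only to produce a reproducible ciphertext, and the 7.5-bit threshold are all constructed for the example and are not values from the alert.</p>

```python
"""Flag staged files that look compressed-and-encrypted.

Compression removes redundancy, so the output is close to uniformly
distributed; encryption then strips the container header that would
otherwise identify it as a zip or gzip archive. A file that is both
near-maximal in byte entropy and lacks any known magic number is a
candidate exfiltration stage. All inputs below are constructed.
"""
import hashlib
import math
import zlib
from collections import Counter

# Magic numbers of containers that are legitimately high-entropy.
MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x78\x9c": "zlib",
    b"\x78\xda": "zlib",
    b"\x89PNG": "png",
    b"%PDF": "pdf",
    b"\xff\xd8\xff": "jpeg",
}
ENTROPY_THRESHOLD = 7.5   # bits per byte; 8.0 is the maximum


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the byte-value histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def known_container(data: bytes):
    """Name of the container whose magic number the data starts with, or None."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def classify(data: bytes, threshold: float = ENTROPY_THRESHOLD):
    """Return (entropy, container, verdict) for one file's contents."""
    ent = shannon_entropy(data)
    container = known_container(data)
    if ent >= threshold and container is None:
        verdict = "suspicious: high entropy, no known container"
    elif ent >= threshold:
        verdict = f"high entropy, recognised {container}"
    else:
        verdict = "low entropy"
    return ent, container, verdict


def toy_keystream_xor(data: bytes, key: bytes) -> bytes:
    """Deterministic SHA-256 counter-mode keystream XOR.

    A stand-in for whatever cipher an implant uses, chosen only so the
    sample ciphertext is reproducible offline. Not for real use.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Constructed sample: a plausible authentication log, then the same log
# as an actor would stage it (compressed, then encrypted).
PLAINTEXT = "".join(
    f"2020-08-30T02:{i % 60:02d}:00 user{i:03d} login from 10.0.{i % 255}.{(i * 7) % 255} "
    f"session={hashlib.sha256(str(i).encode()).hexdigest()[:32]}\n"
    for i in range(400)
).encode()
COMPRESSED = zlib.compress(PLAINTEXT)
STAGED = toy_keystream_xor(COMPRESSED, b"constructed-demo-key")


if __name__ == "__main__":
    for label, blob in (("plaintext", PLAINTEXT), ("compressed", COMPRESSED), ("staged", STAGED)):
        ent, container, verdict = classify(blob)
        print(f"{label:<10} {len(blob):>6} bytes  entropy={ent:.2f}  {verdict}")
```

<p>High entropy alone is not a verdict: legitimate archives, images and PDFs score just as high, which is why the check also requires the absence of a known magic number. In practice it would be run over files appearing in user-writable staging locations and combined with the file's creation time and the process that wrote it before anyone acts on the result.</p>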
<p>Red Sky Alliance can help protect against attacks such as these. We provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.</p>
<p>Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a></p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul></div>