north korea (28)

13134670668?profile=RESIZE_400xCryptocurrency-related businesses have been targets of North Korean-affiliated threat actors for some time now, with multiple campaigns aiming to steal funds and/or insert backdoor malware into targets. In April 2023, researchers detailed an APT campaign targeting macOS users with multi-stage malware that culminated in a Rust backdoor capable of downloading and executing further malware on infected devices. ‘RustBucket,’ as they labeled it, was attributed with strong confidence to the BlueNoroff

13027416478?profile=RESIZE_400xDespite current of law enforcement action to take down ransomware gangs, Secureworks has observed a 30% year-on-year rise in active ransomware groups.   In the eighth edition of the Secureworks annual State of The Threat Report[1], the firm identified 31 new groups that had entered the ransomware ecosystem in the last 12 months.  The report noted that while a few big players had previously dominated the threat landscape, it is now home to a broader set of emerging entities.[2]

The top four most

12959741680?profile=RESIZE_400xCybersecurity researchers have uncovered a new set of malicious Python packages that target software developers under the guise of coding assessments.  "The new samples were tracked to GitHub projects that have been linked to previous, targeted attacks in which developers are lured using fake job interviews," ReversingLabs researcher Karlo Zanki said.  The activity has been assessed to be part of an ongoing VMConnect campaign that first came to light in August 2023.  There are indications that i

12934296672?profile=RESIZE_400xNorth Korean threat actors are expected to launch imminent attacks aimed at stealing funds from "organizations with access to large quantities of cryptocurrency-related assets or products," the FBI is warning, adding that the attacks will use particularly deceptive social engineering tactics, including highly personalized targeting that will appear extremely convincing.  In the last several months, federal officials have observed various state-sponsored actors from the DPKR conducting research o

12490423256?profile=RESIZE_400x

DEV#POPPER is a social engineering campaign that has been tracked recently by the Securonix Threat Research team.  Social engineering is a topic we have covered many times, but ultimately what it boils down to is that social engineering attacks are generally geared towards tricking victims into compromising themselves.  With that in mind, the primary target for the DEV#POPPER campaign appears to be software developers who are looking for work. 

Job interviews can be an effective cover for socia

12439541492?profile=RESIZE_400xThe Federal Bureau of Investigation (FBI), the U.S. Department of State, and the National Security Agency (NSA) are jointly issuing this advisory to highlight attempts by Democratic People’s Republic of Korea (DPRK, a.k.a. North Korea) Kimsuky cyber actors to exploit improperly configured DNS Domain-based Message Authentication, Reporting and Conformance (DMARC) record policies to conceal social engineering attempts.  Without properly configured DMARC policies, malicious cyber actors are able to

12390146467?profile=RESIZE_400xIt is no longer theoretical; the world's major powers are working with large language models to enhance offensive cyber operations.  Advanced persistent threats (APTs) aligned with China, Iran, North Korea, and Russia use large language models (LLMs) to enhance their operations.  New blog posts from OpenAI and Microsoft reveal that five prominent threat actors have used OpenAI software for research, fraud, and other malicious purposes.  After identifying them, OpenAI shuttered all their accounts

12389945471?profile=RESIZE_400xCybersecurity experts are warning that hospitals around the country are at risk for attacks like the one that is crippling operations at a premier Midwestern children’s hospital and that the US government is doing too little to prevent such breaches.  Hospitals in recent years have shifted their use of online technology to support everything from telehealth to medical devices to patient records.  Today, they are a favorite target for internet thieves who hold systems’ data and networks hostage f

12364606868?profile=RESIZE_400xA recent article raised the question of whether North Korea was the perpetrator of the cyber-attacks against Sony Pictures in December 2014.  Despite the difficulties typically associated with such activities, the US Federal Bureau of Investigation (FBI) quickly attributed (25 days) the attacks to North Korea, even though an enigmatic group calling itself “Guardians of Peace” took responsibility.  Nevertheless, once the FBI official blamed North Korea, no one in the government appeared to questi

12345540085?profile=RESIZE_400xNation-state cyber threat actors affiliated to North Korea have been observed using spear-phishing attacks to deliver an assortment of backdoors and tools such as AppleSeed, Meterpreter, and TinyNuke to seize control of compromised machines.  The South Korea-based cybersecurity company AhnLab attributed the activity to an advanced persistent threat group known as Kimsuky.  "A notable point about attacks that use AppleSeed is that similar methods of attack have been used for many years with no si

12330432501?profile=RESIZE_180x180Cisco's Talos security researchers report that the North Korea-linked hacking group Lazarus has been observed deploying Dlang malware in attacks against organizations in the manufacturing, agriculture, and physical security sectors.   Released in 2001, Dlang, or simply D, is a multi-paradigm system programming language built upon the idea of C++ but drawing inspiration from C#, Eiffel, Java, Python, Ruby, and other high-level languages.  Dlang is considered an uncommon programming language for m

12263649868?profile=RESIZE_400xUS officials say North Korea pulled off an elaborate plan to trick American companies into hiring thousands of skilled IT workers who later sent the money they earned back to be used for the country's weapons program.  The FBI and the Justice Department (DOJ) said they shut down 17 websites that were used by IT worker to "defraud US and foreign businesses, evade sanctions and fund the development of the Democratic People’s Republic of Korea government’s weapons program."  They also seized $1.5 m

12217947066?profile=RESIZE_400xNorth Korea has some decent cyber operations aimed against its foes but can’t seem to figure out rocket propulsion.  North Korea’s attempt to send a military spy satellite into orbit has failed for a second time.  A North Korean representative reported that the launch took place in the early hours of 24 August 2023, the first day of a week-long launch window, but failed because of a problem with the rocket's third stage carrying the satellite.  North Korea will try again in October 2023.  “The f

12214542095?profile=RESIZE_400xNorth Korean threat actors have caught Sentinel Lab's attention over the past year, providing us with fruitful insight into a variety of campaigns, such as new reconnaissance tools, (multiple) new supply chain intrusions, elusive multi-platform targeting, and new sly social engineering tactics.  To add to that list, analysts looked at an intrusion into what might be considered a highly desirable strategic espionage mission, supporting North Korea’s contentious missile program.[1]

The Target Orga

12167769290?profile=RESIZE_400xIn recent news, the cloud-based IT management service JumpCloud publicly shared details gathered from the investigation into an intrusion on their network. Alongside the updated details, the organization shared a list of associated indicators of compromise (IOCs), noting attribution to an unnamed “sophisticated nation-state sponsored threat actor.”  Reviewing the newly released indicators of compromise, we associate the cluster of threat activity to a North Korean state sponsored APT.[1]  The IO

11303748863?profile=RESIZE_400xUS and South Korean intelligence agencies have issued a new alert warning of North Korean cyber actors' use of social engineering tactics to strike think tanks, academia, and news media sectors.  The "sustained information gathering efforts" have been attributed to a state-sponsored cluster called Kimsuky, which is also known by the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), Nickel Kimball, and Velvet Chollima.  Active guys…..  "North Korea relies heavily on in

11025972064?profile=RESIZE_400xIn the era of cyber wars, AI, and drones, wars are still being fought with 20th-century weapons that require massive amounts of ammunition.  Russia is sending a delegation to North Korea to offer food in exchange for weapons, US national security spokesman.  He said any arms deal between North Korea and Russia would violate UN Security Council resolutions.  The US has previously accused North Korea of supplying arms to the Russian military in Ukraine and the Wagner group of Russian mercenaries.

10913167469?profile=RESIZE_400xSometimes, good intentioned research can actually benefit adversaries.  Recently when a US-based foreign affairs analyst, received an email from the Director of the “38 North think-tank” to commission an article, it seemed to be business as usual.  The sender was actually a suspected North Korean spy seeking information, according to those involved and three cybersecurity researchers.

Instead of infecting his computer and stealing sensitive data, as hackers typically do, the sender appeared to b

10754604654?profile=RESIZE_400xIn light of all of the Russian ransomware attacks on organizations worldwide, a dose of Schadenfreude is a welcome sign.  For our non-German readers: “Schadenfreude is the experience of pleasure, joy, or self-satisfaction that comes from learning of or witnessing the troubles, failures, or humiliation of another (especially an adversary). It is a borrowed word from German, with no direct translation, that originated in the 18th century.”

An unknown threat actor has been targeting Russian entitie

10661601053?profile=RESIZE_400xThe US Justice Department announced on 19 July 2022 through a complaint filed in the US District of Kansas to forfeit cryptocurrency paid as ransom to North Korean hackers or otherwise used to launder such ransom payments.  In May 2022, the Federal Bureau of Investigation (FBI) filed a sealed seizure warrant for the funds worth approximately half a million dollars.  The seized funds include ransoms paid by health care providers in Kansas and Colorado.  “Thanks to rapid reporting and cooperation