Kimsuky | Breaking Cybersecurity News | The Hacker News

The North Korean threat actor known as  Kimsuky  has been observed targeting research institutes in South Korea as part of a spear-phishing campaign with the ultimate goal of distributing backdoors on compromised systems. "The threat actor ultimately uses a backdoor to steal information and execute commands," the AhnLab Security Emergency Response Center (ASEC)  said  in an analysis posted last week. The attack chains commence with an import declaration lure that's actually a malicious JSE file containing an obfuscated PowerShell script, a Base64-encoded payload, and a decoy PDF document. The next stage entails opening the PDF file as a diversionary tactic, while the PowerShell script is executed in the background to launch the backdoor. The malware, for its part, is configured to collect network information and other relevant data (i.e., host name, user name, and operating system version) and transmit the encoded details to a remote server. It's also capable of

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) on Thursday sanctioned the North Korea-linked adversarial collective known as Kimsuky as well as eight foreign-based agents who are alleged to have facilitated sanctions evasion. The agents, the Treasury  said , helped in " revenue generation  and missile-related technology procurement that support the DPRK's weapons of mass destruction (WMD) programs." The sanctions against Kimsuky, which have been levied for gathering intelligence to support the regime's strategic objectives, come more than four years after the OFAC  imposed   similar measures  against the Lazarus Group and its offshoots  Andariel  and  BlueNoroff  in September 2019. The actions are in  response  to North Korea's launch of a military reconnaissance satellite late last month, the Treasury added. They also arrive a day after a virtual currency mixer service called Sinbad was  sanctioned  for processing stolen as

As work ebbs with the typical end-of-year slowdown, now is a good time to review user roles and privileges and remove anyone who shouldn't have access as well as trim unnecessary permissions. In addition to saving some unnecessary license fees, a clean user inventory significantly enhances the security of your SaaS applications. From reducing risk to protecting against data leakage, here is how you can start the new year with a clean user list.  How Offboarded Users  Still  Have Access to Your Apps When employees leave a company, they trigger a series of changes to backend systems in their wake. First, they are removed from the company's identity provider (IdP), which kicks off an automated workflow that deactivates their email and removes access to all internal systems. When enterprises use an SSO (single sign-on), these former employees lose access to any online properties – including SaaS applications – that require SSO for login.  However, that doesn't mean that former employee

The North Korean nation-state threat actor known as  Kimsuky  has been linked to a social engineering campaign targeting experts in North Korean affairs with the goal of stealing Google credentials and delivering reconnaissance malware. "Further, Kimsuky's objective extends to the theft of subscription credentials from NK News," cybersecurity firm SentinelOne  said  in a report shared with The Hacker News. "To achieve this, the group distributes emails that lure targeted individuals to log in on the malicious website nknews[.]pro, which masquerades as the authentic NK News site. The login form that is presented to the target is designed to capture entered credentials." NK News , established in 2011, is an American subscription-based news website that provides stories and analysis about North Korea. The disclosure comes days after U.S. and South Korean intelligence agencies  issued an alert  warning of Kimsuky's use of social engineering tactics to strik

U.S. and South Korean intelligence agencies have issued a new alert warning of North Korean cyber actors' use of social engineering tactics to strike think tanks, academia, and news media sectors. The "sustained information gathering efforts" have been attributed to a state-sponsored cluster dubbed  Kimsuky , which is also known by the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), Nickel Kimball, and Velvet Chollima. "North Korea relies heavily on intelligence gained from these spear-phishing campaigns," the agencies  said . "Successful compromises of the targeted individuals enable Kimsuky actors to craft more credible and effective spear-phishing emails that can be leveraged against sensitive, high-value targets." Acting in tandem, South Korea's Ministry of Foreign Affairs (MOFA)  imposed sanctions  on the North Korean hacking group and identified  two cryptocurrency addresses  used by the entity that have rece

The North Korean state-sponsored threat actor known as  Kimsuky  has been discovered using a new reconnaissance tool called  ReconShark  as part of an ongoing global campaign. "[ReconShark] is actively delivered to specifically targeted individuals through spear-phishing emails, OneDrive links leading to document downloads, and the execution of malicious macros," SentinelOne researchers Tom Hegel and Aleksandar Milenkoski  said . Kimsuky  is also known by the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), Nickel Kimball, and Velvet Chollima. Active since at least 2012, the  prolific   threat actor  has been linked to  targeted   attacks  on non-governmental organizations (NGOs), think tanks, diplomatic agencies, military organizations, economic groups, and research entities across North America, Asia, and Europe. The latest intrusion set documented by SentinelOne leverages geopolitical themes related to North Korea's nuclear proliferat

German and South Korean government agencies have warned about cyber attacks mounted by a threat actor tracked as  Kimsuky  using rogue browser extensions to steal users' Gmail inboxes. The  joint advisory   comes  from Germany's domestic intelligence apparatus, the Federal Office for the Protection of the Constitution (BfV), and South Korea's National Intelligence Service (NIS). The intrusions are designed to strike "experts on the Korean Peninsula and North Korea issues" through spear-phishing campaigns, the agencies noted. Kimsuky , also known Black Banshee, Thallium, and Velvet Chollima, refers to a  subordinate element  within North Korea's Reconnaissance General Bureau and is known to "collect strategic intelligence on geopolitical events and negotiations affecting the DPRK's interests." Primary targets of interest include entities in the U.S. and South Korea, particularly singling out individuals working within the government, military

The North Korean espionage-focused actor known as Kimsuky has been observed using three different Android malware strains to target users located in its southern counterpart. That's according to findings from South Korean cybersecurity company S2W, which named the malware families FastFire, FastViewer, and FastSpy. "The FastFire malware is disguised as a Google security plugin, and the FastViewer malware disguises itself as 'Hancom Office Viewer,' [while] FastSpy is a remote access tool based on  AndroSpy ," researchers Lee Sebin and Shin Yeongjae  said . Kimsuky, also known by the names Black Banshee, Thallium, and Velvet Chollima, is believed to be tasked by the North Korean regime with a global intelligence-gathering mission, disproportionately targeting individuals and organizations in South Korea, Japan, and the U.S. This past August, Kaspersky unearthed a previously undocumented infection chain dubbed  GoldDragon  to deploy a Windows backdoor capable o

Russian Security Firm Kaspersky Lab has revealed that it has been following a sustained attack on South Korea by hackers seemingly based in North Korea.,  This new Cyber Espionage campaign dubbed "Kimsuky"  has targeted several South Korean think tanks. R esearchers believe the Kimsuky malware is most likely delivered via spear-phishing e-mails  and used multiple Dropbox email accounts "It's interesting that the drop box mail accounts iop110112@hotmail.com and rsh1213@hotmail.com are registered with the following "kim" names: kimsukyang and "Kim asdfa " The Kaspersky researchers revealed that the operation presents distinctive characteristics in its execution and logistics. The investigation started after the team of experts detected an unsophisticated spy program that communicated with it control server via a public e-mail server, an approach followed by too many amateur malware authors. Victims download a Trojan dropper which is used to download additional malwa