#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

Lazarus Hackers | Breaking Cybersecurity News | The Hacker News

Protecting Your Microsoft IIS Servers Against Malware Attacks

Protecting Your Microsoft IIS Servers Against Malware Attacks

Sep 08, 2023 Server Security / Penetration Testing
Microsoft Internet Information Services (IIS) is a web server software package designed for Windows Server. Organizations commonly use Microsoft IIS servers to host websites, files, and other content on the web. Threat actors increasingly target these Internet-facing resources as low-hanging fruit for finding and exploiting vulnerabilities that facilitate access to IT environments.  Recently, a slew of activity by the advanced persistent threat (APT) group Lazarus has focused on finding vulnerable Microsoft IIS servers and infecting them with malware or using them to distribute malicious code. This article describes the details of the malware attacks and offers actionable suggestions for protecting Microsoft IIS servers against them.  An Overview on Microsoft IIS Servers IIS was first introduced with Windows NT 3.51 as an optional package back in 1995. Since then, it has seen several iterations, improvements, and features added to align with the evolving Internet, including support
Lazarus X_TRADER Hack Impacts Critical Infrastructure Beyond 3CX Breach

Lazarus X_TRADER Hack Impacts Critical Infrastructure Beyond 3CX Breach

Apr 22, 2023 Supply Chain / Cyber Threat
Lazarus, the prolific North Korean hacking group behind the cascading  supply chain attack targeting 3CX , also breached two critical infrastructure organizations in the power and energy sector and two other businesses involved in financial trading using the trojanized X_TRADER application. The new findings, which come courtesy of  Symantec's Threat Hunter Team , confirm earlier suspicions that the X_TRADER application compromise affected more organizations than 3CX. The names of the organizations were not revealed. Eric Chien, director of security response at Broadcom-owned Symantec, told The Hacker News in a statement that the attacks took place between September 2022 and November 2022. "The impact from these infections is unknown at this time – more investigation is required and is on-going," Chien said, adding it's possible that there's "likely more to this story and possibly even other packages that are trojanized." The development comes as Ma
How to Accelerate Vendor Risk Assessments in the Age of SaaS Sprawl

How to Accelerate Vendor Risk Assessments in the Age of SaaS Sprawl

Mar 21, 2024SaaS Security / Endpoint Security
In today's digital-first business environment dominated by SaaS applications, organizations increasingly depend on third-party vendors for essential cloud services and software solutions. As more vendors and services are added to the mix, the complexity and potential vulnerabilities within the  SaaS supply chain  snowball quickly. That's why effective vendor risk management (VRM) is a critical strategy in identifying, assessing, and mitigating risks to protect organizational assets and data integrity. Meanwhile, common approaches to vendor risk assessments are too slow and static for the modern world of SaaS. Most organizations have simply adapted their legacy evaluation techniques for on-premise software to apply to SaaS providers. This not only creates massive bottlenecks, but also causes organizations to inadvertently accept far too much risk. To effectively adapt to the realities of modern work, two major aspects need to change: the timeline of initial assessment must shorte
Norway Seizes $5.84 Million in Cryptocurrency Stolen by Lazarus Hackers

Norway Seizes $5.84 Million in Cryptocurrency Stolen by Lazarus Hackers

Feb 20, 2023 Cyber Crime / Cryptocurrency
Norwegian police agency Økokrim has announced the seizure of 60 million NOK (about $5.84 million) worth of cryptocurrency stolen by the Lazarus Group in March 2022 following the Axie Infinity Ronin Bridge hack. "This case shows that we also have a great capacity to follow the money on the blockchain, even if the criminals use advanced methods," the Oslo-based crime-fighting unit  said  in a statement. The development comes more than 10 months after the U.S. Treasury Department  implicated  the North Korea-backed hacking group for the theft of $620 million from the Ronin cross-chain bridge. Then in September 2022, the U.S. government  announced  the recovery of more than $30 million worth of cryptocurrency, representing 10% of the stolen funds. Økokrim said it worked with international law enforcement partners to pursue and piece together the money trail, thereby making it more difficult for criminal actors to carry out money laundering activities. "This is money th
cyber security

Automated remediation solutions are crucial for security

websiteWing SecurityShadow IT / SaaS Security
Especially when it comes to securing employees' SaaS usage, don't settle for a longer to-do list. Auto-remediation is key to achieving SaaS security.
Microsoft Alerts Cryptocurrency Industry of Targeted Cyberattacks

Microsoft Alerts Cryptocurrency Industry of Targeted Cyberattacks

Dec 07, 2022 Cryptocurrency / Threat Intelligence
Cryptocurrency investment companies are the target of a developing threat cluster that uses Telegram groups to seek out potential victims. Microsoft's Security Threat Intelligence Center (MSTIC) is tracking the activity under the name  DEV-0139 , and builds upon a recent report from Volexity that attributed the same set of attacks to North Korea's  Lazarus Group . "DEV-0139 joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms and identified their target from among the members," the tech giant  said . The adversary subsequently impersonated another cryptocurrency investment company and invited the victim to join a different Telegram chat group under the pretext of asking for feedback on the trading fee structure used by exchange platforms across VIP tiers. It's worth pointing out that the  VIP program  is  designed  to  reward   high-volume traders  with exclusive trading fee incentives and discount
North Korea's Lazarus Hackers Targeting macOS Users Interested in Crypto Jobs

North Korea's Lazarus Hackers Targeting macOS Users Interested in Crypto Jobs

Sep 27, 2022
The infamous Lazarus Group has continued its pattern of leveraging unsolicited job opportunities to deploy malware targeting Apple's macOS operating system. In the latest variant of the campaign observed by cybersecurity company SentinelOne last week, decoy documents advertising positions for the Singapore-based cryptocurrency exchange firm Crypto[.]com have been used to mount the attacks. The latest disclosure builds on previous findings from Slovak cybersecurity firm ESET in August, which  delved  into a similar phony job posting for the Coinbase cryptocurrency exchange platform. Both these fake job advertisements are just the latest in a series of attacks dubbed  Operation In(ter)ception , which, in turn, is a constituent of a broader campaign tracked under the name  Operation Dream Job . Although the exact distribution vector for the malware remains unknown, it's suspected that potential targets are singled out via direct messages on the business networking site Linke
North Korean Hackers Deploying New MagicRAT Malware in Targeted Campaigns

North Korean Hackers Deploying New MagicRAT Malware in Targeted Campaigns

Sep 07, 2022
The prolific North Korean nation-state actor known as the Lazarus Group has been linked to a new remote access trojan called  MagicRAT . The previously unknown piece of malware is said to have been deployed in victim networks that had been initially breached via successful exploitation of internet-facing VMware Horizon servers, Cisco Talos said in a report shared with The Hacker News. "While being a relatively simple RAT capability-wise, it was built with recourse to the  Qt Framework , with the sole intent of making human analysis harder, and automated detection through machine learning and heuristics less likely," Talos researchers Jung soo An, Asheer Malhotra, and Vitor Ventura  said . Lazarus Group , also known as APT38, Dark Seoul, Hidden Cobra, and Zinc, refers to a cluster of financial motivated and espionage-driven  cyber activities  undertaken by the North Korean government as a means to sidestep sanctions imposed on the country and meet its strategic objectives
FBI Warns Investors to Take Precautions with Decentralized Financial Platforms

FBI Warns Investors to Take Precautions with Decentralized Financial Platforms

Aug 30, 2022
The U.S. Federal Bureau of Investigation (FBI) on Monday warned of cyber criminals increasingly exploiting flaws in decentralized finance (DeFi) platforms to plunder cryptocurrency. "The FBI has observed cyber criminals exploiting vulnerabilities in the smart contracts governing DeFi platforms to steal investors' cryptocurrency," the agency  said  in a notification. Attackers are said to have used different methods to hack and steal cryptocurrency from DeFi platforms, including initiating flash loans that trigger exploits in the platforms' smart contracts and exploiting signature verification flaws in their token bridge to withdraw all investments. The agency has also observed criminals defrauding the platforms by manipulating cryptocurrency price pairs – assets that can be traded for each other on an exchange – by exploiting a series of vulnerabilities to bypass  slippage checks  and steal roughly $35 million in digital funds. It further said that the threat ac
Hackers Exploiting VMware Horizon to Target South Korea with NukeSped Backdoor

Hackers Exploiting VMware Horizon to Target South Korea with NukeSped Backdoor

May 20, 2022
The North Korea-backed Lazarus Group has been observed leveraging the  Log4Shell vulnerability  in VMware Horizon servers to deploy the NukeSped (aka Manuscrypt) implant against targets located in its southern counterpart. "The attacker used the Log4j vulnerability on VMware Horizon products that were not applied with the security patch," AhnLab Security Emergency Response Center (ASEC)  said  in a new report. The intrusions are said to have been first discovered in April, although  multiple threat actors , including those aligned with  China  and  Iran , have employed the same approach to further their objectives over the past few months. NukeSped is a backdoor that can perform various malicious activities based on commands received from a remote attacker-controlled domain. Last year, Kaspersky disclosed a spear-phishing campaign aimed at stealing critical data from defense companies using a NukeSped variant called  ThreatNeedle . Some of the key functions of the bac
Lazarus Group Behind $540 Million Axie Infinity Crypto Hack and Attacks on Chemical Sector

Lazarus Group Behind $540 Million Axie Infinity Crypto Hack and Attacks on Chemical Sector

Apr 16, 2022
The U.S. Treasury Department has implicated the North Korea-backed Lazarus Group (aka Hidden Cobra) in the theft of $540 million from video game Axie Infinity's Ronin Network last month. On Thursday, the Treasury  tied  the Ethereum  wallet address  that received the stolen digital currency to the threat actor and sanctioned the funds by adding the address to the Office of Foreign Assets Control's (OFAC) Specially Designated Nationals ( SDN ) List. "The FBI, in coordination with Treasury and other U.S. government partners, will continue to expose and combat the DPRK's use of illicit activities – including cybercrime and cryptocurrency theft – to generate revenue for the regime," the intelligence and law enforcement agency  said  in a statement. The cryptocurrency heist, the second-largest cyber-enabled theft to date, involved the siphoning of 173,600 Ether (ETH) and 25.5 million USD Coins from the Ronin cross-chain bridge, which allows users to transfer their
North Korean Hackers Stole Millions from Cryptocurrency Startups Worldwide

North Korean Hackers Stole Millions from Cryptocurrency Startups Worldwide

Jan 14, 2022
Operators associated with the Lazarus sub-group BlueNoroff have been linked to a series of cyberattacks targeting small and medium-sized companies worldwide with an aim to drain their cryptocurrency funds, in what's yet another financially motivated operation mounted by the prolific North Korean state-sponsored actor. Russian cybersecurity company Kaspersky, which is tracking the intrusions under the name " SnatchCrypto ," noted that the campaign has been running since at 2017, adding the attacks are aimed at startups in the FinTech sector located in China, Hong Kong, India, Poland, Russia, Singapore, Slovenia, the Czech Republic, the U.A.E., the U.S., Ukraine, and Vietnam. "The attackers have been subtly abusing the trust of the employees working at targeted companies by sending them a full-featured Windows backdoor with surveillance functions, disguised as a contract or another business file," the researchers  said . "In order to eventually empty the v
Cybersecurity Resources