#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

North Korea | Breaking Cybersecurity News | The Hacker News

North Korean State-Sponsored Hackers Suspected in JumpCloud Supply Chain Attack

North Korean State-Sponsored Hackers Suspected in JumpCloud Supply Chain Attack

Jul 20, 2023 Cyber Attack / Supply Chain
An analysis of the indicators of compromise ( IoCs ) associated with the JumpCloud hack has uncovered evidence pointing to the involvement of North Korean state-sponsored groups, in a style that's reminiscent of the  supply chain attack targeting 3CX . The findings come from SentinelOne, which  mapped out  the infrastructure pertaining to the intrusion to uncover underlying patterns. It's worth noting that JumpCloud, last week,  attributed  the attack to an unnamed "sophisticated nation-state sponsored threat actor." "The North Korean threat actors demonstrate a high level of creativity and strategic awareness in their targeting strategies," SentinelOne security researcher Tom Hegel told The Hacker News. "The research findings reveal a successful and multifaceted approach employed by these actors to infiltrate developer environments." "They actively seek access to tools and networks that can serve as gateways to more extensive opportunitie
North Korean Hacker Group Andariel Strikes with New EarlyRat Malware

North Korean Hacker Group Andariel Strikes with New EarlyRat Malware

Jun 29, 2023 Vulnerability / Malware
The North Korea-aligned threat actor known as Andariel leveraged a previously undocumented malware called EarlyRat in phishing attacks, adding another piece to the group's wide-ranging toolset. "Andariel infects machines by executing a Log4j exploit, which, in turn, downloads further malware from the command-and-control (C2) server," Kaspersky  said  in a new report. Also called Silent Chollima and Stonefly, Andariel is associated with North Korea's Lab 110, a primary hacking unit that also houses  APT38  (aka BlueNoroff ) and other subordinate elements collectively tracked under the umbrella name  Lazarus Group .  The threat actor, besides conducting espionage attacks against foreign government and military entities that are of strategic interest, is known to  carry out cyber crime  as an extra source of income to the sanctions-hit nation. Some of the key cyber weapons in its arsenal include a ransomware strain referred to as  Maui  and numerous remote access t
How to Find and Fix Risky Sharing in Google Drive

How to Find and Fix Risky Sharing in Google Drive

Mar 06, 2024Data Security / Cloud Security
Every Google Workspace administrator knows how quickly Google Drive becomes a messy sprawl of loosely shared confidential information. This isn't anyone's fault; it's inevitable as your productivity suite is purposefully designed to enable real-time collaboration – both internally and externally.  For Security & Risk Management teams, the untenable risk of any Google Drive footprint lies in the toxic combinations of sensitive data, excessive permissions, and improper sharing. However, it can be challenging to differentiate between typical business practices and potential risks without fully understanding the context and intent.  Material Security, a company renowned for its innovative method of protecting sensitive data within employee mailboxes, has recently launched  Data Protection for Google Drive  to safeguard the sprawl of confidential information scattered throughout Google Drive with a powerful discovery and remediation toolkit. How Material Security helps organ
ScarCruft's Evolving Arsenal: Researchers Reveal New Malware Distribution Techniques

ScarCruft's Evolving Arsenal: Researchers Reveal New Malware Distribution Techniques

Mar 22, 2023 Cyber Threat Intelligence
The North Korean advanced persistent threat (APT) actor dubbed ScarCruft is using weaponized Microsoft Compiled HTML Help (CHM) files to download additional malware onto targeted machines. According to multiple reports from  AhnLab Security Emergency response Center  ( ASEC ),  SEKOIA.IO , and  Zscaler , the development is illustrative of the group's continuous efforts to refine and retool its tactics to sidestep detection. "The group is constantly evolving its tools, techniques, and procedures while experimenting with new file formats and methods to bypass security vendors," Zscaler researchers Sudeep Singh and Naveen Selvan said in a new analysis published Tuesday.  ScarCruft, also tracked under the names APT37, Reaper, RedEyes, and Ricochet Chollima, has exhibited an increased operational tempo since the start of the year, targeting various South Korean entities for espionage purposes. It is known to be active since at least 2012. Last month, ASEC  disclosed  a
cyber security

Uncover Critical Gaps in 7 Core Areas of Your Cybersecurity Program

websiteArmor PointCyber Security / Assessment
Turn potential vulnerabilities into strengths. Start evaluating your defenses today. Download the Checklist.
Kimsuky Hackers Spotted Using 3 New Android Malware to Target South Koreans

Kimsuky Hackers Spotted Using 3 New Android Malware to Target South Koreans

Oct 26, 2022
The North Korean espionage-focused actor known as Kimsuky has been observed using three different Android malware strains to target users located in its southern counterpart. That's according to findings from South Korean cybersecurity company S2W, which named the malware families FastFire, FastViewer, and FastSpy. "The FastFire malware is disguised as a Google security plugin, and the FastViewer malware disguises itself as 'Hancom Office Viewer,' [while] FastSpy is a remote access tool based on  AndroSpy ," researchers Lee Sebin and Shin Yeongjae  said . Kimsuky, also known by the names Black Banshee, Thallium, and Velvet Chollima, is believed to be tasked by the North Korean regime with a global intelligence-gathering mission, disproportionately targeting individuals and organizations in South Korea, Japan, and the U.S. This past August, Kaspersky unearthed a previously undocumented infection chain dubbed  GoldDragon  to deploy a Windows backdoor capable o
North Korean Hackers Weaponizing Open-Source Software in Latest Cyber Attacks

North Korean Hackers Weaponizing Open-Source Software in Latest Cyber Attacks

Sep 30, 2022
A "highly operational, destructive, and sophisticated nation-state activity group" with ties to North Korea has been weaponizing open source software in their social engineering campaigns aimed at companies around the world since June 2022. Microsoft's threat intelligence teams, alongside LinkedIn Threat Prevention and Defense, attributed the intrusions with high confidence to Zinc, a threat group affiliated with Lazarus which is also tracked under the name Labyrinth Chollima.  Attacks targeted employees in organizations across multiple industries, including media, defense and aerospace, and IT services in the U.S., the U.K., India, and Russia. The tech giant  said  it observed Zinc leveraging a "wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installer for these attacks." According to  CrowdStrike , Zinc "has been active since 2009 in operations aimed at collecting polit
Experts Uncover Details on Maui Ransomware Attack by North Korean Hackers

Experts Uncover Details on Maui Ransomware Attack by North Korean Hackers

Aug 10, 2022
The first ever incident possibly involving the ransomware family known as Maui occurred on April 15, 2021, aimed at an unnamed Japanese housing company. The disclosure from Kaspersky arrives a month after U.S. cybersecurity and intelligence agencies issued an  advisory  about the use of the ransomware strain by North Korean government-backed hackers to target the healthcare sector since at least May 2021. Much of the data about its modus operandi came from incident response activities and industry analysis of a Maui sample that revealed a lack of "several key features" typically associated with ransomware-as-a-service (RaaS) operations. Not only is Maui designed to be manually executed by a remote actor via a command-line interface, it's also notable for not including a ransom note to provide recovery instructions. Subsequently, the Justice Department  announced  the seizure of $500,000 worth of Bitcoin that were extorted from several organizations, including two he
North Korean Hackers Using Malicious Browser Extension to Spy on Email Accounts

North Korean Hackers Using Malicious Browser Extension to Spy on Email Accounts

Jul 30, 2022
A threat actor operating with interests aligned with North Korea has been deploying a malicious extension on Chromium-based web browsers that's capable of stealing email content from Gmail and AOL. Cybersecurity firm Volexity attributed the malware to an activity cluster it calls  SharpTongue , which is said to share overlaps with an  adversarial collective  publicly referred to under the name  Kimsuky . SharpTongue has a history of singling out individuals working for organizations in the U.S., Europe, and South Korea who "work on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea," researchers Paul Rascagneres and Thomas Lancaster  said . Kimsuky 's use of rogue extensions in attacks is not new. In 2018, the actor was seen utilizing a Chrome plugin as part of a campaign called  Stolen Pencil  to infect victims and steal browser cookies and passwords. But the latest espionage effort is different
U.S. Offers $10 Million Reward for Information on North Korean Hackers

U.S. Offers $10 Million Reward for Information on North Korean Hackers

Jul 28, 2022
The U.S. State Department has announced rewards of up to $10 million for any information that could help disrupt North Korea's cryptocurrency theft, cyber-espionage, and other illicit state-backed activities. "If you have information on any individuals associated with the North Korean government-linked malicious cyber groups (such as Andariel, APT38, Bluenoroff, Guardians of Peace, Kimsuky, or Lazarus Group) and who are involved in targeting U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act, you may be eligible for a reward," the department  said  in a tweet. The amount is double the bounty the agency  publicized  in March 2022 for specifics regarding the financial mechanisms employed by state-sponsored actors working on behalf of the North Korean government. The development comes a week after the Justice Department  disclosed  the seizure of $500,000 worth of Bitcoin from North Korean hackers who extorted digital payments by using a new r
North Korean Hackers Targeting Small and Midsize Businesses with H0lyGh0st Ransomware

North Korean Hackers Targeting Small and Midsize Businesses with H0lyGh0st Ransomware

Jul 15, 2022
An emerging threat cluster originating from North Korea has been linked to developing and using ransomware in cyberattacks targeting small businesses since September 2021. The group, which calls itself H0lyGh0st after the ransomware payload of the same name, is being tracked by the Microsoft Threat Intelligence Center under the moniker DEV-0530, a designation assigned for unknown, emerging, or a developing group of threat activity. Targeted entities primarily include small-to-midsize businesses such as manufacturing organizations, banks, schools, and event and meeting planning companies. "Along with their H0lyGh0st payload, DEV-0530 maintains an .onion site that the group uses to interact with their victims," the researchers  said  in a Thursday analysis. "The group's standard methodology is to encrypt all files on the target device and use the file extension .h0lyenc, send the victim a sample of the files as proof, and then demand payment in Bitcoin in exchange
U.S. Warns Against North Korean Hackers Posing as IT Freelancers

U.S. Warns Against North Korean Hackers Posing as IT Freelancers

May 18, 2022
Highly skilled software and mobile app developers from the Democratic People's Republic of Korea (DPRK) are posing as "non-DPRK nationals" in hopes of landing freelance employment in an attempt to enable the regime's  malicious cyber intrusions . That's according to a  joint advisory  from the U.S. Department of State, the Department of the Treasury, and the Federal Bureau of Investigation (FBI) issued on Monday. Targets include financial, health, social media, sports, entertainment, and lifestyle-focused companies located in North America, Europe, and East Asia, with most of the dispatched workers situated in China, Russia, Africa, and Southeast Asia. The goal, the U.S. agencies warn, is to generate a constant stream of revenue that sidesteps international sanctions imposed on the nation and help serve its economic and security priorities, including the development of nuclear and ballistic missiles. "The North Korean government withholds up to 90 perce
U.S. Sanctions Cryptocurrency Mixer Blender for Helping North Korea Launder Millions

U.S. Sanctions Cryptocurrency Mixer Blender for Helping North Korea Launder Millions

May 07, 2022
The U.S. Treasury Department on Friday moved to sanction virtual currency mixer Blender.io, marking the first time a mixing service has been subjected to economic blockades. The move signals continued efforts on the part of the government to prevent North Korea's Lazarus Group from laundering the funds stolen from the  unprecedented hack of Ronin Bridge  in late March. The newly imposed sanctions, issued by the U.S. Office of Foreign Assets Control (OFAC), target 45 Bitcoin addresses linked to Blender.io and four new wallets linked to Lazarus Group, an advanced persistent with ties to the Democratic People's Republic of Korea (DPRK). "Blender was used in processing over $20.5 million of the illicit proceeds," the Treasury  said , adding it was utilized by DPRK to "support its malicious cyber activities and money-laundering of stolen virtual currency." Cryptocurrency mixers, also called  tumblers , are privacy-focused services that allow users to move cr
Ethereum Developer Jailed 63 Months for Helping North Korea Evade Sanctions

Ethereum Developer Jailed 63 Months for Helping North Korea Evade Sanctions

Apr 14, 2022
A U.S. court has sentenced former Ethereum developer Virgil Griffith to five years and three months in prison and pay a $100,000 fine for conspiring with North Korea to help use cryptocurrencies to circumvent sanctions imposed on the country. "There is no question North Korea poses a national security threat to our nation, and the regime has shown time and again it will stop at nothing to ignore our laws for its own benefit," U.S. Attorney Damian Williams  said  in a statement. The sentencing comes more than six months after Griffith  pleaded guilty  to violating the International Emergency Economic Powers Act ( IEEPA ) by offering technical advice to the hermit kingdom with regards to the use of digital currency to bypass economic restrictions. Griffith was arrested in November 2019. North Korea is known to  rely on   cryptocurrency heists  to get around international sanctions and use it to help fund programs to build weapons of mass destruction. Indeed, the nation-st
NK Hackers Deploy Browser Exploits on South Korean Sites to Spread Malware

NK Hackers Deploy Browser Exploits on South Korean Sites to Spread Malware

Aug 18, 2021
A North Korean threat actor has been discovered taking advantage of two exploits in Internet Explorer to infect victims with a custom implant as part of a strategic web compromise (SWC) targeting a South Korean online newspaper. Cybersecurity firm Volexity  attributed  the watering hole attacks to a threat actor it tracks as InkySquid, and more widely known by the monikers ScarCruft and APT37. Daily NK, the publication in question, is said to have hosted the malicious code from at least late March 2021 until early June 2021. The "clever disguise of exploit code amongst legitimate code" and the use of custom malware enables the attackers to avoid detection, Volexity researchers said. The attacks involved tampering with the jQuery JavaScript libraries hosted on the website to serve additional obfuscated JavaScript code from a remote URL, using it to leverage exploits for two Internet Explorer flaws that were patched by Microsoft in  August 2020  and  March 2021 . Successfu
Researchers Uncover Hacking Operations Targeting Government Entities in South Korea

Researchers Uncover Hacking Operations Targeting Government Entities in South Korea

Jun 02, 2021
A North Korean threat actor active since 2012 has been behind a new espionage campaign targeting high-profile government officials associated with its southern counterpart to install an Android and Windows backdoor for collecting sensitive information. Cybersecurity firm Malwarebytes attributed the activity to a threat actor tracked as Kimsuky, with the targeted entities comprising of the Ministry of Foreign Affairs, Ambassador of the Embassy of Sri Lanka to the State, International Atomic Energy Agency (IAEA) Nuclear Security Officer, and the Deputy Consul General at Korean Consulate General in Hong Kong. The attacks also involved collecting information about other organizations and universities in the country, including the Korea Internet and Security Agency (KISA), Seoul National University, and Daishin Securities. Malwarebytes, however, noted that there is no evidence of active targeting or compromise by the adversary. The development is only the latest in a series of surveil
Hackers Set Up a Fake Cybersecurity Firm to Target Security Experts

Hackers Set Up a Fake Cybersecurity Firm to Target Security Experts

Apr 01, 2021
A North Korean government-backed campaign targeting cybersecurity researchers with malware has re-emerged with new tactics in their arsenal as part of a fresh social engineering attack. In an update shared on Wednesday, Google's Threat Analysis Group said the attackers behind the operation set up a fake security company called SecuriElite and a slew of social media accounts across Twitter and LinkedIn in an attempt to trick unsuspecting researchers into visiting the company's booby-trapped website "where a browser exploit was waiting to be triggered." "The new website claims the company is an offensive security company located in Turkey that offers pentests, software security assessments and exploits," TAG's Adam Weidemann  said . The website is said to have gone live on March 17. A total of eight Twitter profiles and seven LinkedIn profiles, who claimed to be vulnerability researchers and human resources personnel at different security firms (inclu
North Korean Hackers Targeting Defense Firms with ThreatNeedle Malware

North Korean Hackers Targeting Defense Firms with ThreatNeedle Malware

Feb 26, 2021
A prolific North Korean state-sponsored hacking group has been tied to a new ongoing espionage campaign aimed at exfiltrating sensitive information from organizations in the defense industry. Attributing the attacks with high confidence to the  Lazarus Group , the new findings from Kaspersky signal an expansion of the APT actor's tactics by going beyond the usual gamut of financially-motivated crimes to fund the cash-strapped regime.  This broadening of its strategic interests happened in early 2020 by leveraging a tool called ThreatNeedle , researchers Vyacheslav Kopeytsev and Seongsu Park said in a Thursday write-up. At a high level, the campaign takes advantage of a multi-step approach that begins with a carefully crafted spear-phishing attack leading eventually to the attackers gaining remote control over the devices. ThreatNeedle is delivered to targets via COVID-themed emails with malicious Microsoft Word attachments as initial infection vectors that, when opened, run a
Cybersecurity Resources