North Korea | Breaking Cybersecurity News | The Hacker News

The United States Cybersecurity and Infrastructure Security Agency (CISA) has published a new report warning companies about a new in-the-wild malware that North Korean hackers are reportedly using to spy on key employees at government contracting companies. Dubbed ' BLINDINGCAN ,' the advanced remote access trojan acts as a backdoor when installed on compromised computers. According to the FBI and CISA, North Korean state-sponsored hackers Lazarus Group , also known as Hidden Cobra , are spreading BLINDINGCAN to "gather intelligence surrounding key military and energy technologies." To achieve this, attackers first identify high-value targets, perform extensive research on their social and professional networks, and then pose as recruiters to send malicious documents loaded with the malware, masquerading as job advertisements and offerings. However, such employment scams and social engineering strategies are not new and were recently spotted being used in

Yesterday, on the 3rd anniversary of the infamous global WannaCry ransomware outbreak for which North Korea was blamed, the U.S. government released information about three new malware strains used by state-sponsored North Korean hackers. Called COPPERHEDGE, TAINTEDSCRIBE, and PEBBLEDASH, the malware variants are capable of remote reconnaissance and exfiltration of sensitive information from target systems, according to a joint advisory released by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). The three new malware strains are the latest addition to a long list of over 20 malware samples , including BISTROMATH, SLICKSHOES, HOPLIGHT, and ELECTRICFISH , among others, that have been identified by the security agencies as originating as part of a series of malicious cyber activity by the North Korean government it calls Hidden Cobra , or widely known by the moniker Lazarus Group. Full

Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard human identities, a pressing question arises: How do we guarantee the security and integrity of these non-human counterparts? How do we authenticate, authorize, and regulate access for entities devoid of life but crucial for the functioning of critical systems? Let's break it down. The challenge Imagine a cloud-native application as a bustling metropolis of tiny neighborhoods known as microservices, all neatly packed into containers. These microservices function akin to diligent worker bees, each diligently performing its designated task, be it processing data, verifying credentials, or

The United States agencies today released a joint advisory warning the world about the 'significant cyber threat' posed by North Korean state-sponsored hackers to the global banking and financial institutions. Besides a summary of recent cyberattacks attributed to North Korean hackers, the advisory—issued by U.S. Departments of State, the Treasury, and Homeland Security, and the FBI—also contains a comprehensive guide intends to help the international community, industries, and other governments defend against North Korea's illicit activities. "In particular, the United States is deeply concerned about North Korea's malicious cyber activities, which the U.S. government refers to as HIDDEN COBRA. The DPRK has the capability to conduct disruptive or destructive cyber activities affecting U.S. critical infrastructure," the advisory says . "The DPRK also uses cyber capabilities to steal from financial institutions, and has demonstrated a pattern of d

Two Chinese nationals have been charged by the US Department of Justice (DoJ) and sanctioned by the US Treasury for allegedly laundering $100 million worth of virtual currency using prepaid Apple iTunes gift cards. According to a newly unsealed court document , the illicit funds originated from a $250 million haul stolen from two different unnamed cryptocurrency exchanges that were perpetrated by Lazarus Group , a cybercrime group with ties with the North Korean government. The two individuals in question — Tian Yinyin (田寅寅)  and Li Jiadong (李家东) — were both charged with operating an unlicensed money transmitting business and money laundering conspiracy. Prosecutors said the defendants worked on behalf of the threat actors based in North Korea to allegedly launder over a $100 million worth of stolen cryptocurrency to obscure transactions, adding the hacking of cryptocurrency exchanges posed a severe threat to the security of the global financial system. It's worth notin

A story has been making the rounds on the Internet since yesterday about a cyber attack on an Indian nuclear power plant. Due to some experts commentary on social media even after lack of information about the event and overreactions by many, the incident received factually incorrect coverage widely suggesting a piece of malware has compromised "mission-critical systems" at the Kudankulam Nuclear Power Plant . Relax! That's not what happened. The attack merely infected a system that was not connected to any critical controls in the nuclear facility. Here we have shared a timeline of the events with brief information on everything we know so far about the cyberattack at Kudankulam Nuclear Power Plant (KKNPP) in Tamil Nadu. From where this news came? The story started when Indian security researcher Pukhraj Singh tweeted that he informed Indian authorities a few months ago about an information-stealing malware, dubbed Dtrack, which successfully hit "extre

The United States Treasury Department on Friday announced sanctions against three state-sponsored North Korean hacking groups for conducting several destructive cyberattacks on US critical infrastructure. Besides this, the hacking groups have also been accused of stealing possibly hundreds of millions of dollars from financial institutions around the world to ultimately fund the North Korean government's illicit weapons and missile programs. The three North Korean hacking groups in question are the well-known Lazarus Group , and its two sub-groups, Bluenoroff and Andariel . The sanctions announced by the Treasury Department's Office of Foreign Assets Control (OFAC) claim that all the three groups are "agencies, instrumentalities, or controlled entities of the Government of North Korea" based on their relationship with Pyongyang's central intelligence bureau called the Reconnaissance General Bureau (RGB). Specifically, the sanctions aim to lock any fore

The U.S. Department of Homeland Security (DHS) and the FBI have issued another joint alert about a new piece of malware that the prolific North Korean APT hacking group Hidden Cobra has actively been using in the wild. Hidden Cobra, also known as Lazarus Group and Guardians of Peace, is believed to be backed by North Korean government and known to launch cyber attacks against media organizations, aerospace, financial and critical infrastructure sectors across the world. The hacking group was the same associated with the 2017 WannaCry ransomware menace , the 2014 Sony Pictures hack , and the SWIFT Banking attack in 2016. Now, the DHS and the FBI have uncovered a new malware variant, dubbed ELECTRICFISH , that Hidden Cobra hackers have been using for secretly tunneling traffic out of compromised computer systems. The malware implements a custom protocol configured with a proxy server/port and proxy username and password, allowing hackers to bypass the compromised system'

Security researchers have finally, with "high confidence," linked a previously discovered global cyber espionage campaign targeting critical infrastructure around the world to a North Korean APT hacking group. Thanks to the new evidence collected by researchers after analyzing a command-and-control (C2) server involved in the espionage campaign and seized by law enforcement. Dubbed Operation Sharpshooter , the cyber espionage campaign targeting government, defense, nuclear, energy, and financial organizations around the world was initially uncovered in December 2018 by security researchers at McAfee. At that time, even after finding numerous technical links to the North Korean Lazarus hacking group , researchers were not able to immediately attribute the campaign due to a potential for false flags. Researchers Analysed Sharpshooter's Command Server Now, according to a press release shared with The Hacker News, a recent analysis of the seized code and command

The United States Department of Justice (DoJ) announced Wednesday its effort to "map and further disrupt" a botnet tied to North Korea that has infected numerous Microsoft Windows computers across the globe over the last decade. Dubbed Joanap , the botnet is believed to be part of " Hidden Cobra "—an Advanced Persistent Threat (APT) actors' group often known as Lazarus Group and Guardians of Peace and backed by the North Korean government. Hidden Cobra is the same hacking group that has been allegedly associated with the WannaCry ransomware menace in 2016, the SWIFT Banking attack in 2016, as well as Sony Motion Pictures hack in 2014. Dates back to 2009, Joanap is a remote access tool (RAT) that lands on a victim's system with the help an SMB worm called Brambul , which crawls from one computer to another by brute-forcing Windows Server Message Block (SMB) file-sharing services using a list of common passwords. Once there, Brambul downloads Jo

The US-CERT has released a joint technical alert from the DHS, the FBI, and Treasury warning about a new ATM scheme being used by the prolific North Korean APT hacking group known as Hidden Cobra . Hidden Cobra, also known as Lazarus Group and Guardians of Peace, is believed to be backed by the North Korean government and has previously launched attacks against a number of media organizations, aerospace, financial and critical infrastructure sectors across the world. The group had also reportedly been associated with the WannaCry ransomware menace that last year shut down hospitals and big businesses worldwide, the SWIFT Banking attack in 2016, as well as the Sony Pictures hack in 2014. Now, the FBI, the Department of Homeland Security (DHS), and the Department of the Treasury have released details about a new cyber attack, dubbed " FASTCash ," that Hidden Cobra has been using since at least 2016 to cash out ATMs by compromising the bank server. FASTCash Hack

The U.S. Department of Justice announces criminal charges against a North Korean government spy in connection with the 2017 global WannaCry ransomware attack and the 2014 Sony Pictures Entertainment hack . According to multiple government officials cited by the NY Times who are familiar with the indictment, the charges would be brought against Park Jin Hyok , who works for North Korean military intelligence agency Reconnaissance General Bureau (RGB). The November 2014 Sony Pictures Entertainment hack was done in retaliation for the studio's production of a comedic film, " The Interview ," a comedy about two journalists who are recruited by the CIA to assassinate North Korean leader Kim Jong Un. In June 2014, the Pyongyang government also denounced the film as "undisguised sponsoring of terrorism, as well as an Act of War" in a letter to U.N. Secretary-General Ban Ki-moon. The Sony Pictures hack was devastating to the company and exposed over 200

Remember the ' Olympic Destroyer ' cyber attack? The group behind it is still alive, kicking and has now been found targeting biological and chemical threat prevention laboratories in Europe and Ukraine, and a few financial organisation in Russia. Earlier this year, an unknown group of notorious hackers targeted Winter Olympic Games 2018 , held in South Korea, using a destructive malware that purposely planted sophisticated false flags to trick researchers into mis-attributing the campaign. Unfortunately, the destructive malware was successful to some extent, at least for a next few days, as immediately after the attack various security researchers postmortem the Olympic Destroyer malware and started attributing the attack to different nation-state hacking groups from North Korea, Russia, and China. Later researchers from Russian antivirus vendor Kaspersky Labs uncovered more details about the attack, including the evidence of false attribution artifacts, and conclud

The US-CERT has released a joint technical alert from the DHS and the FBI, warning about two newly identified malware being used by the prolific North Korean APT hacking group known as Hidden Cobra. Hidden Cobra, often known as Lazarus Group and Guardians of Peace, is believed to be backed by the North Korean government and known to launch attacks against media organizations, aerospace, financial and critical infrastructure sectors across the world. The group was even associated with the WannaCry ransomware menace that last year shut down hospitals and businesses worldwide. It is reportedly also linked to the 2014 Sony Pictures hack , as well as the SWIFT Banking attack in 2016. Now, the Department of Homeland Security (DHS) and the FBI have uncovered two new pieces of malware that Hidden Cobra has been using since at least 2009 to target companies working in the media, aerospace, financial, and critical infrastructure sectors across the world. The malware Hidden Cobra is

Security researchers at Cisco Talos have uncovered variants of a new Android Trojan that are being distributed in the wild disguising as a fake anti-virus application, dubbed "Naver Defender." Dubbed KevDroid , the malware is a remote administration tool (RAT) designed to steal sensitive information from compromised Android devices, as well as capable of recording phone calls. Talos researchers published Monday technical details about two recent variants of KevDroid detected in the wild, following the initial discovery of the Trojan by South Korean cybersecurity firm ESTsecurity two weeks ago. Though researchers haven't attributed the malware to any hacking or state-sponsored group, South Korean media have linked KevDroid with North Korea state-sponsored cyber espionage hacking group " Group 123 ," primarily known for targeting South Korean targets. The most recent variant of KevDroid malware, detected in March this year, has the following capabilit

Another reason to uninstall Adobe Flash Player—a new zero-day Flash Player exploit has reportedly been spotted in the wild by North Korean hackers. South Korea's Computer Emergency Response Team (KR-CERT) issued an alert Wednesday for a new Flash Player zero-day vulnerability that's being actively exploited in the wild by North Korean hackers to target Windows users in South Korea. Simon Choi of South Korea-based cybersecurity firm Hauri first reported the campaign on Twitter, saying the North Korean hackers have been using the Flash zero-day against South Koreans since mid-November 2017. Although Choi did not share any malware sample or details about the vulnerability, the researcher said the attacks using the new Flash zero-day is aimed at South Korean individuals who focus on researching North Korea. Adobe also released an advisory on Wednesday, which said the zero-day is exploiting a critical 'use-after-free' vulnerability (CVE-2018-4878) in its Flash

The North Korean hacking group has turned greedy. Security researchers have uncovered a new widespread malware campaign targeting cryptocurrency users, believed to be originated from Lazarus Group , a state-sponsored hacking group linked to the North Korean government. Active since 2009, Lazarus Group has been attributed to many high profile attacks, including Sony Pictures Hack , $81 million heists from the Bangladesh Bank , and the latest — WannaCry . The United States has officially blamed North Korea for global WannaCry ransomware attack that infected hundreds of thousands of computers across more than 150 countries earlier this year. In separate news, security experts have blamed Lazarus group for stealing bitcoins worth millions from the South Korean exchange Youbit , forcing it to shut down and file for bankruptcy after losing 17% of its assets. Researchers from security firm Proofpoint have published a new report, revealing a connection between Lazarus Group and a