The Hacker News Logo
Subscribe to Newsletter
CrowdSec

The Hacker News - Most Trusted Cyber Security and Computer Security Analysis: North Korean hackers

North Korean Hackers Weaponizing Open-Source Software in Latest Cyber Attacks

North Korean Hackers Weaponizing Open-Source Software in Latest Cyber Attacks

September 30, 2022Ravie Lakshmanan
A "highly operational, destructive, and sophisticated nation-state activity group" with ties to North Korea has been weaponizing open source software in their social engineering campaigns aimed at companies around the world since June 2022. Microsoft's threat intelligence teams, alongside LinkedIn Threat Prevention and Defense, attributed the intrusions with high confidence to Zinc, a threat group affiliated with Lazarus which is also tracked under the name Labyrinth Chollima.  Attacks targeted employees in organizations across multiple industries, including media, defense and aerospace, and IT services in the U.S., the U.K., India, and Russia. The tech giant  said  it observed Zinc leveraging a "wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installer for these attacks." According to  CrowdStrike , Zinc "has been active since 2009 in operations aimed at collecting polit
North Korea's Lazarus Hackers Targeting macOS Users Interested in Crypto Jobs

North Korea's Lazarus Hackers Targeting macOS Users Interested in Crypto Jobs

September 27, 2022Ravie Lakshmanan
The infamous Lazarus Group has continued its pattern of leveraging unsolicited job opportunities to deploy malware targeting Apple's macOS operating system. In the latest variant of the campaign observed by cybersecurity company SentinelOne last week, decoy documents advertising positions for the Singapore-based cryptocurrency exchange firm Crypto[.]com have been used to mount the attacks. The latest disclosure builds on previous findings from Slovak cybersecurity firm ESET in August, which  delved  into a similar phony job posting for the Coinbase cryptocurrency exchange platform. Both these fake job advertisements are just the latest in a series of attacks dubbed  Operation In(ter)ception , which, in turn, is a constituent of a broader campaign tracked under the name  Operation Dream Job . Although the exact distribution vector for the malware remains unknown, it's suspected that potential targets are singled out via direct messages on the business networking site Linke
U.S. Seizes Cryptocurrency Worth $30 Million Stolen by North Korean Hackers

U.S. Seizes Cryptocurrency Worth $30 Million Stolen by North Korean Hackers

September 09, 2022Ravie Lakshmanan
More than $30 million worth of cryptocurrency plundered by the North Korea-linked Lazarus Group from online video game Axie Infinity has been recovered, marking the first time digital assets stolen by the threat actor have been seized. "The seizures represent approximately 10% of the total funds stolen from Axie Infinity (accounting for price differences between time stolen and seized), and demonstrate that it is becoming more difficult for bad actors to successfully cash out their ill-gotten crypto gains," Erin Plante, senior director of investigations at Chainalysis,  said . The development arrives more than five months after the  crypto hack  resulted in the theft of $620 million from the decentralized finance (DeFi) platform Ronin Network, with the attackers laundering a majority of the proceeds – amounting to $455 million – through the Ethereum-based cryptocurrency tumbler Tornado Cash. The March 2022 cryptocurrency heist resulted in losses totaling 173,600 ETH wort
U.S. Offers $10 Million Reward for Information on North Korean Hackers

U.S. Offers $10 Million Reward for Information on North Korean Hackers

July 28, 2022Ravie Lakshmanan
The U.S. State Department has announced rewards of up to $10 million for any information that could help disrupt North Korea's cryptocurrency theft, cyber-espionage, and other illicit state-backed activities. "If you have information on any individuals associated with the North Korean government-linked malicious cyber groups (such as Andariel, APT38, Bluenoroff, Guardians of Peace, Kimsuky, or Lazarus Group) and who are involved in targeting U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act, you may be eligible for a reward," the department  said  in a tweet. The amount is double the bounty the agency  publicized  in March 2022 for specifics regarding the financial mechanisms employed by state-sponsored actors working on behalf of the North Korean government. The development comes a week after the Justice Department  disclosed  the seizure of $500,000 worth of Bitcoin from North Korean hackers who extorted digital payments by using a new r
FBI Seizes $500,000 Ransomware Payments and Crypto from North Korean Hackers

FBI Seizes $500,000 Ransomware Payments and Crypto from North Korean Hackers

July 21, 2022Ravie Lakshmanan
The U.S. Department of Justice (DoJ) has announced the seizure of $500,000 worth of Bitcoin from North Korean hackers who extorted digital payments from several organizations by using a new ransomware strain known as Maui. "The seized funds include ransoms paid by healthcare providers in Kansas and Colorado," the DoJ  said  in a press release issued Tuesday. The recovery of the bitcoin ransoms comes after the agency said it took control of two cryptocurrency accounts that were used to receive payments to the tune of $100,000 and $120,000 from the medical centers. The DoJ did not disclose where the rest of the payments originated from. "Reporting cyber incidents to law enforcement and cooperating with investigations not only protects the United States, it is also good business," said Assistant Attorney General Matthew G. Olsen of the DoJ's National Security Division. "The reimbursement to these victims of the ransom shows why it pays to work with law en
State-Backed Hackers Targeting Journalists in Widespread Espionage Campaigns

State-Backed Hackers Targeting Journalists in Widespread Espionage Campaigns

July 14, 2022Ravie Lakshmanan
Nation-state hacking groups aligned with China, Iran, North Korea, and Turkey have been targeting journalists to conduct espionage and spread malware as part of a series of campaigns since early 2021. "Most commonly, phishing attacks targeting journalists are used for espionage or to gain key insights into the inner workings of another government, company, or other area of state-designated import," Proofpoint  said  in a report shared with The Hacker News. The ultimate goal of the "sustained" intrusions, the enterprise security firm said, is to gain a competitive intelligence edge or spread disinformation and propaganda. Proofpoint said it identified two Chinese hacking groups, TA412 (aka  Zirconium  or Judgment Panda) and  TA459 , targeting media personnel with malicious emails containing web beacons and weaponized documents respectively that were used to amass information about the recipients' network environments and drop  Chinoxy  malware. In a simila
North Korean Maui Ransomware Actively Targeting U.S. Healthcare Organizations

North Korean Maui Ransomware Actively Targeting U.S. Healthcare Organizations

July 07, 2022Ravie Lakshmanan
In a new joint cybersecurity advisory, U.S. cybersecurity and intelligence agencies have warned about the use of Maui ransomware by North Korean government-backed hackers to target the healthcare sector since at least May 2021. "North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services," the authorities  noted . The  alert  comes courtesy of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of the Treasury. Cybersecurity firm Stairwell, whose findings formed the basis of the advisory, said the lesser-known ransomware family stands out because of a lack of several key features commonly associated with ransomware-as-a-service (RaaS) groups. This includes the absence of "embedded ransom note to provide recov
Hackers Exploiting VMware Horizon to Target South Korea with NukeSped Backdoor

Hackers Exploiting VMware Horizon to Target South Korea with NukeSped Backdoor

May 20, 2022Ravie Lakshmanan
The North Korea-backed Lazarus Group has been observed leveraging the  Log4Shell vulnerability  in VMware Horizon servers to deploy the NukeSped (aka Manuscrypt) implant against targets located in its southern counterpart. "The attacker used the Log4j vulnerability on VMware Horizon products that were not applied with the security patch," AhnLab Security Emergency Response Center (ASEC)  said  in a new report. The intrusions are said to have been first discovered in April, although  multiple threat actors , including those aligned with  China  and  Iran , have employed the same approach to further their objectives over the past few months. NukeSped is a backdoor that can perform various malicious activities based on commands received from a remote attacker-controlled domain. Last year, Kaspersky disclosed a spear-phishing campaign aimed at stealing critical data from defense companies using a NukeSped variant called  ThreatNeedle . Some of the key functions of the bac
North Korean Hackers Target Journalists with GOLDBACKDOOR Malware

North Korean Hackers Target Journalists with GOLDBACKDOOR Malware

April 26, 2022Ravie Lakshmanan
A state-backed threat actor with ties to the Democratic People's Republic of Korea (DRPK) has been attributed to a spear-phishing campaign targeting journalists covering the country with the ultimate goal of deploying a backdoor on infected Windows systems. The intrusions, said to be the work of Ricochet Chollima, resulted in the deployment of a novel malware strain called GOLDBACKDOOR, an artifact that shares technical overlaps with another malware named BLUELIGHT, which has been previously linked to the group. "Journalists are high-value targets for hostile governments," cybersecurity firm Stairwell  said  in a report published last week. "Compromising a journalist can provide access to highly-sensitive information and enable additional attacks against their sources." Ricochet Chollima, also known as  APT37 , InkySquid, and ScarCruft, is a North Korean-nexus targeted intrusion adversary that has been involved in espionage attacks since at least 2016. The
FBI, U.S. Treasury and CISA Warn of North Korean Hackers Targeting Blockchain Companies

FBI, U.S. Treasury and CISA Warn of North Korean Hackers Targeting Blockchain Companies

April 19, 2022Ravie Lakshmanan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI) and the Treasury Department, warned of a new set of ongoing cyber attacks carried out by the Lazarus Group targeting blockchain companies. Calling the activity cluster  TraderTraitor , the infiltrations involve the North Korean state-sponsored advanced persistent threat (APT) actor striking entities operating in the Web3.0 industry since at least 2020. Targeted organizations include cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable non-fungible tokens (NFTs). The attack chains commence with the threat actor reaching out to victims via different communication platforms to lure them into downloading weaponized cryptocurrency apps for Windows and macOS, subse
Lazarus Group Behind $540 Million Axie Infinity Crypto Hack and Attacks on Chemical Sector

Lazarus Group Behind $540 Million Axie Infinity Crypto Hack and Attacks on Chemical Sector

April 16, 2022Ravie Lakshmanan
The U.S. Treasury Department has implicated the North Korea-backed Lazarus Group (aka Hidden Cobra) in the theft of $540 million from video game Axie Infinity's Ronin Network last month. On Thursday, the Treasury  tied  the Ethereum  wallet address  that received the stolen digital currency to the threat actor and sanctioned the funds by adding the address to the Office of Foreign Assets Control's (OFAC) Specially Designated Nationals ( SDN ) List. "The FBI, in coordination with Treasury and other U.S. government partners, will continue to expose and combat the DPRK's use of illicit activities – including cybercrime and cryptocurrency theft – to generate revenue for the regime," the intelligence and law enforcement agency  said  in a statement. The cryptocurrency heist, the second-largest cyber-enabled theft to date, involved the siphoning of 173,600 Ether (ETH) and 25.5 million USD Coins from the Ronin cross-chain bridge, which allows users to transfer their
North Korean Hackers Distributing Trojanized DeFi Wallet Apps to Steal Victims' Crypto

North Korean Hackers Distributing Trojanized DeFi Wallet Apps to Steal Victims' Crypto

April 01, 2022Ravie Lakshmanan
The North Korean state-backed hacking crew, otherwise known as the  Lazarus Group , has been attributed to yet another financially motivated campaign that leverages a trojanized decentralized finance (DeFi) wallet app to distribute a fully-featured backdoor onto compromised Windows systems. The app, which is equipped with functionalities to save and manage a cryptocurrency wallet, is also designed to trigger the launch of the implant that can take control of the infected host. Russian cybersecurity firm Kaspersky  said  it first encountered the rogue application in mid-December 2021. The infection scheme initiated by the app also results in the deployment of the installer for a legitimate application, which gets overwritten with a trojanized version in an effort to cover its tracks. That said, the initial access avenue is unclear, although it's suspected to be a case of social engineering. The spawned malware, which masquerades as Google's Chrome web browser, subsequently
North Korean Hackers Using Windows Update Service to Infect PCs with Malware

North Korean Hackers Using Windows Update Service to Infect PCs with Malware

January 28, 2022Ravie Lakshmanan
The notorious  Lazarus Group  actor has been observed mounting a new campaign that makes use of the Windows Update service to execute its malicious payload, expanding the arsenal of living-off-the-land (LotL) techniques leveraged by the APT group to further its objectives. The Lazarus Group, also known as  APT38 , Hidden Cobra, Whois Hacking Team, and Zinc, is the moniker assigned to the North Korea-based nation-state hacking group that's been active since at least 2009. Last year, the threat actor was  linked  to an elaborate  social engineering campaign  targeting security researchers. The latest spear-phishing attacks, which  Malwarebytes  detected on January 18, originate from weaponized documents with job-themed lures impersonating the American global security and aerospace company Lockheed Martin. Opening the decoy Microsoft Word file triggers the execution of a malicious macro embedded within the document that, in turn, executes a Base64-decoded shellcode to inject a nu
North Korean Hackers Stole Millions from Cryptocurrency Startups Worldwide

North Korean Hackers Stole Millions from Cryptocurrency Startups Worldwide

January 14, 2022Ravie Lakshmanan
Operators associated with the Lazarus sub-group BlueNoroff have been linked to a series of cyberattacks targeting small and medium-sized companies worldwide with an aim to drain their cryptocurrency funds, in what's yet another financially motivated operation mounted by the prolific North Korean state-sponsored actor. Russian cybersecurity company Kaspersky, which is tracking the intrusions under the name " SnatchCrypto ," noted that the campaign has been running since at 2017, adding the attacks are aimed at startups in the FinTech sector located in China, Hong Kong, India, Poland, Russia, Singapore, Slovenia, the Czech Republic, the U.A.E., the U.S., Ukraine, and Vietnam. "The attackers have been subtly abusing the trust of the employees working at targeted companies by sending them a full-featured Windows backdoor with surveillance functions, disguised as a contract or another business file," the researchers  said . "In order to eventually empty the v
North Korean Hackers Start New Year with Attacks on Russian Foreign Ministry

North Korean Hackers Start New Year with Attacks on Russian Foreign Ministry

January 06, 2022Ravie Lakshmanan
A North Korean cyberespionage group named Konni has been linked to a series of targeted attacks aimed at the Russian Federation's Ministry of Foreign Affairs (MID) with New Year lures to compromise Windows systems with malware. "This activity cluster demonstrates the patient and persistent nature of advanced actors in waging multi-phased campaigns against perceived high-value networks," researchers from Lumen Technologies' Black Lotus Labs  said  in an analysis shared with The Hacker News. The Konni group's tactics, techniques, and procedures (TTPs) are known to overlap with threat actors belonging to the broader  Kimsuky  umbrella, which is also tracked by the cybersecurity community under the monikers Velvet Chollima, ITG16, Black Banshee, and Thallium. The most recent attacks involved the actor gaining access to the target networks through stolen credentials, exploiting the foothold to load malware for intelligence gathering purposes, with early signs of t
New Chinotto Spyware Targets North Korean Defectors, Human Rights Activists

New Chinotto Spyware Targets North Korean Defectors, Human Rights Activists

November 29, 2021Ravie Lakshmanan
North Korean defectors, journalists who cover North Korea-related news, and entities in South Korea are being zeroed in on by a nation-state-sponsored advanced persistent threat (APT) as part of a new wave of highly-targeted surveillance attacks. Russian cybersecurity firm Kaspersky attributed the infiltrations to a North Korean hacker group tracked as  ScarCruft , also known as  APT37 , Reaper Group, InkySquid, and Ricochet Chollima. "The actor utilized three types of malware with similar functionalities: versions implemented in PowerShell, Windows executables and Android applications," the company's Global Research and Analysis Team (GReAT)  said  in a new report published today. "Although intended for different platforms, they share a similar command and control scheme based on HTTP communication. Therefore, the malware operators can control the whole malware family through one set of command and control scripts." Likely active since at least 2012, ScarC
North Korean Hackers Found Behind a Range of Credential Theft Campaigns

North Korean Hackers Found Behind a Range of Credential Theft Campaigns

November 20, 2021Ravie Lakshmanan
A threat actor with ties to North Korea has been linked to a prolific wave of credential theft campaigns targeting research, education, government, media and other organizations, with two of the attacks also attempting to distribute malware that could be used for intelligence gathering. Enterprise security firm Proofpoint  attributed  the infiltrations to a group it tracks as  TA406 , and by the wider threat intelligence community under the monikers  Kimsuky  ( Kaspersky ), Velvet Chollima ( CrowdStrike ), Thallium ( Microsoft ), Black Banshee ( PwC ), ITG16 ( IBM ), and the Konni Group ( Cisco Talos ). Policy experts, journalists and nongovernmental organizations (NGOs) were targeted as part of weekly campaigns observed between from January through June 2021, Proofpoint researchers Darien Huss and Selena Larson disclosed in a technical report detailing the actor's tactics, techniques, and procedures (TTPs), with the attacks spread across North America, Russia, China, and South
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.