The Hacker News Logo
Subscribe to Newsletter
CrowdSec

The Hacker News - Cybersecurity News and Analysis: North Korean hackers

Hackers Exploiting VMware Horizon to Target South Korea with NukeSped Backdoor

Hackers Exploiting VMware Horizon to Target South Korea with NukeSped Backdoor
May 20, 2022Ravie Lakshmanan
The North Korea-backed Lazarus Group has been observed leveraging the  Log4Shell vulnerability  in VMware Horizon servers to deploy the NukeSped (aka Manuscrypt) implant against targets located in its southern counterpart. "The attacker used the Log4j vulnerability on VMware Horizon products that were not applied with the security patch," AhnLab Security Emergency Response Center (ASEC)  said  in a new report. The intrusions are said to have been first discovered in April, although  multiple threat actors , including those aligned with  China  and  Iran , have employed the same approach to further their objectives over the past few months. NukeSped is a backdoor that can perform various malicious activities based on commands received from a remote attacker-controlled domain. Last year, Kaspersky disclosed a spear-phishing campaign aimed at stealing critical data from defense companies using a NukeSped variant called  ThreatNeedle . Some of the key functions of the bac

North Korean Hackers Target Journalists with GOLDBACKDOOR Malware

North Korean Hackers Target Journalists with GOLDBACKDOOR Malware
April 26, 2022Ravie Lakshmanan
A state-backed threat actor with ties to the Democratic People's Republic of Korea (DRPK) has been attributed to a spear-phishing campaign targeting journalists covering the country with the ultimate goal of deploying a backdoor on infected Windows systems. The intrusions, said to be the work of Ricochet Chollima, resulted in the deployment of a novel malware strain called GOLDBACKDOOR, an artifact that shares technical overlaps with another malware named BLUELIGHT, which has been previously linked to the group. "Journalists are high-value targets for hostile governments," cybersecurity firm Stairwell  said  in a report published last week. "Compromising a journalist can provide access to highly-sensitive information and enable additional attacks against their sources." Ricochet Chollima, also known as  APT37 , InkySquid, and ScarCruft, is a North Korean-nexus targeted intrusion adversary that has been involved in espionage attacks since at least 2016. The

FBI, U.S. Treasury and CISA Warn of North Korean Hackers Targeting Blockchain Companies

FBI, U.S. Treasury and CISA Warn of North Korean Hackers Targeting Blockchain Companies
April 18, 2022Ravie Lakshmanan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI) and the Treasury Department, warned of a new set of ongoing cyber attacks carried out by the Lazarus Group targeting blockchain companies. Calling the activity cluster  TraderTraitor , the infiltrations involve the North Korean state-sponsored advanced persistent threat (APT) actor striking entities operating in the Web3.0 industry since at least 2020. Targeted organizations include cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable non-fungible tokens (NFTs). The attack chains commence with the threat actor reaching out to victims via different communication platforms to lure them into downloading weaponized cryptocurrency apps for Windows and macOS, subse

Lazarus Group Behind $540 Million Axie Infinity Crypto Hack and Attacks on Chemical Sector

Lazarus Group Behind $540 Million Axie Infinity Crypto Hack and Attacks on Chemical Sector
April 16, 2022Ravie Lakshmanan
The U.S. Treasury Department has implicated the North Korea-backed Lazarus Group (aka Hidden Cobra) in the theft of $540 million from video game Axie Infinity's Ronin Network last month. On Thursday, the Treasury  tied  the Ethereum  wallet address  that received the stolen digital currency to the threat actor and sanctioned the funds by adding the address to the Office of Foreign Assets Control's (OFAC) Specially Designated Nationals ( SDN ) List. "The FBI, in coordination with Treasury and other U.S. government partners, will continue to expose and combat the DPRK's use of illicit activities – including cybercrime and cryptocurrency theft – to generate revenue for the regime," the intelligence and law enforcement agency  said  in a statement. The cryptocurrency heist, the second-largest cyber-enabled theft to date, involved the siphoning of 173,600 Ether (ETH) and 25.5 million USD Coins from the Ronin cross-chain bridge, which allows users to transfer their

North Korean Hackers Distributing Trojanized DeFi Wallet Apps to Steal Victims' Crypto

North Korean Hackers Distributing Trojanized DeFi Wallet Apps to Steal Victims' Crypto
April 01, 2022Ravie Lakshmanan
The North Korean state-backed hacking crew, otherwise known as the  Lazarus Group , has been attributed to yet another financially motivated campaign that leverages a trojanized decentralized finance (DeFi) wallet app to distribute a fully-featured backdoor onto compromised Windows systems. The app, which is equipped with functionalities to save and manage a cryptocurrency wallet, is also designed to trigger the launch of the implant that can take control of the infected host. Russian cybersecurity firm Kaspersky  said  it first encountered the rogue application in mid-December 2021. The infection scheme initiated by the app also results in the deployment of the installer for a legitimate application, which gets overwritten with a trojanized version in an effort to cover its tracks. That said, the initial access avenue is unclear, although it's suspected to be a case of social engineering. The spawned malware, which masquerades as Google's Chrome web browser, subsequently

North Korean Hackers Using Windows Update Service to Infect PCs with Malware

North Korean Hackers Using Windows Update Service to Infect PCs with Malware
January 28, 2022Ravie Lakshmanan
The notorious  Lazarus Group  actor has been observed mounting a new campaign that makes use of the Windows Update service to execute its malicious payload, expanding the arsenal of living-off-the-land (LotL) techniques leveraged by the APT group to further its objectives. The Lazarus Group, also known as  APT38 , Hidden Cobra, Whois Hacking Team, and Zinc, is the moniker assigned to the North Korea-based nation-state hacking group that's been active since at least 2009. Last year, the threat actor was  linked  to an elaborate  social engineering campaign  targeting security researchers. The latest spear-phishing attacks, which  Malwarebytes  detected on January 18, originate from weaponized documents with job-themed lures impersonating the American global security and aerospace company Lockheed Martin. Opening the decoy Microsoft Word file triggers the execution of a malicious macro embedded within the document that, in turn, executes a Base64-decoded shellcode to inject a nu

North Korean Hackers Stole Millions from Cryptocurrency Startups Worldwide

North Korean Hackers Stole Millions from Cryptocurrency Startups Worldwide
January 14, 2022Ravie Lakshmanan
Operators associated with the Lazarus sub-group BlueNoroff have been linked to a series of cyberattacks targeting small and medium-sized companies worldwide with an aim to drain their cryptocurrency funds, in what's yet another financially motivated operation mounted by the prolific North Korean state-sponsored actor. Russian cybersecurity company Kaspersky, which is tracking the intrusions under the name " SnatchCrypto ," noted that the campaign has been running since at 2017, adding the attacks are aimed at startups in the FinTech sector located in China, Hong Kong, India, Poland, Russia, Singapore, Slovenia, the Czech Republic, the U.A.E., the U.S., Ukraine, and Vietnam. "The attackers have been subtly abusing the trust of the employees working at targeted companies by sending them a full-featured Windows backdoor with surveillance functions, disguised as a contract or another business file," the researchers  said . "In order to eventually empty the v

North Korean Hackers Start New Year with Attacks on Russian Foreign Ministry

North Korean Hackers Start New Year with Attacks on Russian Foreign Ministry
January 06, 2022Ravie Lakshmanan
A North Korean cyberespionage group named Konni has been linked to a series of targeted attacks aimed at the Russian Federation's Ministry of Foreign Affairs (MID) with New Year lures to compromise Windows systems with malware. "This activity cluster demonstrates the patient and persistent nature of advanced actors in waging multi-phased campaigns against perceived high-value networks," researchers from Lumen Technologies' Black Lotus Labs  said  in an analysis shared with The Hacker News. The Konni group's tactics, techniques, and procedures (TTPs) are known to overlap with threat actors belonging to the broader  Kimsuky  umbrella, which is also tracked by the cybersecurity community under the monikers Velvet Chollima, ITG16, Black Banshee, and Thallium. The most recent attacks involved the actor gaining access to the target networks through stolen credentials, exploiting the foothold to load malware for intelligence gathering purposes, with early signs of t

New Chinotto Spyware Targets North Korean Defectors, Human Rights Activists

New Chinotto Spyware Targets North Korean Defectors, Human Rights Activists
November 29, 2021Ravie Lakshmanan
North Korean defectors, journalists who cover North Korea-related news, and entities in South Korea are being zeroed in on by a nation-state-sponsored advanced persistent threat (APT) as part of a new wave of highly-targeted surveillance attacks. Russian cybersecurity firm Kaspersky attributed the infiltrations to a North Korean hacker group tracked as  ScarCruft , also known as  APT37 , Reaper Group, InkySquid, and Ricochet Chollima. "The actor utilized three types of malware with similar functionalities: versions implemented in PowerShell, Windows executables and Android applications," the company's Global Research and Analysis Team (GReAT)  said  in a new report published today. "Although intended for different platforms, they share a similar command and control scheme based on HTTP communication. Therefore, the malware operators can control the whole malware family through one set of command and control scripts." Likely active since at least 2012, ScarC

North Korean Hackers Found Behind a Range of Credential Theft Campaigns

North Korean Hackers Found Behind a Range of Credential Theft Campaigns
November 20, 2021Ravie Lakshmanan
A threat actor with ties to North Korea has been linked to a prolific wave of credential theft campaigns targeting research, education, government, media and other organizations, with two of the attacks also attempting to distribute malware that could be used for intelligence gathering. Enterprise security firm Proofpoint  attributed  the infiltrations to a group it tracks as  TA406 , and by the wider threat intelligence community under the monikers  Kimsuky  ( Kaspersky ), Velvet Chollima ( CrowdStrike ), Thallium ( Microsoft ), Black Banshee ( PwC ), ITG16 ( IBM ), and the Konni Group ( Cisco Talos ). Policy experts, journalists and nongovernmental organizations (NGOs) were targeted as part of weekly campaigns observed between from January through June 2021, Proofpoint researchers Darien Huss and Selena Larson disclosed in a technical report detailing the actor's tactics, techniques, and procedures (TTPs), with the attacks spread across North America, Russia, China, and South

Researchers Discover PhoneSpy Malware Spying on South Korean Citizens

Researchers Discover PhoneSpy Malware Spying on South Korean Citizens
November 10, 2021Ravie Lakshmanan
An ongoing mobile spyware campaign has been uncovered snooping on South Korean residents using a family of 23 malicious Android apps to siphon sensitive information and gain remote control of the devices. "With more than a thousand South Korean victims, the malicious group behind this invasive campaign has had access to all the data, communications, and services on their devices," Zimperium researcher Aazim Yaswant said. "The victims were broadcasting their private information to the malicious actors with zero indication that something was amiss." The Dallas-based mobile security company dubbed the campaign " PhoneSpy ." Zimperium did not attribute the spyware to a known threat actor. "The evidence surrounding PhoneSpy shows a familiar framework that has been passed around for years, updated by individuals and shared within private communities and back channels until assembled into what we see in this variation today," Richard Melick, the co

North Korea Exploited VPN Flaw to Hack South's Nuclear Research Institute

North Korea Exploited VPN Flaw to Hack South's Nuclear Research Institute
June 18, 2021Ravie Lakshmanan
South Korea's state-run Korea Atomic Energy Research Institute (KAERI) on Friday disclosed that its internal network was infiltrated by suspected attackers operating out of its northern counterpart. The intrusion is said to have taken place on May 14 through a vulnerability in an unnamed virtual private network (VPN) vendor and involved a  total of 13 IP addresses , one of which — "27.102.114[.]89" — has been previously linked to a state-sponsored threat actor dubbed  Kimsuky . KAERI, established in 1959 and situated in the city of Daejeon, is a government-funded research institute that designs and develops nuclear technologies related to reactors, fuel rods, radiation fusion, and nuclear safety. Following the intrusion, the think tank said it took steps to block the attacker's IP addresses in question and applied necessary security patches to the vulnerable VPN solution. "Currently, the Atomic Energy Research Institute is investigating the subject of the ha

U.S. Charges 3 North Korean Hackers Over $1.3 Billion Cryptocurrency Heist

U.S. Charges 3 North Korean Hackers Over $1.3 Billion Cryptocurrency Heist
February 17, 2021Ravie Lakshmanan
The U.S. Department of Justice (DoJ) on Wednesday  indicted  three suspected North Korean hackers for allegedly conspiring to steal and extort over $1.3 billion in cash and cryptocurrencies from financial institutions and businesses. The three defendants — Jon Chang Hyok, 31; Kim Il, 27; and Park Jin Hyok, 36 — are said to be members of the Reconnaissance General Bureau, a military intelligence division of North Korea, also known as the  Lazarus group ,  Hidden Cobra , or Advanced Persistent Threat 38 (APT 38). Accusing them of creating and deploying multiple malicious cryptocurrency applications, developing and fraudulently marketing a blockchain platform, the indictment expands on the  2018 charges brought against Park , one of the alleged nation-state hackers previously charged in connection with the 2014 cyberattack on Sony Pictures Entertainment. A Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes "North Korea's operatives, using keyboards rather than g

Hackers Target Defense Contractors' Employees By Posing as Recruiters

Hackers Target Defense Contractors' Employees By Posing as Recruiters
August 20, 2020Mohit Kumar
The United States Cybersecurity and Infrastructure Security Agency (CISA) has published a new report warning companies about a new in-the-wild malware that North Korean hackers are reportedly using to spy on key employees at government contracting companies. Dubbed ' BLINDINGCAN ,' the advanced remote access trojan acts as a backdoor when installed on compromised computers. According to the FBI and CISA, North Korean state-sponsored hackers Lazarus Group , also known as Hidden Cobra , are spreading BLINDINGCAN to "gather intelligence surrounding key military and energy technologies." To achieve this, attackers first identify high-value targets, perform extensive research on their social and professional networks, and then pose as recruiters to send malicious documents loaded with the malware, masquerading as job advertisements and offerings. However, such employment scams and social engineering strategies are not new and were recently spotted being used in

EU sanctions hackers from China, Russia, North Korea who're wanted by the FBI

EU sanctions hackers from China, Russia, North Korea who're wanted by the FBI
July 31, 2020Swati Khandelwal
The Council of the European Union has imposed its first-ever sanctions against persons or entities involved in various cyber-attacks targeting European citizens, and its member states. The directive has been issued against six individuals and three entities responsible for or involved in various cyber-attacks, out of which some publicly known are ' WannaCry ', ' NotPetya ', and ' Operation Cloud Hopper ,' as well as an attempted cyber-attack against the organization for the prohibition of chemical weapons. Out of the six individuals sanctioned by the EU include two Chinese citizens and four Russian nationals. The companies involved in carrying out cyberattacks include an export firm based in North Korea, and technology companies from China and Russia. The sanctions imposed include a ban on persons traveling to any EU countries and a freeze of assets on persons and entities. Besides this, EU citizens and entities are also forbidden from doing any busin

U.S Defense Warns of 3 New Malware Used by North Korean Hackers

U.S Defense Warns of 3 New Malware Used by North Korean Hackers
May 13, 2020Ravie Lakshmanan
Yesterday, on the 3rd anniversary of the infamous global WannaCry ransomware outbreak for which North Korea was blamed, the U.S. government released information about three new malware strains used by state-sponsored North Korean hackers. Called COPPERHEDGE, TAINTEDSCRIBE, and PEBBLEDASH, the malware variants are capable of remote reconnaissance and exfiltration of sensitive information from target systems, according to a joint advisory released by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). The three new malware strains are the latest addition to a long list of over 20 malware samples , including BISTROMATH, SLICKSHOES, HOPLIGHT, and ELECTRICFISH , among others, that have been identified by the security agencies as originating as part of a series of malicious cyber activity by the North Korean government it calls Hidden Cobra , or widely known by the moniker Lazarus Group. Full

U.S. Offers Rewards up to $5 Million for Information on North Korean Hackers

U.S. Offers Rewards up to $5 Million for Information on North Korean Hackers
April 15, 2020Mohit Kumar
The United States agencies today released a joint advisory warning the world about the 'significant cyber threat' posed by North Korean state-sponsored hackers to the global banking and financial institutions. Besides a summary of recent cyberattacks attributed to North Korean hackers, the advisory—issued by U.S. Departments of State, the Treasury, and Homeland Security, and the FBI—also contains a comprehensive guide intends to help the international community, industries, and other governments defend against North Korea's illicit activities. "In particular, the United States is deeply concerned about North Korea's malicious cyber activities, which the U.S. government refers to as HIDDEN COBRA. The DPRK has the capability to conduct disruptive or destructive cyber activities affecting U.S. critical infrastructure," the advisory says . "The DPRK also uses cyber capabilities to steal from financial institutions, and has demonstrated a pattern of d
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.