North Korean hackers | Breaking Cybersecurity News | The Hacker News

The North Korean state-sponsored threat actor known as  Kimsuky  has been discovered using a new reconnaissance tool called  ReconShark  as part of an ongoing global campaign. "[ReconShark] is actively delivered to specifically targeted individuals through spear-phishing emails, OneDrive links leading to document downloads, and the execution of malicious macros," SentinelOne researchers Tom Hegel and Aleksandar Milenkoski  said . Kimsuky  is also known by the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), Nickel Kimball, and Velvet Chollima. Active since at least 2012, the  prolific   threat actor  has been linked to  targeted   attacks  on non-governmental organizations (NGOs), think tanks, diplomatic agencies, military organizations, economic groups, and research entities across North America, Asia, and Europe. The latest intrusion set documented by SentinelOne leverages geopolitical themes related to North Korea's nuclear proliferat

A financially-motivated North Korean threat actor is suspected to be behind a new Apple macOS malware strain called  RustBucket . "[RustBucket] communicates with command and control (C2) servers to download and execute various payloads," Jamf Threat Labs researchers Ferdous Saljooki and Jaron Bradley  said  in a technical report published last week.  The Apple device management company attributed it to a threat actor known as BlueNoroff, a subgroup within the infamous Lazarus cluster that's also tracked under the monikers APT38, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and TA444. The connections stem from tactical and infrastructure overlaps with a  prior campaign  exposed by Russian cybersecurity company Kaspersky in late December 2022 likely aimed at Japanese financial entities using fake domains impersonating venture capital firms. BlueNoroff, unlike other constituent entities of the Lazarus Group, is known for its  sophisticated   cyber-enabled heists

In today's digital world, where connectivity is rules all, endpoints serve as the gateway to a business's digital kingdom. And because of this, endpoints are one of hackers' favorite targets.  According to the IDC,  70% of successful breaches start at the endpoint . Unprotected endpoints provide vulnerable entry points to launch devastating cyberattacks. With IT teams needing to protect more endpoints—and more kinds of endpoints—than ever before, that perimeter has become more challenging to defend. You need to improve your endpoint security, but where do you start? That's where this guide comes in.  We've curated the top 10 must-know endpoint security tips that every IT and security professional should have in their arsenal. From identifying entry points to implementing EDR solutions, we'll dive into the insights you need to defend your endpoints with confidence.  1. Know Thy Endpoints: Identifying and Understanding Your Entry Points Understanding your network's

A new North Korean nation-state cyber operator has been attributed to a series of campaigns orchestrated to gather strategic intelligence that aligns with Pyongyang's geopolitical interests since 2018. Google-owned Mandiant, which is tracking the activity cluster under the moniker  APT43 , said the group's motives are both espionage- and financially-motivated, leveraging techniques like  credential harvesting  and social engineering to further its objectives. The monetary angle to its attack campaigns is an attempt on the part of the threat actor to generate funds to meet its "primary mission of collecting strategic intelligence." Victimology patterns suggest that targeting is focused on South Korea, the U.S., Japan, and Europe, spanning government, education, research, policy institutes, business services, and manufacturing sectors. The threat actor was also observed straying off course by striking health-related verticals and pharma companies from October 2020

A North Korean espionage group tracked as  UNC2970  has been observed employing previously undocumented malware families as part of a spear-phishing campaign targeting U.S. and European media and technology organizations since June 2022. Google-owned Mandiant said the threat cluster shares "multiple overlaps" with a  long-running   operation   dubbed  " Dream Job " that employs job recruitment lures in email messages to trigger the infection sequence. UNC2970 is the new moniker designated by the threat intelligence firm to a set of North Korean cyber activity that maps to UNC577 (aka Temp.Hermit ), and which also comprises another nascent threat cluster tracked as UNC4034. The UNC4034 activity, as  documented  by Mandiant in September 2022, entailed the use of WhatsApp to socially engineer targets into downloading a  backdoor  called AIRDRY.V2 under the pretext of sharing a skills assessment test. "UNC2970 has a concerted effort towards obfuscation and emp

The North Korea-linked  Lazarus Group  has been observed weaponizing flaws in an undisclosed software to breach a financial business entity in South Korea twice within a span of a year. While the first attack in May 2022 entailed the use of a vulnerable version of a certificate software that's widely used by public institutions and universities, the re-infiltration in October 2022 involved the exploitation of a zero-day in the same program. Cybersecurity firm AhnLab Security Emergency Response Center (ASEC)  said  it's refraining from divulging more specifics owing to the fact that "the vulnerability has not been fully verified yet and a software patch has not been released." The adversarial collective, after obtaining an initial foothold by an unknown method, abused the zero-day bug to perform lateral movement, shortly after which the AhnLab V3 anti-malware engine was disabled via a  BYOVD attack . It's worth noting here that the Bring Your Own Vulnerable D

A new backdoor associated with a malware downloader named  Wslink  has been discovered, with the tool likely used by the notorious North Korea-aligned Lazarus Group, new findings reveal. The payload, dubbed  WinorDLL64  by ESET, is a fully-featured implant that can exfiltrate, overwrite, and delete files; execute PowerShell commands; and obtain comprehensive information about the underlying machine. Its other features comprise listing active sessions, creating and terminating processes, enumerating drives, and compressing directories. Wslink was  first documented  by the Slovak cybersecurity firm in October 2021, describing it as a "simple yet remarkable" malware loader that's capable of executing received modules in memory. "The Wslink payload can be leveraged later for lateral movement, due to its specific interest in network sessions," ESET researcher Vladislav Hrčka  said . "The Wslink loader listens on a port specified in the configuration and can

A North Korean nation-state group notorious for crypto heists has been attributed to a new wave of malicious email attacks as part of a "sprawling" credential harvesting activity targeting a number of industry verticals, marking a significant shift in its strategy. The state-aligned threat actor is being tracked by Proofpoint under the name  TA444 , and by the larger cybersecurity community as APT38,  BlueNoroff , Copernicium, and Stardust Chollima. TA444 is "utilizing a wider variety of delivery methods and payloads alongside blockchain-related lures, fake job opportunities at prestigious firms, and salary adjustments to ensnare victims," the enterprise security firm  said  in a report shared with The Hacker News. The advanced persistent threat is something of an aberration among state-sponsored groups in that its operations are financially motivated and geared towards generating illicit revenue for the Hermit Kingdom as opposed to espionage and data theft. T

BlueNoroff , a subcluster of the notorious Lazarus Group, has been observed adopting new techniques into its playbook that enable it to bypass Windows Mark of the Web ( MotW ) protections. This includes the use of optical disk image (.ISO extension) and virtual hard disk (.VHD extension) file formats as part of a novel infection chain, Kaspersky disclosed in a report published today. "BlueNoroff created numerous fake domains impersonating venture capital companies and banks," security researcher Seongsu Park said , adding the new attack procedure was flagged in its telemetry in September 2022. Some of the bogus domains have been found to imitate ABF Capital, Angel Bridge, ANOBAKA, Bank of America, and Mitsubishi UFJ Financial Group, most of which are located in Japan, signalling a "keen interest" in the region. It's worth pointing out that although MotW bypasses have been documented in the wild before, this is the first time they have been incorporated by

The North Korea-linked  ScarCruft  group has been attributed to a previously undocumented backdoor called Dolphin that the threat actor has used against targets located in its southern counterpart. "The backdoor [...] has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing credentials from browsers," ESET researcher Filip Jurčacko  said  in a new report published today. Dolphin is said to be selectively deployed, with the malware using cloud services like Google Drive for data exfiltration as well as command-and-control. The Slovak cybersecurity company said it found the implant deployed as a final-stage payload as part of a watering hole attack in early 2021 directed against a South Korean digital newspaper. The campaign, first uncovered by  Kaspersky  and  Volexity  last year,  entailed  the weaponization of two Internet Explorer flaws ( CVE-2020-1380

Hackers tied to the North Korean government have been observed using an updated version of a backdoor known as Dtrack targeting a wide range of industries in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey, and the U.S. "Dtrack allows criminals to upload, download, start or delete files on the victim host," Kaspersky researchers Konstantin Zykov and Jornt van der Wiel  said  in a report. The victimology patterns indicate an expansion to Europe and Latin America. Sectors targeted by the malware are education, chemical manufacturing, governmental research centers and policy institutes, IT service providers, utility providers, and telecommunication firms. Dtrack, also called Valefor and Preft, is the handiwork of Andariel, a subgroup of the  Lazarus nation-state threat actor  that's publicly tracked by the broader cybersecurity community using the monikers Operation Troy, Silent Chollima, and Stonefly. Discovered in September 2019, the malware

A "highly operational, destructive, and sophisticated nation-state activity group" with ties to North Korea has been weaponizing open source software in their social engineering campaigns aimed at companies around the world since June 2022. Microsoft's threat intelligence teams, alongside LinkedIn Threat Prevention and Defense, attributed the intrusions with high confidence to Zinc, a threat group affiliated with Lazarus which is also tracked under the name Labyrinth Chollima.  Attacks targeted employees in organizations across multiple industries, including media, defense and aerospace, and IT services in the U.S., the U.K., India, and Russia. The tech giant  said  it observed Zinc leveraging a "wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installer for these attacks." According to  CrowdStrike , Zinc "has been active since 2009 in operations aimed at collecting polit

The infamous Lazarus Group has continued its pattern of leveraging unsolicited job opportunities to deploy malware targeting Apple's macOS operating system. In the latest variant of the campaign observed by cybersecurity company SentinelOne last week, decoy documents advertising positions for the Singapore-based cryptocurrency exchange firm Crypto[.]com have been used to mount the attacks. The latest disclosure builds on previous findings from Slovak cybersecurity firm ESET in August, which  delved  into a similar phony job posting for the Coinbase cryptocurrency exchange platform. Both these fake job advertisements are just the latest in a series of attacks dubbed  Operation In(ter)ception , which, in turn, is a constituent of a broader campaign tracked under the name  Operation Dream Job . Although the exact distribution vector for the malware remains unknown, it's suspected that potential targets are singled out via direct messages on the business networking site Linke

More than $30 million worth of cryptocurrency plundered by the North Korea-linked Lazarus Group from online video game Axie Infinity has been recovered, marking the first time digital assets stolen by the threat actor have been seized. "The seizures represent approximately 10% of the total funds stolen from Axie Infinity (accounting for price differences between time stolen and seized), and demonstrate that it is becoming more difficult for bad actors to successfully cash out their ill-gotten crypto gains," Erin Plante, senior director of investigations at Chainalysis,  said . The development arrives more than five months after the  crypto hack  resulted in the theft of $620 million from the decentralized finance (DeFi) platform Ronin Network, with the attackers laundering a majority of the proceeds – amounting to $455 million – through the Ethereum-based cryptocurrency tumbler Tornado Cash. The March 2022 cryptocurrency heist resulted in losses totaling 173,600 ETH wort

The U.S. State Department has announced rewards of up to $10 million for any information that could help disrupt North Korea's cryptocurrency theft, cyber-espionage, and other illicit state-backed activities. "If you have information on any individuals associated with the North Korean government-linked malicious cyber groups (such as Andariel, APT38, Bluenoroff, Guardians of Peace, Kimsuky, or Lazarus Group) and who are involved in targeting U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act, you may be eligible for a reward," the department  said  in a tweet. The amount is double the bounty the agency  publicized  in March 2022 for specifics regarding the financial mechanisms employed by state-sponsored actors working on behalf of the North Korean government. The development comes a week after the Justice Department  disclosed  the seizure of $500,000 worth of Bitcoin from North Korean hackers who extorted digital payments by using a new r

The U.S. Department of Justice (DoJ) has announced the seizure of $500,000 worth of Bitcoin from North Korean hackers who extorted digital payments from several organizations by using a new ransomware strain known as Maui. "The seized funds include ransoms paid by healthcare providers in Kansas and Colorado," the DoJ  said  in a press release issued Tuesday. The recovery of the bitcoin ransoms comes after the agency said it took control of two cryptocurrency accounts that were used to receive payments to the tune of $100,000 and $120,000 from the medical centers. The DoJ did not disclose where the rest of the payments originated from. "Reporting cyber incidents to law enforcement and cooperating with investigations not only protects the United States, it is also good business," said Assistant Attorney General Matthew G. Olsen of the DoJ's National Security Division. "The reimbursement to these victims of the ransom shows why it pays to work with law en

Nation-state hacking groups aligned with China, Iran, North Korea, and Turkey have been targeting journalists to conduct espionage and spread malware as part of a series of campaigns since early 2021. "Most commonly, phishing attacks targeting journalists are used for espionage or to gain key insights into the inner workings of another government, company, or other area of state-designated import," Proofpoint  said  in a report shared with The Hacker News. The ultimate goal of the "sustained" intrusions, the enterprise security firm said, is to gain a competitive intelligence edge or spread disinformation and propaganda. Proofpoint said it identified two Chinese hacking groups, TA412 (aka  Zirconium  or Judgment Panda) and  TA459 , targeting media personnel with malicious emails containing web beacons and weaponized documents respectively that were used to amass information about the recipients' network environments and drop  Chinoxy  malware. In a simila