lazarus group | Breaking Cybersecurity News | The Hacker News

The notorious Lazarus Group actors exploited a recently patched privilege escalation flaw in the Windows Kernel as a zero-day to obtain kernel-level access and disable security software on compromised hosts. The vulnerability in question is  CVE-2024-21338  (CVSS score: 7.8), which can permit an attacker to gain SYSTEM privileges. It was resolved by Microsoft earlier this month as part of  Patch Tuesday updates . "To exploit this vulnerability, an attacker would first have to log on to the system," Microsoft  said . "An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system." While there were no indications of active exploitation of CVE-2024-21338 at the time of the release of the updates, Redmond on Wednesday revised its "Exploitability assessment" for the flaw to "Exploitation Detected."  It's currently not clear when the attacks took place, but the vulnerability

The notorious North Korean state-backed hacking group Lazarus uploaded four packages to the Python Package Index (PyPI) repository with the goal of infecting developer systems with malware. The packages, now taken down, are  pycryptoenv ,  pycryptoconf ,  quasarlib , and  swapmempool . They have been collectively downloaded 3,269 times, with pycryptoconf accounting for the most downloads at 1,351. "The package names pycryptoenv and pycryptoconf are similar to pycrypto, which is a Python package used for encryption algorithms in Python," JPCERT/CC researcher Shusei Tomonaga  said . "Therefore, the attacker probably prepared the malware-containing malicious packages to target users' typos in installing Python packages." The disclosure comes days after Phylum  uncovered  several rogue packages on the npm registry that have been used to single out software developers as part of a campaign codenamed Contagious Interview. An interesting commonality between the t

Imagine a world where the software that powers your favorite apps, secures your online transactions, and keeps your digital life could be outsmarted and taken over by a cleverly disguised piece of code. This isn't a plot from the latest cyber-thriller; it's actually been a reality for years now. How this will change – in a positive or negative direction – as artificial intelligence (AI) takes on a larger role in software development is one of the big uncertainties related to this brave new world. In an era where AI promises to revolutionize how we live and work, the conversation about its security implications cannot be sidelined. As we increasingly rely on AI for tasks ranging from mundane to mission-critical, the question is no longer just, "Can AI  boost cybersecurity ?" (sure!), but also "Can AI  be hacked? " (yes!), "Can one use AI  to hack? " (of course!), and "Will AI  produce secure software ?" (well…). This thought leadership article is about the latter. Cydrill  (a

North Korean state-sponsored threat actors have been attributed to a cyber espionage campaign targeting the defense sector across the world. In a joint advisory published by Germany's Federal Office for the Protection of the Constitution (BfV) and South Korea's National Intelligence Service (NIS), the agencies said the goal of the attacks is to plunder advanced defense technologies in a "cost-effective" manner. "The regime is using the military technologies to modernize and improve the performance of conventional weapons and to develop new strategic weapon systems including ballistic missiles, reconnaissance satellites and submarines," they  noted .  The infamous Lazarus Group has been blamed for one of the two hacking incidents, which involved the use of social engineering to infiltrate the defense sector as part of a long-standing operation called  Dream Job . The campaign has been  ongoing since August 2020  over several waves. In these attacks, the

Cybersecurity researchers have discovered a new Apple macOS backdoor called  SpectralBlur  that overlaps with a known malware family that has been attributed to North Korean threat actors. "SpectralBlur is a moderately capable backdoor that can upload/download files, run a shell, update its configuration, delete files, hibernate, or sleep, based on commands issued from the [command-and-control server]," security researcher Greg Lesnewich  said . The malware shares similarities with  KANDYKORN  (aka SockRacket), an advanced implant that functions as a remote access trojan capable of taking control of a compromised host. It's worth noting that the KANDYKORN activity also intersects with another campaign orchestrated by the Lazarus sub-group known as BlueNoroff (aka TA444) which culminates in the deployment of a backdoor referred to as  RustBucket  and a late-stage payload dubbed  ObjCShellz . In recent months, the threat actor has been observed  combining disparate pieces of t

The notorious North Korea-linked threat actor known as the  Lazarus Group  has been attributed to a new global campaign that involves the opportunistic exploitation of security flaws in Log4j to deploy previously undocumented remote access trojans (RATs) on compromised hosts. Cisco Talos is tracking the activity under the name Operation Blacksmith, noting the use of three DLang-based malware families, including a RAT called NineRAT that leverages Telegram for command-and-control (C2), DLRAT, and a downloader dubbed BottomLoader. The cybersecurity firm described the latest tactics of the adversary as a definitive shift and that they overlap with the cluster widely tracked as Andariel (aka Onyx Sleet or Silent Chollima), a sub-group within the Lazarus umbrella. "Andariel is typically tasked with initial access, reconnaissance and establishing long term access for espionage in support of the North Korean government's national interests," Talos researchers Jung soo An, As

The North Korean threat actor known as  Kimsuky  has been observed targeting research institutes in South Korea as part of a spear-phishing campaign with the ultimate goal of distributing backdoors on compromised systems. "The threat actor ultimately uses a backdoor to steal information and execute commands," the AhnLab Security Emergency Response Center (ASEC)  said  in an analysis posted last week. The attack chains commence with an import declaration lure that's actually a malicious JSE file containing an obfuscated PowerShell script, a Base64-encoded payload, and a decoy PDF document. The next stage entails opening the PDF file as a diversionary tactic, while the PowerShell script is executed in the background to launch the backdoor. The malware, for its part, is configured to collect network information and other relevant data (i.e., host name, user name, and operating system version) and transmit the encoded details to a remote server. It's also capable of

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) on Thursday sanctioned the North Korea-linked adversarial collective known as Kimsuky as well as eight foreign-based agents who are alleged to have facilitated sanctions evasion. The agents, the Treasury  said , helped in " revenue generation  and missile-related technology procurement that support the DPRK's weapons of mass destruction (WMD) programs." The sanctions against Kimsuky, which have been levied for gathering intelligence to support the regime's strategic objectives, come more than four years after the OFAC  imposed   similar measures  against the Lazarus Group and its offshoots  Andariel  and  BlueNoroff  in September 2019. The actions are in  response  to North Korea's launch of a military reconnaissance satellite late last month, the Treasury added. They also arrive a day after a virtual currency mixer service called Sinbad was  sanctioned  for processing stolen as

Threat actors from the Democratic People's Republic of Korea (DPRK) are increasingly targeting the cryptocurrency sector as a  major revenue generation mechanism  since at least 2017 to get around sanctions imposed against the country. "Even though movement in and out of and within the country is heavily restricted, and its general population is isolated from the rest of the world, the regime's ruling elite and its highly trained cadre of computer science professionals have privileged access to new technologies and information," cybersecurity firm Recorded Future  said  in a report shared with The Hacker News. "The privileged access to resources, technologies, information, and sometimes international travel for a small set of selected individuals with promise in mathematics and computer science equips them with the necessary skills for conducting cyber attacks against the cryptocurrency industry." The disclosure comes as the U.S. Treasury Department  imp

The U.S. Treasury Department on Wednesday imposed sanctions against  Sinbad , a virtual currency mixer that has been put to use by the North Korea-linked  Lazarus Group  to launder ill-gotten proceeds. "Sinbad has processed millions of dollars' worth of virtual currency from Lazarus Group heists, including the Horizon Bridge and Axie Infinity heists," the department said . "Sinbad is also used by cybercriminals to obfuscate transactions linked to malign activities such as sanctions evasion, drug trafficking, the purchase of child sexual abuse materials, and additional illicit sales on darknet marketplaces." In addition to the sanctions, Sinbad had its website seized as part of a coordinated law enforcement action between agencies in the U.S., Finland, and the Netherlands. The development builds on prior actions undertaken by governments in Europe and the U.S. to blockade mixers such as  Blender ,  Tornado Cash , and  ChipMixer , all of which have been accu

The recently disclosed critical security flaw impacting Apache ActiveMQ is being actively exploited by threat actors to distribute a new Go-based botnet called  GoTitan  as well as a .NET program known as  PrCtrl Rat  that's capable of remotely commandeering the infected hosts. The attacks involve the exploitation of a remote code execution bug (CVE-2023-46604, CVSS score: 10.0) that has been  weaponized  by various hacking crews, including the  Lazarus Group , in recent weeks. Following a successful breach, the threat actors have been observed to drop next-stage payloads from a remote server, one of which is GoTitan, a botnet designed for orchestrating distributed denial-of-service (DDoS) attacks via protocols such as HTTP, UDP, TCP, and TLS. "The attacker only provides binaries for x64 architectures, and the malware performs some checks before running," Fortinet Fortiguard Labs researcher Cara Lin  said  in a Tuesday analysis. "It also creates a file named &#

A North Korean state-sponsored threat actor tracked as  Diamond Sleet  is distributing a trojanized version of a legitimate application developed by a Taiwanese multimedia software developer called CyberLink to target downstream customers via a supply chain attack. "This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload," the Microsoft Threat Intelligence team  said  in an analysis on Wednesday. The poisoned file, the tech giant said, is hosted on the update infrastructure owned by the company while also including checks to limit the time window for execution and bypass detection by security products. The campaign is estimated to have impacted over 100 devices across Japan, Taiwan, Canada, and the U.S. Suspicious activity associated with the modified CyberLink installer file was observed as early as October 20, 2023. The links to North Korea stem from

North Korean threat actors have been linked to two campaigns in which they masquerade as both job recruiters and seekers to distribute malware and obtain unauthorized employment with organizations based in the U.S. and other parts of the world. The activity clusters have been codenamed Contagious Interview and Wagemole, respectively, by Palo Alto Networks Unit 42. While the first set of attacks aims to "infect software developers with malware through a fictitious job interview," the latter is designed for financial gain and espionage. "The first campaign's objective is likely cryptocurrency theft and using compromised targets as a staging environment for additional attacks," the cybersecurity company  said . The fraudulent job-seeking activity, on the other hand, involves the use of a GitHub repository to host resumes with forged identities that impersonate individuals of various nationalities. The Contagious Interview attacks pave the way for two hitherto undocumented cross-plat

A sub-cluster within the infamous Lazarus Group has established new infrastructure that impersonates skills assessment portals as part of its social engineering campaigns. Microsoft attributed the activity to a threat actor it calls  Sapphire Sleet , describing it as a "shift in the persistent actor's tactics." Sapphire Sleet, also called APT38, BlueNoroff, CageyChameleon, and CryptoCore, has a track record of orchestrating cryptocurrency theft via social engineering. Earlier this week, Jamf Threat Labs implicated the threat actor to a new macOS malware family called  ObjCShellz  that's assessed to be a late-stage payload delivered in connection with another macOS malware known as RustBucket. "Sapphire Sleet typically finds targets on platforms like LinkedIn and uses lures related to skills assessment," the Microsoft Threat Intelligence team  said  in a series of posts on X (formerly Twitter). "The threat actor then moves successful communication

The North Korea-linked nation-state group called BlueNoroff has been attributed to a previously undocumented macOS malware strain dubbed  ObjCShellz . Jamf Threat Labs, which disclosed details of the malware, said it's used as part of the RustBucket malware campaign, which came to light earlier this year. "Based on previous attacks performed by BlueNoroff, we suspect that this malware was a late stage within a multi-stage malware delivered via social engineering," security researcher Ferdous Saljooki said in a report shared with The Hacker News. BlueNoroff, also tracked under the names APT38, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and TA444, is a subordinate element of the infamous  Lazarus Group  that specializes in financial crime, targeting banks and the crypto sector as a way to  evade sanctions  and  generate illicit profits  for the regime. The development arrives days after Elastic Security Labs disclosed the Lazarus Group's use of a new ma

State-sponsored threat actors from the Democratic People's Republic of Korea (DPRK) have been found targeting blockchain engineers of an unnamed crypto exchange platform via Discord with a novel macOS malware dubbed  KANDYKORN . Elastic Security Labs said the activity, traced back to April 2023, exhibits overlaps with the infamous adversarial collective  Lazarus Group , citing an analysis of the network infrastructure and techniques used. "Threat actors lured blockchain engineers with a Python application to gain initial access to the environment," security researchers Ricardo Ungureanu, Seth Goodwin, and Andrew Pease  said  in a report published today. "This intrusion involved multiple complex stages that each employed deliberate defense evasion techniques." This is not the first time the Lazarus Group has leveraged macOS malware in its attacks. Earlier this year, the threat actor was observed distributing a backdoored PDF application that culminated in t

North Korean threat actors are actively exploiting a critical security flaw in JetBrains TeamCity to opportunistically breach vulnerable servers, according to Microsoft. The attacks, which entail the exploitation of  CVE-2023-42793  (CVSS score: 9.8), have been  attributed  to Diamond Sleet (aka Labyrinth Chollima) and Onyx Sleet (aka Andariel or Silent Chollima). It's worth noting that both the threat activity clusters are part of the infamous North Korean nation-state actor known as  Lazarus Group . In one of the two attack paths employed by Diamond Sleet, a successful compromise of TeamCity servers is followed by the deployment of a known implant called  ForestTiger  from legitimate infrastructure previously compromised by the threat actor. A second variant of the attacks leverages the initial foothold to retrieve a malicious DLL (DSROLE.dll aka RollSling or Version.dll or FeedLoad) that's loaded by means of a technique referred to as DLL search-order hijacking to eithe