North Korea Using Social Engineering to Enable Hacking of Think Tanks, Academia, and Media

The Federal Bureau of Investigation (FBI), the U.S. Department of State, and the National Security Agency (NSA), together with the Republic of Korea’s National Intelligence Service (NIS), National Police Agency (NPA), and Ministry of Foreign Affairs (MOFA), are jointly issuing this advisory to highlight the use of social engineering by Democratic People’s Republic of Korea (DPRK a.k.a. North Korea) state-sponsored cyber actors to enable computer network exploitation (CNE) globally against individuals employed by research centers and think tanks, academic institutions, and news media organizations. These North Korean cyber actors are known to conduct spearphishing campaigns posing as real journalists, academics, or other individuals with credible links to North Korean policy circles. The DPRK employs social engineering to collect intelligence on geopolitical events, foreign policy strategies, and diplomatic efforts affecting its interests by gaining illicit access to the private documents, research, and communications of their targets.

North Korea’s cyber program provides the regime with broad intelligence collection and espionage capabilities. The Governments of the United States and the Republic of Korea (ROK a.k.a. South Korea) have observed sustained information-gathering efforts originating from these North Korean cyber actors. North Korea’s primary military intelligence organization, the Reconnaissance General Bureau (RGB), which has been sanctioned by the United Nations Security Council, is primarily responsible for this network of actors and activities.

We assess the primary goals of the DPRK regime’s cyber program include maintaining consistent access to current intelligence about the United States, South Korea, and other countries of interest to impede any political, military, or economic threat to the regime’s security and stability.

Currently, the U.S. and ROK Governments, and private sector cyber security companies, track a specific set of DPRK cyber actors conducting these large-scale social engineering campaigns as Kimsuky, Thallium, APT43, Velvet Chollima, and Black Banshee. Kimsuky is administratively subordinate to an element within North Korea’s…


How to stop hackers from spying on you through a Ring camera or video doorbell

People who use internet-enabled security camera systems like Amazon Ring or Google Nest to keep their homes safe could be opening up their virtual worlds to hackers, or even employees of the companies.

The devices, typically placed on the outside of homes and aimed at entryways, record live footage of who is approaching the premises, with many residents using the technology to deter package thieves and otherwise monitor their homes. But users who don’t properly secure their devices could be inviting criminals to snoop around their digital networks and potentially gain access to reams of sensitive personal data. 

In a case highlighting such vulnerabilities, Amazon this week agreed to pay $5.8 million to the Federal Trade Commission to settle allegations it gave its Ring surveillance employees “unfettered” access to personal videos. The agency in its lawsuit also claimed that Amazon failed to protect customer security, leading to hackers threatening or sexually propositioning Ring owners.

Gavin Millard, a cybersecurity expert at Tenable, a firm that alerts clients to tech vulnerabilities, said there are ways to leverage the security features of video doorbells and cameras without exposing their owners' private lives and information to bad actors. Here are five ways users of the technology can protect themselves.

Reset default username and password

Never keep the username and password that a home security system assigns you by default. Because they can be easily guessed by hackers, they should be changed immediately, Millard said. 

“Often when consumers buy the devices, they don’t change them from their default, insecure configurations,” Millard told CBS MoneyWatch. 

Changing this password is crucial because once hackers breach one device, they can explore others that are connected to the same home network. For example, bad actors can use the search engine Shodan to scan the whole internet for any connected devices, from webcams to smart lightbulbs.

“I can ask it to show me every single internet-connected camera and try ‘Admin’ and ‘Password’ as the username and password, and you could access the video streams of any that are vulnerable,” he explained. 

Two-factor authentication



iTunes on Windows security flaw allows unauthorized access

iTunes on Windows has a security flaw

Researchers have found a vulnerability in iTunes for Windows that lets users escalate system privileges, and Windows users should update the app.

In late 2022, the Synopsys Cybersecurity Research Center (CyRC) discovered a security vulnerability within the Windows version of the iTunes app. Exploiting it can lead to local privilege escalation to achieve system-level privileges.

User privileges, also known as permissions, define what a user account can do on a computer system. They are an essential part of the system’s security, ensuring that users can perform tasks without compromising the system’s security.

Privileges can include the ability to open files, change or delete data, or modify system settings. Users with administrative privileges can do more, such as installing new apps and managing user accounts.

With this vulnerability, someone with limited user privileges on a Windows computer running an affected version of iTunes could exploit the system to acquire elevated privileges. That could allow a malicious person to gain unauthorized access to sensitive data, change or delete data they aren’t supposed to, or launch attacks on other computers within the same network.

The iTunes software creates a folder (“SC Info”) on the Windows system. Only the system should use this folder, but iTunes gives all users complete control over it.

If a user deletes this folder and then creates a link from where the folder was to the Windows system folder, this forces a system repair process that recreates the folder.

That new folder, linked to the system folder, gives an attacker system-level access to the Windows machine.
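The root cause described above is a folder that any user can fully control although only the system should write to it. As an added example (not Synopsys's or Apple's code), the check below parses `icacls`-style output and flags broad principals holding write-capable rights; the folder path and the sample output are constructed placeholders, since the article names only the folder "SC Info".

```python
import re

# Placeholder path (assumption); the article only names the folder "SC Info".
FOLDER = r"C:\PLACEHOLDER\iTunes\SC Info"

# Constructed sample of `icacls <folder>` output: the weak state, where
# Everyone holds Full control (F) on the folder and its children.
WEAK_ICACLS = FOLDER + r""" Everyone:(OI)(CI)(F)
                            NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                            BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed hardened state: ordinary users may only read and traverse.
HARDENED_ICACLS = FOLDER + r""" Everyone:(OI)(CI)(RX)
                                NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                BUILTIN\Administrators:(OI)(CI)(F)
"""

# Principals that stand for "any user" (compared on the part after the domain).
BROAD = {"everyone", "users", "authenticated users", "interactive"}
# icacls simple rights and specific rights that allow writing, adding or deleting.
WRITE_SIMPLE = {"F", "M", "W", "D"}
WRITE_SPECIFIC = {"WD", "AD", "WEA", "DC", "DE", "WDAC", "WO"}


def parse_icacls(output, folder):
    """Return [(principal, [right tokens])] from icacls output for `folder`."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(folder):          # first ACE line carries the path
            line = line[len(folder):].strip()
        if ":(" not in line:                 # blank line or summary line
            continue
        who, _, rights = line.partition(":(")
        tokens = [t for t in re.split(r"[(),]+", rights) if t]
        aces.append((who, tokens))
    return aces


def overly_permissive(aces):
    """Broad principals that hold any write-capable right on the folder."""
    return [who for who, tokens in aces
            if who.rsplit("\\", 1)[-1].lower() in BROAD
            and (WRITE_SIMPLE | WRITE_SPECIFIC) & set(tokens)]
```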

How to protect yourself from the iTunes bug

The Synopsys team already reported the vulnerability to Apple. It is tracked as CVE-2023-32353 in the database of publicly disclosed computer security flaws known as Common Vulnerabilities and Exposures. As a result, Apple issued a patch on May 23.

It affects versions of iTunes on Windows before 12.12.9, and users are advised to install the update…


Kaspersky says attackers hacked staff iPhones with unknown malware


The Russian cybersecurity company Kaspersky said that hackers working for a government targeted its employees’ iPhones with unknown malware.

On Monday, Kaspersky announced the alleged cyberattack and published a technical report analyzing it, in which the company admitted its analysis is not yet complete. The company said that the hackers, who at this point are unknown, delivered the malware with a zero-click exploit via an iMessage attachment, and that all the events happened within a one to three minute timeframe. At this point, it’s unclear whether the hackers exploited vulnerabilities that were unpatched at the time, meaning they were so-called zero-days.

Kaspersky researchers said that they discovered the attack when they noticed “suspicious activity that originated from several iOS-based phones,” while monitoring their own corporate Wi-Fi network.

The company called this alleged hack against its own employees “Operation Triangulation,” and created a logo for it. Neither Kaspersky nor Apple immediately responded to requests for comment.

Kaspersky researchers said they created offline backups of the targeted iPhones and inspected them with a tool developed by Amnesty International called the Mobile Verification Toolkit, or MVT, which allowed them to discover “traces of compromise.” The researchers did not say when they discovered the attack, and said that they found traces of it going as far back as 2019, and that “attack is ongoing, and the most recent version of the devices successfully targeted is iOS 15.7.”

While the malware was designed to clean up the infected devices and remove traces of itself, “it is possible to reliably identify if the device was compromised,” the researchers wrote.

In the report, the researchers explained step by step how they analyzed the compromised devices, outlining how others can do the same. They did not, however, include many details of what they found using this process.

The researchers said that the presence of “data usage lines mentioning the process named ‘BackupAgent’,” was the most reliable sign that an iPhone was hacked, and that another one of…
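As an added example (not code from Kaspersky's report or from MVT), the check below pulls data-usage process rows naming BackupAgent from a constructed, in-memory copy of the iOS data-usage database and converts their timestamps for a timeline. The simplified table layout, the constructed rows and the Cocoa-epoch timestamp conversion are assumptions for this example.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# iOS stores these timestamps as seconds since 2001-01-01 UTC (Cocoa epoch);
# converting them is what makes the rows usable in an incident timeline.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Simplified ZPROCESS table of the data-usage database (assumed schema for
# this example; real dumps carry more columns and tables).
SCHEMA = """
CREATE TABLE ZPROCESS (
    Z_PK INTEGER PRIMARY KEY,
    ZFIRSTTIMESTAMP REAL,
    ZTIMESTAMP REAL,
    ZPROCNAME TEXT,
    ZBUNDLENAME TEXT
);
"""

# Constructed rows: two ordinary processes and one BackupAgent entry, the
# indicator the article names as the most reliable sign of compromise.
SAMPLE_ROWS = [
    (1, 600000000.0, 600001000.0, "mobilemail", "com.apple.mobilemail"),
    (2, 600000500.0, 600002000.0, "Safari", "com.apple.mobilesafari"),
    (3, 600003000.0, 600003050.0, "BackupAgent", ""),
]


def load_sample():
    """Build the constructed database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO ZPROCESS VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def cocoa_to_iso(seconds):
    """Cocoa-epoch seconds -> ISO 8601 UTC string."""
    return (COCOA_EPOCH + timedelta(seconds=seconds)).isoformat()


def find_backupagent(conn):
    """(process, first seen, last seen) for rows whose name contains BackupAgent."""
    rows = conn.execute(
        "SELECT ZPROCNAME, ZFIRSTTIMESTAMP, ZTIMESTAMP FROM ZPROCESS "
        "WHERE LOWER(ZPROCNAME) LIKE '%backupagent%' ORDER BY ZFIRSTTIMESTAMP"
    ).fetchall()
    return [(n, cocoa_to_iso(a), cocoa_to_iso(b)) for n, a, b in rows]
```

Run against a real extraction, the same query gives the first- and last-seen window for each hit, which is the starting point for correlating the other indicators in the report.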