Posts

What makes North Korean hacking groups more creative?


North Korean leader Kim Jong Un meets with former U.S. President Donald Trump within the demilitarized zone (DMZ) separating South and North Korea in 2019. (Handout photo by Dong-A Ilbo via Getty Images/Getty Images)

When cybersecurity experts talk about APT groups targeting the U.S. and its allies, they usually end up connecting the activity to one of “the Big Four”: Russia, China, Iran and North Korea. While these countries are far from the only ones conducting clandestine operations in cyberspace today, they’re often pegged as the most sophisticated and thus tend to get much of the attention.

But that doesn’t mean they all operate the same way. From a preference for writing custom malware code to pioneering new strategies, North Korean hacking groups have shown an innovative spirit that allows them to punch above their weight despite crushing sanctions.

At the 2021 RSA Conference, Dmitri Alperovitch, co-founder and former chief technology officer of CrowdStrike, said North Korean hacking groups, many of which operate under the umbrella name Lazarus Group, stand out considerably from their Big Four counterparts in the creativity of their campaign tactics and in the way they eschew popular commercial offensive tools.

“They’re in some ways my favorite actor in cyberspace, because they’re just so incredibly innovative,” said Alperovitch, now executive chairman at the Silverado Policy Accelerator.

In the early 2000s, North Korean intelligence agencies like the Reconnaissance General Bureau “pioneered” the concept of destructive cyberattacks in digital skirmishes with their South Korean neighbors, while the country’s 2014 hack of entertainment giant Sony foretold the coming era of hack-and-leak operations that Russia would pick up a few years later.

Alperovitch said that in recent years, Russian, Chinese and Iranian APTs have increasingly incorporated publicly available commercial offensive hacking tools like Cobalt Strike or open-source tools like the credential harvesting Mimikatz in their operations in lieu of writing their own malware, because they are less expensive and because using…

Source…

Spy groups hack into companies using zero-day flaw in Pulse Secure VPN


Over the past few months, several cyberespionage groups, including one believed to be tied to the Chinese government, have been breaking into the networks of organizations from the United States and Europe by exploiting vulnerabilities in VPN appliances from zero-trust access provider Pulse Secure. Some of the flaws date from 2019 and 2020, but one was unknown until this month.

“Mandiant is currently tracking 12 malware families associated with the exploitation of Pulse Secure VPN devices,” researchers from Mandiant, the MDR and incident response arm of security vendor FireEye, said in a newly released report. “These families are related to the circumvention of authentication and backdoor access to these devices, but they are not necessarily related to each other and have been observed in separate investigations. It is likely that multiple actors are responsible for the creation and deployment of these various code families.”

Pulse Secure VPN zero-day vulnerability

While investigating breaches this year at various defense, government and financial organizations from around the world, the Mandiant team kept finding malicious activity in the compromised environments tracing back to their Pulse Secure VPN appliances, where hackers had obtained administrative access. The experts couldn’t determine how the hackers gained administrative credentials, so the team contacted Pulse Secure and its parent company Ivanti. Their investigation concluded that the attackers were likely using known vulnerabilities found and patched over the past two years, but also a previously unknown one.

Tracked as CVE-2021-22893, the flaw allows attackers to bypass authentication on the Pulse Connect Secure (PCS) VPN solution and execute arbitrary code. The vulnerability is rated critical with a severity score of 10 on the CVSS scale. A patch for the issue will be included in version 9.1R11.4 of the PCS server, which has not been released yet. Until then, the company provided a workaround in the form of an .xml configuration file that can be imported into the appliance. The file disables the Windows File Share Browser and Pulse Secure Collaboration features of the appliance to block the…

Source…

UPDATE 3-At least 10 hacking groups using Microsoft software flaw -researchers



(Adds comment from researchers who discovered flaw, possible methods for leaks)

By Raphael Satter, Christopher Bing and Joseph Menn

WASHINGTON, March 10 (Reuters) – At least 10 different hacking groups are using recently discovered flaws in Microsoft Corp’s mail server software to break in to targets around the world, cybersecurity company ESET said in a blog post on Wednesday.

The breadth of the exploitation adds to the urgency of the warnings being issued by authorities in the United States and Europe about the weaknesses found in Microsoft’s Exchange software.

The security holes in the widely used mail and calendaring solution leave the door open to industrial-scale cyber espionage, allowing malicious actors to steal emails virtually at will from vulnerable servers or move elsewhere in the network. Tens of thousands of organizations have already been compromised, Reuters reported last week, and new victims are being made public daily.

Earlier on Wednesday, for example, Norway’s parliament announced data had been “extracted” in a breach linked to the Microsoft flaws. Germany’s cybersecurity watchdog agency also said on Wednesday two federal authorities had been affected by the hack, although it declined to identify them.

While Microsoft has issued fixes, the sluggish pace of many customers’ updates – which experts attribute in part to the complexity of Exchange’s architecture – means the field remains at least partially open to hackers of all stripes. The patches do not remove any back door access that has already been left on the machines.

In addition, some of the back doors left on compromised machines have passwords that are easily guessed, so that newcomers can take them over.
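The two paragraphs above make an operational point that is easy to miss under the patching headlines: applying the Exchange fixes closes the entry point but leaves any web shell already dropped on the server in place, and a shell with a guessable password is an open door for whoever finds it next. The script below is an added example written for this page, not code from Reuters, ESET or Microsoft. It illustrates the post-patch check a practitioner would run: take a hash manifest of the executable script files under a web root from a known-good install, diff it against the current state to find new or altered files, then pull every access-log request that touched those files. The web root layout, file names and log lines are constructed for the demonstration; the log format is Common Log Format style, and a real hunt would read the server's own logs and a baseline captured before the incident.

```python
"""Added example: post-patch web shell hunt.

Compare the script files under a web root against a trusted baseline
manifest, then look for access-log requests to any file that is new or
changed. Everything below (paths, file contents, log lines) is constructed
for the demonstration and is not from the article.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# File types the web server will execute; a dropped backdoor is usually one of these.
SCRIPT_SUFFIXES = {".aspx", ".ashx", ".asmx", ".php", ".jsp"}

# Common Log Format style line: client, identity, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each script file (relative POSIX path) under root to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in SCRIPT_SUFFIXES
    }


def diff_manifest(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Files present now but absent from the baseline, and files whose hash changed."""
    added = sorted(set(current) - set(baseline))
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return {"added": added, "modified": modified}


def requests_to(suspect_files, log_lines):
    """Return (ip, method, path, status) for every parsable request that hit a suspect file."""
    suspects = {"/" + f for f in suspect_files}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash the hunt
        path = m.group("path").split("?", 1)[0]  # drop the query string before matching
        if path in suspects:
            hits.append((m.group("ip"), m.group("method"), path, m.group("status")))
    return hits


def run_demo():
    """Build a constructed web root, take a baseline, 'drop' a shell, and hunt for it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "owa" / "auth").mkdir(parents=True)  # constructed layout (assumption)
        (root / "owa" / "auth" / "logon.aspx").write_text("<%-- legitimate page --%>")
        (root / "owa" / "auth" / "style.css").write_text("body{}")
        baseline = build_manifest(root)  # stands in for a manifest from a known-good install

        # Constructed post-compromise state: one new script, one tampered script.
        (root / "owa" / "auth" / "help.aspx").write_text("<% /* constructed backdoor */ %>")
        (root / "owa" / "auth" / "logon.aspx").write_text("<%-- legitimate page --%><% /* appended */ %>")
        current = build_manifest(root)

    findings = diff_manifest(baseline, current)
    suspect = findings["added"] + findings["modified"]

    # Constructed access-log lines; the POST to the new file is what a hunter wants to see.
    logs = [
        '198.51.100.7 - - [10/Mar/2021:10:01:02 +0000] "GET /owa/auth/logon.aspx HTTP/1.1" 200 1532',
        '203.0.113.9 - - [10/Mar/2021:10:02:15 +0000] "POST /owa/auth/help.aspx?cmd=whoami HTTP/1.1" 200 87',
        '198.51.100.7 - - [10/Mar/2021:10:03:40 +0000] "GET /owa/auth/style.css HTTP/1.1" 200 44',
        "garbage line that does not parse",
    ]
    return findings, requests_to(suspect, logs)


if __name__ == "__main__":
    findings, hits = run_demo()
    print("new or modified script files:", findings)
    for ip, method, path, status in hits:
        print(f"{ip} {method} {path} -> {status}")
```

The manifest diff is deliberately hash-based rather than timestamp-based: a dropped shell can carry a forged modification time, but it cannot match the baseline hash. The log pass is only as good as the baseline; a server that was compromised before the baseline was taken will show the shell as "unchanged", which is why the baseline should come from a clean install or vendor media, not from the running host.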

Microsoft declined comment on the pace of customers’ updates. In previous announcements pertaining to the flaws, the company has emphasized the importance of “patching all affected systems immediately.”

Although the hacking has appeared to be focused on cyber espionage, experts are concerned about the prospect of ransom-seeking cybercriminals taking advantage of the flaws because it could lead to widespread disruption.

ESET’s blog post said there were already signs of cybercriminal exploitation,…

Source…

At least 10 hacking groups using Microsoft software flaw : The Tribune India



Washington, March 10

ESET’s blog post said there were already signs of cybercriminal exploitation, with one group that specializes in stealing computer resources to mine…

Source…