Tag Archive for: Korean

North Korean Affiliates Suspected in $40M Cryptocurrency Heist, FBI Warns

/in


Aug 23, 2023THNCryptocurrency / Cyber Attack

Cryptocurrency Heist

The U.S. Federal Bureau of Investigation (FBI) on Tuesday warned that threat actors affiliated with North Korea may attempt to cash out stolen cryptocurrency worth more than $40 million.

The law enforcement agency attributed the blockchain activity to an adversary the U.S. government tracks as TraderTraitor, which is also known by the name Jade Sleet.

An investigation undertaken by the FBI found that the group moved approximately 1,580 bitcoin from several cryptocurrency heists over the past 24 hours and are currently said to be holding those funds in six different wallets.

North Korea is known to blur the lines among cyber warfare, espionage, and financial crime. TraderTraitor, in particular, has been linked to a series of attacks targeting blockchain and cryptocurrency exchanges with the goal of plundering digital assets to generate illicit revenue for the sanctions-hit nation.

Cybersecurity

This includes the $60 million theft of virtual currency from Alphapo on June 22, 2023; the $37 million theft of virtual currency from CoinsPaid on June 22, 2023; and the $100 million theft of virtual currency from Atomic Wallet on June 2, 2023, as well as attacks targeting Sky Mavis’ Ronin Network and Harmony Horizon Bridge last year.

The cluster shares overlap with another North Korean group dubbed APT38 (aka BlueNoroff or Stardust Chollima), which, in turn, is part of the larger Lazarus constellation. Google-owned Mandiant, last month, also connected TraderTraitor to UNC4899, a hacking crew attributed to the JumpCloud hack in late June 2023.

According to data compiled by blockchain intelligence firm TRM Labs, North Korean hackers are estimated to have stolen over $2 billion in cryptocurrencies since 2018 as part of a series of 30 attacks, with $200 million stolen in 2023 alone.

“Private sector entities should examine the blockchain data associated with these addresses and be vigilant in guarding against transactions directly with, or derived from, the addresses,” the FBI said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Source…

Exclusive: North Korean hackers breached top Russian missile maker

/in


  • Hackers breached systems at NPO Mashinostroyeniya
  • Russian firm produces hypersonic missiles, satellites
  • Discovery comes shortly after Russian defence minister visits Pyongyang

LONDON/WASHINGTON, Aug 7 (Reuters) – An elite group of North Korean hackers secretly breached computer networks at a major Russian missile developer for at least five months last year, according to technical evidence reviewed by Reuters and analysis by security researchers.

Reuters found cyber-espionage teams linked to the North Korean government, which security researchers call ScarCruft and Lazarus, secretly installed stealthy digital backdoors into systems at NPO Mashinostroyeniya, a rocket design bureau based in Reutov, a small town on the outskirts of Moscow.

Reuters could not determine whether any data was taken during the intrusion or what information may have been viewed. In the months following the digital break-in Pyongyang announced several developments in its banned ballistic missile programme but it is not clear if this was related to the breach.

Experts say the incident shows how the isolated country will even target its allies, such as Russia, in a bid to acquire critical technologies.

NPO Mashinostroyeniya did not respond to requests from Reuters for comment. Russia’s embassy in Washington did not respond to an emailed request for comment. North Korea’s mission to the United Nations in New York did not respond to a request for comment.

News of the hack comes shortly after a trip to Pyongyang last month by Russian defence minister Sergei Shoigu for the 70th anniversary of the Korean War; the first visit by a Russian defence minister to North Korea since the 1991 breakup of the Soviet Union.

The targeted company, commonly known as NPO Mash, has acted as a pioneer developer of hypersonic missiles, satellite technologies and newer generation ballistic armaments, according to missile experts – three areas of keen interest to North Korea since it embarked on its mission to create an Intercontinental Ballistic Missile (ICBM) capable of striking the mainland United States.

According to technical data, the intrusion roughly began in late 2021 and continued until May 2022 when, according to internal…

Source…

Advanced Linux Malware Targeting South Korean Systems

/in


Aug 05, 2023THNLinux / Malware

Reptile Rootkit

Threat actors are using an open-source rootkit called Reptile to target Linux systems in South Korea.

“Unlike other rootkit malware that typically only provide concealment capabilities, Reptile goes a step further by offering a reverse shell, allowing threat actors to easily take control of systems,” the AhnLab Security Emergency Response Center (ASEC) said in a report published this week.

“Port knocking is a method where the malware opens a specific port on an infected system and goes on standby. When the threat actor sends a magic packet to the system, the received packet is used as a basis to establish a connection with the C&C server.”

A rootkit is a malicious software program that’s designed to provide privileged, root-level access to a machine while concealing its presence. At least four different campaigns have leveraged Reptile since 2022.

Cybersecurity

The first use of the rootkit was recorded by Trend Micro in May 2022 in connection with an intrusion set tracked as Earth Berberoka (aka GamblingPuppet), which has been found to use the malware to hide connections and processes related to a cross-platform Python trojan known as Pupy RAT in attacks aimed at gambling sites in China.

Then in March 2023, Google-owned Mandiant detailed a set of attacks mounted by a suspected China-linked threat actor dubbed UNC3886 that employed zero-day flaws in Fortinet appliances to deploy a number of custom implants as well as Reptile.

Reptile Rootkit

ExaTrack, that same month, revealed a Chinese hacking group’s use of a Linux malware called Mélofée that’s based on Reptile. Lastly, in June 2023, a cryptojacking operation discovered by Microsoft used a shell script backdoor to download Reptile in order to obscure its child processes, files, or their content.

A closer examination of Reptile reveals the use of a loader, which uses a tool called kmatryoshka to decrypt and load the rootkit’s kernel module into memory, after which it opens a specific port and awaits for the attacker to transmit a magic packet to the host over protocols such as TCP, UDP, or ICMP.

Cybersecurity

“The data received through the magic packet contains the C&C server address,” ASEC said. “Based on this, a reverse shell…

Source…

North Korean Nation-State Actors Exposed in JumpCloud Hack After OPSEC Blunder

/in


North Korean nation-state actors affiliated with the Reconnaissance General Bureau (RGB) have been attributed to the JumpCloud hack following an operational security (OPSEC) blunder that exposed their actual IP address.

Google-owned threat intelligence firm Mandiant attributed the activity to a threat actor it tracks under the name UNC4899, which likely shares overlaps with clusters already being monitored as Jade Sleet and TraderTraitor, a group with a history of striking blockchain and cryptocurrency sectors.

UNC4899 also overlaps with APT43, another hacking crew associated with the Democratic People’s Republic of Korea (DPRK) that was unmasked earlier this March as conducting a series of campaigns to gather intelligence and siphon cryptocurrency from targeted companies.

The adversarial collective’s modus operandi is characterized by the use of Operational Relay Boxes (ORBs) using L2TP IPsec tunnels along with commercial VPN providers to disguise the attacker’s true point of origin, with commercial VPN services acting as the final hop.

“There have been many occasions in which DPRK threat actors did not employ this last hop, or mistakenly did not utilize this while conducting actions on operations on the victim’s network,” the company said in an analysis published Monday, adding it observed “UNC4899 connecting directly to an attacker-controlled ORB from their 175.45.178[.]0/24 subnet.”

The intrusion directed against JumpCloud took place on June 22, 2023, as part of a sophisticated spear-phishing campaign that leveraged the unauthorized access to breach fewer than five customers and less than 10 systems in what’s called a software supply chain attack.

Mandiant’s findings are based on an incident response effort initiated in the aftermath of a cyber attack against one of JumpCloud’s impacted customers, an unnamed software solutions entity, the starting point being a malicious Ruby script (“init.rb”) executed via the JumpCloud agent on June 27, 2023.

A notable aspect of the incident is its targeting of four Apple systems running macOS Ventura versions 13.3 or 13.4.1, underscoring North Korean actors’ continued investment in honing malware specially tailored for the platform in…

Source…