Tag Archive for: Lazarus

Lazarus Group Behind $540 Million Axie Infinity Crypto Hack and Attacks on Chemical Sector

The U.S. Treasury Department has implicated the North Korea-backed Lazarus Group (aka Hidden Cobra) in the theft of $540 million from video game Axie Infinity’s Ronin Network last month.

On Thursday, the Treasury tied the Ethereum wallet address that received the stolen digital currency to the threat actor and sanctioned the funds by adding the address to the Office of Foreign Assets Control’s (OFAC) Specially Designated Nationals (SDN) List.

“The FBI, in coordination with Treasury and other U.S. government partners, will continue to expose and combat the DPRK’s use of illicit activities – including cybercrime and cryptocurrency theft – to generate revenue for the regime,” the intelligence and law enforcement agency said in a statement.

The cryptocurrency heist, the second-largest cyber-enabled theft to date, involved the siphoning of 173,600 Ether (ETH) and 25.5 million USD Coins from the Ronin cross-chain bridge, which allows users to transfer their digital assets from one crypto network to another, on March 23, 2022.

“The attacker used hacked private keys in order to forge fake withdrawals,” the Ronin Network explained in the disclosure report it published a week after the incident came to light.


Sanctioning the wallet address prohibits U.S. individuals and entities from transacting with it, which is intended to keep the state-sponsored group from cashing out any further funds. An analysis by Elliptic found that the actor had already managed to launder 18% of the siphoned digital funds (about $97 million) as of April 14.

“First, the stolen USDC was swapped for ETH through decentralized exchanges (DEXs) to prevent it from being seized,” Elliptic noted. “By converting the tokens at DEXs, the hacker avoided the anti-money laundering (AML) and ‘know your customer’ (KYC) checks performed at centralized exchanges.”

Nearly $80.3 million of the laundered funds have involved the use of Tornado Cash, a mixing service on the Ethereum blockchain designed to obscure the trail of funds, with another $9.7 million worth of ETH likely to be laundered in the same manner.

Lazarus Group, an umbrella name assigned to prolific state-sponsored actors operating on behalf of North Korean strategic…


Industrial systems under threat. Lazarus resumes Operation Dream Job. OldGremlin phishes in Russia.


Dateline Moscow and Kyiv: Russian preparations for cyberattacks against the energy sector.

Ukraine at D+49: Exchanges of kinetic fire, and preparation for cyberattacks against ICS/SCADA. (The CyberWire) Ukraine says it’s hit the guided missile cruiser Moskva with anti-ship missiles. The US warns of Russian preparations for cyberattacks against ICS and SCADA systems (and both government and industry have published details on the tools they’ve found). On the ground, Russia continues to resort to heavy and indiscriminate fires as it seeks to reduce cities in the Donbas and along the Black Sea coast.

Ukraine Update: U.S., EU to Send More Arms; Warship Damaged (Bloomberg) President Joe Biden announced $800 million in additional U.S. military aid for Ukraine and the European Union agreed to provide more cash for weapons, as Russia repositions its forces for renewed attacks in eastern and southern parts of its neighbor.

Ukraine says it damaged Russian flagship, crew evacuates (AP NEWS) Ukraine said its forces struck and seriously damaged the flagship of Russia’s Black Sea fleet, dealing a potentially major setback to Moscow’s troops as they try to regroup for a renewed offensive in eastern Ukraine after retreating from much of the north, including the capital.

Russian warship notorious for firing on Snake Island defenders ‘seriously damaged’ after blast (The Telegraph) The Moskva missile cruiser was struck by two Ukrainian missiles, the Ukrainian governor of the region said.

Russia says warship ‘seriously damaged’ by explosion as Putin builds forces in east Ukraine (the Guardian) Ukraine says it struck the Moskva with two anti-ship missiles, without giving evidence, as Zelenskiy says Russia is ramping up its offensive in the east and south.

One Of Russia’s Biggest Cruisers May Have Sunk Near Ukraine (Forbes) There are unconfirmed reports that a Ukrainian navy missile battery has struck the Russian navy cruiser Moskva off the coast of Odessa, a strategic port city on the Black Sea in southwest Ukraine.

Russia to consider US and NATO vehicles carrying weapons in Ukraine as legitimate military targets (TDPel Media) “We are warning that we will consider US-NATO transports with weapons moving through the…


Lazarus Group phishes for hacking tools. Rockethack’s odd position in the C2C market. CISA’s holiday advice. SEC scam warning.


Attacks, Threats, and Vulnerabilities

North Korean Hackers Caught Snooping on China’s Cyber Squad (The Daily Beast) North Korean hackers are under fierce pressure to raise revenue to fund regime goals. Now they’re trying to spy on Chinese security researchers to get better hacking tools.

Void Balaur explained—a stealthy cyber mercenary group that spies on thousands (CSO Online) Unlike other groups, Void Balaur will target individuals and organizations in Russian-speaking countries and seems to have intimate knowledge of telecom systems.

APT41’s cyber attack methods are a blueprint for hacker groups (TechHQ) APT41’s cyberattack methods are becoming the blueprint for other hacker groups launching attacks on the supply chain and other industries as well.

Reminder for Critical Infrastructure to Stay Vigilant Against Threats During Holidays and Weekends (CISA) As Americans prepare to hit the highways and airports this Thanksgiving holiday, CISA and the Federal Bureau of Investigation (FBI) are reminding critical infrastructure partners that malicious cyber actors aren’t making the same holiday plans as you. Recent history tells us that this could be a time when these persistent cyber actors halfway across the world are looking for ways—big and small—to disrupt the critical networks and systems belonging to organizations, businesses, and critical infrastructure.

New ‘SharkBot’ Android Banking Malware Hitting U.S., UK and Italy Targets (SecurityWeek) A newly discovered Android banking trojan has been observed targeting international banks and five different cryptocurrency services.

GitHub cookie leakage – thousands of Firefox cookie files uploaded by mistake (Naked Security) Be aware before you share! That’s a good rule for developers and techies, just as much as it is for social media addicts.

Space cyber wargame exposes satellite industry risks (README) Space industry executives grappled with a simulated crisis Monday as a hacker compromised a satellite and set it on a collision course.

US SEC warns investors of ongoing govt impersonation attacks (BleepingComputer) The Securities and Exchange Commission (SEC) has warned US investors of scammers impersonating SEC…


North Korean Lazarus Hacking Group Leverages Supply Chain Attacks To Distribute Malware for Cyber Espionage


The North Korean threat actor Lazarus Group has resorted to supply chain attacks, similar to the SolarWinds and Kaseya incidents, to compromise the regime’s targets, according to cybersecurity firm Kaspersky.

Kaspersky’s Q3 2021 APT Trends report says that “Lazarus developed an infection chain that stemmed from legitimate South Korean security software deploying a malicious payload.”

The APT group compromised a South Korean think tank using two remote access trojan (RAT) variants, BLINDINGCAN and COPPERHEDGE. The DHS Cybersecurity & Infrastructure Security Agency (CISA) had previously issued security alerts AR20-232A and AR20-133A covering these trojans.

According to the researchers, Lazarus’ recent activity is part of a broader international campaign leveraging supply chain attacks.

Identified by US-CERT and the FBI as HIDDEN COBRA, the group is suspected of being responsible for the WannaCry ransomware and the Sony Pictures Entertainment hack that escalated tensions between the US and North Korea.

Lazarus’ supply chain attacks target atypical victims

Experts believe that Lazarus is expanding its victim base beyond that of Asian government agencies and policy think tanks.

Kaspersky researchers discovered that the hacking group had targeted a Latvian tech firm developing asset monitoring solutions, an atypical victim for Lazarus.

During the attack, the North Korean APT deployed a compromised downloader, “Racket,” signed with a stolen digital certificate. The hacking group had stolen the certificate from a US-based South Korean security company.

According to Kaspersky, the APT compromised multiple servers and uploaded several malicious scripts to them in the process. The group used these scripts to control the trojans installed on downstream victims.

“North Korea once again figures prominently in an attack, although it doesn’t appear to be the government this time, at least not directly,” said Saryu Nayyar, CEO at Gurucul.

“Government-sponsored attacks continue to be a major issue for other governments and enterprises. Both types of organizations need to be cognizant of the potential for high-powered attacks and respond appropriately. Early…
