Tag Archive for: Ongoing

N. Korea-linked Kimsuky Shifts to Compiled HTML Help Files in Ongoing Cyberattacks


Mar 24, 2024 | Newsroom | Artificial Intelligence / Cyber Espionage

The North Korea-linked threat actor known as Kimsuky (aka Black Banshee, Emerald Sleet, or Springtail) has been observed shifting its tactics, leveraging Compiled HTML Help (CHM) files as vectors to deliver malware for harvesting sensitive data.

Kimsuky, active since at least 2012, is known to target entities located in South Korea as well as North America, Asia, and Europe.

According to Rapid7, attack chains have leveraged weaponized Microsoft Office documents, ISO files, and Windows shortcut (LNK) files, with the group also employing CHM files to deploy malware on compromised hosts.

The cybersecurity firm has attributed the activity to Kimsuky with moderate confidence, citing similar tradecraft observed in the past.

“While originally designed for help documentation, CHM files have also been exploited for malicious purposes, such as distributing malware, because they can execute JavaScript when opened,” the company said.

The CHM file is distributed inside an ISO, VHD, ZIP, or RAR archive; opening it executes a Visual Basic Script (VBScript) that sets up persistence and reaches out to a remote server to fetch a next-stage payload responsible for gathering and exfiltrating sensitive data.

Rapid7 described the attacks as ongoing and evolving, targeting organizations based in South Korea. It also identified an alternate infection sequence that employs a CHM file as a starting point to drop batch files tasked with harvesting the information and a PowerShell script to connect to the C2 server and transfer the data.

“The modus operandi and reusing of code and tools are showing that the threat actor is actively using and refining/reshaping its techniques and tactics to gather intelligence from victims,” it said.

The development comes as Broadcom-owned Symantec revealed that the Kimsuky actors are distributing malware impersonating an application from a legitimate Korean public entity.

“Once compromised, the dropper installs an Endoor backdoor malware,” Symantec said. “This threat enables attackers to collect sensitive information from the victim or install additional malware.”

It’s worth noting that the Golang-based Endoor,…

Source…

Fujitsu Confirms It Was Hacked Via Malware, Says Probe Ongoing


Fujitsu Limited reported that the attack, which exposed employee and customer information, came from malware that impacted an unspecified number of the company’s work PCs.


Tokyo-based Fujitsu Limited said Friday that it suffered a data breach in which files containing customer information could have been accessed by unauthorized people.

Fujitsu, in the English translation of an online statement, wrote that it confirmed the presence of malware on several of its work computers, and after an internal investigation, found that “files containing personal information and customer information could be illegally taken out.”

“After confirming the presence of malware, we immediately disconnected the affected business computers and took measures such as strengthening monitoring of other business computers. Additionally, we are currently continuing to investigate the circumstances surrounding the malware’s intrusion and whether information has been leaked,” Fujitsu wrote.

Fujitsu also said it has reported the breach to Japan’s Personal Information Protection Commission, and that it has yet to receive any reports of whether information about the company’s personnel or its customers has been misused.

Japan’s Personal Information Protection Commission, the chairman of which is appointed by Japan’s Prime Minister, provides security policies, mediation of complaints, and international cooperation.

So far, based on the statement, it appears that the impact of the breach is limited to Japan, but it could be more widespread.

CRN reached out to Fujitsu for more information, but had not received a response by press time.

Fujitsu is a global electronics and IT manufacturer with 124,000 employees and annual revenue of about $25 billion.

2024 has been a big year for data breaches. The U.S. alone in January saw 336 publicly disclosed security incidents, which according to security provider IT Governance was 7 percent of the world’s total…

Source…

AI and cybersecurity: locked in an ongoing battle – TechHQ

Source…

MGM cyber attack: How a phone call may have led to the ongoing hack


Did prominent casino chain MGM Resorts gamble with its customers’ data? That’s a question a lot of those customers are probably asking themselves after a cyberattack took down many of MGM’s systems for several days. And it may have all started with a phone call, if reports citing the hackers themselves are to be believed.

MGM, which owns more than two dozen hotel and casino locations around the world as well as an online sports betting arm, reported on September 11 that a “cybersecurity issue” was affecting some of its systems, which it shut down to “protect our systems and data.” For the next several days, reports said everything from hotel room digital keys to slot machines weren’t working. Even websites for its many properties went offline for a while. Guests found themselves waiting in hours-long lines to check in and get physical room keys or getting handwritten receipts for casino winnings as the company went into manual mode to stay as operational as possible. MGM Resorts didn’t respond to a request for comment, and has only posted vague references to a “cybersecurity issue” on Twitter/X, reassuring guests it was working to resolve the issue and that its resorts were staying open.

It took about 10 days, but MGM announced on September 20 that its hotels and casinos were “operating normally” again, although there may be some “intermittent issues” and MGM Rewards may not be available.

“We thank you for your patience,” the company said in its statement. It did not provide any additional information on the reason why its systems went down in the first place.

The attacks show how even organizations that you might expect to be especially locked down and protected from cybersecurity attacks — say, massive casino chains that pull in tens of millions of dollars every day — are still vulnerable if the hacker uses the right attack vector. And that’s almost always a human being and human nature. In this case, it appears that publicly available information and a persuasive phone manner were enough to give the hackers all they needed to get into MGM’s systems and create what is likely to be some very expensive havoc that will hurt both the…

Source…