Tag Archive for: Opsec

North Korean Nation-State Actors Exposed in JumpCloud Hack After OPSEC Blunder

/in


North Korean nation-state actors affiliated with the Reconnaissance General Bureau (RGB) have been attributed to the JumpCloud hack following an operational security (OPSEC) blunder that exposed their actual IP address.

Google-owned threat intelligence firm Mandiant attributed the activity to a threat actor it tracks under the name UNC4899, which likely shares overlaps with clusters already being monitored as Jade Sleet and TraderTraitor, a group with a history of striking blockchain and cryptocurrency sectors.

UNC4899 also overlaps with APT43, another hacking crew associated with the Democratic People’s Republic of Korea (DPRK) that was unmasked earlier this March as conducting a series of campaigns to gather intelligence and siphon cryptocurrency from targeted companies.

The adversarial collective’s modus operandi is characterized by the use of Operational Relay Boxes (ORBs) using L2TP IPsec tunnels along with commercial VPN providers to disguise the attacker’s true point of origin, with commercial VPN services acting as the final hop.

“There have been many occasions in which DPRK threat actors did not employ this last hop, or mistakenly did not utilize this while conducting actions on operations on the victim’s network,” the company said in an analysis published Monday, adding it observed “UNC4899 connecting directly to an attacker-controlled ORB from their 175.45.178[.]0/24 subnet.”

The intrusion directed against JumpCloud took place on June 22, 2023, as part of a sophisticated spear-phishing campaign that leveraged the unauthorized access to breach fewer than five customers and less than 10 systems in what’s called a software supply chain attack.

Mandiant’s findings are based on an incident response effort initiated in the aftermath of a cyber attack against one of JumpCloud’s impacted customers, an unnamed software solutions entity, the starting point being a malicious Ruby script (“init.rb”) executed via the JumpCloud agent on June 27, 2023.

A notable aspect of the incident is its targeting of four Apple systems running macOS Ventura versions 13.3 or 13.4.1, underscoring North Korean actors’ continued investment in honing malware specially tailored for the platform in…

Source…

Opsec examples: 6 spectacular operational security failures

/in


Every day, most of us leave trails of online breadcrumbs behind us, disconnected pieces of data that a determined sleuth could connect to learn about our activities and perhaps break through our veil of anonymity. The struggle to prevent attackers from putting these puzzle pieces together is known as operational security (opsec).

Most of us don’t think too much about all this: nobody’s trying to track us down, and if they did, the consequences wouldn’t be too worrisome. But there are those for whom the stakes are much higher. Would it be so bad if someone recognized the handles of your anonymous social media accounts as the name one of your big work projects or the subject of your senior thesis? It might be if you were the director of the FBI. Does it matter if the selfies you upload to social media have location data embedded in them, or if your fitness tracker sends anonymized data about your jogging route to its manufacturer? It might if you’re a soldier on a secret military base or in a country where your government swears it hasn’t sent any troops.

Hackers and cybercriminals—of both the freelance and state-sponsored variety—are generally quick to exploit any failures in opsec made by potential victims. That’s why it’s perhaps surprising that these malicious actors often themselves fail to cover their online tracks, whether due to arrogance, incompetence, or some combination of the two. You can view these incidents as morality plays in which the bad guys get their comeuppance, but maybe it’s better to think about them as cautionary tales: you might not be spying for the Chinese government or running an online drug market, but you could fall into the same mistakes that these cybercriminals did, to your peril.

All roads lead back to Dread Pirate Roberts

For a few years in the early 2010s, the Silk Road was source of fascination and frustration for computer security researchers and law enforcement alike. An underground marketplace where users could trade cryptocurrency for drugs, weapons, and other illegal goods and services, it brought the idea of the “dark web,” along with knowledge about Tor and bitcoin, into the consciousness of regular people….

Source…

Opsec fail: Baltimore teen car thieves paired phones with Jeep UConnect

/in

A Nest video screen grab of a November 22 burglary led to one teen’s arrest—and the online hunt for others. (credit: @BaconisFruit)

On November 22, 2015, a group of teenagers broke into the house of a Baltimore man, stealing his bicycle and finding a spare key to his Jeep Renegade. They then took off, stealing the Jeep and taking it for a multiday joyride before abandoning it with an empty gas tank and some minor damage.

In Baltimore (as I can sadly say from personal experience), the story would usually end there with an insurance claim and a shrug. But the group of young men involved in the burglary and theft were all captured on a Nest camera as they rifled through drawers. And some of them left more potential digital evidence when they paired their phones over Bluetooth with the Jeep’s UConnect system.

One of the thieves was identified from a head shot from the camera footage a few weeks later by a school police officer and has already pleaded guilty in juvenile court. But the apprehended youth wouldn’t give police the identities of the others involved in the theft. Because he’s a juvenile, he’ll likely be released soon.

Read 4 remaining paragraphs | Comments

Technology Lab – Ars Technica