North Korea has long been recognized for its sophisticated cyber operations, particularly targeting financial institutions and cryptocurrency databases to fund its nuclear and ballistic missile programs. In addition to these high-profile cyberattacks, North Korean hackers have increasingly adopted more subtle methods, such as creating fake professional profiles on platforms like LinkedIn to gain employment at foreign firms, especially those based in Western nations.

In a recent development uncovered by security experts from Nisos, hackers linked to North Korea’s regime are now exploiting platforms like GitHub to craft fraudulent workspaces. The goal is to impress potential employers, particularly those from Japan and the United States, with fabricated portfolios showcasing fake expertise in various technical fields.

Here’s how the operation typically unfolds: Hackers first create fake online profiles, often claiming to be from Vietnam, Japan, or Singapore, and upload manipulated photos related to their work environment. These photos are designed to appear authentic, but they are part of a deliberate effort to deceive potential employers. Following this, the hackers create misleading workspaces on GitHub, where they display fabricated projects and coding expertise. The aim is to project the image of a skilled developer or engineer, despite the profiles being entirely fictitious.

Once these fake profiles are established, the hackers begin applying for remote job positions, such as blockchain developers, full-stack engineers, and other tech roles. They primarily target companies operating in Japan and the United States, hoping to secure employment and gain access to valuable corporate intelligence. The hackers’ ultimate goal is not just employment but also to gather sensitive information, which they either sell to competitors or transmit to remote servers, possibly for the benefit of North Korea’s regime.

This Insider Threat tactic bears similarities to previous cases, such as the one last year involving Chinese nationals working in the UK, who were found to be transmitting sensitive data to Chinese intelligence agencies. The trend highlights the growing risks posed by cybercriminals infiltrating organizations under false pretenses.

Given this emerging threat, business leaders are being urged to exercise heightened caution when hiring for remote positions, especially through freelance platforms. Thorough background checks are now more critical than ever before. Employers should verify candidates’ educational backgrounds, scrutinize their nationalities, conduct criminal checks, and ensure that drug tests and other relevant screening processes are followed before offering employment. This additional diligence is necessary to protect companies from the increasing threat of cyber espionage and to safeguard sensitive information.

The post North Korea exploits GitHub with fake profiles and Insider Threats appeared first on Cybersecurity Insiders.

It looks like a very sophisticated attack against the Dubai-based exchange Bybit:

Bybit officials disclosed the theft of more than 400,000 ethereum and staked ethereum coins just hours after it occurred. The notification said the digital loot had been stored in a “Multisig Cold Wallet” when, somehow, it was transferred to one of the exchange’s hot wallets. From there, the cryptocurrency was transferred out of Bybit altogether and into wallets controlled by the unknown attackers.

[…]

…a subsequent investigation by Safe found no signs of unauthorized access to its infrastructure, no compromises of other Safe wallets, and no obvious vulnerabilities in the Safe codebase. As investigators continued to dig in, they finally settled on the true cause. Bybit ultimately said that the fraudulent transaction was “manipulated by a sophisticated attack that altered the smart contract logic and masked the signing interface, enabling the attacker to gain control of the ETH Cold Wallet.”

The announcement on the Bybit website is almost comical. This is the headline: “Incident Update: Unauthorized Activity Involving ETH Cold Wallet.”

More:

This hack sets a new precedent in crypto security by bypassing a multisig cold wallet without exploiting any smart contract vulnerability. Instead, it exploited human trust and UI deception:

  • Multisigs are no longer a security guarantee if signers can be compromised.
  • Cold wallets aren’t automatically safe if an attacker can manipulate what a signer sees.
  • Supply chain and UI manipulation attacks are becoming more sophisticated.

The Bybit hack has shattered long-held assumptions about crypto security. No matter how strong your smart contract logic or multisig protections are, the human element remains the weakest link. This attack proves that UI manipulation and social engineering can bypass even the most secure wallets. The industry needs to move to end-to-end prevention; each transaction must be validated.

The SolarWinds hack has returned to haunt four cybersecurity companies who tried to hide their breaches and ended up with their trousers around their ankles, and North Korea succeeds in getting one of its IT workers hired... but what's their plan? All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Interesting social engineering attack: luring potential job applicants with fake recruiting pitches, trying to convince them to download malware. From a news article:

These particular attacks from North Korean state-funded hacking team Lazarus Group are new, but the overall malware campaign against the Python development community has been running since at least August of 2023, when a number of popular open source Python tools were maliciously duplicated with added malware. Now, though, there are also attacks involving “coding tests” that only exist to get the end user to install hidden malware on their system (cleverly hidden with Base64 encoding) that allows remote execution once present. The capacity for exploitation at that point is pretty much unlimited, due to the flexibility of Python and how it interacts with the underlying OS.

In episode 14 of "The AI Fix", Graham makes an apology, Mark wonders if suicide drones have second thoughts, people pretend to be robots, and some researchers prove that all you need for an AI to generate a somewhat usable version of the computer game Doom out of thin air is to already have a fully-working copy of the computer game Doom. Graham learns how to escape from a police sniffer elephant, an AI generates a smell with no odour, and Mark explains why the world's best LLMs think there are two Rs in "strawberry". All this and much more is discussed in the latest edition of "The AI Fix" podcast by Graham Cluley and Mark Stockley.

APT45, a cyber threat group associated with North Korea’s Reconnaissance General Bureau, known by aliases such as Stonefly, Silent Chollima, Nickel Hyatt, Andariel, and Onyx Sleet, has recently shifted its focus from cyber espionage to spreading ransomware. The group has been observed targeting organizations in South Korea, Japan, and the United States.

Security researchers from Google’s Mandiant have analyzed the group’s activities and found them deploying Shattered Glass Ransomware. This ransomware variant was last detected between June 2021 and June 2022 by Kaspersky.

Previously, APT45 had concentrated on stealing healthcare and crop science information from research and development institutions linked to various governments worldwide.

North Korea, under Kim Jong Un’s leadership, has historically conducted cyber attacks targeting cryptocurrency companies to steal digital assets and gather intelligence for resale to interested parties. The recent shift towards ransomware may be motivated by the potential for substantial financial gains to fund North Korea’s nuclear ambitions.

The discovery of APT45’s new tactics coincided with KnowBe4’s revelation that it had been targeted by a North Korean cyber crime group. The group attempted to infiltrate KnowBe4’s development network by planting a fake employee with a fabricated identity. KnowBe4’s robust administrative and security measures prevented the infiltration before any intelligence could be extracted from their servers or malware could be deployed on their network.

Remember, paying a ransom doesn’t guarantee a decryption key, and it increases the risk considerably, as criminals often attack the same network multiple times in a year by exploiting the same vulnerability. Furthermore, it gives threat actors confidence that their malicious motives will surely be rewarded.

The post Ransomware shift from Cyber Espionage for North Korea appeared first on Cybersecurity Insiders.

Microsoft gets itself into a pickle with a privacy-popping new feature on its Copilot+ PCs, the FTC warns of impersonated companies, and is your company hiring North Korean IT workers? All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by author, journalist, and podcaster Geoff White.