Relations between North Korea and South Korea have not been good for the past few years, and that is probably because of the notorious mind and actions of North Korean leader Kim Jong-un.

Fresh reports indicate that a hacking group, possibly funded by North Korean intelligence, has been strategically targeting South Korean citizens with phishing emails urging recipients to book appointments for a newly developed corona vaccine said to counter a novel strain of Coronavirus, the strain that has sent almost half of Beijing into lockdown again.

Cybersecurity Insiders has learned that the email, with its vaccine details, is being sent from an email address registered to the Korean Society for Health Promotion and Disease Prevention.

Highly placed sources state that the medical council's email server might have been hacked by the North Korean hackers and its email account compromised.

The email, which looks genuinely tied to the council's domain, asks recipients to go for the vaccine, but the link it offers actually leads to a malware download.

ESTSecurity was the first firm to analyze and report the incident, and has attributed the attack campaign to Kim's Ministry of Defense and Ministry of Unification. The investigation conducted by its researchers states that the campaign might aim to earn money in illicit ways, such as spreading ransomware and demanding ransom, or spreading malware capable of stealing banking credentials and cryptocurrency from online e-wallets.

Kim is nowadays busy with his military testing ballistic missiles, and last year Western media speculated that he was testing nuclear missiles to be used if and when the time demands.

Note: Russia has the support of China and North Korea if it wages a war with the West, and Iran has also expressed its interest in joining hands with Putin to knock out all of the West at once on a massive scale.


The post North Korea hackers sending Corona Vaccine related phishing emails appeared first on Cybersecurity Insiders.

North Korean hackers have been exploiting a zero-day in Chrome.

The flaw, tracked as CVE-2022-0609, was exploited by two separate North Korean hacking groups. Both groups deployed the same exploit kit on websites that either belonged to legitimate organizations and were hacked or were set up for the express purpose of serving attack code on unsuspecting visitors. One group was dubbed Operation Dream Job, and it targeted more than 250 people working for 10 different companies. The other group, known as AppleJeus, targeted 85 users.

Details:

The attackers made use of an exploit kit that contained multiple stages and components in order to exploit targeted users. The attackers placed links to the exploit kit within hidden iframes, which they embedded on both websites they owned as well as some websites they compromised.

The kit initially serves some heavily obfuscated JavaScript used to fingerprint the target system. This script collected all available client information such as the user-agent, resolution, etc. and then sent it back to the exploitation server. If a set of unknown requirements were met, the client would be served a Chrome RCE exploit and some additional JavaScript. If the RCE was successful, the JavaScript would request the next stage referenced within the script as “SBX”, a common acronym for Sandbox Escape. We unfortunately were unable to recover any of the stages that followed the initial RCE.

Careful to protect their exploits, the attackers deployed multiple safeguards to make it difficult for security teams to recover any of the stages. These safeguards included:

  • Only serving the iframe at specific times, presumably when they knew an intended target would be visiting the site.
  • On some email campaigns the targets received links with unique IDs. This was potentially used to enforce a one-time-click policy for each link and allow the exploit kit to only be served once.
  • The exploit kit would AES encrypt each stage, including the clients’ responses with a session-specific key.
  • Additional stages were not served if the previous stage failed.

Although we recovered a Chrome RCE, we also found evidence where the attackers specifically checked for visitors using Safari on macOS or Firefox (on any OS), and directed them to specific links on known exploitation servers. We did not recover any responses from those URLs.

If you’re a Chrome user, patch your system now.
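One defensive check the hidden-iframe delivery described in the details above suggests is scanning fetched pages for iframes styled so the visitor never sees them. This is an added example, not code from the original post or from Google's report; the visibility heuristics and the sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Heuristics for an iframe the visitor cannot see (constructed for this example).
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?!\.)", re.I)
OFFSCREEN = re.compile(r"(left|top)\s*:\s*-\d{3,}px", re.I)


def _is_zero(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    try:
        return int(str(value).strip().rstrip("px").strip()) <= 1
    except ValueError:
        return False


class HiddenIframeFinder(HTMLParser):
    """Collect <iframe> tags whose attributes suggest they are invisible."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        style = a.get("style") or ""
        reasons = []
        if "hidden" in a:
            reasons.append("hidden-attr")
        if HIDDEN_STYLE.search(style):
            reasons.append("hidden-style")
        if OFFSCREEN.search(style):
            reasons.append("offscreen")
        if _is_zero(a.get("width")) or _is_zero(a.get("height")):
            reasons.append("zero-size")
        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})


def find_hidden_iframes(html):
    """Return a list of {src, reasons} for every invisible iframe in the page."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one visible embed and two invisible iframes.
SAMPLE_HTML = """<html><body>
<iframe src="https://video.example.org/embed/1" width="560" height="315"></iframe>
<iframe src="https://cdn.example.net/x.html" width="0" height="0"></iframe>
<iframe src="https://static.example.com/k.html" style="position:absolute;left:-9999px;display:none"></iframe>
</body></html>"""
```

Running `find_hidden_iframes(SAMPLE_HTML)` flags the second and third iframes; such hits are a triage signal to review the page, not proof of compromise on their own.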