The decision was made last week following negotiations in Washington between Anne Neuberger, U.S. deputy national security adviser for cyber and emerging technologies, and her South Korean and Japanese colleagues.

As part of the initiative, regular quarterly meetings will be held in a new format.

North Korean hackers are state sponsored

North Korea is often accused of cyberattacks aimed at financing its missile and nuclear programs. As noted in a recent UN report, in 2022, hackers working for the DPRK were particularly likely to attack foreign companies to steal cryptocurrency. Thanks to high-tech methods, record amounts were stolen compared to previous years.

The UN said most of the cyberattacks its researchers looked at were carried out by groups controlled by North Korea’s top spy agency. These groups include Kimsuky, Lazarus Group and Andariel, and are monitored by the cybersecurity industry in the US, Europe and Asia.

For example, the media reported that the FBI has officially linked the hack of the Harmony Horizon cross-chain bridge to the Lazarus group. The robbery, which took place at summer 2022, resulted in theft of $100 million worth of cryptocurrency assets.

North Korea’s activity in the cyber threats has been growing over recent years

Aside from country-specific cyberattacks, North Korean hackers also launch supply chain attacks. For example, in April we reported that a group linked to the Asian dictatorship authorities attacked the supply chain of the company 3CX, which caused a number of other attacks on supply chains.

According to experts, the UNC4736 hackers were associated with the financially motivated hacker group Lazarus from North Korea.

We also talked about the hunt of North Korean cybercriminals for IT specialists. Attackers have sought to infect researchers’ home systems and software with malware aiming to infiltrate the networks of companies for which their targets work.

Government groups for this spy company switched from phishing emails to using fake LinkedIn accounts allegedly belonging to HR. These accounts carefully imitate the identities of real people in order to deceive victims and increase the chances of an attack being successful.

Having contacted the victim and made her an “interesting offer” for a job, the attackers try to transfer the conversation to WhatsApp, and then use either the messenger itself or email to deliver a backdoor, which the researchers called Plankwalk, as well as other malware.

North Korea as part of a new axis of evil

The North Korean regime is dangerous not only because it sponsors cyber attacks on Western enterprises and companies, and not only because of repression against its citizens and the testing of new missiles that threaten the democratic countries of the Pacific region.

Recently, the Russian and North Korean dictatorships agreed to supply Korean weapons for use during the Russian invasion of Ukraine. CNN reported that more than a million artillery shells were transferred to Russia as part of this agreement.

Therefore, news about the consolidation of efforts in the fight against regimes that carry out certain actions that violate human rights can only be welcomed. Cyberspace has become a battlefield not only against crime – the confrontation in cyberspace is already taking place at the interstate level.

The post North Korean Hackers Force US, Japan & South Korea Consultations appeared first on Gridinsoft Blog.

By the way, we said that the North Korean Group Lazarus Attacks Energy Companies.

Let me also remind you that Crypto.com is one of the world’s leading cryptocurrency exchange platforms. The company gained mainstream attention in 2021 when it acquired the Los Angeles Staples Center and renamed it the Crypto.com Arena, followed by a series of television commercials.

Sentinel One analysts write that the campaign, which targets people working in the cryptocurrency industry, has been carried out by hackers since 2020. Recently, it was noticed that the attackers exploit the brand of another well-known cryptocurrency exchange, Coinbase, in their attacks, and now they have switched to Crypto.com and are attacking macOS users.

Typically, Lazarus will reach out to their targets via LinkedIn, sending them direct messages informing them of an interesting and high-paying job that Crypto.com is allegedly offering them.

As with previous campaigns targeting macOS, the hackers send victims a binary file disguised as a PDF that contains a 26-page PDF file named Crypto.com_Job_Opportunities_2022_confidential.pdf and information about jobs on Crypto.com.

In the background, this Mach-O binary creates a folder (WifiPreference) in the Library directory and deploys the second and third stage files. The second stage is the WifiAnalyticsServ.app file, which is fixed in the system (wifanalyticsagent) and eventually connects to the control server at market.contradecapital[.]com, from where it receives the final WiFiCloudWidget payload.

Because the attackers’ binaries are signed, they can bypass Apple’s gatekeeper checks and run as trusted software.

Unfortunately, the researchers were unable to study the group’s final payload, as the hackers’ C&C server was already down at the time of the investigation. However, they note that there are some indications that this operation is short-lived, which is quite typical of Lazarus phishing campaigns.

The post Lazarus Hackers Attack MacOS Users by impersonating Crypto[.]com appeared first on Gridinsoft Blog.

Let me remind you that we also reported that Microsoft accused Russia and North Korea of attacks on pharmaceutical companies, and also that Cybersecurity researchers discovered the Chinese hack group Earth Lusca.

Cisco Talos experts talk about the new campaign, according to which, the goal of Lazarus was “to infiltrate organizations around the world to establish long-term access and subsequent theft of data of interest to the enemy state.”

Whereas earlier Lazarus attacks resulted in the use of Preft (Dtrack) and NukeSped (Manuscrypt) malware, the new campaign was notable for the use of a number of other malware: the VSingle HTTP bot, which executes arbitrary code on a remote network; YamaBot backdoor written in Go; as well as the previously unknown Remote Access Trojan (RAT) MagicRAT, which has been used to find and steal data from infected devices, but can also be used to launch additional payloads on infected systems.

It is worth saying that Symantec and AhnLab analysts have already written about this activity of Lazarus, but the latest Cisco report turned out to be more in-depth and reveals much more details about the activities of hackers.

It is known that Lazarus obtained initial access to the corporate networks of its victims by exploiting vulnerabilities in VMware products (for example, Log4Shell). These problems have been used to run shellcode, create reverse shells, and execute arbitrary commands on a compromised machine.

Thus, the use of VSingle malware in one of the attacks allowed the attackers to perform various actions, including reconnaissance, data theft, and manual installation of backdoors, which gave them a clear understanding of the victim’s environment. In essence, this malware sets the stage for credential theft, creates new admin users on the host, and installs a reverse shell to communicate with the command and control server and download plugins that extend its functionality.

In another case, after gaining initial access and conducting reconnaissance, the hackers used not only VSingle, but also MagicRAT, to which the researchers paid special attention and devoted a separate post.

The Trojan is able to fix itself in the victim’s system by executing hard-coded commands and creating scheduled tasks, conduct reconnaissance and extract additional malware from the command-and-control server (such as TigerRAT).

In the third case, Lazarus deployed the YamaBot malware to the affected systems, written in Go and having standard RAT features:

1. listing files and directories;
2. transferring information about processes to the control server;
3. downloading remote files;
4. execution of arbitrary commands and self-destruction.

It is also noted that the group often used not only its own tools, but also collected credentials in the victim’s networks using such well-known solutions as Mimikatz and Procdump, disabled anti-virus components and Active Directory services, and also took measures to cover up traces after backdoors were activated.

The post North Korean Group Lazarus Attacks Energy Companies appeared first on Gridinsoft Blog.