Source |
RiskIQ |
Identifier |
8624668 |
Publication date |
2024-12-13 16:08:38 (viewed: 2024-12-13 17:08:43) |
Title |
Radiant links $50 million crypto heist to North Korean hackers |
Text |
## Snapshot
Mandiant attributes the $50 million USD cryptocurrency heist from Radiant Capital, which occurred [in October 2024](https://medium.com/@RadiantCapital/radiant-post-mortem-fecd6cd38081), to North Korean state-affiliated threat actor UNC4736.
## Description
Threat actors used sophisticated malware to target three trusted developers at Radiant, a decentralized finance (DeFi) platform. They compromised the developers' devices to execute unauthorized transactions, subverting the multi-signature process and draining funds from the Arbitrum and Binance Smart Chain markets. The initial infiltration began on September 11, 2024, when a Radiant developer was tricked into downloading a malicious ZIP file via a Telegram message that appeared to come from a former contractor. The purported contractor said they were pursuing a new career opportunity and asked for feedback on an alleged project. The message included a ZIP file containing a decoy PDF and a macOS malware payload named 'InletDrift', which established a backdoor on the infected device. Radiant Capital noted that requests to review PDFs are routine in professional settings and that, after the compromise, the devices showed only minor glitches and error messages during signing, which is typical for hardware wallets and Safe. Additionally, the domain from which the ZIP file was served spoofed the former contractor's legitimate website.
Despite Radiant's security measures, including transaction simulations and verification layers, the attack went undetected because the malware displayed benign transaction data on the wallet interfaces while the signers were actually signing malicious transactions in the background. Mandiant, which is assisting in the ongoing investigation, assesses with high confidence that UNC4736 (tracked by Microsoft as [Citrine Sleet](https://security.microsoft.com/intel-profiles/740afa51582ebef367a7120efe99a535ba803f2169356580369a0fd680137145)) is behind the attack. Radiant is working with United States law enforcement and ZeroShadow to recover the stolen funds and is emphasizing the need for more robust device-level security controls to prevent such attacks in the future. [ZeroShadow](https://x.com/zeroshadow_io/status/1865839771798429699) also attributes this incident to the DPRK with high confidence.
## Microsoft Analysis and Additional OSINT Context
In a related observation, Microsoft first identified atokyonews[.]com in November 2023 and attributed the domain to Citrine Sleet. This threat actor primarily targets financial institutions and conducts thorough reconnaissance of the cryptocurrency industry and associated individuals to support its social engineering. Citrine Sleet has also previously used attacker-registered domains for social engineering, malware hosting, and command-and-control (C2).
## Recommendations
[Radiant Capital provided the following preventative recommendations](https://medium.com/@RadiantCapital/radiant-post-mortem-fecd6cd38081):
- Implement a governance layer where, if one or more signers encounter issues or anomalies, the process is halted for further verification before proceeding.
- Utilize an uncompromised, independent device to verify transaction data before signing.
- Avoid using blind signing for critical transactions.
- Integrate a mechanism where recurring transaction errors or glitches automatically trigger a full audit of the transaction before additional signing attempts can be made.
- Manually review transaction payloads.
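The recommendations above amount to a pre-signing gate: re-read the payload on an independent device, compare it with what the primary workstation's UI displayed, refuse to blind-sign anything outside an allowlist, and halt the whole signing round once signers report glitches. The following is an added illustration of such a gate, not code from Radiant or Safe. The 4-byte selectors are the standard ones (first four bytes of keccak256 over the Solidity signature); the addresses, the policy, the `Tx` shape and the scenario are constructed for the example, and the "independent device" is simply a second, separately obtained copy of the transaction fields.

```python
"""Pre-signing gate for a multisig transaction (added example, not Radiant's or Safe's code)."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Standard 4-byte selectors: first four bytes of keccak256(canonical signature).
SELECTORS = {
    "a9059cbb": "transfer(address,uint256)",
    "095ea7b3": "approve(address,uint256)",
    "f2fde38b": "transferOwnership(address)",
}


@dataclass(frozen=True)
class Tx:
    """The fields a Safe-style multisig signs over; operation 0 = CALL, 1 = DELEGATECALL."""
    to: str
    value: int
    data: str
    operation: int = 0


def decode(tx: Tx) -> Tuple[str, List[str]]:
    """Return (known signature, or 0x<selector> if unknown) and the 32-byte ABI words as hex."""
    raw = tx.data[2:].lower() if tx.data.startswith("0x") else tx.data.lower()
    if len(raw) < 8:
        return "<no-selector>", []
    sel, body = raw[:8], raw[8:]
    words = [body[i:i + 64] for i in range(0, len(body), 64)]
    return SELECTORS.get(sel, "0x" + sel), words


def addr_from_word(word: str) -> str:
    """ABI encodes an address left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + word[-40:]


def encode_call(sig: str, *words: str) -> str:
    """Build calldata from a known signature plus pre-padded 32-byte words (example helper)."""
    sel = {v: k for k, v in SELECTORS.items()}[sig]
    return "0x" + sel + "".join(words)


def pad_address(addr: str) -> str:
    return addr[2:].lower().rjust(64, "0")


def pad_uint(n: int) -> str:
    return format(n, "064x")


@dataclass
class Policy:
    allowed_targets: Set[str]
    allowed_functions: Set[str]
    halt_after_anomalies: int = 1  # "if one or more signers encounter issues, halt"
    anomaly_reports: List[Tuple[str, str]] = field(default_factory=list)

    def report_anomaly(self, signer: str, note: str) -> None:
        """A glitch or error during signing is recorded, not retried."""
        self.anomaly_reports.append((signer, note))

    @property
    def halted(self) -> bool:
        return len(self.anomaly_reports) >= self.halt_after_anomalies


def gate(displayed: Tx, to_sign: Tx, policy: Policy) -> Tuple[bool, List[str]]:
    """`displayed` is what the workstation UI showed; `to_sign` is the payload re-read on an
    independent device. Returns (may_sign, reasons)."""
    reasons = []
    if policy.halted:
        reasons.append(f"round halted: {len(policy.anomaly_reports)} anomaly report(s) pending audit")
    if displayed != to_sign:
        reasons.append(f"payload mismatch: UI shows {decode(displayed)[0]}, device would sign {decode(to_sign)[0]}")
    fn, _ = decode(to_sign)
    if to_sign.operation != 0:
        reasons.append("delegatecall is not permitted by policy")
    if to_sign.to.lower() not in policy.allowed_targets:
        reasons.append(f"target {to_sign.to} not in allowlist")
    if fn.startswith("0x") or fn == "<no-selector>":
        reasons.append(f"unknown selector {fn}: refusing to blind-sign")
    elif fn not in policy.allowed_functions:
        reasons.append(f"function {fn} not in allowlist")
    return (not reasons, reasons)


def scenario() -> dict:
    """Constructed walk-through: a routine treasury transfer is shown on the UI while an
    ownership transfer to an attacker address is substituted underneath; then two signers
    report glitches and the round halts even for an honest payload."""
    pool, treasury, attacker = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
    policy = Policy({pool}, {"transfer(address,uint256)"}, halt_after_anomalies=2)
    shown = Tx(pool, 0, encode_call("transfer(address,uint256)", pad_address(treasury), pad_uint(10**18)))
    swapped = Tx(pool, 0, encode_call("transferOwnership(address)", pad_address(attacker)))
    honest = gate(shown, shown, policy)
    tampered = gate(shown, swapped, policy)
    policy.report_anomaly("signer-1", "hardware wallet rejected, UI said retry")
    policy.report_anomaly("signer-2", "signing glitch, asked to re-sign")
    after_halt = gate(shown, shown, policy)
    return {"honest": honest, "tampered": tampered, "after_halt": after_halt,
            "swapped_fn": decode(swapped)[0], "swapped_target": addr_from_word(decode(swapped)[1][0])}


if __name__ == "__main__":
    for name, result in scenario().items():
        print(name, result)
```

The decisive check is the `displayed != to_sign` comparison: it only helps if `to_sign` is genuinely obtained on a device the compromised workstation cannot influence, and the allowlist makes a substituted `transferOwnership` fail even when the UI copy was tampered with to match.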
Microsoft recommends the following to reduce the risk of these threats.
- [Help prevent social engineering attacks](https://www.microsoft.com/en-us/security/security-insider/emerging-threats/feeding-from-the-trust-economy-social-engineering-fraud?ocid=magicti_ta_blog) by not blending personal accounts with work emails or work-related tasks. Avoid opening emails, attachments, and links, including links from social networks, from suspicious sources. Ask yourself whether the sender is who they say they are before clicking anything. Lastly, don't overshare online. If t |
Notes |
★★★
|
Sent |
Yes |
Tags |
Malware
Tool
Threat
Legislation
|
Stories |
|
Move |
|