What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2018-08-27 16:09:05 | North Korea-linked Hackers Stole $13.5 Million From Cosmos Bank: Report (lien direct) | The North Korea-linked hacking group Lazarus is said to have stolen $13.5 million in a recent cyber-attack targeting SWIFT/ATM infrastructure of Cosmos Bank. | APT 38 | ||
 |
2018-08-23 15:07:00 | Lazarus Group Builds its First MacOS Malware (lien direct) | This isn't the first time Lazarus Group has infiltrated a cryptocurrency exchange as the hacking team has found new ways to achieve financial gain. | Malware Medical | APT 38 | |
 |
2018-08-23 08:00:00 | AppleJeus: macOS users targeted in new Lazarus attacks (lien direct) | The campaign includes the distribution of Apple macOS malware for the first time. | Malware | APT 38 | |
 |
2018-08-10 16:15:03 | The analysis of the code reuse revealed many links between North Korea malware (lien direct) | Security researchers at Intezer and McAfee have conducted a joint investigation that allowed them to collect evidence that links malware families attributed to North Korean APT groups such as the notorious Lazarus Group and Group 123. The experts focused their analysis on the code reuse, past investigations revealed that some APT groups share portions of code […] | Malware Medical Cloud | APT 38 APT 37 | |
|
2018-08-09 19:34:03 | Researchers Say Code Reuse Links North Korea\'s Malware (lien direct) | Following trails of reused code, security researchers at Intezer and McAfee have uncovered new links between malware families attributed to North Korean threat groups and tracked most of the samples to the infamous | Malware Threat | APT 38 | |
 |
2018-08-09 13:00:01 | Examining Code Reuse Reveals Undiscovered Links Among North Korea\'s Malware Families (lien direct) | 
This research is a joint effort by Jay Rosenberg, senior security researcher at Intezer, and Christiaan Beek, lead scientist and senior principal engineer at McAfee. Intezer has also posted this story. Attacks from the online groups Lazarus, Silent Chollima, Group 123, Hidden Cobra, DarkSeoul, Blockbuster, Operation Troy, and 10 Days of Rain are believed to …
|
Malware Guideline Medical Cloud | APT 38 APT 37 | |
|
2018-06-26 04:44:00 | Lazarus APT hackers leverages HWP Documents in a recent string of attacks (lien direct) | Security researchers at AlienVault uncovered a series of cyber attacks on cryptocurrency exchanges leveraging weaponized Hangul Word Processor HWP documents (Hangul Word Processor documents). The string of attacks involving the HWP documents has been attributed to the North Korea-linked Lazarus APT group, and includes the hack of the South Korean virtual currency exchange Bithumb. The hackers […] | Hack Threat | Bithumb APT 38 | |
|
2018-06-25 18:30:00 | Malware in South Korean Cyberattacks Linked to Bithumb Heist (lien direct) | Lazarus Group is likely behind a spearphishing campaign containing malicious code to download Manuscrypt malware. | Malware Medical | Bithumb Bithumb APT 38 | |
|
2018-06-25 17:31:04 | North Korean Hackers Exploit HWP Docs in Recent Cyber Heists (lien direct) | A series of malicious Hangul Word Processor (HWP) documents used in recent attacks on cryptocurrency exchanges have been attributed to the North Korea-linked Lazarus group, AlienVault reports. | Medical | APT 38 | |
 |
2018-06-22 14:41:00 | Malicious Documents from Lazarus Group Targeting South Korea (lien direct) |
By Chris Doman, Fernando Martinez and Jaime Blasco
We took a brief look at some documents recently discussed and reviewed by researchers in South Korea over the past week. The malware is linked to Lazarus, a reportedly North Korean group of attackers. One malicious document appears to be targeting members of a recent G20 Financial Meeting, seeking coordination of the economic policies between the wealthiest countries. Another is reportedly related to the recent theft of $30 million from the Bithumb crypto-currency exchange in South Korea.
This article stands very much on the shoulders of other work by researchers in South Korea. Credit for initially identifying these documents goes to @issuemakerslab, @_jsoo_ and others.
Malicious Documents
We looked at three similar malicious documents:
국제금융체제 실무그룹 회의결과.hwp ("Results of the international financial system working group meeting") - cf09201f02f2edb9c555942a2d6b01d4
금융안정 컨퍼런스 개최결과.hwp ("Financial Stability Conference held") - 69ad5bd4b881d6d1fdb7b19939903e0b
신재영 전산담당 경력.hwp (“[Name] Computer Experience”) - 06cfc6cda57fb5b67ee3eb0400dd5b97
The decoy document, mentioning the G20 International Financial Architecture Working Group Meeting
The decoy document of a resume
These are Hangul Word Processor (“HWP”) files - a South Korean document editor. The HWP files contain malicious postscript code to download either a 32 or 64 bit version of the next stage from:
https://tpddata[.]com/skins/skin-8.thm - eb6275a24d047e3be05c2b4e5f50703d - 32 bit
https://tpddata[.]com/skins/skin-6.thm - a6d1424e1c33ac7a95eb5b92b923c511 - 64 bit
The malware is Manuscrypt (previously described by McAfee and |
Wannacry Bithumb APT 38 | ||
|
2018-06-18 15:18:04 | DHS, FBI published a join alert including technical details of Hidden Cobra-linked \'Typeframe\' Malware (lien direct) | The US DHS and the FBI have published a new joint report that includes technical details of a piece of malware allegedly used by the Hidden Cobra APT. A new joint report published by US DHS and FBI made the headlines, past document details TTPs associated with North Korea-linked threat groups, tracked by the US government as […] | Medical | TYPEFRAME APT 38 | |
|
2018-06-13 11:57:00 | Lazarus Group used ActiveX zero-day vulnerability to attack South Korean security think tank (lien direct) | The South Korean agency focuses on national security issues and is believed to have been attacked by North Korean hackers. | APT 38 | ||
|
2018-06-12 21:09:02 | North Korea-linked Lazarus APT behind recent ActiveX attacks (lien direct) | North Korea-linked Lazarus APT group planted an ActiveX zero-day exploit on the website of a South Korean think tank focused on national security. According to researchers at AlienVault, North Korea-linked hackers planted an ActiveX zero-day vulnerability on the website of a South Korean think tank focused on national security. The experts attributed the attack to the notorious Lazarus APT group […] | APT 38 | ||
|
2018-06-12 11:14:05 | North Korean Hackers Abuse ActiveX in Recent Attacks (lien direct) | An ActiveX zero-day vulnerability discovered recently on the website of a South Korean think tank focused on national security has been abused by the North Korean-linked Lazarus group in attacks, AlienVault reports. | Medical | APT 38 | |
 |
2018-06-12 10:30:01 | Analysis Of Banco De Chile + Continued Cyber Attacks On Banks (lien direct) | As you may have heard, Banco de Chile is the latest victim in a string of cyber attacks targeting payment transfer systems and in a similar vein to the recent Mexico heist, hackers wreaked havoc on banking operations. Ofer Israeli, CEO at Illusive Networks, believes the Lazarus Group, one of the most notorious band of cybercriminals, is behind this, … The ISBuzz Post: This Post Analysis Of Banco De Chile + Continued Cyber Attacks On Banks | Medical | APT 38 | |
|
2018-06-11 13:00:00 | More Details on an ActiveX Vulnerability Recently Used to Target Users in South Korea (lien direct) | Written By Chris Doman and Jaime Blasco Introduction Recently, an ActiveX zero-day was discovered on the website of a South Korea think tank that focuses on national security. Whilst ActiveX controls are disabled on most systems, they are still enabled on most South Korean machines due to mandates by the South Korean government. These attacks have been attributed to Lazarus, a group thought to be linked to North Korea. Below we’ve shared our brief analysis of of the attack. Profiling Script The first step appears to have been a profiling script to get information on possible targets for their attack. We’ve seen Lazarus do this before on other sites they have infected, and it’s a technique that other advanced attackers have been seen to employ. This was followed by scripts to perform additional profiling and actually delivery the ActiveX exploit. Some details of these scripts were kindly shared by issuemakerslab, who identified a number of infections that moved over time: | Malware Vulnerability | APT 38 | ★★★★ |
|
2018-06-04 06:35:01 | North Korea-Linked Covellite APT group stopped targeting organizations in the U.S. (lien direct) | A North Korea-linked APT group, tracked by experts at industrial cybersecurity firm Dragos as Covellite, has stopped targeting US organizations. Anyway, the group, that is believed to be linked to the notorious Lazarus APT group, is continuing to target organizations in Europe and East Asia. The group has been around at least since 2017 and is still active, […] | Covellite APT 38 | ||
|
2018-06-01 06:33:04 | North Korea-linked Andariel APT Group exploited an ActiveX Zero-Day in recent attacks (lien direct) | A North Korea-linked APT group, tracked as Andariel Group, leveraged an ActiveX zero-day vulnerability in targeted attacks against South Korean entities. According to a report published by South Korean cyber-security firm AhnLab, the Andariel Group is a division of the dreaded Lazarus APT Group, it already exploited ActiveX vulnerabilities in past attacks The attackers exploited at […] | APT 38 | ||
|
2018-05-31 10:11:03 | North Korea-Linked Group Stops Targeting U.S. (lien direct) | A threat actor linked to North Korea's Lazarus Group has stopped targeting organizations in the United States, but remains active in Europe and East Asia. | Medical | APT 38 | |
|
2018-05-30 18:30:05 | US-CERT issued an alert on two malware associated with North Korea-linked APT Hidden Cobra (lien direct) | The Department of Homeland Security (DHS) and the FBI issued a joint Technical alert on two strain on malware, the Joanap backdoor Trojan and Brambul Server Message Block worm, associated with the HIDDEN COBRA North Korea-linked APT group. The US-CERT alert reads: “Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators […] | Medical | APT 38 | |
 |
2018-05-30 14:59:01 | Hidden Cobra Strikes Again with Custom RAT, SMB Malware (lien direct) | The North Korean-sponsored actors are targeting sensitive and proprietary information, and the malware could disrupt regular operations and disable systems and files. | APT 38 | ||
|
2018-05-30 10:44:00 | U.S. Attributes Two More Malware Families to North Korea (lien direct) | The U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have issued another joint technical alert on the North Korea-linked threat group known as Hidden Cobra. | Medical | APT 38 | |
 |
2018-05-30 07:42:05 | FBI issues alert over two new malware linked to Hidden Cobra hackers (lien direct) | The US-CERT has released a joint technical alert from the DHS and the FBI, warning about two newly identified malware being used by the prolific North Korean APT hacking group known as Hidden Cobra.
Hidden Cobra, often known as Lazarus Group and Guardians of Peace, is believed to be backed by the North Korean government and known to launch attacks against media organizations, aerospace,
|
Medical | APT 38 | |
 |
2018-05-03 13:48:02 | La Thaïlande saisi un serveur exploité les pirates Nord-Coréens Lazarus (lien direct) | Les pirates informatiques du groupe Lazarus, annonçaient comme Nord-Coréens, auraient perdu un de leur serveur saisi par... L'article La Thaïlande saisi un serveur exploité les pirates Nord-Coréens Lazarus est apparu en premier sur Data Security Breach. | APT 38 | ||
 |
2018-04-30 12:25:04 | Thailand seizes server linked to North Korean attack gang (lien direct) | A server hidden in a Thai university and allegedly used as part of a North Korean hacking operation has been seized by ThaiCERT. Thailand’s infosec organisation announced last Wednesday that the box was operated by the Norks-linked Hidden Cobra APT group, and was part of the command-and-control rig for a campaign called GhostSecret. View full ... | Medical | APT 38 | ★★ |
|
2018-04-30 08:06:04 | Op GhostSecret – ThaiCERT seized a server used by North Korea Hidden Cobra APT group in the Sony Picture hack (lien direct) | The Thai authorities with the support of the ThaiCERT and security first McAfee have seized a server used by North Korean Hidden Cobra APT as part of the Op GhostSecret campaign. The Thai authorities with the support of the ThaiCERT have seized a server used by North Korean hackers in the attack against Sony Picture. […] | Medical | APT 38 | |
|
2018-04-27 15:58:03 | ThaiCERT Seizes Hidden Cobra Server Linked to GhostSecret, Sony Attacks (lien direct) | It's analyzing the server, operated by the North Korea-sponsored APT, which was used to control the global GhostSecret espionage campaign affecting 17 countries. | APT 38 | ||
|
2018-04-25 04:01:02 | (Déjà vu) Global Malware Campaign Pilfers Data from Critical Infrastructure, Entertainment, Finance, Health Care, and Other Industries (lien direct) | 
McAfee Advanced Threat Research analysts have uncovered a global data reconnaissance campaign assaulting a wide number of industries including critical infrastructure, entertainment, finance, health care, and telecommunications. This campaign, dubbed Operation GhostSecret, leverages multiple implants, tools, and malware variants associated with the state-sponsored cyber group Hidden Cobra. The infrastructure currently remains active. (For an extensive …
|
Medical | APT 38 | |
|
2018-04-25 04:01:02 | (Déjà vu) Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide (lien direct) | 
McAfee Advanced Threat Research analysts have uncovered a global data reconnaissance campaign assaulting a wide number of industries including critical infrastructure, entertainment, finance, health care, and telecommunications. This campaign, dubbed Operation GhostSecret, leverages multiple implants, tools, and malware variants associated with the state-sponsored cyber group Hidden Cobra. The infrastructure currently remains active. In this post, …
|
Medical | APT 38 | |
|
2018-04-05 09:22:01 | North Korea-Linked Lazarus APT suspected for online Casino assault (lien direct) | The North Korea-linked APT group known as Lazarus made the headlines again for attacking an online casino in Central America and other targets. The activity of the Lazarus Group (aka Hidden Cobra) surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated. […] | Medical | APT 38 | |
|
2018-04-04 17:40:00 | North Korean Hackers Behind Online Casino Attack: Report (lien direct) | >The infamous North Korean hacking group known as Lazarus is responsible for attacking an online casino in Central America, along with various other targets, ESET says. The Lazarus Group has been active since at least 2009 and is said to be associated with a large number of major cyber-attacks, including the $81 million cyber heist from Bangladesh's account at the New York Federal Reserve Bank. Said to be the most serious threat against banks, the group has shown increased interest in | Medical | APT 38 | |
 |
2018-04-03 13:00:03 | Lazarus KillDisks Central American casino (lien direct) | >The Lazarus Group gained notoriety especially after cyber-sabotage against Sony Pictures Entertainment in 2014. Fast forward to late 2017 and the group continues to deploy its malicious tools, including disk-wiping malware known as KillDisk, to attack a number of targets. | Medical | APT 38 | |
 |
2018-03-29 22:25:24 | WannaCry after one year (lien direct) | In the news, Boeing (an aircraft maker) has been "targeted by a WannaCry virus attack". Phrased this way, it's implausible. There are no new attacks targeting people with WannaCry. There is either no WannaCry, or it's simply a continuation of the attack from a year ago.It's possible what happened is that an anti-virus product called a new virus "WannaCry". Virus families are often related, and sometimes a distant relative gets called the same thing. I know this watching the way various anti-virus products label my own software, which isn't a virus, but which virus writers often include with their own stuff. The Lazarus group, which is believed to be responsible for WannaCry, have whole virus families like this. Thus, just because an AV product claims you are infected with WannaCry doesn't mean it's the same thing that everyone else is calling WannaCry.Famously, WannaCry was the first virus/ransomware/worm that used the NSA ETERNALBLUE exploit. Other viruses have since added the exploit, and of course, hackers use it when attacking systems. It may be that a network intrusion detection system detected ETERNALBLUE, which people then assumed was due to WannaCry. It may actually have been an nPetya infection instead (nPetya was the second major virus/worm/ransomware to use the exploit).Or it could be the real WannaCry, but it's probably not a new "attack" that "targets" Boeing. Instead, it's likely a continuation from WannaCry's first appearance. WannaCry is a worm, which means it spreads automatically after it was launched, for years, without anybody in control. Infected machines still exist, unnoticed by their owners, attacking random machines on the Internet. If you plug in an unpatched computer onto the raw Internet, without the benefit of a firewall, it'll get infected within an hour.However, the Boeing manufacturing systems that were infected were not on the Internet, so what happened? The narrative from the news stories imply some nefarious hacker activity that "targeted" Boeing, but that's unlikely.We have now have over 15 years of experience with network worms getting into strange places disconnected and even "air gapped" from the Internet. The most common reason is laptops. Somebody takes their laptop to some place like an airport WiFi network, and gets infected. They put their laptop to sleep, then wake it again when they reach their destination, and plug it into the manufacturing network. At this point, the virus spreads and infects everything. This is especially the case with maintenance/support engineers, who often have specialized software they use to control manufacturing machines, for which they have a reason to connect to the local network even if it doesn't have useful access to the Internet. A single engineer may act as a sort of Typhoid Mary, going from customer to customer, infecting each in turn whenever they open their laptop.Another cause for infection is virtual machines. A common practice is to take "snapshots" of live machines and save them to backups. Should the virtual machine crash, instead of rebooting it, it's simply restored from the backed up running image. If that backup image is infected, then bringing it out of sleep will allow the worm to start spreading.Jake Williams claims he's seen three other manufacturing networks infected with WannaCry. Why does manufacturing seem more susceptible? The reason appears to be the "killswitch" that stops WannaCry from running elsewhere. The killswitch uses a DNS lookup, stopping itself if it can resolve a certain domain. Manufacturing networks are largely disconnected from the Internet enough that such DNS lookups don't work, so the domain can't be found, so the killswitch doesn't work. Thus, manufacturing systems are no more likely to get infected, but the lack of killswitch means the virus will conti | Medical | Wannacry APT 38 | |
|
2018-03-16 13:00:00 | Things I hearted this week 16th March 2018 (lien direct) |
Last weekend, my daughter and I finally got around to watching Wonder Woman. We quite enjoyed it. There was a part in which Chris Pine’s character said, “My father told me once, he said, "If you see something wrong happening in the world, you can either do nothing, or you can do something". And I already tried nothing."
So, I turned to my daughter and asked, "When you're older will you say awesome quotes and attribute them to your dad so I'll appear all knowing and wise?"
She replied, "Yeah, I'll say 'my father told me if you see something wrong you can either do nothing, or send memes'".
Not sure if that means I’ve succeeded as a Dad or failed miserably. Hopefully she’ll come across one of these posts in the future and realise there was more to me than just memes.
Operation Bayonet
This article gives a fascinating insight into how law enforcement infiltrated and took down a drug market.
As reports of these kinds of operations become available, Hollywood should really be looking to these for inspiration. Far better plots than most fiction!
Operation Bayonet: Inside the sting that hijacked an entire dark web drug market | Wired
How many devices are misconfigured… or not configured?
I saw this blog that Anton Chuvakin posted over at Gartner stating that there’s a lot of security technology which is deployed yet misconfigured, not configured optimally, set to default, or deployed broken in other ways.
Broadly speaking, I agree, in the race to get things done, assurance often takes a back seat. But there’s no obvious answer. Testing takes time and expertise. Unless it’s automated. But even then someone needs to look at the results and get things fixed. DevSecOps maybe?
How Much of Your Security Gear Is Misconfigured or Not Configured? | Gartner
Hacking encrypted phones
Encrypted phone company Ciphr claims it was hacked by a rival company. A preview into how vicious digital rivals can get. And regardless of who is to blame, the fact remains that the real victims here are the users.
Customer Data From Encrypted Phone Company Ciphr Has Been Dumped Online | Motherboard
Hidden Cobra on Turkish Banks
Bankshot implants are distributed from a domain with a name similar to that of the cryptocurrency-lending platform Falcon Coin, but the similarly named domain is not associated with the legitimate entity. The malicious domain falcancoin.io was created December 27, 2017, and was updated on February 19, only a few days before the implants began to appear. These implants are variations of earlier forms of Bankshot, a remote access tool that gives an attacker full capability on a victim’s system. This implant also contains functionality to wipe files and content from the targeted system to erase evidence or perform other destructive actions. Bankshot was first reported by the Department of Homeland Security on December 13, 2017, and has only recently resurfaced in newly compiled variants. The sample we analyzed is 99% similar to the documented Bankshot variants from 2017.
|
Medical | Equifax APT 38 | |
|
2018-03-10 06:53:00 | North Korean Hidden Cobra APT targets Turkish financial industry with new Bankshot malware (lien direct) | McAfee Advanced Threat Research team discovered that the Hidden Cobra APT group is targeting financial organizations in Turkey. North Korea-linked APT group Hidden Cobra (aka Lazarus Group) is targeting the Turkish financial system. Experts from McAfee observed the hackers using the Bankshot implant in targeted attacks against the financial organizations in Turkey. The attack resembles previous attacks conducted […] | Medical | APT 38 | |
|
2018-03-09 17:22:01 | New North Korea-linked Cyberattacks Target Financial Institutions (lien direct) | New North Korean Hidden Cobra / Lazarus Campaign Targets Financial Institutions in Turkey Hidden Cobra, also known as the Lazarus Group from North Korea, is now targeting the Turkish financial system with a new and 'aggressive' operation that resembles earlier attacks against the global SWIFT financial network. | Medical | APT 38 | |
|
2018-03-08 14:00:03 | Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant (lien direct) | 
This post was prepared with contributions from Asheer Malhotra, Charles Crawford, and Jessica Saavedra-Morales. On February 28, the McAfee Advanced Threat Research team discovered that the cybercrime group Hidden Cobra continues to target cryptocurrency and financial organizations. In this analysis, we observed the return of Hidden Cobra's Bankshot malware implant surfacing in the Turkish financial …
|
Medical | APT 38 | ★★★ |
 |
2018-02-28 10:09:00 | Cryptocurrency-Mining Malware: 2018\'s New Menace? (lien direct) |  Will cryptocurrency-mining malware be the new ransomware? The popularity and increasing real-world significance of cryptocurrencies are also drawing cybercriminal attention - so much so that it appears to keep pace with ransomware's infamy in the threat landscape. In fact, cryptocurrency mining was the most detected network event in devices connected to home routers in 2017.
What started out in mid-2011 as an afterthought to main payloads such as worms and backdoors has evolved into such an effective way to profit that even cyberespionage and ransomware operators, and organized hacking groups are joining the bandwagon.
Post from: Trendlabs Security Intelligence Blog - by Trend Micro
Cryptocurrency-Mining Malware: 2018's New Menace?
|
APT 38 | ||
|
2018-02-15 14:00:00 | North Korean Cyber-Attacks and Collateral Damage (lien direct) |
WannaCry was incredibly destructive. The attackers made about $150,000 - but the total damage caused by WannaCry has been estimated in the billions of dollars.
There is strong evidence linking WannaCry to a group of hackers known as ‘Lazarus’, reportedly operating out of the DPRK (North Korea). Whilst WannaCry is perhaps the most famous attack by Lazarus, it isn’t the only ‘collateral damage’ caused by the DPRK’s cyber actions.
Below we disclose new details on three attacks that have spread out of control. Two likely originating from the DPRK - and one targeting the DPRK.
The Voice of Korea and the Rivts Virus
This section describes a piece of malware that may have been created within the DPRK as part of a test project - and accidentally leaked out onto the wider internet.
A simple file-infector
We triage many millions of malicious files automatically every day in an effort to ensure our customers are covered from new threats. One malware family we regularly see, called Rivts by antivirus vendors, was originally created in 2009 but still continues to spread.
Rivts is a file-infecting worm - it spreads across USB drives and hard drives attaching itself to files to spread further. The new files we see everyday are the result of new files being infected with the original worm from 2009 - not new developments by the attacker.
Overall, it’s a fairly boring file infector (or “virus”). But there was one very strange thing that caught our eye.
North Korean Software
As part of its initial infection process, Rivts checks for the presence of system files normally found on Windows XP to infect first. But it seems to expect two pieces of uncommon software in the Windows System folder:
Below are the details of these two files, nnr60.exe and hana80.exe:
Whilst the DPRK is well known for developing its own Linux based operating system, and there is evidence of some DPRK hackers using |
NotPetya Wannacry Yahoo APT 38 | ||
 |
2018-02-13 18:45:01 | Hidden Cobra, un malveillant made un Corée du Nord (lien direct) | Le FBI et le DHS viennent de publier un document concernant Hidden Cobra. Un logiciel d’espionnage qui serait la création de pirates informatiques officiant pour la Corée du Nord. Le site Data Security Breach revient sur une alerte lancée par le Department of Homeland Security (DHS) et le Fédé... Cet article Hidden Cobra, un malveillant made un Corée du Nord est apparu en premier sur ZATAZ. | Medical | APT 38 | |
|
2018-02-13 18:27:03 | Opération de la Corée du nord baptisée HIDDEN COBRA (lien direct) | HIDDEN COBRA, une attaque informatique signée par des pirates informatiques de la Corée du Nord selon les... Cet article Opération de la Corée du nord baptisée HIDDEN COBRA est diffusé par Data Security Breach. | Medical | APT 38 | |
|
2018-01-30 13:40:00 | OTX Trends Part 3 - Threat Actors (lien direct) |
By Javvad Malik and Chris Doman
This is the third of a three part series on trends identified by AlienVault in 2017.
Part 1 focused on exploits and part 2 addressed malware. This part will discuss threat actors and patterns we have detected with OTX.
Which threat actors should I be most concerned about?
Which threat actors your organization should be most concerned about will vary greatly. A flower shop will have a very different threat profile from a defense contractor. Therefore below we’ve limited ourselves to some very high level trends of particular threat actors below- many of which may not be relevant to your organisation.
Which threat actors are most active?
The following graph describes the number of vendor reports for each threat actor over the past two years by quarter:
For clarity, we have limited the graph to the five threat actors reported on most in OTX. This is useful as a very rough indication of which actors are particularly busy.
Caveats
There are a number of caveats to consider here. One news-worthy event against a single target may be reported in multiple vendor reports. Whereas a campaign against thousands of targets may be only represented by one report.
Vendors are also more inclined to report on something that is “commercially interesting”. For example activity targeting banks in the United States is more likely to be reported than attacks targeting the Uyghur population in China. It’s also likely we missed some reports, particularly in the earlier days of OTX which may explain some of the increase in reports between 2016 and 2017.
The global targeted threat landscape
There are a number of suggested methods to classify the capability of different threat actors. Each have their problems however. For example – if a threat actor never deploys 0-day exploits do they lack the resources to develop them, or are they mature enough to avoid wasting resources unnecessarily?
Below we have plotted out a graph of the threat actors most reported on in the last two years. We have excluded threat actors whose motivation is thought to be criminal, as that wouldn’t be an apples to apples comparison.
Both the measure of their activity (the number of vendor reports) and the measure of their capability (a rough rule of thumb) are not scientific, but can provide some rough insights:
A rough chart of the activity and capability of notable threat actors in the last year
Perhaps most notable here is which threat actors are not listed here. Some, such as APT1 and Equation Group, seem to have disappeared under their existing formation following from very public reporting. It seems unlikely groups which likely employ thousands of people such as those have disappeared completely. The lack of such reporting is more likely a result of significantly changed tactics and identification following their outing. Others remain visibly active, but not enough to make our chart of “worst offenders”.
A review of the most reported on threat actors
The threat actor referenced i |
APT 38 APT 28 APT 10 APT 3 APT 1 APT 34 | ||
|
2018-01-25 19:26:13 | A look into the cyber arsenal used by Lazarus APT hackers in recent attacks against financial institutions (lien direct) | >Security experts at Trend Micro have analyzed malware and a tool used by the Lazarus APT group in the recent attacks against financial institutions. Security experts at Trend Micro have analyzed the attacks conducted by the notorious Lazarus APT group against financial institutions. The activity of the Lazarus Group surged in 2014 and 2015, its […] | Medical | APT 38 | |
|
2018-01-25 15:01:52 | North Korea-linked Lazarus Hackers Update Arsenal of Hacking Tools (lien direct) | Recent cyberattacks associated with the North Korea-linked Lazarus group have used an evolved backdoor, along with a Remote Controller tool, Trend Micro reports. | Medical | APT 38 | |
|
2018-01-24 13:56:18 | Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More (lien direct) | We analyzed a new RATANKBA variant (BKDR_RATANKBA.ZAEL.A) that uses a PowerShell script instead of its more traditional PE executable form. In this entry, we provide in-depth analysis of the malware, as well as a detailed examination of its remote controller. Post from: Trendlabs Security Intelligence Blog - by Trend Micro Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More | APT 38 | ||
|
2018-01-08 14:00:00 | A North Korean Monero Cryptocurrency Miner (lien direct) | AlienVault labs recently analysed an application compiled on Christmas Eve 2017. It is an Installer for software to mine the Monero crypto-currency. Any mined currency is sent to Kim Il Sung University in Pyongyang, North Korea. The Installer copies a file named intelservice.exe to the system. The filename intelservice.exe is often associated with crypto-currency mining malware. Based on the arguments it’s executed with, it’s likely a piece of software called xmrig. It’s not unusual to see xmrig in malware campaigns. It was recently used in some wide campaigns exploiting unpatched IIS servers to mine Monero. The Installer executes Xmrig with the following command: "-o barjuok.ryongnamsan.edu.kp:5615 -u 4JUdGzvrMFDWrUUwY... -p KJU" + processorCount + " -k -t " + (processorCount -1)" The installer passes xmrig the following arguments: 4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRy5YeFCqgoUMnzumvS is the address of the Monero wallet barjuok.ryongnamsan.edu.kp is the mining server that would receive any mined currency. The ryongnamsan.edu.kp domain indicates this server is located at Kim Il Sung University. The password, KJU, is a possible reference to Kim Jong-un Why was this application created? The hostname barjuok.ryongnamsan.edu.kp address doesn’t currently resolve. That means the software can’t send mined currency to the authors - on most networks. It may be that: The application is designed to be run within another network, such as that of the university itself; The address used to resolve but no longer does; or The usage of a North Korean server is a prank to trick security researchers. It’s not clear if we’re looking at an early test of an attack, or part of a ‘legitimate’ mining operation where the owners of | Wannacry Bithumb APT 38 | ||
|
2017-12-24 15:36:28 | Financially motivated attacks reveal the interests of the Lazarus APT Group (lien direct) | >Researchers at security firm Proofpoint collected evidence of the significant interest of the Lazarus APT group in cryptocurrencies, the group's arsenal of tools, implants, and exploits is extensive and under constant development. Researchers at security firm Proofpoint collected evidence of the significant interest of the Lazarus APT group in cryptocurrencies. The North Korea-Linked hackers launched several multistage attacks that […] | APT 38 | ||
 |
2017-12-22 09:12:21 | Lazarus – La Corée du Nord en a t\'elle après les bitcoins ? (lien direct) |  Depuis qu'il a été établi que le groupe de cybercriminels Lazarus est étroitement lié au régime de Pyongyang, les chercheurs tentent de percer leurs objectifs d'attaques. Le Bitcoin semble en faire parti, et l'arsenal des pirates serait à la hauteur. |
APT 38 | ||
 |
2017-12-22 07:41:43 | Les hackers nord-coréens veulent dérober vos bitcoins et vos données bancaires (lien direct) | Le groupe de pirates Lazarus, qui serait une émanation du régime de Pyongyang, s'est doté d'un arsenal permettant de dérober les portefeuilles bitcoins sur les PC des particuliers et siphonner les données de cartes bancaires sur les terminaux de paiement.  |
APT 38 | ||
|
2017-12-21 22:39:44 | North Korean Hackers Targeting Individuals: Report (lien direct) | North Korean state-sponsored hacking group Lazarus has started targeting individuals and organizations directly, instead of focusing exclusively on spying on financial institutions, Proofpoint reports. | APT 38 |
To see everything:
Our RSS (filtrered)
