Cyber Security Week in Review: July 26, 2024


US, allies warn of a global North Korean cyberespionage campaign, Andariel hacker indicted for ransomware attacks

The UK, the US, and South Korea have issued a joint advisory warning of a global cyberespionage campaign orchestrated by North Korean hackers to support Pyongyang's nuclear ambitions. The threat actor, tracked as Andariel, Onyx Sleet (formerly PLUTONIUM), DarkSeoul, Silent Chollima, Stonefly/Clasiopa, and APT45, has targeted defense and engineering firms worldwide. The targets include companies involved in the production of tanks, submarines, naval ships, fighter jets, missiles, and radar systems.

Andariel, linked to the Reconnaissance General Bureau (RGB), a North Korean military intelligence agency, exploits known vulnerabilities in software such as Log4j to gain initial access, then deploys web shells to reach sensitive data and applications. The group uses standard techniques for system discovery and persistence, privilege escalation tools such as Mimikatz, custom malware, remote access tools (RATs), and open-source tools for further exploitation. Its tactics also include phishing campaigns using malicious attachments such as LNK or HTA files.

Cybersecurity firm Mandiant released a separate report highlighting Andariel’s cyber activities.

Additionally, the US authorities have indicted Rim Jong Hyok, a member of Andariel, for his involvement in ransomware attacks on US hospitals. These attacks aimed to extort ransoms, launder the proceeds, and fund further cyberespionage against military and technology targets in the US, South Korea, and China. A federal arrest warrant for Rim Jong Hyok was issued on July 24, 2024, in the District of Kansas, with authorities offering up to $10 million for information leading to his capture.

Spain, the US strike pro-Russian hacktivists for attacks on critical infrastructure

Spanish police have arrested three individuals allegedly linked to a pro-Russian hacking collective known as NoName057(16) targeting Spain and other NATO countries that have supported Ukraine in its fight against the Russian invasion.

The arrests took place in Mallorca, Huelva, and Seville. The three were detained on suspicion of participating in distributed denial-of-service (DDoS) attacks aimed at disrupting the websites of public and private organizations in government, critical infrastructure and essential services. The group has used a custom DDoS service named "DDoSia" to conduct the attacks.

Separately, the US authorities sanctioned Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, members of the Russian hacktivist group Cyber Army of Russia Reborn (CARR), for their involvement in cyber operations against US critical infrastructure.

New FrostyGoop ICS malware left over 600 apartment buildings in Ukraine without heat

For two days in mid-January, residents of Lviv, Ukraine, endured freezing temperatures without central heating following a cyberattack on the city's municipal energy company. The Ukrainian authorities and security researchers have attributed the incident to a newly identified malware, dubbed FrostyGoop, which specifically targets industrial control systems (ICS). The cybersecurity firm Dragos released a detailed report on the new malware, which it said it had first detected in April 2024. The malware, described as the first ICS-specific malware that uses Modbus communications to achieve an impact on operational technology (OT), abuses the Modbus protocol, a widely used communication standard across industrial sectors. Dragos' analysis suggests that the malware was used in the attack on Lviv's heating systems, affecting over 600 apartment buildings.

According to the report, FrostyGoop directly interacts with ICS devices via Modbus TCP on port 502. It is designed to target Windows systems, with no antivirus software capable of detecting it at the time of its discovery.

Russia shifts its cyber activities to Ukraine’s frontlines

Russia's cyber activities in Ukraine have moved from strategic civilian targets to tactical military objectives, according to a recent report by the Royal United Services Institute (RUSI).

The change aligns with Russia's anticipated summer offensive aimed at reclaiming territory lost during Ukraine's 2023 counter-offensive.

Multiple Russian cyber units, including the GRU and FSB, have adapted their strategies to focus on Ukrainian military computers and mobile devices, aiming to provide battlefield advantages. This adaptation marks a departure from their initial strategy of targeting Ukrainian critical infrastructure to exert societal pressure, which was more prevalent in the early stages of the invasion.

Russia-linked hackers exploit critical Rejetto flaw to drop Hatvibe backdoor

The Governmental Computer Emergency Response Team of Ukraine (CERT-UA) has shared technical details of a cyberattack orchestrated by the UAC-0063 group against a Ukrainian research institution that utilized malicious software known as Hatvibe and Cherryspy.

Additionally, the agency has detailed an attack by a Belarusian hacker group tracked as UAC-0057 targeting project offices and local government bodies in Ukraine. It has also observed a campaign by the UAC-0102 threat actor targeting users of the popular email service UKR.NET. The attackers distribute emails carrying an HTML file that redirects the victim to a website mimicking the UKR.NET login page. If the user enters their login and password, their credentials are sent to the attackers.

Daggerfly APT targets Taiwanese orgs and US NGO in China with upgraded malware arsenal

A Beijing-affiliated state-sponsored hacking group known as Daggerfly has launched a series of sophisticated attacks on organizations in Taiwan and a US non-governmental organization (NGO) operating in China. Symantec says that the attackers exploited a vulnerability in an Apache HTTP server to deliver an upgraded version of the MgBot malware. Daggerfly, also known as Evasive Panda or Bronze Highland, has updated its toolkit following public exposure of its malware variants.

CrowdStrike blamed a software bug for the global IT crash

CrowdStrike said a bug in its test software was the cause of a widespread IT crash that impacted millions of Windows systems globally. The cybersecurity company explained that on July 19, 2024, it issued a routine content configuration update for its Falcon platform's Windows sensor. This update aimed to gather telemetry on potential new threat techniques. However, the update inadvertently contained an error that caused Windows systems to crash.

Unsurprisingly, threat actors are actively exploiting the fallout from CrowdStrike's faulty update to distribute malware, such as Remcos RAT, and to conduct phishing attacks.

Microsoft Defender SmartScreen bug exploited to spread info-stealers

A vulnerability in Microsoft Defender SmartScreen has been actively exploited in a sophisticated campaign designed to deliver a range of information stealers, including ACR Stealer, Lumma, and Meduza. The campaign, observed by FortiGuard Labs, leverages the flaw (CVE-2024-21412) to download malicious executable files. The flaw is a security feature bypass that lets attackers evade SmartScreen protection and deliver malicious payloads. Microsoft addressed this vulnerability in its February 2024 monthly security updates.

Stargazer Goblin launches malware distribution-as-a-service via GitHub

A threat actor known as 'Stargazer Goblin' has orchestrated a sophisticated malware distribution-as-a-service (DaaS) operation using over 3,000 fake GitHub accounts. The campaign, discovered by Check Point Research, employs GitHub repositories and compromised WordPress sites to distribute password-protected archives laden with information-stealing malware.

Dubbed the Stargazers Ghost Network, the operation leverages various malware variants such as RedLine, Lumma Stealer, Rhadamanthys, RisePro, and Atlantida Stealer.

Meta removes 63,000 Instagram accounts linked to Nigerian sextortion scams

Meta Platforms, the parent company of Instagram and Facebook, has announced it has removed approximately 63,000 Instagram accounts linked to financial sextortion scams.

In addition to the Instagram accounts, Meta has also taken down a series of Facebook accounts, Pages, and Groups managed by a group known as "Yahoo Boys." This loosely organized cybercriminal network operates primarily out of Nigeria and is known for conducting various types of online scams, including phishing, romance scams, and business email compromise schemes.

KnowBe4 mistakenly hired a North Korean hacker

US-based cybersecurity company KnowBe4 said it had mistakenly hired a North Korean state actor as a Principal Software Engineer. Although KnowBe4 performed extensive background checks, verified references, and conducted four video interviews, the individual passed them by using a stolen US identity and AI tools to create a convincing profile. Suspicion arose on July 15, 2024, when KnowBe4's Endpoint Detection and Response (EDR) product flagged an attempt to install info-stealing malware on the new hire's Mac workstation. The malware targeted web browser data, but no unauthorized access occurred, and no data was compromised or exfiltrated from KnowBe4's systems, the company assured.

French police dismantle the PlugX botnet

French police, in collaboration with cybersecurity firm Sekoia, have launched a major operation to disinfect PCs infected with PlugX malware. PlugX, spread primarily through USB drives, has compromised millions of computers worldwide, including 3,000 to 4,000 in France. The effort follows Sekoia's successful sinkholing of a PlugX command-and-control server last April. PlugX, a remote access trojan linked to multiple Chinese threat actors, has seen various new variants released to suit different malicious campaigns. Sekoia's sinkholing effort captured data from 100,000 daily pings and 2.5 million unique connections from 170 countries over six months, disabling the botnet's command capabilities.

NCA infiltrates, disrupts Digitalstress DDoS-for-Hire service

The UK's National Crime Agency (NCA) said it infiltrated and dismantled a major DDoS-for-hire service called digitalstress.su, responsible for facilitating tens of thousands of attacks weekly on a global scale. The action was carried out in collaboration with the Police Service of Northern Ireland (PSNI). The crackdown follows the arrest of one of the site's suspected administrators earlier this month. In addition to seizing the site, the NCA accessed various communication platforms used by cybercriminals to discuss launching DDoS attacks.

Two Russian LockBit ransomware affiliates plead guilty in the US

Two Russian nationals pleaded guilty to participating in the LockBit ransomware group responsible for multiple high-profile ransomware attacks. The defendants, Ruslan Magomedovich Astamirov, 21, a Russian national from the Chechen Republic, and Mikhail Vasiliev, 34, a dual Canadian and Russian national from Bradford, Ontario, admitted to deploying LockBit attacks against victims in the United States and worldwide.

Astamirov pleaded guilty to conspiracy to commit computer fraud and abuse and conspiracy to commit wire fraud, facing a maximum penalty of 25 years in prison. Vasiliev pleaded guilty to conspiracy to commit computer fraud and abuse, intentional damage to a protected computer, transmission of a threat related to damaging a protected computer, and conspiracy to commit wire fraud, facing a maximum penalty of 45 years in prison. Sentencing dates for both individuals have not yet been set.

A teenage member of Scattered Spider cybercrime group arrested in the UK

The UK police have arrested a 17-year-old boy from Walsall linked to the notorious cybercrime group known as Scattered Spider. This group is implicated in numerous high-profile ransomware attacks, including a breach at MGM Resorts in the United States. The teen was taken into custody on suspicion of blackmail and Computer Misuse Act offences and has been released on bail.

PKfail Secure Boot bypass puts hundreds of UEFI products at risk of compromise

A critical firmware supply-chain issue dubbed PKfail has left hundreds of UEFI products from 10 vendors vulnerable to compromise. This flaw allows attackers to bypass Secure Boot and install malware. The Binarly Research Team discovered that affected devices use a test Secure Boot "master key" (Platform Key or PK) generated by American Megatrends International (AMI), which was labeled "DO NOT TRUST." Vendors were supposed to replace these keys with their own securely generated ones. However, 813 products from vendors including Acer, Aopen, Dell, Formelife, Fujitsu, Gigabyte, HP, Intel, Lenovo, and Supermicro still use these untrusted test keys.
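A defender-side check for the issue described above, added here as an example and not taken from the article or from Binarly's tooling: it parses a UEFI Platform Key variable as Linux efivarfs exposes it (a 4-byte attribute word followed by EFI_SIGNATURE_LIST structures) and reports whether any X.509 entry carries the "DO NOT TRUST" marker. The two certificate bodies are constructed stand-ins, not real DER, and the efivarfs path and GUIDs are taken from the UEFI specification rather than from the page.

```python
import struct
import uuid

# GUIDs from the UEFI specification; PK_PATH is the Linux efivarfs location of the PK.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
PK_PATH = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c"
UNTRUSTED_MARKER = b"DO NOT TRUST"  # label carried by the AMI test Platform Key

def parse_signature_lists(data):
    """Yield (signature_type, owner_guid, signature_data) from EFI_SIGNATURE_LIST blobs."""
    off = 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or sig_size <= 16 or off + list_size > len(data):
            raise ValueError("truncated or malformed EFI_SIGNATURE_LIST")
        body = data[off + 28 + hdr_size:off + list_size]
        for i in range(0, len(body) - sig_size + 1, sig_size):
            entry = body[i:i + sig_size]  # EFI_SIGNATURE_DATA: owner GUID + signature
            yield sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]
        off += list_size

def pk_is_test_key(variable_bytes):
    """True if any X.509 entry in an efivarfs PK dump contains the test-key marker."""
    payload = variable_bytes[4:]  # efivarfs prepends a 4-byte attribute word
    return any(sig_type == EFI_CERT_X509_GUID and UNTRUSTED_MARKER in cert
               for sig_type, _owner, cert in parse_signature_lists(payload))

def build_pk_variable(cert_der, owner=uuid.UUID(int=0)):
    """Wrap one DER certificate in an efivarfs-style PK blob (used for the sample below)."""
    sig = owner.bytes_le + cert_der
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig))
    attrs = struct.pack("<I", 0x27)  # NV | BS | RT | time-based authenticated write
    return attrs + header + sig

# Constructed stand-ins for certificate bodies, not real DER. In a real certificate the
# subject CN is a PrintableString, so the marker appears verbatim in the raw bytes as here.
FAKE_TEST_CERT = b"\x30\x82\x00\x20CN=DO NOT TRUST - AMI Test PK\x00"
FAKE_VENDOR_CERT = b"\x30\x82\x00\x20CN=Example Vendor Platform Key\x00"

def check_local_pk(path=PK_PATH):
    """Read the live PK variable (needs root on Linux) and flag an AMI test key."""
    with open(path, "rb") as f:
        return pk_is_test_key(f.read())

if __name__ == "__main__":
    for name, cert in (("test key", FAKE_TEST_CERT), ("vendor key", FAKE_VENDOR_CERT)):
        print(f"{name}: untrusted={pk_is_test_key(build_pk_variable(cert))}")
```

On a live system call `check_local_pk()` as root; a True result means the firmware still ships the vendor-unreplaced test key and a firmware update from the OEM is the fix, since the PK cannot be safely swapped by an end user on most platforms.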
