alt=An image depicting a computer screen with a "No Internet Connection" message, symbolizing North Korea's internet outage.
Cyber security
2024-10-19 Post a Comment

North Korean IT Workers in Western Firms Now Demanding Ransom for Stolen Data

î „Ravie Lakshmanan

North Korean information technology (IT) workers who obtain employment under false identities in Western companies are not only stealing intellectual property, but are also stepping up by demanding ransoms in order to not leak it, marking a new twist to their financially motivated attacks.

“In some instances, fraudulent workers demanded ransom payments from their former employers after gaining insider access, a tactic not observed in earlier schemes,” Secureworks Counter Threat Unit (CTU) said in an analysis published this week. “In one case, a contractor exfiltrated proprietary data almost immediately after starting employment in mid-2024.”

The activity, the cybersecurity company added, shares similarities with a threat group it tracks as Nickel Tapestry, which is also known as Famous Chollima and UNC5267.

The fraudulent IT worker scheme, orchestrated with the intent to advance North Korea’s strategic and financial interests, refers to an insider threat operation that entails infiltrating companies in the West for illicit revenue generation for the sanctions-hit nation.

These North Korean workers are typically sent to countries like China and Russia, from where they pose as freelancers looking for potential job opportunities. As another option, they have also been found to steal the identities of legitimate individuals residing in the U.S. to achieve the same goals.

They are also known to request for changes to delivery addresses for company-issued laptops, often rerouting them to intermediaries at laptop farms, who are compensated for their efforts by foreign-based facilitators and are responsible for installing remote desktop software that allow the North Korean actors to connect to the computers.

What’s more, multiple contractors could end up getting hired by the same company, or, alternatively, one individual could assume several personas.

Secureworks said it has also observed cases where the fake contractors sought permission to use their own personal laptops and even caused organizations to cancel the laptop shipment entirely because they changed the delivery address while it was in transit.

Ransom for Stolen Data

“This behavior aligns with Nickel Tapestry tradecraft of attempting to avoid corporate laptops, potentially eliminating the need for an in-country facilitator and limiting access to forensic evidence,” it said. “This tactic allows the contractors to use their personal laptops to remotely access the organization’s network.”

In a sign that the threat actors are evolving and taking their activities to the next level, evidence has come to light demonstrating how a contractor whose employment was terminated by an unnamed company for poor performance resorted to sending extortion emails including ZIP attachments containing proof of stolen data.

“This shift significantly changes the risk profile associated with inadvertently hiring North Korean IT workers,” Rafe Pilling, Director of Threat Intelligence at Secureworks CTU, said in a statement. “No longer are they just after a steady paycheck, they are looking for higher sums, more quickly, through data theft and extortion, from inside the company defenses.”

To tackle the threat, organizations have been urged to be vigilant during the recruitment process, including conducting thorough identity checks, performing in-person or video interviews, and be on the lookout for attempts to re-route corporate IT equipment sent to the contractors declared home address, routing paychecks to money transfer services, and accessing the corporate network with unauthorized remote access tools.

“This escalation and the behaviors listed in the FBI alert demonstrate the calculated nature of these schemes,” Secureworks CTU said, pointing out the workers’ suspicious financial behavior and their attempts to avoid enabling video during calls.

“The emergence of ransom demands marks a notable departure from prior Nickel Tapestry schemes. However, the activity observed prior to the extortion aligns with previous schemes involving North Korean workers.”

read more
alt=A computer wearing a mask sits beside a keyboard, symbolizing health precautions in a digital workspace.
Cyber security
2024-10-19 Post a Comment

Feds unmask duo running one of the most prolific hacker gangs

The Department of Justice has charged and arrested two Sudanese brothers with operating Anonymous Sudan, a hacker group known for destructive website takedowns.

Why it matters: The indictment, unsealed Wednesday, paints the clearest picture of who was running the mysterious Anonymous Sudan hacking group — which has launched more than 35,000 attacks in the last year against hospitals, government offices and other major organizations.

Driving the news: A grand jury indicted Ahmed Salah Yousif Omer and Alaa Salah Yusuuf Omer with a count of conspiracy to damage protected computers.

  • Ahmed Omer was also charged with three counts of damaging protected computers.
  • The FBI and the U.S. Attorney’s Office for the Central District of California seized Anonymous Sudan’s hacking tool, according to a press release.
  • The Washington Post reported that officials arrested the duo abroad in March.

Threat level: Anonymous Sudan’s attacks have caused more than $10 million in damage to U.S. organizations, according to federal officials.

  • Anonymous Sudan’s victim list spans sectors and includes several high-profile names: Cloudflare, Microsoft, OpenAI and even the FBI itself.
  • Cedars-Sinai Medical Center in Los Angeles had to redirect emergency room patients to other hospitals for treatment.

The big picture: Anonymous Sudan has been a mystery to security researchers for a little more than a year.

  • The group is mostly politically motivated, unlike other cybercriminal groups where money is the prime motivator.
  • But the group has been far more prolific than the typical political hacking group. At times, security researchers had even assumed the group was a front for pro-Russia political hackers.
  • However, officials told the Post they don’t believe a third party, including a government, was financing or supporting the group’s work.

What they’re saying: “What’s unusual is the predominance of the ideological motive, with financial sprinkled in,” Martin Estrada, U.S. attorney for the Los Angeles region, told the Post.

How it works: Anonymous Sudan targeted victims in distributed denial-of-service attacks — where hackers overload internet-enabled devices with bot traffic until they’re inaccessible.

  • While suffering a website outage might not sound too bad, the repercussions can be huge. Customers may not be able to make payments online and corporations may not be able to access cloud servers.
  • Anonymous Sudan would demand victims pay a ransom to make the attack end, according to court filings.
  • Some of these victims sustained millions of dollars in losses from these attacks, according to a criminal complaint unsealed Wednesday.

Between the lines: Anonymous Sudan was also selling its tool to other hacking groups looking to launch their own large-scale DDoS attacks, according to the complaint.

  • More than 100 users have used the tool — known as Godzilla Botnet, Skynet Botnet and InfraShutdown — to deploy their own DDoS attacks, per federal officials.
  • This is also unusual: Building and selling hacker tools is more common in the cybercrime world and rarely seen in the political hacking space.

Zoom in: The private sector played a prominent role in helping the FBI identify the people running this group.

  • PayPal’s own internal investigation after its attack uncovered certain accounts tied to Anonymous Sudan, according to the complaint.
  • Those accounts then helped the FBI identify potential email addresses linked to Ahmed Omer, specifically, according to the affidavit.

What’s next: If convicted, Ahmed Omer could face a maximum sentence of life in prison, while Alaa Omer could face a maximum of five years.

read more
alt=A man wearing a police vest stands confidently in front of a building, ready for duty.
Cyber security
2024-10-18 Post a Comment

Hacker allegedly behind attacks on FBI, Airbus, National Public Data arrested in Brazil

Jonathan Greig

Federal law enforcement in Brazil arrested a hacker allegedly behind several brazen, high-profile cyberattacks.

In a statement on Wednesday, Brazil’s Department of Federal Police (DFP)said they launched “Operation Data Breach” to investigate several intrusions on their own systems as well as others internationally.

“A search and seizure warrant and a preventive arrest warrant was served in the city of Belo Horizonte/MG against an investigated person suspected of being responsible for two publications and sales of Federal Police data, on May 22, 2020 and on February 22, 2022,” DFP said.

“The prisoner boasted of being responsible for several cyber intrusions carried out in some countries, claiming, on websites, to have disclosed sensitive data of 80,000 members of InfraGard, a partnership between the FBI and private critical infrastructure entities in the United States of America.”

DFP did not name the suspect, but a threat actor known as USDoD has long boasted of being behind the December 2022 breach of the FBI’s InfraGard platform that is used by law enforcement to coordinate with companies.

The hacker — who has been linked to Brazil by several cybersecurity researchers — also claimed breaches of European aerospace giant Airbus, the U.S. Environmental Protection Agency and several other organizations that often could not be verified.

The same threat actor caused widespread alarm in April when they posted a database on the criminal marketplace Breached claiming it came from U.S. background check giant National Public Data. The database included about 899 million unique Social Security numbers, likely of both living and deceased people.

A bankruptcy filing by National Public Data explicitly names USDoD, noting that the hacker “has had a great deal of success breaching other institutions including the FBI, Airbus, and TransUnion.”

DFP confirmed that the person they arrested is “responsible for leaking large databases of personal information, including those of companies such as Airbus and the United States Environmental Protection Agency.”

“The person under investigation must answer for the crime of hacking into a computer device, qualified by obtaining information, with an increase in the sentence for the commercialization of the data obtained,” they said.

“The investigation will continue to identify any other cyber intrusions that were committed by the person under investigation.”

A person claiming to be USDoD came forward in August and spoke to a news outlet, admitting to being a 33-year-old man named Luan G. from the state of Minas Gerais in Brazil.

“I want to say thank you, it is time to admit I got defeated and I will retire my Jersey. Yes, this is Luan speaking. I won’t run, I’m in Brazil, the same city where I was born,” he told HackRead.

“I am a huge valuable target and maybe I will talk soon to whoever is in charge but everyone will know that behind USDoD I’m a human like everyone else, to be honest, I wanted this to happen, I can’t live with multiple lives and it is time to take responsibility for every action of mine and pay the price doesn’t matter how much it may cost me.”

The person claimed they had already been identified by cybersecurity experts working for Crowdstrike and other companies like Intel471. Local news outlets reported at the time that Crowdstrike shared its findings with the Brazilian government.

Other researchers have used social media accounts and more to trace the identity back to Luan.

The arrest is just the latest attempt by Brazilian law enforcement to limit the operations of hackers in their country. In January, Brazilian police disrupted the operation of a criminal group responsible for the banking malware called Grandoreiro that was used to steal €3.6 million ($3.9 million) since 2019.

In 2022, they carried out eight search and seizure warrants as part of an investigation into attacks claimed by the Lapsus$ Group.

read more
alt=A man in a hoodie is seated at a computer, focused on the screen in a cozy indoor setting.
Cyber security
2024-10-18 Post a Comment

Undercover North Korean IT workers now steal data, extort employers

By

North Korean IT professionals who trick Western companies into hiring them are stealing data from the organization’s network and asking for a ransom to not leak it.

Dispatching IT workers to seek employment at companies in wealthier nations is a tactic that North Korea has been using for years as a means to obtain privileged access for cyberattacks or to generate revenue for the country’s weapons programs.

Researchers at cybersecurity company Secureworks uncovered the extortion component during multiple investigations of such fraudulent schemes.

After the employment of a North Korean national with access to proprietary data (as part of their contractor role) terminated, the company would receive the first extortion email, the researchers explain.

To obtain the job and avoid raising suspicions afterwards, the fraudulent IT workers used a false or stolen identity and relied on laptop farms to route traffic between their real location and the company through a U.S.-based point.

They also avoided video during calls or resorted to various tricks while on the job to hide their face during video conferences, such as using artificial intelligence tools.

Overview of the scheme
Overview of the scheme
Source: Secureworks

In July, American cybersecurity company KnowBe4 revealed that they were among the hundreds of victimized companies, and in their case, the threat actor attempted to install an infostealer on the company’s computer.

Secureworks tracks the group organizing and coordinating North Korea’s IT worker army as “Nickel Tapestry,” while Mandiant uses the UNC5267 name.

One example of a Nickel Tapestry campaign in mid-2024 that Secureworks investigated is that of a company that had proprietary data stolen almost immediately after employing an external contractor

The data was transferred to a personal Google Drive cloud storage using the company’s virtual desktop infrastructure (VDI).

After terminating the employment due to poor performance, the company began receiving extortion emails from external Outlook and Gmail addresses containing samples of the stolen data in ZIP archives.

The threat actors demanded a six-figure ransom to be paid in cryptocurrency in exchange to not leaking the data publicly.

Secureworks’ investigation revealed that Nickel Tapestry had used Astrill VPN and residential proxies to mask their real IP address during the malicious activities, while AnyDesk was used for remote accessing the systems.

The researchers warn that North Korean IT workers often coordinate to refer one another to companies.

Organizations should be cautious when hiring remote workers or freelancers, and look for signs of fraud like changes in payment accounts and laptop shipment addresses, submission of generic-looking resumes, atypical correspondence hours, and unwillingness to enable camera during interviews.

read more
Trustpilot
The rating of livingsafeonline.com at Trustprofile Reviews is 9.1/10 based on 13 reviews.
Verified by MonsterInsights