Government webmail hacked via XSS bugs in global spy campaign


Hackers are running a worldwide cyberespionage campaign dubbed ‘RoundPress,’ leveraging zero-day and n-day flaws in webmail servers to steal email from high-value government organizations.

ESET researchers who uncovered the operation attribute it with medium confidence to the Russian state-sponsored hackers APT28 (aka “Fancy Bear” or “Sednit”).

The campaign started in 2023 and continued with the adoption of new exploits in 2024, targeting Roundcube, Horde, MDaemon, and Zimbra.

Notable targets include governments in Greece, Ukraine, Serbia, and Cameroon, military units in Ukraine and Ecuador, defense companies in Ukraine, Bulgaria, and Romania, and critical infrastructure in Ukraine and Bulgaria.

RoundPress targets
Source: ESET

Open email, have data stolen

The attack starts with a spear-phishing email referencing current news or political events, often including excerpts from news articles to add legitimacy.

A malicious JavaScript payload embedded in the HTML body of the email triggers the exploitation of a cross-site scripting (XSS) vulnerability in the webmail browser page used by the recipient.

The victim only needs to open the email to view it: no further interaction, such as clicks, redirections, or data input, is required for the malicious JavaScript to execute.

Attack chain overview
Source: ESET

The payload has no persistence mechanisms, so it only executes when the malicious email is opened.

The script creates invisible input fields to trick browsers or password managers into autofilling stored credentials for the victim’s email accounts.

Credential stealer function
Source: ESET

Additionally, it reads the DOM or sends HTTP requests to collect email message content, contacts, webmail settings, login history, two-factor authentication, and passwords.

The data is then exfiltrated to hardcoded command-and-control (C2) addresses using HTTP POST requests.

Each script has a slightly different set of capabilities, adjusted for the product it’s targeting.

Vulnerabilities targeted

To inject its malicious JavaScript, Operation RoundPress exploited multiple XSS flaws in webmail products that important organizations commonly use.

The exploitation ESET associated with this campaign involves the following flaws:

  • Roundcube – CVE-2020-35730: A stored XSS flaw the hackers used in 2023, by embedding JavaScript directly into the body of an email. When victims opened the email in a browser-based webmail session, the script executed in their context, enabling credential and data theft.
  • Roundcube – CVE-2023-43770: An XSS vulnerability in how Roundcube handled hyperlink text, leveraged in early 2024. Improper sanitization allowed attackers to inject <script> tags into the email content, which would be executed when viewed.
  • MDaemon – CVE-2024-11182: A zero-day XSS flaw in the MDaemon Email Server’s HTML parser, exploited by the hackers in late 2024. By crafting a malformed title attribute with a noembed tag, attackers could render a hidden <img onerror> payload, executing JavaScript. This enabled credential theft, 2FA bypass, and persistent access via App Passwords.
  • Horde – Unknown XSS: APT28 attempted to exploit an old XSS vulnerability in Horde by placing a script in an <img onerror> handler. However, the attempt failed, likely due to built-in filtering in modern Horde versions. The exact flaw is unconfirmed but appears to have been patched in the meantime.
  • Zimbra – CVE-2024-27443: An XSS vulnerability in Zimbra’s calendar invite handling, which hasn’t been tagged as actively exploited before. Unsanitized input from the X-Zimbra-Calendar-Intended-For header allowed JavaScript injection into the calendar UI. APT28 embedded a hidden script that decoded and executed base64 JavaScript when the invite was viewed.
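
A mail-gateway triage heuristic for the markup named in the list above, as an added example (not ESET's tooling and not code from the article): it flags script elements, on* event handlers, markup nested inside attribute values, and markup in the X-Zimbra-Calendar-Intended-For header. The function names, finding labels and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# Header named in the Zimbra entry; it should carry an address, not markup.
CALENDAR_HEADER = "X-Zimbra-Calendar-Intended-For"
# Heuristic: "<tag ...>" with no "@", so "<user@example.org>" is not flagged.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>@]*>")


class ActiveContentFinder(HTMLParser):
    """Collects script elements, on* handlers and markup hidden in attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names before calling this.
        if tag == "script":
            self.findings.append(("script-element", tag))
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(("event-handler", f"{tag}[{name}]"))
            elif value and TAG_RE.search(value):
                self.findings.append(("markup-in-attribute", f"{tag}[{name}]"))


def triage_message(raw):
    """Return (kind, location) findings for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    header = msg.get(CALENDAR_HEADER)
    if header and TAG_RE.search(str(header)):
        findings.append(("markup-in-header", CALENDAR_HEADER))
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        finder = ActiveContentFinder()
        # get_content() undoes base64 / quoted-printable before inspection.
        finder.feed(part.get_content())
        finder.close()
        findings.extend(finder.findings)
    return findings


# Constructed sample: inert stand-ins for each construct the list describes.
SUSPECT = """\
From: news@example.org
To: analyst@example.net
Subject: Weekly briefing
X-Zimbra-Calendar-Intended-For: <b>analyst</b>
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p title="<noembed>text</noembed>">Briefing excerpt</p>
<img src="cid:logo" onerror="void 0">
<script>/* inert placeholder */</script>
</body></html>
"""

# Constructed sample: ordinary HTML mail with an address in the header.
CLEAN = """\
From: Newsletter <news@example.org>
To: analyst@example.net
Subject: Weekly briefing
X-Zimbra-Calendar-Intended-For: Analyst <analyst@example.net>
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p title="Q3 summary">See <a href="https://example.org/q3">the report</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("clean", CLEAN)):
        print(label, triage_message(raw))
```

Legitimate HTML mail has no need for script elements or event-handler attributes, so any finding is a reasonable quarantine-and-review signal; it complements patching the webmail product and does not replace it.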

Although ESET does not report any RoundPress activity for 2025, the hackers’ methods could be easily applied to this year too, as there’s a constant supply of new XSS flaws in popular webmail products.


North Korean hackers are using LinkedIn to entice developers to coding challenges

Story by Efosa Udinmwen

A hacker group from North Korea known as Slow Pisces has launched a sophisticated campaign targeting developers in the cryptocurrency sector through LinkedIn.

The group, also known as TraderTraitor or Jade Sleet, poses as recruiters to lure victims with seemingly genuine job offers and coding challenges, only to infect their systems with malicious Python and JavaScript code.

Thanks to this campaign, the group has been able to steal substantial amounts of cryptocurrency. In 2023 alone, they were linked to over $1 billion in stolen funds. A $1.5 billion hack at a Dubai exchange and a $308 million theft from a Japanese company are among the recent attacks.

Coders beware!

After initially sending PDF documents containing job descriptions, the malicious actors follow up with coding assignments hosted on GitHub.

Although these repositories appear to be based on legitimate open-source projects, they have been secretly altered to include hidden malware.

Victims, believing they are completing programming tests, unintentionally allow malware like RN Loader and RN Stealer onto their systems.

These booby-trapped projects mimic legitimate developer tools and applications. For instance, Python repositories might seem to analyze stock market trends using data from reputable sources, while secretly communicating with attacker-controlled domains.

The malware evades most detection tools by using YAML deserialization, avoiding commonly flagged functions like eval or exec. Once triggered, the loader fetches and executes additional payloads directly in memory, making it difficult to detect or remove.
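
A pre-run audit for the technique described above, as an added example that is not from the article or the researchers: it assumes the Python code uses the PyYAML library (the article does not name one) and flags every YAML load that is not pinned to a safe loader, plus YAML data lines carrying Python-specific tags. The function names and the constructed sample file are illustrative.

```python
import ast
import re

# PyYAML loaders that only build plain data types (assumption: PyYAML is in use).
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
LOAD_FUNCS = {"load", "load_all"}
UNSAFE_FUNCS = {"unsafe_load", "unsafe_load_all", "full_load", "full_load_all"}
# Tags that ask PyYAML to construct Python objects rather than plain data.
PYTHON_TAG_RE = re.compile(r"!!python/|tag:yaml\.org,2002:python/")


def audit_source(source):
    """Return sorted (line, description) for YAML loads not pinned to a safe loader."""
    tree = ast.parse(source)
    modules, names = set(), {}
    # Pass 1: learn how yaml is imported, including aliases.
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "yaml":
                    modules.add(alias.asname or "yaml")
        elif isinstance(node, ast.ImportFrom) and node.module == "yaml":
            for alias in node.names:
                names[alias.asname or alias.name] = alias.name

    def yaml_function(func):
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id in modules):
            return func.attr
        if isinstance(func, ast.Name):
            return names.get(func.id)
        return None

    def loader_name(call):
        node = call.args[1] if len(call.args) > 1 else None
        for kw in call.keywords:
            if kw.arg == "Loader":
                node = kw.value
        if node is None:
            return "missing"
        if isinstance(node, ast.Attribute):
            return node.attr
        if isinstance(node, ast.Name):
            return names.get(node.id, node.id)
        return "dynamic"

    # Pass 2: inspect every call that resolves to a yaml loading function.
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = yaml_function(node.func)
        if name in UNSAFE_FUNCS:
            findings.append((node.lineno, f"yaml.{name}"))
        elif name in LOAD_FUNCS:
            loader = loader_name(node)
            if loader not in SAFE_LOADERS:
                findings.append((node.lineno, f"yaml.{name} with Loader={loader}"))
    return sorted(findings)


def python_tagged_lines(yaml_text):
    """Return 1-based line numbers of YAML lines that carry Python-specific tags."""
    return [n for n, line in enumerate(yaml_text.splitlines(), 1)
            if PYTHON_TAG_RE.search(line)]


# Constructed sample standing in for a file from an unfamiliar repository.
SAMPLE_REPO_FILE = '''\
import yaml as y
from yaml import load, SafeLoader, Loader

def read_settings(text):
    return y.safe_load(text)

def read_cache(text):
    return y.load(text, Loader=y.Loader)

def read_feed(text):
    return load(text, Loader)

def read_ok(text):
    return load(text, Loader=SafeLoader)

def read_legacy(text):
    return y.unsafe_load(text)
'''

# Constructed data sample; python/tuple is a benign tag, used only to show the match.
SAMPLE_YAML = "name: demo\npoint: !!python/tuple [1, 2]\n"

if __name__ == "__main__":
    print(audit_source(SAMPLE_REPO_FILE))
    print(python_tagged_lines(SAMPLE_YAML))
```

This is a static heuristic: loads reached through getattr, dynamic imports or a loader chosen at run time show up as "dynamic" or not at all, so a clean result does not make a repository safe to run outside a sandbox.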

One such payload, RN Stealer, is specifically designed to exfiltrate credentials, cloud configuration files, and stored SSH keys, particularly from macOS systems.

JavaScript variants of the malware operate similarly, using the Embedded JavaScript templating engine to hide malicious code, which activates only for targeted victims based on factors like IP addresses or browser headers.

Forensic analysis shows that the malware stores code in hidden directories and communicates over HTTPS using custom tokens. However, investigators were unable to recover the full JavaScript payload.

GitHub and LinkedIn have responded by removing the malicious accounts and repositories involved.

“GitHub and LinkedIn removed these malicious accounts for violating our respective terms of service. Across our products, we use automated technology, combined with teams of investigation experts and member reporting, to combat bad actors and enforce terms of service. We continue to evolve and improve our processes and encourage our customers and members to report any suspicious activity,” the companies said in a joint statement.

There is a growing need for caution when approached with remote job offers and coding tests. Developers are advised to use strong antivirus software and run unfamiliar code in secure environments, particularly when working in sensitive sectors like cryptocurrency.

Those concerned about security should verify they are using the best IDEs, which typically include integrated security features. Staying alert, and working on a secure, controlled setup, can significantly reduce the risk of falling prey to state-backed cyber threats.


US Treasury hacked: Are China and the US stepping up their cyberwar?

Department of the Treasury calls cyberattack a ‘major incident’, accuses China-backed hackers.


The United States Department of the Treasury on Monday blamed China for breaching its network and gaining access to information that includes unclassified documents.

Beijing has denied the allegation, calling it “groundless”.

The alleged hacking comes weeks after Beijing accused Washington of carrying out two cyberattacks on Chinese technology firms.

With Washington and Beijing trading blame, we assess the history of cyberwarfare between the world’s two largest economies and whether it has intensified.

Who hacked the US Treasury Department?

The US Treasury Department accused Chinese state-sponsored hackers of breaking into its system this month and accessing employee workstations and unclassified documents.

The department said the hackers gained access by overriding a security key used by third-party cybersecurity provider BeyondTrust, which provides technical support remotely to Treasury employees.

The Treasury Department made these details public on Monday in a letter to the US Congress. The attack was caused by “a China-based Advanced Persistent Threat (APT) actor”, the letter said.

The department, however, did not specify the number of workstations compromised, the nature of the files, the exact timeframe of the hack and the confidentiality level of the stations compromised.

On December 8, Treasury was alerted about a hack by BeyondTrust. The BBC reported that BeyondTrust first suspected unusual activity on December 2 but took three days to determine it was hacked.

How did the US Treasury Department respond?

The department said there is no evidence that the hackers still have access to department information and the compromised BeyondTrust has been taken offline.

It is assessing the impact of the hack with the assistance of the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). The hack is being investigated as a “major cybersecurity incident”.

The department’s letter to Congress added that supplemental information about the attack would be sent to US lawmakers in 30 days.

“Over the last four years, Treasury has significantly bolstered its cyber defence, and we will continue to work with both private and public sector partners to protect our financial system from threat actors,” a spokesperson for the department said in a separate statement.

How has China responded?

China has denied the department’s accusations, and its Ministry of Foreign Affairs said Beijing condemns all forms of hacker attacks.

“We have stated our position many times regarding such groundless accusations that lack evidence,” ministry spokesperson Mao Ning was quoted as saying by the AFP news agency.

A spokesperson for the Chinese embassy in the US, Liu Pengyu, denied the department’s allegations. “We hope that relevant parties will adopt a professional and responsible attitude when characterising cyber-incidents, basing their conclusions on sufficient evidence rather than unfounded speculation and accusations,” he said, according to a BBC report.

“The US needs to stop using cybersecurity to smear and slander China and stop spreading all kinds of disinformation about the so-called Chinese hacking threats.”

Are the US and China ramping up cyberattacks against each other?

While the US has blamed China for cyberattacks over the years, Beijing has also accused Washington of hacking its critical cyber-infrastructure in recent years.

Here’s a brief timeline of recent cyberattacks claimed by the two nations:

On December 18, China’s National Computer Network Emergency Response Technical Team/Coordination Centre of China (CNCERT/CC) released a statement saying two US cyberattacks since May 2023 tried to “steal trade secrets” from Chinese technology firms.

On December 5, US Deputy National Security Adviser Anne Neuberger said a Chinese hacking group called Salt Typhoon had obtained communications of senior US government officials but classified information was not compromised.

A month earlier, on November 13, the FBI and CISA said they had uncovered a broad cyberespionage campaign carried out by China-linked hackers.

The US alleged that the hackers had compromised “private communications of a limited number of individuals”. While it did not specify who these individuals were, they were “primarily involved in government or political activity”, the FBI and CISA said.

Weeks before the US elections in November, the FBI launched an investigation after reports alleged Chinese hackers had targeted mobile phones of President-elect Donald Trump and Vice President-elect JD Vance as well as people associated with Kamala Harris, the Democratic presidential candidate in the race.

In July 2023, US tech giant Microsoft said the China-based hacking group Storm-0558 breached email accounts at about 25 organisations and government agencies. The breached accounts included those belonging to US Department of State staff.

In March, the US and United Kingdom accused China of carrying out a sweeping cyberespionage campaign that allegedly hit millions of people, including lawmakers, journalists and defence contractors. The two countries slapped sanctions on a Chinese company after the incident. A month before, US authorities said they had dismantled a China-sponsored hacker network called Volt Typhoon.

In response, China called the charges “completely fabricated and malicious slanders”.

In March 2022, China said it experienced a series of cyberattacks that mostly traced back to US addresses. Some were also traced back to the Netherlands and Germany, according to CNCERT/CC.

 


Why are cyberattacks launched?

State-sponsored actors are regularly accused of launching cyberattacks against adversaries that range from state institutions to politicians and activists. They aim to gain unauthorised access to confidential data and trade secrets or disrupt economies and critical infrastructure.


“The US and China have had a history of using cyberdefence to further their national security aims,” Rebecca Liao, the Co-Founder and CEO at web3 protocol Saga, told Al Jazeera.

“While espionage against state actors is an accepted practice, the US has protested against China’s rampant cyberattacks against US commercial entities,” said Liao, who was a member of President Joe Biden’s 2020 and Hillary Clinton’s 2016 presidential campaigns, advising on China, technology and Asia economic policy.

“It is obviously not diplomatically wise to build a track record of resorting to espionage. That’s why Beijing has been so swift to deny all allegations.”

With the development of digital technology, cyberattacks are on the rise worldwide, according to the German Institute for International and Security Affairs (SWP). Data from the SWP shows that cyberattacks went up from 107 in 2014 to 723 in 2023.

Cyberattacks are also carried out by individuals or organised groups who want to steal data and money.

How can countries protect themselves from cyberattacks?

The US and China “should spearhead a treaty on the responsible use of the cyberspace”, wrote researchers Asimiyu Olayinka Adenuga and Temitope Emmanuel Abiodun from the Political Science Department at Nigeria’s Tai Solarin University in an article published this year.

They cited the example of the treaties signed between the US and Soviet Union as a result of the Strategic Arms Limitations Talks, SALT I and SALT II, in 1972 and 1979. The two Cold War superpowers signed the treaties to establish US-Soviet stability by limiting their production of nuclear weapons.

In their article, the Tai Solarin researchers added that there is a need for further technological development, particularly in quantum computing, that will make it harder to execute cyberattacks.

Victor Atkins, a fellow with the Indo-Pacific Security Initiative of the US think tank Atlantic Council, wrote in a February article that the US “should launch an expansive new multilateral cyber threat intelligence sharing coalition in the Indo-Pacific” to combat cyberattacks from China.

“A decade ago, there were some suggestions about convening an international body around cybersecurity to come up with standards or codes of conduct that participating nations would abide by,” Liao, the tech expert, said.

“However, none of these efforts have yielded fruit, and it is up to each individual country to protect against cyberattacks.”

Governments currently are working on developing cybersecurity infrastructure such as firewalls to protect themselves from cyberattacks such as hacking.

An article published by the University of Miami added that countries employ other practices to counter cyberthreats. These include testing these cyberthreats in a simulated environment. “Cyber teams constantly undergo training exercises, similar to the military,” the article said.

 


Chinese hackers said to have collected audio of American calls

The hackers are said to be part of a Chinese government-affiliated group that American researchers have dubbed Salt Typhoon.


Chinese state-affiliated hackers have collected audio from the phone calls of U.S. political figures, according to three people familiar with the matter. Those whose calls have been intercepted include an unnamed Trump campaign adviser, said one of the people.

The hackers are said to be part of a Chinese government-affiliated group that American researchers have dubbed Salt Typhoon and were able to collect audio on a number of calls as part of a wide-ranging espionage operation that began months ago, according to the people, who spoke on the condition of anonymity because a federal investigation is underway. The government is still seeking to determine how much audio the hackers have, one of the people said.

They were also able to access unencrypted communications, including text messages, of the individual, the people said. End-to-end encrypted communications such as those on the Signal platform are believed to have not been hacked, they said.

The development heightens concerns over the extent of the infiltration as the 2024 election is in high gear as well as the potential threat to long-term national security.

The FBI declined to comment on the matter.

The FBI and other U.S. agencies are still investigating the full extent and nature of the espionage campaign. The hackers targeted the phones of former president Donald Trump, who is running to regain the White House, and his running mate JD Vance, the New York Times first reported Friday. They were thought to have targeted information about call logs, and there is no evidence so far that the hackers listened in on calls of the two Republicans at the top of the ticket.

As previously reported, Democrats were also targeted in the hacking efforts, including the staff of Senate Majority Leader Charles E. Schumer (D-New York), according to another person familiar with the matter.

The Salt Typhoon group is also thought to have targeted the system that tracks lawful requests for wiretaps made by the federal government of carriers. The motive there could be to figure out who the FBI and other federal agencies have under surveillance, said people familiar with the matter.

The matter is so serious that the White House earlier this month set up an emergency multiagency team to ensure all relevant agencies have visibility into the investigation. The establishment of a “unified coordination group” triggers a separate mandatory investigation by a public-private Cyber Safety Review Board, which in this case will probe the lapses that led to the intrusions. The board is led by the Department of Homeland Security and includes cyber experts from industry. It’s unclear when the probe will begin, officials said.

The wide-ranging operation has involved at least 10 telecom companies, including major carriers such as AT&T, Verizon and Lumen.

At least one U.S. official was notified late last week that a personal cellphone had been accessed by the Salt Typhoon hackers, said one of the people familiar with the matter. The hackers were targeting phone logs, SMS text messages and other data on the device, said the person. It was not clear whether audio calls were successfully intercepted for that official, the person said.


North Korean IT Workers in Western Firms Now Demanding Ransom for Stolen Data

Ravie Lakshmanan

North Korean information technology (IT) workers who obtain employment under false identities in Western companies are not only stealing intellectual property, but are also stepping up by demanding ransoms in order to not leak it, marking a new twist to their financially motivated attacks.

“In some instances, fraudulent workers demanded ransom payments from their former employers after gaining insider access, a tactic not observed in earlier schemes,” Secureworks Counter Threat Unit (CTU) said in an analysis published this week. “In one case, a contractor exfiltrated proprietary data almost immediately after starting employment in mid-2024.”

The activity, the cybersecurity company added, shares similarities with a threat group it tracks as Nickel Tapestry, which is also known as Famous Chollima and UNC5267.

The fraudulent IT worker scheme, orchestrated with the intent to advance North Korea’s strategic and financial interests, refers to an insider threat operation that entails infiltrating companies in the West for illicit revenue generation for the sanctions-hit nation.

These North Korean workers are typically sent to countries like China and Russia, from where they pose as freelancers looking for potential job opportunities. As another option, they have also been found to steal the identities of legitimate individuals residing in the U.S. to achieve the same goals.

They are also known to request changes to delivery addresses for company-issued laptops, often rerouting them to intermediaries at laptop farms, who are compensated for their efforts by foreign-based facilitators and are responsible for installing remote desktop software that allows the North Korean actors to connect to the computers.

What’s more, multiple contractors could end up getting hired by the same company, or, alternatively, one individual could assume several personas.

Secureworks said it has also observed cases where the fake contractors sought permission to use their own personal laptops and even caused organizations to cancel the laptop shipment entirely because they changed the delivery address while it was in transit.

Ransom for Stolen Data

“This behavior aligns with Nickel Tapestry tradecraft of attempting to avoid corporate laptops, potentially eliminating the need for an in-country facilitator and limiting access to forensic evidence,” it said. “This tactic allows the contractors to use their personal laptops to remotely access the organization’s network.”

In a sign that the threat actors are evolving and taking their activities to the next level, evidence has come to light demonstrating how a contractor whose employment was terminated by an unnamed company for poor performance resorted to sending extortion emails including ZIP attachments containing proof of stolen data.

“This shift significantly changes the risk profile associated with inadvertently hiring North Korean IT workers,” Rafe Pilling, Director of Threat Intelligence at Secureworks CTU, said in a statement. “No longer are they just after a steady paycheck, they are looking for higher sums, more quickly, through data theft and extortion, from inside the company defenses.”

To tackle the threat, organizations have been urged to be vigilant during the recruitment process, including conducting thorough identity checks, performing in-person or video interviews, and being on the lookout for attempts to re-route corporate IT equipment sent to the contractor’s declared home address, to route paychecks to money transfer services, and to access the corporate network with unauthorized remote access tools.

“This escalation and the behaviors listed in the FBI alert demonstrate the calculated nature of these schemes,” Secureworks CTU said, pointing out the workers’ suspicious financial behavior and their attempts to avoid enabling video during calls.

“The emergence of ransom demands marks a notable departure from prior Nickel Tapestry schemes. However, the activity observed prior to the extortion aligns with previous schemes involving North Korean workers.”


Feds unmask duo running one of the most prolific hacker gangs

The Department of Justice has charged and arrested two Sudanese brothers with operating Anonymous Sudan, a hacker group known for destructive website takedowns.

Why it matters: The indictment, unsealed Wednesday, paints the clearest picture of who was running the mysterious Anonymous Sudan hacking group — which has launched more than 35,000 attacks in the last year against hospitals, government offices and other major organizations.

Driving the news: A grand jury indicted Ahmed Salah Yousif Omer and Alaa Salah Yusuuf Omer with a count of conspiracy to damage protected computers.

  • Ahmed Omer was also charged with three counts of damaging protected computers.
  • The FBI and the U.S. Attorney’s Office for the Central District of California seized Anonymous Sudan’s hacking tool, according to a press release.
  • The Washington Post reported that officials arrested the duo abroad in March.

Threat level: Anonymous Sudan’s attacks have caused more than $10 million in damage to U.S. organizations, according to federal officials.

  • Anonymous Sudan’s victim list spans sectors and includes several high-profile names: Cloudflare, Microsoft, OpenAI and even the FBI itself.
  • Cedars-Sinai Medical Center in Los Angeles had to redirect emergency room patients to other hospitals for treatment.

The big picture: Anonymous Sudan has been a mystery to security researchers for a little more than a year.

  • The group is mostly politically motivated, unlike other cybercriminal groups where money is the prime motivator.
  • But the group has been far more prolific than the typical political hacking group. At times, security researchers had even assumed the group was a front for pro-Russia political hackers.
  • However, officials told the Post they don’t believe a third party, including a government, was financing or supporting the group’s work.

What they’re saying: “What’s unusual is the predominance of the ideological motive, with financial sprinkled in,” Martin Estrada, U.S. attorney for the Los Angeles region, told the Post.

How it works: Anonymous Sudan targeted victims in distributed denial-of-service attacks — where hackers overload internet-enabled devices with bot traffic until they’re inaccessible.

  • While suffering a website outage might not sound too bad, the repercussions can be huge. Customers may not be able to make payments online and corporations may not be able to access cloud servers.
  • Anonymous Sudan would demand victims pay a ransom to make the attack end, according to court filings.
  • Some of these victims sustained millions of dollars in losses from these attacks, according to a criminal complaint unsealed Wednesday.

Between the lines: Anonymous Sudan was also selling its tool to other hacking groups looking to launch their own large-scale DDoS attacks, according to the complaint.

  • More than 100 users have used the tool — known as Godzilla Botnet, Skynet Botnet and InfraShutdown — to deploy their own DDoS attacks, per federal officials.
  • This is also unusual: Building and selling hacker tools is more common in the cybercrime world and rarely seen in the political hacking space.

Zoom in: The private sector played a prominent role in helping the FBI identify the people running this group.

  • PayPal’s own internal investigation after its attack uncovered certain accounts tied to Anonymous Sudan, according to the complaint.
  • Those accounts then helped the FBI identify potential email addresses linked to Ahmed Omer, specifically, according to the affidavit.

What’s next: If convicted, Ahmed Omer could face a maximum sentence of life in prison, while Alaa Omer could face a maximum of five years.


Hacker allegedly behind attacks on FBI, Airbus, National Public Data arrested in Brazil

Jonathan Greig

Federal law enforcement in Brazil arrested a hacker allegedly behind several brazen, high-profile cyberattacks.

In a statement on Wednesday, Brazil’s Department of Federal Police (DFP) said they launched “Operation Data Breach” to investigate several intrusions on their own systems as well as others internationally.

“A search and seizure warrant and a preventive arrest warrant was served in the city of Belo Horizonte/MG against an investigated person suspected of being responsible for two publications and sales of Federal Police data, on May 22, 2020 and on February 22, 2022,” DFP said.

“The prisoner boasted of being responsible for several cyber intrusions carried out in some countries, claiming, on websites, to have disclosed sensitive data of 80,000 members of InfraGard, a partnership between the FBI and private critical infrastructure entities in the United States of America.”

DFP did not name the suspect, but a threat actor known as USDoD has long boasted of being behind the December 2022 breach of the FBI’s InfraGard platform that is used by law enforcement to coordinate with companies.

The hacker — who has been linked to Brazil by several cybersecurity researchers — also claimed breaches of European aerospace giant Airbus, the U.S. Environmental Protection Agency and several other organizations that often could not be verified.

The same threat actor caused widespread alarm in April when they posted a database on the criminal marketplace Breached claiming it came from U.S. background check giant National Public Data. The database included about 899 million unique Social Security numbers, likely of both living and deceased people.

A bankruptcy filing by National Public Data explicitly names USDoD, noting that the hacker “has had a great deal of success breaching other institutions including the FBI, Airbus, and TransUnion.”

DFP confirmed that the person they arrested is “responsible for leaking large databases of personal information, including those of companies such as Airbus and the United States Environmental Protection Agency.”

“The person under investigation must answer for the crime of hacking into a computer device, qualified by obtaining information, with an increase in the sentence for the commercialization of the data obtained,” they said.

“The investigation will continue to identify any other cyber intrusions that were committed by the person under investigation.”

A person claiming to be USDoD came forward in August and spoke to a news outlet, admitting to being a 33-year-old man named Luan G. from the state of Minas Gerais in Brazil.

“I want to say thank you, it is time to admit I got defeated and I will retire my Jersey. Yes, this is Luan speaking. I won’t run, I’m in Brazil, the same city where I was born,” he told HackRead.

“I am a huge valuable target and maybe I will talk soon to whoever is in charge but everyone will know that behind USDoD I’m a human like everyone else, to be honest, I wanted this to happen, I can’t live with multiple lives and it is time to take responsibility for every action of mine and pay the price doesn’t matter how much it may cost me.”

The person claimed they had already been identified by cybersecurity experts working for Crowdstrike and other companies like Intel471. Local news outlets reported at the time that Crowdstrike shared its findings with the Brazilian government.

Other researchers have used social media accounts and more to trace the identity back to Luan.

The arrest is just the latest attempt by Brazilian law enforcement to limit the operations of hackers in their country. In January, Brazilian police disrupted the operation of a criminal group responsible for the banking malware called Grandoreiro that was used to steal €3.6 million ($3.9 million) since 2019.

In 2022, they carried out eight search and seizure warrants as part of an investigation into attacks claimed by the Lapsus$ Group.


Undercover North Korean IT workers now steal data, extort employers


North Korean IT professionals who trick Western companies into hiring them are stealing data from the organization’s network and asking for a ransom to not leak it.

Dispatching IT workers to seek employment at companies in wealthier nations is a tactic that North Korea has been using for years as a means to obtain privileged access for cyberattacks or to generate revenue for the country’s weapons programs.

Researchers at cybersecurity company Secureworks uncovered the extortion component during multiple investigations of such fraudulent schemes.

After the employment of a North Korean national with access to proprietary data (as part of their contractor role) was terminated, the company would receive the first extortion email, the researchers explain.

To obtain the job and avoid raising suspicions afterwards, the fraudulent IT workers used a false or stolen identity and relied on laptop farms to route traffic between their real location and the company through a U.S.-based point.

They also avoided video during calls or resorted to various tricks while on the job to hide their face during video conferences, such as using artificial intelligence tools.

Overview of the scheme
Source: Secureworks

In July, American cybersecurity company KnowBe4 revealed that they were among the hundreds of victimized companies, and in their case, the threat actor attempted to install an infostealer on the company’s computer.

Secureworks tracks the group organizing and coordinating North Korea’s IT worker army as “Nickel Tapestry,” while Mandiant uses the UNC5267 name.

One example of a Nickel Tapestry campaign in mid-2024 that Secureworks investigated is that of a company that had proprietary data stolen almost immediately after employing an external contractor.

The data was transferred to a personal Google Drive cloud storage using the company’s virtual desktop infrastructure (VDI).

After terminating the employment due to poor performance, the company began receiving extortion emails from external Outlook and Gmail addresses containing samples of the stolen data in ZIP archives.

The threat actors demanded a six-figure ransom to be paid in cryptocurrency in exchange for not leaking the data publicly.

Secureworks’ investigation revealed that Nickel Tapestry had used Astrill VPN and residential proxies to mask their real IP address during the malicious activities, while AnyDesk was used for remote access to the systems.

The researchers warn that North Korean IT workers often coordinate to refer one another to companies.

Organizations should be cautious when hiring remote workers or freelancers, and look for signs of fraud like changes in payment accounts and laptop shipment addresses, submission of generic-looking resumes, atypical correspondence hours, and unwillingness to enable the camera during interviews.
