alt=An image depicting a computer screen with a "No Internet Connection" message, symbolizing North Korea's internet outage.
Cyber security
2024-10-19 Post a Comment

North Korean IT Workers in Western Firms Now Demanding Ransom for Stolen Data

î „Ravie Lakshmanan

North Korean information technology (IT) workers who obtain employment under false identities in Western companies are not only stealing intellectual property, but are also stepping up by demanding ransoms in order to not leak it, marking a new twist to their financially motivated attacks.

“In some instances, fraudulent workers demanded ransom payments from their former employers after gaining insider access, a tactic not observed in earlier schemes,” Secureworks Counter Threat Unit (CTU) said in an analysis published this week. “In one case, a contractor exfiltrated proprietary data almost immediately after starting employment in mid-2024.”

The activity, the cybersecurity company added, shares similarities with a threat group it tracks as Nickel Tapestry, which is also known as Famous Chollima and UNC5267.

The fraudulent IT worker scheme, orchestrated with the intent to advance North Korea’s strategic and financial interests, refers to an insider threat operation that entails infiltrating companies in the West for illicit revenue generation for the sanctions-hit nation.

These North Korean workers are typically sent to countries like China and Russia, from where they pose as freelancers looking for potential job opportunities. As another option, they have also been found to steal the identities of legitimate individuals residing in the U.S. to achieve the same goals.

They are also known to request for changes to delivery addresses for company-issued laptops, often rerouting them to intermediaries at laptop farms, who are compensated for their efforts by foreign-based facilitators and are responsible for installing remote desktop software that allow the North Korean actors to connect to the computers.

What’s more, multiple contractors could end up getting hired by the same company, or, alternatively, one individual could assume several personas.

Secureworks said it has also observed cases where the fake contractors sought permission to use their own personal laptops and even caused organizations to cancel the laptop shipment entirely because they changed the delivery address while it was in transit.

Ransom for Stolen Data

“This behavior aligns with Nickel Tapestry tradecraft of attempting to avoid corporate laptops, potentially eliminating the need for an in-country facilitator and limiting access to forensic evidence,” it said. “This tactic allows the contractors to use their personal laptops to remotely access the organization’s network.”

In a sign that the threat actors are evolving and taking their activities to the next level, evidence has come to light demonstrating how a contractor whose employment was terminated by an unnamed company for poor performance resorted to sending extortion emails including ZIP attachments containing proof of stolen data.

“This shift significantly changes the risk profile associated with inadvertently hiring North Korean IT workers,” Rafe Pilling, Director of Threat Intelligence at Secureworks CTU, said in a statement. “No longer are they just after a steady paycheck, they are looking for higher sums, more quickly, through data theft and extortion, from inside the company defenses.”

To tackle the threat, organizations have been urged to be vigilant during the recruitment process, including conducting thorough identity checks, performing in-person or video interviews, and be on the lookout for attempts to re-route corporate IT equipment sent to the contractors declared home address, routing paychecks to money transfer services, and accessing the corporate network with unauthorized remote access tools.

“This escalation and the behaviors listed in the FBI alert demonstrate the calculated nature of these schemes,” Secureworks CTU said, pointing out the workers’ suspicious financial behavior and their attempts to avoid enabling video during calls.

“The emergence of ransom demands marks a notable departure from prior Nickel Tapestry schemes. However, the activity observed prior to the extortion aligns with previous schemes involving North Korean workers.”

read more
alt=A man in a hoodie is seated at a computer, focused on the screen in a cozy indoor setting.
Cyber security
2024-10-18 Post a Comment

Undercover North Korean IT workers now steal data, extort employers

By

North Korean IT professionals who trick Western companies into hiring them are stealing data from the organization’s network and asking for a ransom to not leak it.

Dispatching IT workers to seek employment at companies in wealthier nations is a tactic that North Korea has been using for years as a means to obtain privileged access for cyberattacks or to generate revenue for the country’s weapons programs.

Researchers at cybersecurity company Secureworks uncovered the extortion component during multiple investigations of such fraudulent schemes.

After the employment of a North Korean national with access to proprietary data (as part of their contractor role) terminated, the company would receive the first extortion email, the researchers explain.

To obtain the job and avoid raising suspicions afterwards, the fraudulent IT workers used a false or stolen identity and relied on laptop farms to route traffic between their real location and the company through a U.S.-based point.

They also avoided video during calls or resorted to various tricks while on the job to hide their face during video conferences, such as using artificial intelligence tools.

Overview of the scheme
Overview of the scheme
Source: Secureworks

In July, American cybersecurity company KnowBe4 revealed that they were among the hundreds of victimized companies, and in their case, the threat actor attempted to install an infostealer on the company’s computer.

Secureworks tracks the group organizing and coordinating North Korea’s IT worker army as “Nickel Tapestry,” while Mandiant uses the UNC5267 name.

One example of a Nickel Tapestry campaign in mid-2024 that Secureworks investigated is that of a company that had proprietary data stolen almost immediately after employing an external contractor

The data was transferred to a personal Google Drive cloud storage using the company’s virtual desktop infrastructure (VDI).

After terminating the employment due to poor performance, the company began receiving extortion emails from external Outlook and Gmail addresses containing samples of the stolen data in ZIP archives.

The threat actors demanded a six-figure ransom to be paid in cryptocurrency in exchange to not leaking the data publicly.

Secureworks’ investigation revealed that Nickel Tapestry had used Astrill VPN and residential proxies to mask their real IP address during the malicious activities, while AnyDesk was used for remote accessing the systems.

The researchers warn that North Korean IT workers often coordinate to refer one another to companies.

Organizations should be cautious when hiring remote workers or freelancers, and look for signs of fraud like changes in payment accounts and laptop shipment addresses, submission of generic-looking resumes, atypical correspondence hours, and unwillingness to enable camera during interviews.

read more
alt=1. Windows 10 security update for April 2019, enhancing system protection and addressing vulnerabilities.
Cyber security
2024-08-28 Post a Comment

Windows Downdate tool lets you ‘unpatch’ Windows systems

By

SafeBreach security researcher Alon Leviev has released his Windows Downdate tool, which can be used for downgrade attacks that reintroduce old vulnerabilities in up-to-date Windows 10, Windows 11, and Windows Server systems.

In such attacks, threat actors force up-to-date targeted devices to revert to older software versions, thus reintroducing security vulnerabilities that can be exploited to compromise the system.

Windows Downdate is available as an open-source Python-based program and a pre-compiled Windows executable that can help downgrade Windows 10, Windows 11, and Windows Server system components.

Leviev has also shared multiple usage examples that allow downgrading the Hyper-V hypervisor (to a two-year-old version), Windows Kernel, the NTFS driver, and the Filter Manager driver (to their base versions), and other Windows components and previously applied security patches.

“You can use it to take over Windows Updates to downgrade and expose past vulnerabilities sourced in DLLs, drivers, the NT kernel, the Secure Kernel, the Hypervisor, IUM trustlets and more,” SafeBreach security researcher Alon Leviev explained.

“Other than custom downgrades, Windows Downdate provides easy to use usage examples of reverting patches for CVE-2021-27090, CVE-2022-34709, CVE-2023-21768 and PPLFault, as well as examples for downgrading the hypervisor, the kernel, and bypassing VBS’s UEFI locks.”

Leviev-Windows-Downdate-tweet

As Leviev said at Black Hat 2024 when he disclosed the Windows Downdate downgrade attack—which exploits the CVE-2024-21302 and CVE-2024-38202 vulnerabilities—using this tool is undetectable because it cannot be blocked by endpoint detection and response (EDR) solutions and Windows Update keeps reporting that the targeted system is up-to-date (despite being downgraded).

“I discovered multiple ways to disable Windows virtualization-based security (VBS), including its features such as Credential Guard and Hypervisor-Protected Code integrity (HVCI), even when enforced with UEFI locks. To my knowledge, this is the first time VBS’s UEFI locks have been bypassed without physical access,” Leviev said.

“As a result, I was able to make a fully patched Windows machine susceptible to thousands of past vulnerabilities, turning fixed vulnerabilities into zero-days and making the term “fully patched” meaningless on any Windows machine in the world.”

While Microsoft released a security update (KB5041773) to fix the CVE-2024-21302 Windows Secure Kernel Mode privilege escalation flaw on August 7, the company has yet to provide a patch for CVE-2024-38202, a Windows Update Stack elevation of privilege vulnerability.

Until a security update is released, Redmond advises customers to implement recommendations shared in the security advisory published earlier this month to help protect against Windows Downdate downgrade attacks.

Mitigation measures for this issue include configuring “Audit Object Access” settings to monitor file access attempts, restricting update and restore operations, using Access Control Lists to limit file access, and auditing privileges to identify attempts to exploit this vulnerability.

read more
Trustpilot
The rating of livingsafeonline.com at Trustprofile Reviews is 9.1/10 based on 13 reviews.
Verified by MonsterInsights