2021-01-28



North Korean state-sponsored hackers are targeting and attacking white-hat security researchers. They're using a combination of zero-day exploits, a Trojanized Visual Studio project, and good old social engineering.

So says Google's Threat Analysis Group (TAG), which has been investigating the perps. APT38 is to blame (also known as Lazarus Group, DarkSeoul, ZINC, etc.).

And there's a lesson for all of us. Be careful out there, in this week's Security Blogwatch.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: sea shanties have jumped the shark.

Google TAG tags North Korean APT

What's the craic? Catalin Cimpanu reports: North Korean hackers have targeted security researchers via social media.

A North Korean government hacking group is targeting members of the cybersecurity community engaged in investigating vulnerabilities. The attack was discovered by TAG, a Google security team that specializes in hunting advanced persistent threat (APT) groups.

[It's been] linked to the Lazarus Group, a well-known operation sponsored by the North Korean state. Some security researchers believe the North Korean group is likely to have used a combination of Chrome and Windows 10 zero-day vulnerabilities to deploy malicious code.

Why target security researchers? To steal exploits for vulnerabilities discovered by the infected researchers, which the threat group can then deploy in its own attacks with little or no development cost.

And John Porter has the story: Google warns of new social engineering techniques.

Government-sponsored hackers based in North Korea are targeting individual security researchers in a variety of ways. [It's] worrying that it seems to be exploiting an unpatched Windows 10 and Chrome vulnerability.

[TAG] cites some cases where a researcher's machine was infected just by visiting the hackers' blog, even when running the latest versions of Windows 10 and Chrome. Attackers used various platforms such as Telegram, LinkedIn, and Discord.

Let's go to the horse's mouth. Google TAG's Adam Weidemann presses the panic button: New campaign targeting security researchers:

The actors behind this campaign, which we attribute to a government-backed entity based in North Korea, have taken many steps to target researchers. We hope this post reminds those in the security research community that they are targets of government-backed attackers and should remain vigilant.

Attackers have been observed targeting specific security researchers with new social engineering techniques. After establishing initial communication, the actor asks the targeted researcher if they would like to collaborate on vulnerability research [via a] Visual Studio project. Within the Visual Studio project is [a] DLL that runs via a Visual Studio build event. The DLL is custom malware that immediately begins communicating with actor-controlled C2.

We have also observed several cases where researchers were compromised after visiting the actors' blog. Shortly thereafter, a malicious service was installed on the researcher's system and an in-memory backdoor began beaconing. We could not confirm the mechanism of compromise.

We recommend separating research activities by using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties, and your own security research.

So who got hacked? Gareth Corfield tells the story of Alejandro Caceres: I was targeted by a North Korean zero-day hacker:

"When I read the Google post, I think I honestly said 'holy ****' out loud. I thought it was insane. Attacked by a nation-state? Me?!"

A vulnerability broker he had known and trusted for some time introduced him to a new researcher called James Willy, who was "New York-born," Caceres [said]. "We were in a three-person group chat. He sent us a Visual Studio project to investigate a driver bug that caused a blue screen."

"James" [said] it was linked to Google Chrome, which got bug hunters' immediate attention: vulnerabilities that affect software used by tens of millions of people around the world are rare and rewarding. "All the code was legit. It was a real crash that could impact security, but I wasn't careful when I opened the Visual Studio project." [But] opening some Visual Studio projects can result in code execution. This was the North Korean attack vector.

Sometimes, those evil nation-state hackers really are out to get you. Being an ordinary bug-hunting pro doesn't take you off the target list.
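The attack vector TAG and Caceres describe is a build event inside a shared Visual Studio project. As an added example (not code from Google TAG, The Register, or the campaign itself), this Python script lists every command an MSBuild project would run at build time, so a researcher can review a shared .vcxproj/.csproj before opening it. The sample project and the "helper.dll" name are constructed for the demo.

```python
"""List build-time commands in an MSBuild project before it is opened."""
import xml.etree.ElementTree as ET

# Elements whose <Command> child is a shell command run by the build.
EVENT_TAGS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent"}
# Substrings that usually mean "run or load a binary", worth a closer look.
RISKY_MARKERS = ("rundll32", "regsvr32", "powershell", "cmd.exe", "cmd /c", ".dll")


def _local(tag: str) -> str:
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def find_build_commands(project_xml: str) -> list[dict]:
    """Return every command MSBuild would execute: build events, Exec tasks,
    and custom tasks loaded from an assembly (UsingTask)."""
    findings = []
    for elem in ET.fromstring(project_xml).iter():
        tag = _local(elem.tag)
        if tag in EVENT_TAGS:
            for child in elem:
                if _local(child.tag) == "Command" and (child.text or "").strip():
                    findings.append({"kind": tag, "command": child.text.strip()})
        elif tag == "Exec" and elem.get("Command", "").strip():
            findings.append({"kind": "Exec", "command": elem.get("Command").strip()})
        elif tag == "UsingTask" and elem.get("AssemblyFile"):
            findings.append({"kind": "UsingTask", "command": elem.get("AssemblyFile")})
    return findings


def risky(findings: list[dict]) -> list[dict]:
    """Subset of findings whose command matches one of RISKY_MARKERS."""
    return [f for f in findings if any(m in f["command"].lower() for m in RISKY_MARKERS)]


# Constructed sample: a benign post-build copy plus a pre-build event that
# loads a DLL shipped with the project (placeholder name, not a real IoC).
SAMPLE_VCXPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <PreBuildEvent><Command>rundll32.exe $(SolutionDir)helper.dll,Init</Command></PreBuildEvent>
    <PostBuildEvent><Command>copy "$(TargetPath)" "$(SolutionDir)bin"</Command></PostBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""

if __name__ == "__main__":
    for f in find_build_commands(SAMPLE_VCXPROJ):
        flag = "RISKY" if risky([f]) else "ok   "
        print(f"{flag} {f['kind']}: {f['command']}")
```

Run it against the project file itself rather than opening it in the IDE; a clean result only means no build command was found, so the DLL and source still deserve a look on an isolated machine.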

But this anonymous coward is clearly not impressed.

A white hat who runs Windows 10, Chrome, and Visual Studio outside a sandbox doesn't deserve to be called a hacker.

A unique exploit? No. Holy Water Park (@unpacker) has déjà vu:

We confirmed that the Lazarus Group used this malware cluster, named ThreatNeedle, in a recent attack on the defense industry. It's almost the same malware, with the same RC4 key and overlapping infrastructure. I was surprised that it's targeting researchers at this point.

Wait. Pause. Anyway, how do you know it was North Korea? martinusher isn't sure:

I think there's some kind of die or spinner with "Russia, China, Iran, Cuba, North Korea" on it, which news services use to identify the "nation state" behind the hack du jour.

I'm not excluding nation-states; it's just that there are far more criminals than nation-states. I'd hope that unethical people would have moved on to a decent business opportunity, as there's plenty of money to be made from vulnerabilities.

Surely. And scooby359 would have gotten away with it, if it hadn't been for those meddling kids: [You're fired -Ed.]

I’m always curious about how such seemingly underdeveloped countries can have such advanced cybersecurity skills.

Yeah. Brian Bixby agrees:

I'm still surprised that the "North Korean super hackers" stupidity is still a thing. They have a single fiber line that goes through China's Great Firewall (until a few years ago, it was a pair of T-3s to Taiwan that was often clogged by Kim's porn habit).

IIRC they have one small data center in the whole country, with obsolete Chinese servers. They don't have the ability to hire a decent instructor to teach hacking to their small educated class.

Still, we're supposed to quiver in our boots because the North Korean super hackers are coming to get us. It seems much more likely that some criminals in China and Hong Kong are spoofing NK addresses.

On the other hand, QuantizableQuoll has the following warning:

The blog was also linked from various security subreddits. If you're the type of person who frequents those subreddits, you'll want to check your computer.

What's the moral of the story?

Social engineering isn't just for normies. Question everything, whether you're an IT expert, an agile Dev(Sec)Ops sprinter, or a 1337 h4x0r.

And finally

Can we all agree? Enough with the sea shanties.

Previously in And Finally

You have been reading Security Blogwatch by Richi Jennings.

This week’s zomgsauce: Michael Brndli (via Unsplash)

