A look at North Korean crypto stealing tactics
The Record’s Jonathan Greig broke down a recent report on these tactics from Proofpoint, highlighting the work of the APT TA444. The report describes the group as working “with a startup mentality and a passion for cryptocurrency.” While the group’s activities overlap with those of other North Korean-linked threat actors, like Lazarus Group, it stands out as seemingly only interested in generating revenue, rather than cyber espionage.
In the past, the group spread malware through malicious documents, but in 2022 it expanded to using email marketing tools. These tools allowed it to more easily get past spam filters and appear legitimate. It combines this with aggressive social media strategies, contacting potential victims on LinkedIn with fake job offers. The United States Treasury Department estimates the group used various cryptocurrency mixers to launder over $120 million.
Russia saw record DDoS attacks
A new report from the Russian telco Rostelecom disclosed that in 2022 it identified 21.5 million critical web attacks, with DDoS attacks impacting 600 organizations in the country across private business and state services. Russian government services accounted for 30% of all DDoS attacks, with total DDoS attacks up 12 times from the previous year. While one attack lasted three months, most were not very powerful or long-lasting. The Russian service DLBI also estimates that in the last year, data leaks impacted 75% of all Russian citizens.
China leads in facial recognition tech exports
The Brookings Institution published a new study from Harvard and MIT looking at facial recognition technology exports by country. It found China led all exports with 201 deals involving sending the technology abroad. US firms came in second with 128 deals. China also led the US in AI export deals, with 250 export deals compared to 136. Combined, the two countries accounted for 23.5% of all AI export deals. One of the report’s authors, Harvard economist David Yang, said that while recent US foreign policy seeks to limit China’s development of new capabilities, it generally doesn’t limit the transfer of existing tech. China can lead facial recognition exports because it “already developed a comprehensive suite of surveillance AI tech that it can sell.”
(Wired)
Kronos Malware Reemerges
Experts believe Kronos malware emerged from leaked Zeus malware source code, sold to Russian actors back in 2011. A newer variant emerged in 2014. It served as a vector for downloading other malware. After that it emerged again in 2018 as a banking trojan referred to as Osiris. This contained some differences but used the same underlying techniques. The latest resurrection of this malware seems to have come last year, attacking financial institutions as a malicious Chrome extension named Seguridad. This variant looked to steal sensitive information from a device, like login credentials and tokens. Security Intelligence reports attackers successfully used it against a financial institution in Mexico.
And now a word from our sponsor, SafeBase
India’s new mobile OS makes big security claims
India continues to maintain a contentious relationship with tech platforms, including mobile operating systems like Android, the OS that dominates the Indian market. A recent Supreme Court ruling will see Google opening up Play Store services more broadly in the country. But last week the Indian Institute of Technology announced a new mobile OS called BharOS, intended as a home-grown alternative. India’s minister for education and skill development and entrepreneurship, Dharmendra Pradhan, demonstrated it this week.
Pradhan claimed the OS shipped with no preloaded apps, shared no user data, and worked with private app stores. He also claimed the OS couldn’t run malware, but provided no details about how this is even remotely possible. Screenshots of the OS show what looks like the Android keyboard app, with design elements that look similar to Android. Prior reporting also says it’s based on the Linux kernel, so it would seem malware would be eminently possible on the platform.
Hacked WordPress sites redirect to ad pages
According to a new report from Sucuri, a recent campaign infected WordPress sites with a malicious index.php file. This initially sent users to fake CAPTCHA scam pages, but recently switched to sending visitors to sketchy ad networks. Some of the ads include ones for malicious “ad blockers” that actually install more malware on a system. This campaign seems to go back to at least 2017, but activity increased in December 2022 to impact over 3,600 sites.
Blackberry malware report
That finding comes from the company’s Quarterly Threat Intelligence Report, which disclosed it stopped 1.75 million malware attacks in 90 days. The most common malware came from Emotet, the Qakbot phishing network, and the GuLoader infostealer. The report also found that, despite its reputation, attackers continue to find ways of targeting macOS. It found the data stealer Dock2Master to be the most commonly installed malicious app, present at 34% of client organizations using macOS on their networks.
Yahoo is back on top…with phishing
Check Point released its report on the most spoofed brands for Q4 2022. It found that Yahoo overtook DHL as the most imitated brand, used in 20% of all phishing attempts in the wild. Malicious emails tried to entice click-throughs by offering prize money from Yahoo contests. DHL only moved down one place on the list, to 16% of all phishing attempts, while Microsoft came in third. Overall, Check Point found the tech industry saw the most brand imitation in phishing messages, followed by shipping brands and social networks.