Top five Cyber Threat Intel stories of the week: 05/22 to 05/26/2023

James Beal
Hunter Strategy
May 26, 2023

Top 5 general threat intelligence stories of the week. Everything here comes from TLP:WHITE (now TLP:CLEAR) open-source reporting, so please feel free to share and enjoy reading about these events. Please reach out if you have any questions! Thank you!

General Worldwide activity:

1st: US government targets North Korea’s illicit IT workforce with new sanctions

Overview: The U.S. government announced new sanctions against North Korea related to its army of illicit IT workers that have fraudulently gained employment to finance the regime’s weapons of mass destruction programs. North Korea maintains thousands of “highly skilled” IT workers around the world, primarily in China and Russia, which “generate revenue that contributes to its unlawful weapons of mass destruction and ballistic missile programs,” according to an announcement from the U.S. Treasury Department on Tuesday. These individuals, who in some cases earn upwards of $300,000 a year, deliberately obfuscate their identities, locations and nationalities using stolen identities and falsified documentation to apply for jobs with employers located in “wealthier countries.” They have secretly worked in various positions and industries, including the fields of “business, health and fitness, social networking, sports, entertainment, and lifestyle,” the announcement read.

Breakdown: We have seen sanctions from the U.S. Government in the past in response to sustained APT-level activity from certain countries. In many of those cases the Department of Justice built the indictments once it had enough evidence to attribute specific attacks to particular groups or even named individuals, with Treasury's OFAC issuing the sanctions themselves. Beyond sanctions and indictments there is very little a nation can do against activity at this level: these are protected, well-funded groups backed by large states such as Russia, China, Iran and, as in this case, North Korea. Of those, North Korea stands out for pointing its APT groups at financial fraud and theft, stealing as much cryptocurrency as it can each year to fund the regime's weapons programs and further operations. The practical check for employers is hiring due diligence: this scheme works because remote IT candidates are onboarded on stolen or forged identity documents, so identity verification that goes beyond a document scan, and that catches a mismatch between the claimed location and where the person actually connects from, is the control that breaks it.

2nd: IT employee impersonates ransomware gang to extort employer

Overview: A 28-year-old United Kingdom man from Fleetwood, Hertfordshire, has been convicted of unauthorized computer access with criminal intent and blackmailing his employer. A press release published yesterday by the South East Regional Organized Crime Unit (SEROCU) explains that in February 2018, the convicted man, Ashley Liles, worked as an IT Security Analyst at an Oxford-based company that suffered a ransomware attack. Like many ransomware attacks, the threat actors contacted the company’s executives, demanding a ransom payment. Due to his role in the company, Liles took part in the internal investigations and incident response effort, which was also supported by other members of the company and the police. However, during this phase, Liles is said to have attempted to enrich himself from the attack by tricking his employer into paying him a ransom instead of the original external attacker.

Breakdown: This is a textbook insider-threat scenario coming true for this organization. A member of the security team used his seat on the incident response effort to attempt to defraud the company, and that seat is exactly what made the attempt plausible: he knew what the real attacker had demanded and how the executives were handling it. Two controls worth checking at your own organization follow directly from this case: confirm any ransom payment instructions, or changes to them, through a channel the responders themselves do not control, and keep privileged access during an incident logged and reviewed by someone outside the response team. It is also a perfect case to build into a tabletop exercise, into security awareness training across the company, or into a discussion of general DFIR practices with the executive team about how they would respond to such an event.

3rd: Interview With a Crypto Scam Investment Spammer

Overview: Renaud Chaput is a freelance programmer working on modernizing and scaling the Mastodon project infrastructure — including joinmastodon.org, mastodon.online, and mastodon.social. Chaput said that on May 4, 2023, someone unleashed a spam torrent targeting users on these Mastodon communities via “private mentions,” a kind of direct messaging on the platform. The messages said recipients had earned an investment credit at a cryptocurrency trading platform called moonxtrade[.]com. Chaput said the spammers used more than 1,500 Internet addresses across 400 providers to register new accounts, which then followed popular accounts on Mastodon and sent private mentions to the followers of those accounts.

Breakdown: Brian Krebs consistently puts out well-researched content that takes a slightly different angle on events, because he takes the time to track down original sources. In this case we get a detailed look into a crypto spam campaign and the scammer behind it, with reporting tied to the person who watched it unfold on the Mastodon side. The infrastructure pattern is worth noting: 1,500 addresses spread across 400 providers means IP- or ASN-based blocking alone would not have stopped it, and the follow-then-message behaviour of brand-new accounts is the more reliable signal. A great read on how the spam was done and how the Mastodon admins responded to it.
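The behaviour Chaput describes (new account, follow a popular account, privately mention that account's followers with a link, all from many addresses and providers) is itself a detection rule. The following is an added example written for this summary, not code from Krebs, Mastodon or the original post: a small Python heuristic run over a constructed event log. The event schema, follower graph, thresholds, account names and addresses are all assumptions made up for the example; the defanged moonxtrade[.]com domain is the one named in the story.

```python
"""Heuristic for the follow-then-private-mention spam pattern.

Added example with constructed data; not Mastodon's own code.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Matches a URL or a (possibly defanged) bare domain such as moonxtrade[.]com.
URL_RE = re.compile(r"https?://\S+|\b\w[\w.-]*\[?\.\]?(?:com|net|org|io|xyz)\b", re.I)

# Thresholds are assumptions for this example, not values from the article.
MAX_ACCOUNT_AGE_S = 6 * 3600   # account counts as "new" for six hours
MIN_DISTINCT_TARGETS = 5       # private mentions to at least this many distinct users
MIN_ASN_SPREAD = 3             # campaign registered from at least this many providers


@dataclass(frozen=True)
class Event:
    ts: int
    kind: str          # "register" | "follow" | "mention"
    actor: str
    target: str = ""   # account followed, or user mentioned
    ip: str = ""
    asn: str = ""
    text: str = ""
    private: bool = False


def flag_accounts(events, followers, now):
    """Return {account: reason} for new accounts that follow someone and then
    privately mention that someone's followers, every message carrying a URL."""
    registered = {e.actor: e for e in events if e.kind == "register"}
    followed = defaultdict(set)
    mentions = defaultdict(list)
    for e in events:
        if e.kind == "follow":
            followed[e.actor].add(e.target)
        elif e.kind == "mention" and e.private:
            mentions[e.actor].append(e)

    flagged = {}
    for acct, msgs in mentions.items():
        if acct not in registered or now - registered[acct].ts > MAX_ACCOUNT_AGE_S:
            continue  # old account (or unknown origin): outside this heuristic
        audience = set().union(*(followers.get(t, set()) for t in followed[acct]))
        hits = {m.target for m in msgs} & audience
        with_url = sum(1 for m in msgs if URL_RE.search(m.text))
        if len(hits) >= MIN_DISTINCT_TARGETS and with_url == len(msgs):
            flagged[acct] = (f"{len(hits)} private mentions to followers of "
                             f"{sorted(followed[acct])}, all carrying a URL")
    return flagged


def campaign_spread(events, flagged):
    """Count distinct source IPs and providers (ASNs) behind the flagged accounts.
    A wide ASN spread is the proxy-network signature described in the story."""
    ips, asns = set(), set()
    for e in events:
        if e.kind == "register" and e.actor in flagged:
            ips.add(e.ip)
            asns.add(e.asn)
    return {"accounts": len(flagged), "ips": len(ips), "asns": len(asns),
            "distributed": len(asns) >= MIN_ASN_SPREAD}


# ---- constructed sample data (not real accounts, addresses or ASNs) ----
NOW = 1_683_200_000
FOLLOWERS = {
    "bigname": {f"fan{i}" for i in range(20)},
    "localdev": {"alice", "bob"},
}


def _spam_burst(acct, ip, asn, n):
    """One spam account: register, follow the popular account, DM its followers."""
    evs = [Event(NOW - 600, "register", acct, ip=ip, asn=asn),
           Event(NOW - 500, "follow", acct, "bigname")]
    evs += [Event(NOW - 400 + i, "mention", acct, f"fan{i}", private=True,
                  text=f"@fan{i} you earned an investment credit at moonxtrade[.]com")
            for i in range(n)]
    return evs


EVENTS = (
    _spam_burst("crypto_bob1", "198.51.100.7", "AS64496", 8)
    + _spam_burst("crypto_bob2", "203.0.113.9", "AS64497", 6)
    + _spam_burst("crypto_bob3", "192.0.2.44", "AS64498", 7)
    + [  # an old account and a new-but-benign account, neither should fire
        Event(NOW - 200_000, "register", "alice", ip="192.0.2.1", asn="AS64500"),
        Event(NOW - 100, "follow", "alice", "bigname"),
        Event(NOW - 50, "mention", "alice", "fan1", text="@fan1 nice post!", private=True),
        Event(NOW - 300, "register", "newbie", ip="192.0.2.2", asn="AS64500"),
        Event(NOW - 250, "follow", "newbie", "localdev"),
        Event(NOW - 200, "mention", "newbie", "alice", private=True,
              text="@alice hi, my notes are at https://example.org"),
    ]
)

if __name__ == "__main__":
    hits = flag_accounts(EVENTS, FOLLOWERS, NOW)
    for acct, why in hits.items():
        print(acct, "->", why)
    print(campaign_spread(EVENTS, hits))
```

The point of keying on behaviour rather than source address is the one the story makes implicitly: with 400 providers in play, each registration looks clean on its own, but a fresh account that follows one high-follower account and then DMs that account's followers with the same link is distinctive regardless of where it connects from. The ASN spread is then useful as a campaign-level confirmation, not as the primary block list.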

4th: 25 Years Later: Reflecting on L0pht’s 1998 Congress Testimonial and the Evolution of Cybersecurity

Overview: I look back on L0pht’s testimony before Congress in 1998 with a mix of pride and reflection. It’s been twenty-five years since our group of hackers (or vulnerability researchers, if you will) stepped up to raise awareness about the importance of internet security in front of some of the world’s most powerful lawmakers. This event marked the beginning of a long journey towards increased cybersecurity awareness and implementation of measures to protect our digital world. Let’s take a look at how far we’ve come and what still needs to be done.

Breakdown: As a “hacker history” aficionado, I love to see articles written by a member of one of the most famous original hacker groups, from before “hacker” became so tied to criminal activity. Chris Wysopal (Weld Pond) has been sharing his outlook on those events and on the present for years, but this was a special look back at the testimony and the effect it had on the world overall. It is a quick read with many excellent references for further research if you are interested or have not seen reporting on some of this historical activity.

5th: The Underground History of Russia’s Most Ingenious Hacker Group

Overview: Ask Western cybersecurity intelligence analysts who their “favorite” group of foreign state-sponsored hackers is — the adversary they can’t help but grudgingly admire and obsessively study — and most won’t name any of the multitudes of hacking groups working on behalf of China or North Korea. Not China’s APT41, with its brazen sprees of supply chain attacks, nor the North Korean Lazarus hackers who pull off massive cryptocurrency heists. Most won’t even point to Russia’s notorious Sandworm hacker group, despite the military unit’s unprecedented blackout cyberattacks against power grids or destructive self-replicating code. Instead, connoisseurs of computer intrusion tend to name a far more subtle team of cyberspies that, in various forms, has silently penetrated networks across the West for far longer than any other: a group known as Turla.

Breakdown: From the story above about hacker history and trying to make things better, we go to a wonderfully written piece on the complete opposite side of things. Turla is one of the top APT groups in the world, with a history of successful operations over a very long time span, and it has earned at least the grudging respect of many people in the security field for its tradecraft. The U.S. DoJ and FBI had just completed a large-scale takedown of one of its operations (the disruption of the Snake malware network announced earlier in May), and the article is another in-depth look at how a mature APT group functions.

Contact Us

contact@hunterstrategy.net


James Beal is a Cyber Threat Intelligence Engineer at Hunter Strategy, focused on simplifying the evolving threat landscape and creating tangible alerts to help triage events.