Wednesday, April 17, 2024

North Korean Hackers Use 0-Day Exploits to Attack Security Researchers

Google’s Threat Analysis Group (TAG) has issued an update regarding an ongoing campaign by North Korean threat actors targeting security researchers. 

This campaign, which first came to light in January 2021, involved using 0-day exploits to compromise the security of researchers engaged in vulnerability research and development.

Over the past two and a half years, TAG has diligently tracked and disrupted multiple campaigns orchestrated by these North Korean actors, unearthing 0-day vulnerabilities and safeguarding online users. 

Recently, TAG identified a new campaign bearing similarities to the previous one. Disturbingly, they have confirmed the active exploitation of at least one 0-day vulnerability in the past few weeks, prompting them to take immediate action.

TAG has reported this vulnerability to the affected vendor, and efforts are underway to patch it. 

While their analysis of this campaign is ongoing, TAG has chosen to provide early notification to the security research community. 

This is a stark reminder that security researchers can become targets of government-backed attackers, underscoring the importance of maintaining vigilance in security practices.

The tactics employed by these North Korean threat actors mirror those from the prior campaign. 

They contact potential targets through social media platforms such as X (formerly Twitter) and gradually build trust. 

Actor-controlled Twitter profile

Once a rapport is established, they transition to encrypted messaging apps like Signal, WhatsApp, or Wire. 

Subsequently, the threat actors send malicious files containing at least one 0-day exploit hidden within popular software packages.

Upon successful exploitation, the malicious code performs a series of anti-virtual machine checks and transmits the collected data, including screenshots, to a command and control domain controlled by the attackers. 

The shellcode used in these exploits exhibits similarities to previous North Korean exploits.

In addition to 0-day exploits, these threat actors have developed a standalone Windows tool to download debugging symbols from central symbol servers, including Microsoft, Google, Mozilla, and Citrix

However, this tool can also download and execute arbitrary code from attacker-controlled domains, posing a significant risk to those who have used it.

GitHub repository for GetSymbol

TAG strongly advises individuals who have downloaded or run this tool to take precautions, including ensuring their systems are clean, which may require complete OS reinstallation.

As part of its commitment to combating these severe threats, TAG utilizes its research findings to enhance the safety and security of Google’s products. 

They swiftly add identified websites and domains to Safe Browsing to protect users from further exploitation. 

Additionally, TAG notifies targeted Gmail and Workspace users of government-backed attacker alerts, encouraging potential targets to activate Enhanced Safe Browsing for Chrome and ensure their devices are up-to-date.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.


Latest articles

Trustifi’s Email Security Awareness Training – Empowering MSPs to Train & Protect Clients

In today's digital landscape, email security has become a critical concern for businesses of...

Personal Data Exposed in Massive Global Hack: Understanding the Implications & Guarding Privacy- Axios Security Group

In a digital age where information is the new currency, the recent global hack...

Ex-Security Engineer Jailed For Hacking Decentralized Cryptocurrency Exchanges

Ahmed exploited a vulnerability in a decentralized cryptocurrency exchange's smart contract by injecting fabricated...

Omni Hotels & Resorts Hack: Attackers have Stolen Customer Information

Omni Hotels & Resorts has revealed that it was the target of a recent...

Connect:fun Attacking Organizations Running Fortinet’s FortiClient EMS

A new exploit campaign has emerged, targeting organizations that utilize Fortinet’s FortiClient EMS.Dubbed...

TA558 Hackers Compromised 320+ Organizations’ FTP & SMTP Servers

TA558, a financially motivated threat actor identified in 2018, is targeting several countries but...

Blackjack Hackers Destroyed 87,000 Sensors Using Lethal ICS Malware

A group of cybercriminals known as "Blackjack" has launched a devastating attack on industrial...

Top 3 SME Attack Vectors

Securing the Top 3 SME Attack Vectors

Cybercriminals are laying siege to small-to-medium enterprises (SMEs) across sectors. 73% of SMEs know they were breached in 2023. The real rate could be closer to 100%.

  • Stolen credentials
  • Phishing
  • Exploitation of vulnerabilities

Related Articles