DPRK Cyberespionage This Week
South Korea’s Gyeonggi Nambu Provincial Police Agency has revealed that the North Korean threat actor Kimsuky targeted South Korean contractors involved in a joint US and South Korean military exercise. The attackers used spearphishing emails in an attempt to steal information. The agency confirmed that no military-related information was stolen, but it found that the attack was staged from an IP address previously used in a 2014 hack against a South Korean nuclear reactor operator, an infrastructure overlap that underpins the attribution. The case illustrates the persistence of North Korean cyberespionage against defense-related targets.
Cisco Talos, meanwhile, has uncovered a new remote access Trojan (RAT), CollectionRAT, in use by North Korea’s Lazarus Group. CollectionRAT offers standard RAT capabilities, including running arbitrary commands and managing files on an infected endpoint. It is a packed Windows binary built on the Microsoft Foundation Class (MFC) library that decrypts and executes its actual code on the fly, which complicates static analysis. Talos also observes Lazarus Group shifting tactics: the group increasingly relies on open-source tools and frameworks in the initial access phase of its attacks rather than on custom tooling alone.
US Intelligence Community Warns of Cyber Threats to Space Systems
US intelligence agencies have issued a warning about cyberespionage threats targeting the space industry. The FBI, the National Counterintelligence and Security Center (NCSC), and the Air Force Office of Special Investigations (AFOSI) have outlined the dangers posed by foreign intelligence entities (FIEs) to the US space sector. FIEs recognize the commercial space industry’s importance to the US economy and national security, which makes it a target for cyberattacks aimed at space-related innovation, assets, technologies, and expertise. The bulletin also warns that satellite systems are likely to be attacked in the event of a future conflict.
China’s Cyberespionage Campaign Against Vulnerable Barracuda Appliances
The FBI has issued an alert warning that Barracuda’s Email Security Gateway (ESG) appliances have been compromised by suspected Chinese government threat actors. The actors exploited a vulnerability in the appliances to plant malicious payloads that provide persistent access, email scanning, credential harvesting, and data exfiltration. The FBI advises that all affected appliances be isolated and replaced immediately rather than patched, since it assesses that exploited appliances remain at risk even after patching, and that networks be scanned for connections to the indicators of compromise it has published.
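The scan the FBI recommends is a matching exercise over network logs. The following is an added example (not from the FBI advisory or from Barracuda) that flags outbound connections whose destination IP or hostname matches an indicator list. The IOC values and the log lines are constructed placeholders from reserved documentation ranges and names, not real indicators; the log format is a hypothetical "timestamp src dst:port host" shape, so the regex is the part you would adapt to your firewall or proxy export.

```python
"""Flag outbound connections that match a published indicator list.

Added example, not from the FBI advisory or Barracuda. IOC values and log
lines are constructed placeholders (RFC 5737 / RFC 2606 ranges and names).
"""
import ipaddress
import re
from typing import Iterable

# Constructed placeholders standing in for the advisory's IOC list.
IOC_IPS = {"203.0.113.10", "198.51.100.77"}
IOC_DOMAINS = {"update.example.net"}  # a match covers the domain and any subdomain

# Constructed log lines in a hypothetical "ts src dst:port host" shape.
# "-" in the host column means no hostname was observed for that flow.
SAMPLE_LOGS = """\
2023-08-24T10:01:02Z 10.0.5.21 203.0.113.10:443 -
2023-08-24T10:02:15Z 10.0.5.21 93.184.216.34:443 www.example.com
2023-08-24T10:03:40Z 10.0.8.9 198.51.100.77:8080 -
2023-08-24T10:04:01Z 10.0.8.9 192.0.2.5:443 files.update.example.net
2023-08-24T10:05:55Z 10.0.5.21 10.0.0.1:53 -
"""

# Adapt this to the real export format; it assumes IPv4 destinations.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+(?P<host>\S+)$"
)


def domain_matches(host: str, iocs: set[str]) -> bool:
    """True if host equals an IOC domain or is a subdomain of one.

    Suffix matching is anchored on a dot so that "notupdate.example.net"
    does not match "update.example.net".
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


def scan(lines: Iterable[str], ioc_ips=IOC_IPS, ioc_domains=IOC_DOMAINS) -> list[dict]:
    """Return one record per log line that touches an indicator."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than silently pass it
        dst, host = m["dst"], m["host"]
        reasons = []
        try:
            # Normalize through ipaddress so "203.000.113.010"-style
            # variants do not slip past a plain string comparison.
            if str(ipaddress.ip_address(dst)) in ioc_ips:
                reasons.append(f"dst ip {dst}")
        except ValueError:
            pass  # destination was not an IP literal
        if host != "-" and domain_matches(host, ioc_domains):
            reasons.append(f"host {host}")
        if reasons:
            hits.append({"ts": m["ts"], "src": m["src"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS.splitlines()):
        print(hit["ts"], hit["src"], "->", "; ".join(hit["reasons"]))
```

In practice you would restrict the source column to the ESG appliance’s own addresses first, since the advisory concerns traffic the compromised appliance initiates, and then widen the search to the rest of the network to look for lateral movement from it. A hit on the indicator list is grounds for the isolate-and-replace action above, not just a patch.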
The Cyber Phase of Russia’s Hybrid War Against Ukraine
While cyberattacks and cyberespionage in Russia’s war against Ukraine have been relatively quiet lately, disinformation campaigns persist. Recent themes in Russian influence operations have attempted to portray Poland as eager to reclaim territories it lost to the Soviet Union at the end of World War II. Russian influence operations routinely depict Russia as the victim of aggression, with Ukraine serving as a proxy for the United States. These campaigns aim to undermine Ukraine’s government and its relationship with the US.
Recent Trends in Cybercriminal Tactics and Techniques
Several reports have highlighted recent trends in cybercriminal tactics and techniques. Sophos’s Active Adversary report finds that ransomware attacks have become markedly faster since the beginning of 2023, leaving defenders less time between initial access and encryption in which to detect and respond. HP Wolf Security’s Security Threat Insights Report notes a spike in QakBot spam activity in Q2 2023, with campaigns that used unusual infection chains to evade detection tools and security policies. Trustwave SpiderLabs has observed a rise in business email compromise (BEC) attacks, concentrated in the first quarter of the year. Kroll has also noted an increase in supply chain risk, driven by the Cl0p ransomware group’s exploitation of the MOVEit Transfer vulnerability.
Furthermore, Abnormal Security has found that Microsoft is the most commonly spoofed brand in phishing attacks, with Microsoft-branded lures making up a significant share of the phishing attempts it observed in 2023. Attackers target Microsoft credentials because a single set can unlock an organization’s entire Microsoft 365 environment. Abnormal also reports an increase in grammatically correct phishing emails, which suggests that attackers are using generative AI tools to produce their templates; the practical consequence is that poor grammar is no longer a reliable tell, and detection has to rest on sender and infrastructure signals instead. Additionally, TransUnion has reported record levels of synthetic identity fraud, particularly in the auto finance industry.
Taken together, these reports point to faster intrusions, more convincing lures, and greater supply-chain exposure, and organizations should plan their detection and response around those shorter timelines.
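Because grammar no longer separates Microsoft-branded phishing from genuine Microsoft mail, a useful triage check is whether the sender actually comes from a Microsoft-controlled domain. The following is an added example, not from the Abnormal Security report, that classifies a From header as legitimate, a lookalike domain, a display-name spoof, or unrelated. The allowlist of legitimate brand domains is a hypothetical list you would maintain yourself, and the sample headers are constructed.

```python
"""Classify a From header for Microsoft brand impersonation.

Added example, not from the Abnormal Security report. BRAND_DOMAINS is a
hypothetical allowlist; the sample headers are constructed.
"""
import unicodedata
from email.utils import parseaddr

BRAND = "microsoft"
# Hypothetical allowlist of domains treated as legitimate senders for the brand.
BRAND_DOMAINS = {"microsoft.com", "microsoftonline.com", "office.com", "outlook.com"}

# Crude lookalike normalisation for substitutions commonly seen in spoofed
# domains and display names (rn -> m, 0 -> o, 1 -> l, ...).
SUBSTITUTIONS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(text: str) -> str:
    """Fold Unicode compatibility forms and common lookalike substitutions."""
    s = unicodedata.normalize("NFKC", text).lower()
    for lookalike, real in SUBSTITUTIONS.items():
        s = s.replace(lookalike, real)
    return s


def is_brand_domain(domain: str) -> bool:
    """True only for the allowlisted domains and their subdomains."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS)


def classify(from_header: str) -> str:
    """Return one of: legit, lookalike-domain, display-name-spoof, unrelated."""
    name, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    if domain and is_brand_domain(domain):
        return "legit"
    # The brand name appears in the domain itself but the domain is not on
    # the allowlist: rnicrosoft-secure.com, microsoft.com.evil.example, etc.
    if domain and BRAND in normalize(domain):
        return "lookalike-domain"
    # Brand appears only in the display name or local part, sent from an
    # unrelated domain: the classic display-name spoof.
    if BRAND in normalize(name) or BRAND in normalize(local):
        return "display-name-spoof"
    return "unrelated"


# Constructed sample headers.
SAMPLES = [
    "Microsoft Account Team <account-security-noreply@accountprotection.microsoft.com>",
    "Microsoft 365 <no-reply@rnicrosoft-secure.com>",
    "Microsoft Support <helpdesk@mail-notify.example>",
    "Jane Doe <jane@example.org>",
    "Security Alert <admin@microsoft.com.login-check.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify(header):20} {header}")
```

This catches display-name spoofing and simple lookalikes, which is the part of the brand-impersonation problem that a header check can see. It deliberately returns "legit" for anything on the allowlist without proving the message was really sent by that domain; an attacker who forges microsoft.com outright is only detected by SPF, DKIM, and DMARC evaluation at the receiving gateway, so this check belongs behind those controls rather than in place of them.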

