Security News

North Korean state-sponsored hackers known as APT37 have been discovered targeting journalists specializing in the DPRK with a novel malware strain. The malware is distributed through a phishing attack first discovered by NK News, an American news site dedicated to covering news and providing research and analysis about North Korea, using intelligence from within the country.

Lazarus - also known as APT38, BlueNoroff, and Stardust Chollima - is casting a wide net with this campaign, with targets including cryptocurrency exchanges, decentralized finance protocols, pay-to-earn cryptocurrency video games, and crypto-coin trading companies. The TraderTraitor apps come with a range of names, such as DAFOM, which purports to be a cryptocurrency portfolio app; TokenAIS and CryptAIS, for building AI-based trading portfolios for cryptocurrencies; and Esilet, for live cryptocurrency prices.

The U.S. Cybersecurity and Infrastructure Security Agency, along with the Federal Bureau of Investigation and the Treasury Department, warned of a new set of ongoing cyber attacks carried out by the Lazarus Group targeting blockchain companies. Targeted organizations include cryptocurrency exchanges, decentralized finance protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable non-fungible tokens.

The US government offered a reward up to $5 million for information that helps disrupt North Korea's cryptocurrency theft, cyber-espionage, and other illicit state-backed activities. The cash will be awarded "For information that leads to the disruption of financial mechanisms of persons engaged in certain activities that support North Korea, including money laundering, exportation of luxury goods to North Korea, specified cyber-activity and actions that support WMD proliferation," according to the Feds.

The Treasury Department's Office of Foreign Assets Control has sanctioned the address that received the cryptocurrency stolen in the largest cryptocurrency hack ever, the hack of Axie Infinity's Ronin network bridge. The Federal Bureau of Investigation said two North Korean hacking groups, Lazarus and BlueNorOff, were behind last month's Ronin hack.

The North Korean state-backed hacking crew, otherwise known as the Lazarus Group, has been attributed to yet another financially motivated campaign that leverages a trojanized decentralized finance wallet app to distribute a fully-featured backdoor onto compromised Windows systems. The app, which is equipped with functionalities to save and manage a cryptocurrency wallet, is also designed to trigger the launch of the implant that can take control of the infected host.

Threat actors from North Korea have been exploiting a vulnerability in Google Chrome to target certain users with remote code, particularly news outlets, software vendors and fintechs in the United States. On Feb. 10, Google's TAG team discovered two distinct threat actors using that vulnerability to target U.S.-based organizations spanning news media, IT, cryptocurrency and fintech industries.

Google's Threat Analysis Group on Thursday disclosed that it acted to mitigate threats from two distinct government-backed attacker groups based in North Korea that exploited a recently-uncovered remote code execution flaw in the Chrome web browser. The campaigns, once again "Reflective of the regime's immediate concerns and priorities," are said to have targeted U.S. based organizations spanning news media, IT, cryptocurrency, and fintech industries, with one set of the activities sharing direct infrastructure overlaps with previous attacks aimed at security researchers last year.

North Korean state hackers have exploited a zero-day, remote code execution vulnerability in Google Chrome web browser for more than a month before a patch became available, in attacks targeting news media, IT companies, cryptocurrency, and fintech organizations. Google's Threat Analysis Group attributed two campaigns exploiting the recently patched CVE-2022-0609 to two separate attacker groups backed by the North Korean government.

The notorious Lazarus Group actor has been observed mounting a new campaign that makes use of the Windows Update service to execute its malicious payload, expanding the arsenal of living-off-the-land techniques leveraged by the APT group to further its objectives. The Lazarus Group, also known as APT38, Hidden Cobra, Whois Hacking Team, and Zinc, is the moniker assigned to the North Korea-based nation-state hacking group that's been active since at least 2009.