Security News

North Korean nation-state actors affiliated with the Reconnaissance General Bureau have been attributed to the JumpCloud hack following an operational security blunder that exposed their actual IP address. The intrusion directed against JumpCloud took place on June 22, 2023, as part of a sophisticated spear-phishing campaign that leveraged the unauthorized access to breach fewer than five customers and less than 10 systems in what's called a software supply chain attack.

North Korean state-sponsored hackers have been linked to two recent cyberattack campaigns: one involving a spear-phishing attack on JumpCloud and the other targeting tech employees on GitHub through a social engineering campaign. "Fewer than 5 JumpCloud customers were impacted and fewer than 10 devices total were impacted, out of more than 200,000 organizations who rely on the JumpCloud platform for a variety of identity, access, security, and management functions,".

An analysis of the indicators of compromise associated with the JumpCloud hack has uncovered evidence pointing to the involvement of North Korean state-sponsored groups, in a style that's reminiscent of the supply chain attack targeting 3CX. The findings come from SentinelOne, which mapped out the infrastructure pertaining to the intrusion to uncover underlying patterns. "The North Korean threat actors demonstrate a high level of creativity and strategic awareness in their targeting strategies," SentinelOne security researcher Tom Hegel told The Hacker News.

US-based enterprise software company JumpCloud was breached by North Korean Lazarus Group hackers, according to security researchers at SentinelOne and CrowdStrike. In a report published on Thursday, SentinelOne Senior Threat Researcher Tom Hegel linked the North Korean threat group to the JumpCloud hack based on multiple indicators of compromise shared by the company in a recent incident report.

A North Korean satellite allegedly designed for reconnaissance was not viable for its alleged intended purpose, according to South Korea's military on Wednesday. North Korea attempted to put the satellite into orbit on May 31, but it instead plunged into the sea soon after it was launched.

Security analysts have discovered a previously undocumented remote access trojan named 'EarlyRAT,' used by Andariel, a sub-group of the Lazarus North Korean state-sponsored hacking group. In a more recent report from WithSecure, it was discovered that a North Korean group using a newer variant of DTrack, possibly Andariel, gathered valuable intellectual property for two months.

The North Korea-aligned threat actor known as Andariel leveraged a previously undocumented malware called EarlyRat in attacks exploiting the Log4j Log4Shell vulnerability last year. "Andariel infects machines by executing a Log4j exploit, which, in turn, downloads further malware from the command-and-control server," Kaspersky said in a new report.

Their prospects of picking up your work have receded further, after the US Department of the Treasury's Office of Foreign Assets Control made it illegal to do business with one: Chinyong Information Technology Cooperation Company, aka Jinyong IT Cooperation Company. Treasury asserted the outsourcer "Employs delegations of DPRK IT workers that operate in Russia and Laos.".

The North Korean advanced persistent threat group known as Kimsuky has been observed using a piece of custom malware called RandomQuery as part of a reconnaissance and information exfiltration operation. "Lately, Kimsuky has been consistently distributing custom malware as part of reconnaissance campaigns to enable subsequent attacks," SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a report published today.

The Korean National Police Agency warned that North Korean hackers had breached the network of one of the country's largest hospitals, Seoul National University Hospital, to steal sensitive medical information and personal details. The intrusion techniques observed in the attacks, the IP addresses that have been independently linked to North Korean threat actors, the website registration details, the use of specific language and North Korean vocabulary.