Breach Roundup: How to Spot North Korean IT Workers – Source: www.databreachtoday.com

Cybercrime
,
Fraud Management & Cybercrime
,
Incident & Breach Response

Also: Ransomware Surged in 2023, MoneyGram Back in Service After Cyberattack

Anviksha More (AnvikshaMore) •
September 26, 2024    

Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, advice on spotting North Korean staff; ransomware attacks rose; MoneyGram back online; FCC fined political operative; CISA warned of water system attacks; Ukraine restricted Telegram use; North Korean hackers used new malware; U.K. arrested alleged hacker; PSNI is in data leak talks.

See Also: Cloud NGFW : Best-in-class security and unparalleled simplicity on AWS

Companies building a remote workforce who don’t want to accidentally hire someone from the world’s most bonkers and sanctioned totalitarian regime should take a few basic steps, advised Google-owned threat intel company Mandiant.

The steps include requiring all applicants to turn on cameras during interviews “to ensure visual appearance matches online profiles,” Mandiant said in a blog post based on work with companies that hired North Korean nationals. Companies should check that the interviewee matches the provided identification and “ask questions to establish the consistency of a candidate’s responses in line with their purported background.”

The U.S. federal government has warned since at least 2022 that remote North Korean workers may not only collect an illicit paycheck but use their programming positions to facilitate Pyongyang hacking campaigns. Federal prosecutors this year have racked up multiple criminal indictments against individuals accused of aiding the Hermit Kingdom in circumventing sanctions by running laptop farms inside the U.S. through which North Korean nationals obtain IT work for Fortune 500 companies.

One telltale sign that a new recruit is shoveling hard currency into the beleaguered North Korean economy is a laptop using an IP-based keyboard video mouse as well as the installation of remote management tools such as AnyDesk or Chrome Remote Desktop. “Connections to these remote management solutions primarily originated from IP addresses associated with Astrill VPN, likely originating from China or North Korea,” Mandiant said.

Other tells: high reluctance to join video calls, telephone numbers that are Voice over Internet Protocol numbers, multiple remote admin tools installed on a single system as well as “mouse jiggling” software that keeps laptops active. “Keeping laptops on and running are key for the DPRK IT workers who often hold many jobs at once and need to appear online,” Mandiant said.

The company also described the quality of the North Korean workers’ coding as “below average.”

The Institute for Security and Technology’s Ransomware Task Force reported a 73% increase in recorded ransomware incidents worldwide in 2023 compared to the previous year, with 6,670 attacks recorded.

A Thursday report from the task force attributes the trend to big game hunting, where cybercriminals target high-value organizations for maximum payouts. Most notably, the Clop group exploited vulnerabilities in MOVEit file transfer software, contributing to approximately 666 incidents (see: Data Breach Toll Tied to Clop Group’s MOVEit Attack Surges).

Healthcare and construction sectors were the most targeted, and hospitals experienced nearly double the number of attacks, from 89 incidents in 2022 to 177 in 2023. The average recovery cost for hospitals reached $2.2 million, and ransomware payments skyrocketed, exceeding $1 billion in 2023 (see: CMS Now Says 3.1 Million Affected by MOVEit Hack).

Despite increased government and industry efforts to combat ransomware, the profitability of the ransomware-as-a-service model continues to incentivize attackers, the report says.

MoneyGram International came back online Thursday after a cyberattack on the money transfer system forced it to yank services offline on Monday.

Headquartered in Dallas, Texas, MoneyGram processes more than $200 billion in transactions annually in more than 200 countries. A survey report published by MoneyGram earlier this month says that of those who use the service to send money abroad, nearly half said they do so to cover family food costs while more than one-third said the money is to cover emergency expenses. More than one-third reported using the service to cover housing expenses.

The political consultant who generated an artificial intelligence deepfake of U.S. President Joe Biden’s voice in February must pay a $6 million fine to federal regulators. The U.S. Federal Communications Commission imposed the penalty on Democratic operative Steven Kramer on Thursday. “It is now cheap and easy to use artificial intelligence to clone voices and flood us with fake sounds and images,” said FCC Chairwoman Jessica Rosenworcel. “We need to call it out when we see it and use every tool at our disposal to stop this fraud.”

Kramer told The Associated Press in February that the calls were his attempt at a wake-up call about the dangers of AI-powered deepfakes. Then working for Biden primary challenger Rep. Dean Phillips – who denounced the calls – Kramer paid $500 to transmit a false message to nearly 4,000 potential New Hampshire voters on Jan. 21, who heard a voice they thought was Biden’s urging them not to participate in the Democratic primary.

The FCC said Kramer has 30 days to pay the fine or face collections from the Department of Justice. U.S. telecom company Lingo Telecom has already agreed to a $1 million fine for transmitting the calls. Kramer still faces criminal charges in New Hampshire tied to alleged voter suppression.

The U.S Cybersecurity and Infrastructure Security Agency on Wednesday published a warning about cyberattacks targeting critical infrastructure networks, specifically focusing on water and wastewater systems. Attackers don’t need to be uber-hackers since “unsophisticated” methods such as brute force attacks and using default credentials continue to let attackers access internet-exposed operational technology, the agency said.

CISA advised operators to strengthen defenses by changing default passwords, enabling multifactor authentication, securing human-machine interfaces behind firewalls, hardening VNC installations and applying latest patches.

CISA’s warning follows a Sunday cyberattack on the Arkansas City, Kansas, water treatment facility (see: FBI, US Homeland Security Investigate Water Facility Cyberattack).

Ukraine’s National Cybersecurity Coordination Center banned the use of Telegram within government agencies, military units and critical infrastructure due to national security concerns amid the ongoing war with Russia.

Secretary of the National Security and Defense Council Oleksandr Lytvynenko highlighted Telegram’s security risks in a Sept. 19 meeting. Ukraine Defense Intelligence Chief Kyrylo Budanov warned that Russian intelligence could potentially access user data, including deleted messages, making Telegram a serious security threat.

Officials from Ukraine’s Security Service and Armed Forces said that Russia actively uses Telegram for cyberattacks, phishing, malware distribution and missile strike coordination. The NCCC as a result restricted the app on official devices used by government, military and critical infrastructure personnel, except where specifically required.

The ban does not extend to ordinary citizens, and the app remains widely used for communication and news updates, including alerts on Russian airstrikes.

North Korean-linked threat group Kimsuky, also known as APT43, is using two new malware strains dubbed KLogEXE and FPSpy, according to researchers from Palo Alto Networks’ Unit 42. These additions bolster the capabilities of the group, which has been active since 2012 and is notorious for spear-phishing attacks.

KLogEXE is a C++ version of InfoKey, a keylogger previously linked to Kimsuky’s campaigns targeting Japanese organizations. It tracks keystrokes and mouse clicks and collects information about running applications.

FPSpy, a variant of malware previously exposed by AhnLab in 2022, enhances Kimsuky’s ability to gather system information, run commands, download additional payloads and enumerate drives and files.