N. Korean hackers are phishing

Apr 23 2024



Welcome to Gone Phishing, your daily cybersecurity newsletter that shoots first and asks questions later 🔫🔫🔫

Today’s hottest cybersecurity news stories:

  • 🍜 N. Korean hackers are phishing w/ AI, says Microsoft 🤖

  • 🐻 Russia’s APT28 drops GooseEgg via printer spooler flaw 🖨️

  • 🚪 Microsoft flaws allow hackers to gain ‘rootkit-like’ powers 🦸

Korean criminals adopt AI 😏

🚨 North Korea-Linked State-Sponsored Hackers Enhance Operations with AI 🛡️

🤖 Microsoft has uncovered a concerning trend among North Korea-linked state-sponsored cyber actors, who have begun leveraging artificial intelligence (AI) to enhance the efficiency and effectiveness of their operations, according to the tech giant's latest report on East Asia hacking groups.

🔍 Specifically, the report highlights Emerald Sleet (aka Kimsuky or TA427), a group observed utilising AI-powered large language models (LLMs) to bolster spear-phishing campaigns targeting Korean Peninsula experts. These advancements in AI technology enable the adversary to conduct reconnaissance, research vulnerabilities, and draft spear-phishing messages with greater accuracy and sophistication.

🎯 In addition to spear-phishing, the group is known to engage in benign conversation starter campaigns to establish long-term exchanges of information on topics of strategic importance to the North Korean regime. Leveraging personas associated with think tanks and non-governmental organisations, Emerald Sleet enhances the legitimacy of its emails, increasing the likelihood of successful attacks.

🔒 Recent tactics employed by North Korean hacking groups include the abuse of lax Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies to spoof personas and the incorporation of web beacons for target profiling. These tactics demonstrate the threat actors' agility in adjusting their strategies to evade detection and improve effectiveness.
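The "lax DMARC policy" the report refers to is concrete and checkable: a missing record, a record without `v=DMARC1`, or `p=none` all let mail that spoofs the domain in its From: header through. As an added example (not from the article or Microsoft's report), this Python grades DMARC records against a constructed table of invented `.example` domains; in production the lookup would be a DNS TXT query for `_dmarc.<domain>`.

```python
# Constructed sample DMARC TXT records (invented domains, not from the article),
# keyed by the _dmarc.<domain> name they would be published under.
SAMPLE_RECORDS = {
    "_dmarc.lax-thinktank.example": "v=DMARC1; p=none; rua=mailto:reports@lax-thinktank.example",
    "_dmarc.partial.example": "v=DMARC1; p=quarantine; pct=10",
    "_dmarc.strict.example": "v=DMARC1; p=reject; adkim=s; aspf=s",
    "_dmarc.broken.example": "p=reject",  # no v=DMARC1 tag, so receivers ignore it
}

def parse_dmarc(record):
    """Split a DMARC record into a lower-cased tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    """Return (verdict, reason). 'lax' means mail spoofing the domain in its
    From: header is normally delivered unchallenged, which is the weakness
    the article says these persona-spoofing campaigns rely on."""
    if record is None:
        return "lax", "no DMARC record published"
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "lax", "record lacks v=DMARC1, so receivers ignore it"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "lax", f"missing or invalid p= tag ({policy!r})"
    if policy == "none":
        return "lax", "p=none only requests reports; failing mail is still delivered"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        return "partial", f"p={policy} is applied to only {pct}% of failing mail"
    return "enforced", f"p={policy} is applied to all failing mail"

def assess_domain(domain, records=SAMPLE_RECORDS):
    """Look the domain up in the sample table; in practice this would be a
    DNS TXT query for _dmarc.<domain>."""
    return assess_dmarc(records.get(f"_dmarc.{domain}"))

if __name__ == "__main__":
    for name in ("lax-thinktank", "partial", "strict", "broken", "missing"):
        print(f"{name}.example:", *assess_domain(f"{name}.example"))
```

Only `enforced` stops a spoofed persona at the receiving side; `partial` (`pct` below 100) still lets most spoofed mail through.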

💰 While engaging in cryptocurrency heists and supply chain attacks, groups like Jade Sleet (linked to thefts totaling over $160 million) and Diamond Sleet (aka Lazarus Group) continue to pose significant threats. Lazarus Group, in particular, is noted for its use of intricate methods such as Windows Phantom DLL Hijacking and TCC database manipulation to deploy malware and undermine security protections.

🔍 The Konni group has also launched a new campaign utilising Windows shortcut (LNK) files to deliver malicious payloads, employing obfuscation techniques to evade detection and locate embedded files.

🛡️ As state-sponsored hacking groups continue to evolve their tactics and techniques, enhanced cybersecurity measures and collaboration between industry and government entities are crucial to mitigating these threats effectively.


Whatever you do, don’t let it hatch! 🐣🐣🐣

🚨 APT28 Exploits Windows Print Spooler Flaw with GooseEgg Malware 🛡️

🔍 A new threat dubbed GooseEgg has emerged, attributed to the Russia-linked nation-state threat actor APT28, also known as Fancy Bear or Forest Blizzard. This sophisticated malware leverages a security vulnerability in the Microsoft Windows Print Spooler component to execute privilege escalation, posing a significant risk to targeted organisations.

🔓 The flaw exploited by GooseEgg, tracked as CVE-2022-38028 with a CVSS score of 7.8, was patched by Microsoft in October 2022, following its discovery by the U.S. National Security Agency (NSA).

🌐 APT28 has employed GooseEgg in a series of targeted attacks against governmental, non-governmental, educational, and transportation sector organisations across Ukraine, Western Europe, and North America.

🔨 "Forest Blizzard has used the tool […] to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions," stated Microsoft's threat intelligence team.

📝 Despite its seemingly simplistic nature, GooseEgg enables APT28 to execute various malicious actions, including remote code execution, backdoor installation, and lateral movement within compromised networks.

💂‍♂️ APT28, specifically affiliated with Unit 26165 of the Russian Federation's GRU, has been operational for nearly 15 years, primarily focusing on intelligence collection to support Russian foreign policy initiatives.

🔄 In recent operations, APT28 has demonstrated agility by exploiting other vulnerabilities, such as CVE-2023-23397 in Microsoft Outlook and CVE-2023-38831 in WinRAR, showcasing their ability to swiftly adopt public exploits into their arsenal.

🔍 "Forest Blizzard's objective in deploying GooseEgg is to gain elevated access to target systems and steal credentials and information," highlighted Microsoft, emphasising the threat posed by APT28's continued activities.

📑 GooseEgg's capabilities include executing provided DLLs or executables with elevated permissions, facilitated by a batch script launcher. The malware verifies successful exploitation using commands like whoami.

💻 This disclosure coincides with IBM X-Force's revelation of new phishing attacks by the Gamaredon actor, targeting Ukraine and Poland with iterations of the GammaLoad malware, suggesting an escalation in threat actor resources and capabilities.

🔒 As cyber threats evolve, organisations must remain vigilant, promptly applying security patches and adopting robust defence strategies to mitigate the risk posed by sophisticated threat actors like APT28.

🎣 Catch of the Day!! 🌊🐟🦞

πŸƒΒ The Motley Fool: β€œFool me once, shame on β€” shame on you. Fool me β€” you can't get fooled again.” Good ol’ George Dubya πŸ˜‚ Let us tell who’s not fooling around though; that’s the CrΓΌe πŸ‘€ at Motley Fool. You’d be a fool (alright, enough already! πŸ™ˆ) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! πŸ› Kidding aside, if you check out their website they’ve actually got a ton of great content with a wide variety of different investment ideas to suit most budgets πŸ€‘Β (LINK)

🚡 Wander: Find your happy place. Cue Happy Gilmore flashback πŸŒοΈβ›³πŸŒˆπŸ•ŠοΈ Mmmm Happy Place… πŸ˜‡ So, we’ve noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breath-taking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the free and the home of the brave is news of rioting, looting and school shootings, it’s easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels sets Wander apart from your run of the mill American getaway 🏞️😍 (LINK)

🌊 Digital Ocean: If you build it they will come. Nope, we’re not talking about a baseball field for ghosts βšΎπŸ‘»πŸΏ (Great movie, to be fair πŸ™ˆ). This is the Digital Ocean who’ve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website you’ll find yourself catching the buzz even if you can’t code (guilty πŸ˜‘). But if you can and you’re looking for somewhere to test things out or launch something new or simply enhance what you’ve got, we’d recommend checking out their services fo’ sho πŸ˜‰ And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! 🌿 (LINK)

Microsoft needs to Root this problem out πŸ’€

🚨 Exploiting DOS-to-NT Path Conversion Unveils Rootkit-Like Capabilities 🔍

🛡️ In a groundbreaking revelation, security researcher Or Yair from SafeBreach has unveiled how threat actors can leverage the DOS-to-NT path conversion process to acquire rootkit-like capabilities, enabling them to conceal and impersonate files, directories, and processes.

🔍 "When a user executes a function with a path argument in Windows, the DOS path undergoes conversion to an NT path," explained Yair during his presentation at the Black Hat Asia conference.

🔒 This conversion process, which is executed by most user-space APIs in Windows, removes trailing dots from any path element and trailing spaces from the last path element. This inherent flaw creates what Yair terms as "MagicDot paths," empowering unprivileged users with rootkit-like functionality.
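The practical consequence for a defender is that a file whose NT-level name ends in a dot or a space is shown in listings but cannot be addressed by that name through a DOS path, and it collides with a "clean" sibling after normalisation. As an added example (not from the article or from SafeBreach's research), this Python emulates only the stripping rule the article states and flags such entries in a constructed directory listing; real Windows path handling has more special cases than this.

```python
from collections import defaultdict

def dos_to_nt_name(path):
    """Emulate the normalisation step the article describes: trailing dots are
    stripped from every path element, and trailing spaces (and dots) from the
    last element. Returns the path as the NT layer would see it."""
    parts = path.split("\\")
    normalised = []
    for i, part in enumerate(parts):
        if i == len(parts) - 1:
            part = part.rstrip(" .")   # last element: trailing spaces and dots
        else:
            part = part.rstrip(".")    # intermediate elements: trailing dots only
        normalised.append(part)
    return "\\".join(normalised)

def find_magicdot_entries(names):
    """Given directory entry names as reported by a raw (NT-level) listing,
    return the names a DOS path can never address directly, plus groups of
    names that become indistinguishable after normalisation."""
    suspicious = []
    groups = defaultdict(list)
    for name in names:
        canon = dos_to_nt_name(name)
        groups[canon].append(name)
        if canon != name:
            suspicious.append(name)
    collisions = {k: v for k, v in groups.items() if len(v) > 1}
    return suspicious, collisions

# Constructed sample listing (not from the article): one entry carries a
# trailing dot and one a trailing space, the MagicDot pattern to look for.
SAMPLE_LISTING = ["svchost.exe", "svchost.exe.", "report.docx", "notes.txt "]

if __name__ == "__main__":
    flagged, clashes = find_magicdot_entries(SAMPLE_LISTING)
    print("unaddressable via DOS path:", flagged)
    print("collide after normalisation:", clashes)
```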

👥 These capabilities enable malicious actors to execute a series of nefarious actions without requiring admin permissions, all while remaining undetected. Among the exploits made possible are the ability to conceal files and processes, manipulate prefetch file analysis, deceive Task Manager and Process Explorer users, trigger denial-of-service (DoS) attacks on Process Explorer, and more.

🚨 The exploitation of this flaw has led to the discovery of four security shortcomings, three of which have been addressed by Microsoft:

  • Elevation of Privilege (EoP) Deletion Vulnerability: Allows deletion of files without necessary privileges (to be fixed in a future release).

  • Elevation of Privilege (EoP) Write Vulnerability: Enables writing into files without required privileges by tampering with the restoration process from a volume shadow copy (CVE-2023-32054).

  • Remote Code Execution (RCE) Vulnerability: Facilitates creation of a crafted archive leading to code execution upon file extraction (CVE-2023-36396).

  • Denial-of-Service (DoS) Vulnerability: Impacts Process Explorer when launching processes with lengthy executable names without file extensions (CVE-2023-42757).

πŸ” Yair emphasised that this research sheds light on how seemingly innocuous issues can be exploited to develop significant vulnerabilities, underscoring the broader implications for software vendors beyond Microsoft Windows.

🌐 This revelation not only exposes critical vulnerabilities in widely used desktop OS but also serves as a wake-up call for software vendors to diligently address known issues persisting across software versions, ensuring robust security measures.

πŸ—žοΈ Extra, Extra! Read all about it!

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • πŸ›‘οΈ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday πŸ“…

  • πŸ’΅Β Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for πŸ†“

  • πŸ“ˆΒ Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future πŸ‘Ύ


So long and thanks for reading all the phish!
