North Korean Hackers Target Software Developers in Job Interview Scam

Apr 29 2024



Welcome to Gone Phishing, your daily cybersecurity newsletter that cuts through the bull 💩

Today’s hottest cybersecurity news stories:

  • 📦 Fake npm packages trick devs into downloading Python backdoor 🐍

  • 📅 7-year-old MS Office flaw used to target Ukraine w/ Cobalt Strike ⚑

  • 💳 Proxy-driven credential stuffing attacks are exploding, says Okta 🗄️

There’s a snake in the grass 🐍

🚨 N. Korean Hackers Target Software Developers in Job Interview Scam 🎣💻🕵️‍♂️

An ongoing social engineering campaign dubbed DEV#POPPER is duping software developers with fake job interviews, leading to the unwitting installation of a Python backdoor. 💼🔓

The Deceptive Scheme 🎭

North Korean threat actors are behind the campaign, according to cybersecurity firm Securonix. Under the guise of employment opportunities, developers are tricked into downloading and executing malicious Node.js payloads disguised as legitimate software tasks. These payloads, including the BeaverTail malware, facilitate unauthorised access to victims' systems. 🕵️‍♂️🔗

Recurring Threats 💬💻

This tactic mirrors previous activities like Contagious Interview, identified by Palo Alto Networks Unit 42, and Operation Dream Job by the Lazarus Group. Both involve luring victims with fake job offers and delivering malware, highlighting a persistent threat landscape in the cybersecurity realm. Contagious Interview, specifically targeting developers, utilises fake identities in freelance job portals and leverages npm packages to deploy malware such as BeaverTail and InvisibleFerret. 🚨💰

Complex Attack Chain 📈🔒

The attack begins with a ZIP archive hosted on GitHub, containing seemingly benign npm modules housing malicious JavaScript files. Once executed, these files deploy a Python backdoor named InvisibleFerret, allowing attackers to syphon sensitive data and execute commands remotely. The InvisibleFerret backdoor, retrieved from a remote server, grants the attackers access to the compromised system, enabling a range of malicious activities, including system information gathering, command execution, file enumeration and exfiltration, and clipboard and keystroke logging. 🔓

Stay Vigilant 🚨👀

As threat actors continue to refine their tactics, vigilance during job interviews and other communications is crucial. Maintaining a security-focused mindset can help prevent falling victim to these sophisticated social engineering attacks. Stay informed and cautious when engaging in any online activities, especially those involving potential employment opportunities. 💪🔒
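The attack chain above hinges on two things a developer can check before running a "take-home task": an npm package that executes code at install time, and JavaScript that hides what it does. The following script is an added example (not from the newsletter, Securonix or any of the reports cited) that audits an unpacked package for exactly those traits; the sample package contents and the regex indicators are constructed assumptions, so a clean result is a hint, not a guarantee.

```python
"""Static pre-flight check for an npm package received as a job "task".

Added example, not from the newsletter or the vendor reports it cites.
Flags install-time lifecycle hooks and loader-style JavaScript patterns.
"""
import json
import re

# npm lifecycle hooks that run arbitrary commands during `npm install`
INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

# Heuristic indicators (assumptions, not proof) often seen in JS loaders
SUSPICIOUS_JS = [
    (re.compile(r"\beval\s*\("), "eval() of dynamically built code"),
    (re.compile(r"new\s+Function\s*\("), "Function() constructor"),
    (re.compile(r"child_process"), "spawns external processes"),
    (re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]"), "base64-decoded blob"),
    (re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}"), "hard-coded IP address URL"),
    (re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"), "long hex-escaped string"),
]


def audit_package(files):
    """files: mapping of relative path -> text content of an unpacked package.

    Returns a list of (path, reason) findings; an empty list means nothing
    in the package matched the indicators above.
    """
    findings = []
    manifest = files.get("package.json")
    if manifest is not None:
        try:
            scripts = json.loads(manifest).get("scripts", {})
        except ValueError:
            findings.append(("package.json", "manifest is not valid JSON"))
            scripts = {}
        for hook in sorted(INSTALL_HOOKS & set(scripts)):
            findings.append(("package.json", f"install-time hook '{hook}': {scripts[hook]}"))
    for path, text in files.items():
        if not path.endswith((".js", ".cjs", ".mjs")):
            continue
        for pattern, reason in SUSPICIOUS_JS:
            if pattern.search(text):
                findings.append((path, reason))
        # very long single lines are typical of minified or obfuscated droppers
        if any(len(line) > 2000 for line in text.splitlines()):
            findings.append((path, "line longer than 2000 chars (minified/obfuscated?)"))
    return findings


# Constructed sample: a "task" whose postinstall hook runs a small loader
SAMPLE_PACKAGE = {
    "package.json": json.dumps({
        "name": "interview-task",
        "scripts": {"test": "jest", "postinstall": "node lib/setup.js"},
    }),
    "lib/setup.js": (
        "const cp = require('child_process');\n"
        "const blob = Buffer.from('aGVsbG8=', 'base64').toString();\n"
        "eval(blob);\n"
    ),
    "src/index.js": "module.exports = (a, b) => a + b;\n",
}

if __name__ == "__main__":
    for path, reason in audit_package(SAMPLE_PACKAGE):
        print(f"{path}: {reason}")
```

Run it against the extracted archive (read each file into the mapping) before `npm install`, and treat any install-time hook in a supposed coding exercise as reason enough to stop; legitimate test repositories rarely need one.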

Russian hackers: Step into my Office 💀

🚨 Cyber Strike Targets Ukraine with Microsoft Office Flaw Exploit 💻🎯

A targeted cyber operation aimed at Ukraine has been uncovered, exploiting a nearly seven-year-old vulnerability in Microsoft Office to deploy the infamous Cobalt Strike tool. 🕵️‍♂️💼

Sneaky, Sneaky 🎭

The attack, revealed by cybersecurity firm Deep Instinct, kicks off with a PowerPoint slideshow file, possibly distributed via the Signal messaging app. While it's not confirmed, the filename implies a Signal origin. The file masquerades as a U.S. Army mine clearing manual but harbours a remote relationship to an external OLE object, leveraging the CVE-2017-8570 flaw in Microsoft Office for remote code execution. 📂🔓

Intricate Execution 📈🛠️

Upon exploitation, a heavily obfuscated script loads an HTML file with JavaScript code, establishing persistence on the victim's system and dropping a malicious payload masquerading as the Cisco AnyConnect VPN client. This payload injects a cracked Cobalt Strike Beacon into system memory, awaiting commands from a remote server. 🧩🔒

Uncertain Origins, Ambiguous Goals ❓🎯

Despite military-themed lures, the attacker's choice of domain names, like weavesilk[.]space and petapixel[.]fun, seems unrelated. It's unclear why these obscure sites were chosen to deceive military personnel. Moreover, the attack's exact purpose remains unknown. 🤔💭
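The "remote relationship to an external OLE object" is visible in the document itself: an Office file is a ZIP of XML parts, and every part's `.rels` file lists its relationships, with `TargetMode="External"` marking any that point outside the package. The checker below is an added example (not Deep Instinct's tooling) that walks those relationship parts and flags an external OLE object; the minimal sample archive it builds is constructed, and the `placeholder.invalid` target is a placeholder, not an indicator from the report.

```python
"""Flag OOXML files (pptx/ppsx/docx/xlsx) whose relationship parts point at an
external OLE object. Added example, not from the newsletter or Deep Instinct."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def external_relationships(data):
    """Return (part, rel_id, type, target) for every relationship in the
    archive whose TargetMode is External; empty list means none found."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                # a deliberately malformed .rels part is itself worth a look
                hits.append((name, None, "unparseable", None))
                continue
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") == "External":
                    hits.append((name, rel.get("Id"), rel.get("Type"), rel.get("Target")))
    return hits


def is_suspicious(data):
    """True when an external relationship is an OLE object or a .rels part
    could not be parsed. Plain external hyperlinks are common in slides and
    are reported by external_relationships() but not flagged here."""
    for _part, _rid, rtype, _target in external_relationships(data):
        if rtype in (OLE_TYPE, "unparseable"):
            return True
    return False


def build_sample(external_ole):
    """Construct a minimal pptx-like archive (real files have many more parts).
    With external_ole=True the slide references an OLE object by URL."""
    rels = ['<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/slideLayout" '
            'Target="../slideLayouts/slideLayout1.xml"/>']
    if external_ole:
        rels.append(f'<Relationship Id="rId2" Type="{OLE_TYPE}" '
                    'Target="http://placeholder.invalid/object" TargetMode="External"/>')
    xml = (f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
           + "".join(rels) + "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<sld/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", xml)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample(False)), ("external OLE", build_sample(True))):
        print(label, "->", "SUSPICIOUS" if is_suspicious(doc) else "ok",
              external_relationships(doc))
```

Point `external_relationships()` at the bytes of a real attachment (`open(path, "rb").read()`) in a mail gateway or sandbox pre-filter; the same walk also surfaces external templates and remote images, which is useful context even when only the OLE case is blocked outright.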

Sandworm Strikes Ukraine's Critical Infrastructure ⚑

Meanwhile, CERT-UA disclosed attacks by the Russian state-sponsored group UAC-0133, a sub-cluster within Sandworm, targeting energy, water, and heating suppliers in Ukraine. The attacks, aimed at sabotaging critical operations, employ malware like Kapeka and its Linux variant BIASBOAT, along with GOSSIPFLOW and LOADGRIP. Sandworm, linked to Russian military intelligence, is known for disruptive and destructive operations against Ukraine since at least 2009. 🚨🔥

Stay vigilant against cyber threats, and remember: even the oldest vulnerabilities can be exploited by skilled adversaries. Keep your systems updated and your cybersecurity defences strong. 💪🔒

Listen to your good Doctor Okta 👨‍⚕️

🚨 Okta Warns of Surge in Credential Stuffing Attacks 🔒🛡️

Identity and access management (IAM) services provider Okta has raised the alarm over a notable increase in credential stuffing assaults targeting online services. 📈💻

Rising Threat Landscape

Okta's alert, published Saturday, highlights a significant surge in the "frequency and scale" of credential stuffing attacks, fuelled by the widespread availability of residential proxy services, combo lists, and automation tools. These attacks have intensified over the past month, signalling a concerning trend in cyber threats. 📈💥

Unprecedented Assaults 💣

The spike in attacks aligns with recent advisories from Cisco, shedding light on a global uptick in brute-force attacks targeting VPN services, web app authentication interfaces, and SSH services since March 18, 2024. These assaults, originating from TOR exit nodes and anonymising tunnels, have targeted a wide range of devices, including VPN appliances and routers from various vendors. 🔒

Okta's Discovery 🕵️‍♂️🔎

Okta's Identity Threat Research unearthed a surge in credential stuffing activity from April 19 to April 26, 2024, with the attacks leveraging similar infrastructure. An alarming aspect of these assaults is their reliance on anonymising services like TOR, routing millions of requests through residential proxies such as NSOCKS, Luminati, and DataImpulse. 📉🔓

Understanding Credential Stuffing 🤔

Credential stuffing attacks exploit credentials obtained from data breaches or phishing campaigns to gain unauthorised access to user accounts on unrelated services. The attackers leverage anonymising services to obscure their malicious traffic, making detection and attribution challenging. 👥

Mitigation Measures 🛡️🔑

To counter the threat of account takeovers, Okta recommends enforcing strong passwords, implementing two-factor authentication (2FA), blocking requests from suspicious locations or IP addresses with poor reputations, and supporting passkeys. These proactive measures can help organisations bolster their defences against credential stuffing attacks and safeguard user accounts. 💪🔒
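What distinguishes credential stuffing in an authentication log is the shape of the traffic: one source trying many different usernames in a short window, with nearly every attempt failing, which is different from a user mistyping their own password or a brute-force run against a single account. The script below is an added example (not Okta's or Cisco's detection logic) that applies that heuristic to constructed sample log lines and reports the sources worth blocking, plus any account that a flagged source managed to log into. The log format, thresholds and IP addresses are all assumptions.

```python
"""Spot credential-stuffing sources in an authentication log.

Added example, not from the newsletter or Okta. Heuristic: a source IP that
tries at least MIN_USERS distinct usernames inside WINDOW with a success rate
at or below MAX_SUCCESS_RATE. Log lines below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<iso time> <source ip> <username> <result>"
SAMPLE_LOG = """\
2024-04-20T10:00:01 203.0.113.10 alice success
2024-04-20T10:00:02 198.51.100.7 u0001 failure
2024-04-20T10:00:02 198.51.100.7 u0002 failure
2024-04-20T10:00:03 198.51.100.7 u0003 failure
2024-04-20T10:00:03 198.51.100.7 u0004 failure
2024-04-20T10:00:04 198.51.100.7 u0005 success
2024-04-20T10:00:04 198.51.100.7 u0006 failure
2024-04-20T10:00:05 198.51.100.7 u0007 failure
2024-04-20T10:00:05 198.51.100.7 u0008 failure
2024-04-20T10:00:06 198.51.100.7 u0009 failure
2024-04-20T10:00:06 198.51.100.7 u0010 failure
2024-04-20T10:00:10 203.0.113.10 alice failure
2024-04-20T10:00:20 203.0.113.10 alice success
2024-04-20T10:05:00 192.0.2.44 bob failure
2024-04-20T10:05:30 192.0.2.44 bob failure
2024-04-20T10:06:00 192.0.2.44 bob failure
2024-04-20T10:06:30 192.0.2.44 bob failure
2024-04-20T10:07:00 192.0.2.44 bob failure
2024-04-20T10:07:30 192.0.2.44 bob failure
"""


def parse(log_text):
    """Return a list of (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "success"))
    return events


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=8, max_success_rate=0.2):
    """Map of flagged source IP -> stats for the first window that tripped the
    heuristic. A single-account brute force (one username, many failures) is
    deliberately not flagged here; it is a different pattern with a different
    response (lock the account, not the source)."""
    by_ip = defaultdict(list)
    for ev in parse(log_text):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        for i in range(len(evs)):
            # grow the window forward from event i
            j = i
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            chunk = evs[i:j]
            users = {e[2] for e in chunk}
            successes = [e[2] for e in chunk if e[3]]
            if len(users) >= min_users and len(successes) / len(chunk) <= max_success_rate:
                flagged[ip] = {
                    "window_start": evs[i][0].isoformat(),
                    "attempts": len(chunk),
                    "distinct_users": len(users),
                    # accounts to treat as compromised until proven otherwise
                    "succeeded_for": sorted(set(successes)),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

The flagged sources are what the "block requests from IP addresses with poor reputations" advice turns into in practice, and the `succeeded_for` list is the part that needs a human: each of those accounts should have its sessions revoked and its password reset, which is also where 2FA or passkeys would have stopped the login in the first place.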

πŸ—žοΈ Extra, Extra! Read all about it! πŸ—žοΈ

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • πŸ›‘οΈ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday πŸ“…

  • πŸ’΅Β Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for πŸ†“

  • πŸ“ˆΒ Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future πŸ‘Ύ

Let us know what you think.

So long and thanks for reading all the phish!
