Analyzing North Korea's internet activity.
Recorded Future's Insikt Group released a report on North Korea's use of the internet as a tool to bypass international sanctions. Recorded Future's researchers have observed a 300% increase in the country's online activity since 2017 and conclude that this indicates "the normalization and professionalization of internet use among the North Korean elite." They explain that North Korean internet users can be assumed to be among the country's ruling class, including senior leadership and their family members. Recorded Future says North Korean users began using DNS tunneling in mid-2019, which the researchers believe implies either the users' desire to obfuscate data exfiltration or to bypass the Kim regime's content restriction policies.
Pyongyang uses the internet to generate revenue primarily by conducting bank heists, low-level financial crime, and acquiring cryptocurrency through theft, scams, cryptojacking, and in some cases, legitimate mining. Recorded Future describes North Korea as "a nation run like a criminal syndicate." The researchers say the country's use of the internet to circumvent sanctions is unique, but not necessarily difficult to achieve. They expect to see other financially isolated countries adopting this model, specifically Venezuela, Iran, and Syria.
Gamaredon conducts espionage against Ukrainian military.
Researchers at SentinelLabs describe new activity by the Russia-aligned Gamaredon threat group. The threat actor is "exclusively targeting" Ukraine's national security institutions, and SentinelLabs has identified attacks on "more than five thousand unique Ukrainian entities" in recent months. The researchers note that Gamaredon's activities appear to increase as kinetic conflict decreases, and they conclude that "[f]rom a military perspective, Gamaredon offers a cost-efficiency balance in which attempts to advance on the battlefield do not immediately lead to escalation and retaliation. It is a sophisticated way to opt-out of the traditional zero-sum game of any military operation by achieving offensive advantage without losing a political stance in a peace process."
Gamaredon has updated its custom malware to rely more on scripting to achieve persistence rather than simply trying to deliver an executable payload. The malware includes .NET's more recent interoperability integrator for Visual Basic for Applications, "Microsoft.Vbe.Interop," which uses a fake Microsoft digital certificate. In keeping with the group's past activity, the malware is distributed via spearphishing with macro-laden Microsoft Office and Excel documents.
Web shell attacks are on the rise.
Microsoft warns that attackers are increasingly deploying web shells on vulnerable web servers to gain a foothold within organizations' networks. To deploy the web shells, attackers are exploiting vulnerabilities in unpatched web applications, including CVE-2019-0604 in Microsoft SharePoint and CVE-2019-16759 in vBulletin. The shells often hide behind innocuous-looking file names, such as "index.aspx," "css.aspx," and "default.php."
Notable threat actors making use of this technique include North Korea's Lazarus Group (which Microsoft tracks as ZINC), the GALLIUM threat actor (which Cybereason believes is linked to China's APT10), and Russia's Turla group (known to Microsoft as KRYPTON).
Microsoft recommends monitoring internet-facing servers for new file writes and keeping an eye out for any processes that shouldn't be there, particularly "net.exe," "ping.exe," "systeminfo.exe," and "hostname.exe."
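A minimal detection pass over process-creation and file-write telemetry, added here as an illustration of the monitoring Microsoft recommends (this is not Microsoft's code, and the event field names and sample records are constructed assumptions; map them to your own EDR or Sysmon fields such as ParentImage, Image and TargetFilename):

```python
import ntpath

# Binaries Microsoft's advisory singles out as suspicious on a web server.
RECON_BINARIES = {"net.exe", "ping.exe", "systeminfo.exe", "hostname.exe"}
# Web server worker processes that should not be launching such tools.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe"}
# Server-side script extensions a dropped web shell is typically saved with.
SCRIPT_EXTS = {".aspx", ".asp", ".ashx", ".php", ".jsp"}

def basename(path):
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()

def flag_process_events(events):
    """Alert when a web worker is the parent of one of the recon binaries."""
    alerts = []
    for ev in events:
        parent, image = basename(ev["parent"]), basename(ev["image"])
        if parent in WEB_WORKERS and image in RECON_BINARIES:
            alerts.append(f"{parent} spawned {image}")
    return alerts

def flag_file_writes(writes, webroot):
    """Alert when a server-side script file is created under the web root."""
    root = ntpath.normcase(webroot).rstrip("\\") + "\\"
    alerts = []
    for w in writes:
        path = ntpath.normcase(w["path"])
        if path.startswith(root) and ntpath.splitext(path)[1] in SCRIPT_EXTS:
            alerts.append(f"{basename(w['process'])} wrote {ntpath.basename(w['path'])}")
    return alerts

# Constructed sample telemetry (assumed field names, not a real product schema).
EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\net.exe"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\ping.exe"},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\hostname.exe"},
]
FILE_WRITES = [
    {"path": r"C:\inetpub\wwwroot\css.aspx", "process": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"path": r"C:\inetpub\wwwroot\images\logo.png", "process": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"path": r"C:\Windows\Temp\index.aspx", "process": r"C:\Windows\notepad.exe"},
]

if __name__ == "__main__":
    for alert in flag_process_events(EVENTS) + flag_file_writes(FILE_WRITES, r"C:\inetpub\wwwroot"):
        print("ALERT:", alert)
```

The web-root check deliberately flags any new script file regardless of which process wrote it, since a deployment tool writing to the web root is rare enough to review by hand; tune the worker and extension sets to your platform.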
Chinese cybercriminal enterprises are expanding.
McAfee says the Chinese cybercriminal underground is following in the footsteps of Russia's underground with the rise of large, organized criminal groups. One of the drivers of this trend is Chinese groups' gradual adoption of deep web criminal networks to conduct business, rather than relying on one-to-one communication through Tencent's QQ instant messaging service. China's criminal groups have also expanded their targeting to include international targets, as opposed to primarily focusing on Chinese businesses.
Many Chinese cybercriminals specialize in data theft, and they sometimes rent out their services to conduct political or economic espionage for criminal customers. As a result, McAfee says it's becoming more difficult to distinguish criminal hacking from state-sponsored activity, since Chinese government hackers have a similar focus on espionage.
Public GitHub repos expose sensitive data.
Palo Alto Networks Unit 42 analyzed over 24,000 public GitHub uploads and identified a total of 12,000 pieces of potentially sensitive data. These included 2,328 hardcoded usernames and passwords, 1,089 OAuth tokens, 2,144 private keys, and 2,464 API keys. 18% of the hardcoded passwords were among the top ten most common passwords, including "password," "secret," "admin," and "1234." Additionally, the researchers state that "due to the high occurrence of these passwords appearing within URL API requests to common cloud services, like Redis, PostgreSQL, MongoDB, and AMPQ, it is highly likely these same pseudo complex passwords are used within cloud environments themselves."
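A small pre-commit style scanner for the categories Unit 42 counted (credentials in service URLs, hardcoded secrets, private keys), with a weak-password check against the values the report names. This is an added example, not Unit 42's tooling; the sample file is constructed, and the short weak-password set stands in for a full common-password list:

```python
import re

# Passwords the report lists among the leaks; load a full common-password
# list in real use (this short set is an assumption for the example).
WEAK_PASSWORDS = {"password", "secret", "admin", "1234"}

# Credentials embedded in URLs for the backends Unit 42 names (AMQP included).
URL_CRED_RE = re.compile(
    r"\b(redis|rediss|postgres|postgresql|mongodb|mongodb\+srv|amqp|amqps)://"
    r"([^:/\s@]+):([^@\s]+)@")
# Hardcoded assignments such as client_secret = "..." or api_key: '...'.
ASSIGN_RE = re.compile(
    r"(?i)\b[\w.]*(password|passwd|pwd|secret|api_?key|token)\s*[=:]\s*['\"]([^'\"]+)['\"]")
# PEM private-key headers (RSA, EC, OPENSSH, or unlabeled PKCS#8).
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")

def is_weak(password):
    """True when the secret is one of the known common passwords."""
    return password.lower() in WEAK_PASSWORDS

def scan_text(text):
    """Return (line_number, kind, weak) for each secret-like token found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if PRIVATE_KEY_RE.search(line):
            findings.append((lineno, "private_key", False))
        for m in URL_CRED_RE.finditer(line):
            findings.append((lineno, f"{m.group(1)}_url_credential", is_weak(m.group(3))))
        for m in ASSIGN_RE.finditer(line):
            findings.append((lineno, f"hardcoded_{m.group(1).lower()}", is_weak(m.group(2))))
    return findings

# Constructed sample of a config file that should never have been committed.
SAMPLE = """\
# constructed example; every value below is fake
DATABASE_URL = "postgres://app:password@db.internal:5432/app"
CACHE_URL = "redis://default:S3cure!Long#Value@cache.internal:6379/0"
client_secret = "admin"
api_key = "EXAMPLE-API-KEY-PLACEHOLDER"
-----BEGIN RSA PRIVATE KEY-----
(constructed key body elided)
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, kind, weak in scan_text(SAMPLE):
        print(f"line {lineno}: {kind}{' (common password)' if weak else ''}")
```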
Unit 42 emphasizes that based on their findings, "[t]he evidence points to nearly half of every scanned CloudFormation template (CFT) containing a potentially vulnerable configuration."
Bitbucket used to host malicious cracked software.
Cybereason discovered an attack campaign abusing Bitbucket to distribute an "arsenal" of malware via cracked versions of popular software, including Photoshop and Microsoft Office. While the use of code repository platforms to host malicious applications is nothing new, this campaign is notable both for the number of different malware samples delivered as well as for the scale of its apparent success.
The researchers linked a number of different Bitbucket repositories to the same threat actor, and conclude that "over 500,000 machines have been infected by the campaign so far, with hundreds of machines affected every hour." The campaign involves at least seven different strains of malware, including the STOP Ransomware, the IntelRapid cryptocurrency stealer, a dropper for the XMRig cryptominer, and the information stealing Trojans Predator, Azorult, Vidar, and Amadey bot.
Bitbucket's owner Atlassian removed the repositories after being notified by Cybereason, but The Register notes that these types of attacks are too widespread to stamp out entirely. Accordingly, users are advised to simply refrain from trying to download cracked software.