Mandiant experts noticed that North Korean hackers have focused their attention and attacks on information security specialists. Attackers try to infect researchers with malware in the hope of infiltrating the networks of companies that the targets work for.

Let me remind you that we also wrote that Nearly 50% of Cybersecurity Leaders Will Change Jobs by 2025, and also that Microsoft accused Russia and North Korea of attacks on pharmaceutical companies.

The media also wrote that FBI Links North Korean Lazarus Hackers to Harmony Hack and $100 Million Theft.

Mandiant says it first discovered the North Korean hacking campaign in June 2022 while tracking a phishing campaign targeting a US technology client. Then the hackers tried to infect the target with three new malware families (Touchmove, Sideshow and Touchshift).

Shortly thereafter, there was a spate of attacks on American and European media by the UNC2970 group, which Mandiant links to North Korea. For these attacks, UNC2970 used spear-phishing emails disguised as job offers in an attempt to coerce their targets into installing the malware.

Researchers say that UNC2970 recently changed tactics and now switched from using phishing emails to using fake LinkedIn accounts allegedly owned by HR. Such accounts carefully imitate the identities of real people in order to deceive the victims and increase the chances of the attack being successful.

After contacting the victim and making her an “interesting job offer”, the attackers try to transfer the conversation to WhatsApp, and then use either the messenger itself or email to deliver the backdoor, which Mandiant called Plankwalk, as well as other malware families.

Plankwalk and other malware in the group mainly use macros in Microsoft Word. When the document is open and macros are enabled, the target machine downloads and executes the malicious payload from the hackers’ servers (mostly hacked WordPress sites). As a result, a ZIP archive is delivered to the target machine, which, among other things, contains a malicious version of the TightVNC remote desktop application that Mandiant monitors under the name LIDSHIFT.

One of the documents used for the attacks can be seen below, where the hackers impersonate the New York Times.

As a result, Plankwalk paves the way for introducing additional tools to the target machine, including:

1. TOUCHHIFT is a dropper that downloads other malware, ranging from keyloggers and screenshot utilities to full-featured backdoors;
2. TOUCHSHOT – takes screenshots every three seconds;
3. TOUCHKEY – a keylogger that captures keystrokes and intercepts data from the clipboard;
4. HOOKSHOT is a tunneling tool that connects via TCP to communicate with the server management server;
5. TOUCHMOVE – a loader designed to decrypt and execute a payload;
6. SIDESHOW is an AC/C++ backdoor that runs arbitrary commands and communicates via HTTP POST requests with its command and control server.

It is also reported that UNC2970 used Microsoft Intune to manage endpoints and download a PowerShell script containing a payload in the form of a CLOUDBURST backdoor written in C. It is assumed that UNC2970 uses this legitimate application to bypass endpoint protection.

The post North Korean Hackers Attack Cybersecurity Specialists by Offering Them Jobs via LinkedIn appeared first on Gridinsoft Blog.

Information security researchers from the Check Point Software team said that phishers love the Microsoft brand. 43% of all attempts at phishing attacks were associated with it – attackers tried to influence people working remotely during the second wave of the pandemic.

Top brands most frequently used in phishing attacks:

1. Microsoft (43% of all phishing attacks attempts with the use of brand names worldwide)
2. DHL (18%)
3. LinkedIn (6%)
4. Amazon (5%)
5. Rakuten (4%)
6. IKEA (3%)
7. Google (2%)
8. Paypal (2%)
9. Chase (2%)
10. Yahoo (1%)

How a brand-based phishing attack works

In a phishing attack that is using brands, criminals try to imitate the official website of a well-known company using a domain name, URL and design similar to the original website.

Victims can receive a link to the fake page via email or SMS. They can also be redirected to a phishing site while browsing the web or from a malicious mobile application. Fake sites often contain a form designed to steal credentials, billing information or other personal information.

Examples of phishing attacks using brands:

A phishing email allegedly from DHL – an example of password theft

In November, Check Point researchers noticed a malicious phishing email that used the DHL trademark. Then the attackers tried to steal user passwords. The email that came from a fake email address Parcel.docs@dhl.com contained the following text:

“RE: Your DHL Parcel (available to receive) – []”. Cybercriminals tried to trick the victim into clicking a malicious link that redirected to a fake login page. There, the user had to enter his password, which would then be sent to the attackers’ site.

Phishing email allegedly from Microsoft – an example of credential theft.

In December, Check Point researchers discovered a malicious phishing email that attempted to steal user credentials from a Microsoft Office 365 account. In the subject of the email was indicated: “Daily Document Delivery # – “, and the content that mimicked eFax. After the user clicked on the link, he was lead to another document that redirected the user to a fake Microsoft login page.

Let me remind you that I talked about cybercriminals that started using Google services more often in phishing campaigns.

The post Hackers majorly use Microsoft and DHL brands in phishing attacks appeared first on Gridinsoft Blog.

Many developers are trying to remove such terms from their source code, applications, and online services.

For example, the developers of Android, the Go programming language, the PHPUnit library and the Curl utility have recently announced their intention to find alternatives for whitelist/blacklist. In turn, the authors of the OpenZFS project are already working on replacing the terms master/slave, used to describe the relationships between storage environments.

Although many projects do not use these terms directly in their source code or user interfaces, they turned their attention to their source repositories. The fact is that most of these projects manage source code using Git or GitHub, while Git and GitHub, in particular, use the name master for the default repository.

The developers of GitHub and Git write that they are already “working on the problem”, and a number of open source projects have already supported Black Lives Matter and themselves have changed the names of their repositories from default to various alternatives (such as main, default, primary, root, etc.). These include OpenSSL, Ansible, PowerShell, the P5.js JavaScript library, and many others.

Also in early July, developers of Microsoft, LinkedIn, Google, and Twitter also announced similar change. They all promised to change the technical language of their products and infrastructure and eliminate terms such as enslaver, slave, blacklist, whitelist and so on.

Linux developers also did not stand aside, and a discussion of more inclusive terminology has been going on for quite long time.

As it was recently reported, the issue has finally been resolved: Linus Torvalds made the appropriate commit and approved the new project policy regarding the design of code in the Linux 5.8 kernel branch (although initially it was proposed to make changes to the 5.9 branch).

It is expected that the new rules will be applied to the new code, while they do not plan to carry out revision of the old one, although the developers do not exclude that, in the end, the “renaming” will affect a considerable part of the existing code. Outdated terms will be allowed only in case of acute necessity.

The terms master/slave are now recommended to be replaced with the following analogues:

• primary, main/secondary, replica, subordinate;
• initiator, requester/target, responder;
• controller, host/device, worker, proxy;
• leader/follower;
• director/performer.

In turn, the terms blacklist / whitelist advise replacing with more neutral versions:

• denylist/allowlist
• blocklist/passlist.

Let me remind you also that Google vice president says “black hat” is not a neutral term.

The post Linus Torvalds approved exclusion of the terms slave, blacklist and others from the Linux kernel code appeared first on Gridinsoft Blog.