WTH? DPRK IT WFH: Justice Department says N. Korean hackers are getting remote IT jobs, posing as Americans.

The post North Korea IT Worker Scam Brings Malware and Funds Nukes appeared first on Security Boulevard.

Source: securityaffairs.com – Author: Pierluigi Paganini North Korea-linked Kimsuky APT attack targets victims via Messenger North Korea-linked Kimsuky APT group employs rogue Facebook accounts to target victims via Messenger and deliver malware. Researchers at Genius Security Center (GSC) identified a new attack strategy by the North Korea-linked Kimsuky APT group and collaborated with the Korea Internet & […]

La entrada North Korea-linked Kimsuky APT attack targets victims via Messenger – Source: securityaffairs.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

The US government has announced charges, seizures, arrests and rewards as part of an effort to disrupt a scheme that generates revenue for North Korea.

The post Woman Accused of Helping North Korean IT Workers Infiltrate Hundreds of US Firms appeared first on SecurityWeek.

The U.S. federal prosecutors on Thursday revealed charges against a North Korean job fraud nexus that ran its fraudulent scheme to generate illicit revenue for Kim Jong Un’s regime and support its sanctioned nuclear program. The U.S. Department of Justice indicted an Arizona woman, a Ukrainian man and three North Korean nationals for their alleged participation in job fraud schemes that placed overseas information technology workers – posing as U.S. citizens and residents - in remote positions at U.S. companies. This job fraud nexus scammed more than 300 U.S. companies and accumulated at least $6.8 million, said the unsealed indictment of Christina Marie Chapman, 49, from Litchfield Park, Arizona. The U.S. State Department said that between October 2020 and October 2023, Chapman, a U.S. citizen, helped North Korean IT workers under the aliases Jiho Han, Chunji Jin and Haoran Xu, to fraudulently obtain work as remote software and applications developers with companies in a range of sectors and industries including a major television network, a Silicon Valley technology company, an aerospace and defense company, an American car manufacturer, a luxury retail store and a U.S.-hallmark media and entertainment company.

“They also attempted - but failed - to gain similar employment at two U.S. government agencies,” the State Department said.

In pursuit of running the job fraud scheme, Chapman and her co-conspirators took help of identity fraud. “They compromised more than 60 identities of (legitimate) U.S. persons, impacted more than 300 U.S. companies, caused false information to be conveyed to the Department of Homeland Security on more than 100 occasions, created false tax liabilities for more than 35 U.S. persons, and resulted in at least $6.8 million of revenue to be generated for the overseas IT workers,” the Justice Department said.

Chapman’s Role in Job Fraud

Chapman hosted a “laptop farm,” for the North Korean IT workers at her residence, so that the computers appeared to be located within the United States on a daily basis.

“She also helped launder the proceeds from the scheme by receiving, processing, and distributing paychecks from the U.S. firms to these IT workers and others,” the State Department said.

Chapman was arrested on Wednesday in her hometown in Arizona and faces a litany of counts including conspiracy to defraud the United States, conspiracy to commit wire fraud, conspiracy to commit bank fraud, aggravated identity theft, conspiracy to commit identity fraud, conspiracy to launder monetary instruments, operating as an unlicensed money transmitting business, and unlawful employment of aliens.

Didenko, the Facilitator

The Justice department also named a Ukrainian national Oleksandr Didenko, 27, in the unsealed charges. Didenko allegedly run a multi-year scheme to create accounts at U.S.-based freelance IT job search platforms under false identities and sold these accounts to overseas IT workers. Remote workers used these false identities to apply for jobs with unsuspecting companies. To facilitate this fraudulent activity, Didenko hosted a website “UpWorkSell”, which advertised the ability for remote IT workers to buy or rent accounts on various platforms using identities other than their own. The complaint alleged that Didenko offered a full array of services to allow an individual to pose under a false identity and market themselves for remote IT work, and that he knew that some of his customers were North Korean. Didenko managed approximately 871 proxy identities, provided proxy accounts for three freelance IT hiring platforms and for three different money service transmitters, the complaint against Didenko said. Together with the co-conspirators, Didenko facilitated the operation of at least three U.S.-based “laptop farms,” hosting approximately 79 computers. The Justice Department said it raided four U.S. residences under Didenko’s control where he ran laptop farms. He also laundered $920,000 worth payments since July 2018 in the job fraud scheme. Didenko was arrested in Poland on May 7, and the State Department is seeking his extradition.

The North Korean Trio

The three North Korean workers "are linked to the DPRK’s Munitions Industry Department, which oversees the development of the DPRK’s ballistic missiles, weapons production, and research and development programs," the State Department said. The department said the workers tried to get hired at two unnamed U.S. government agencies but failed three separate times. Details about the three North Korean IT workers are scarce but the State Department released an image of Jiho Han on its Rewards for Justice platform where it also announced a bounty of up to $5 million for information on any of these North Korean IT workers that leads to the disruption of financial mechanisms of the people engaged. [caption id="attachment_68911" align="aligncenter" width="1024"] Credit: U.S. Department of State[/caption]   The FBI also released an alert about North Korean IT workers and their scheme to defraud U.S. businesses and fund Pyongyang’s illicit activities.

Targeting of Illicit IT Worker Activities

The latest announcement comes almost a year after the U.S. Treasury announced sanctions on four entities that employed thousands of North Korean IT workers that help illicitly finance the regime's missile and weapons of mass destruction programs. The treasury, at the time, said North Korea had scores of “highly skilled” IT workers around the globe who “generate revenue that contributes to its unlawful WMD and ballistic missile programs.” These individuals, who can earn up to $300,000 annually, “deliberately” obscure their identities, locations and nationalities, using proxy accounts, stolen identities and falsified or forged documentation to apply for jobs, the Treasury said. The 15-member United Nations Security Council has long prohibited North Korea from engaging in nuclear tests and ballistic missile launches. Since 2006, the country has been under stringent UN sanctions, continuously bolstered by the Council to sever financial support for its weapons of mass destruction (WMD) development endeavors. Yet, Pyongyang has amassed a staggering $3 billion funding for its nuclear program from cyberattacks particularly on cryptocurrency related companies. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A Dutch court ruling on Tuesday found one of the co-founders of the now-sanctioned Tornado Cash cryptocurrency mixer service guilty of laundering $1.2 billion illicit cybercriminal proceeds. He was handed down a sentence of 5 years and 4 months in prison, as a result. Alexey Pertsev, a 31-year-old Russian national and the developer of Tornado Cash, awaited trial in the Netherlands on money laundering charges after his arrest in Amsterdam in August 2022, just days after the U.S. Treasury Department sanctioned the service for facilitating malicious actors like the Lazarus Group in laundering their illicit proceeds from cybercriminal activities. “The defendant declared that it was never his intention to break the law or to facilitate criminal activities,” according to a machine translated summary of the judgement. Instead Pertsev intended to offer a legitimate solution with Tornado Cash to a growing crypto community that craved privacy. He argued that “it is up to the users not to abuse Tornado Cash.” Pertsev also said that given the technical specifications of the cryptocurrency mixer service, it was impossible for him to prevent the abuse. However, the District Court of East Brabant disagreed, asserting that the responsibility for Tornado Cash's operations lay solely with its founders and lacked adequate mechanisms to prevent abuse. “Tornado Cash functions in the way the defendant and his cofounders developed Tornado Cash. So, the operation is completely their responsibility,” the Court said. “If the defendant had wanted to have the possibility to take action against abuse, then he should have built it in. But he did not.”

“Tornado Cash does not pose any barrier for people with criminal assets who want to launder them. That is why the court regards the defendant guilty of the money laundering activities as charged.”

Tornado Cash functioned as a decentralized cryptocurrency mixer, also known as a tumbler, allowing users to obscure the blockchain transaction trail by mixing illegally and legitimately obtained funds, making it an appealing option for adversaries seeking to cover their illicit money links. Tornado Cash laundered $1.2 billion worth of cryptocurrency stolen through at least 36 hacks including the theft of $625 million from the Axie Infinity hack in March 2022 by North Korea’s Lazarus Group hackers. The Court used certain undisclosed parameters in selecting these hacks due to which only 36 of them were taken into consideration. Without these parameters, more than $2.2 billion worth of illicit proceeds from Ether cryptocurrency were likely laundered. The Court also did not rule out the possibility of Tornado Cash laundering cryptocurrency derived from other crimes. The Court further described Tornado Cash as combining “maximum anonymity and optimal concealment techniques” without incorporating provisions to “make identification, control or investigation possible.” It failed to implement Know Your Customer (KYC) or anti-money laundering (AML) programs as mandated by U.S. federal law and was not registered with the U.S. Financial Crimes Enforcement Network (FinCEN) as a money-transmitting entity. "Tornado Cash is not a legitimate tool that has unintentionally been abused by criminals," it concluded. "The defendant and his co-perpetrators developed the tool in such a manner that it automatically performs the concealment acts that are needed for money laundering." In addition to the prison term, Pertsev was ordered to forfeit cryptocurrency assets valued at €1.9 million (approximately $2.05 million) and a Porsche car previously seized.

Other Tornado Cash Co-Founders Face Trials Too

A year after Pertsev’s arrest, the U.S. Department of Justice unsealed an indictment where the two other co-founders, Roman Storm and Roman Semenov, were charged with conspiracy to commit money laundering, conspiracy to operate an unlicensed money-transmitting business and conspiracy to violate the International Emergency Economic Powers Act. Storm goes to trial in the Southern District of New York later in September, while Semenov remains at large. The case has drawn a debate amongst two sides – privacy advocates and the governments. Privacy advocates argue against the criminalization of anonymity tools like Tornado Cash as it gives users a right to avoid financial surveillance, while governments took a firm stance against unregulated offerings susceptible to exploitation by bad actors for illicit purposes. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The US government warns of a North Korean threat actor abusing weak email DMARC settings to hide spear-phishing attacks.

The post US Says North Korean Hackers Exploiting Weak DMARC Settings  appeared first on SecurityWeek.

The South Korean National Police Agency sounded an alarm Tuesday for a targeted campaign from the North Korean hacker groups aimed at stealing the country’s defense technology. The announcement disclosed multiple successful breaches of hacking groups Lazarus, Andariel, and Kimsuky, which are all linked to Pyongyang’s stealthy hacking cartel. Exploiting vulnerabilities in both primary targets and their subcontractors, these groups planted malware capable of siphoning off valuable technological data. North Korean hacker groups directly infiltrated defense industry companies, hacked their partners with relatively weak security, stole the company's server account information, and then infiltrated major servers with malware, the police announcement said. The findings came from a joint operation by the National Police Agency and the Defense Acquisition Program Administration, which unearthed a series of compromises dating back to late 2022. Many affected companies were unaware of the breaches until authorities intervened. North Korean hackers have a common goal of stealing defense technology and are conducting an all-out attack by deploying multiple hacking groups in this campaign, making their attack methods more elaborate and diverse, the police agency said.

North Korean Hacker Groups Use Diverse Tactics

The police report delineates three distinct cases, each illustrating the diverse tactics employed by the hacking groups to pilfer defense-related technology. In one instance the Lazarus hackers breached a defense company's networks in November 2022 by exploiting loopholes in their network management. They targeted an external network server, infected it with malware, and leveraged an open port meant for testing to infiltrate the internal network. This allowed them access to sensitive data stored on employee computers, which they then exfiltrated to an overseas cloud server. The breach affected six computers, and evidence of the data leak was identified through analysis of both the victim company's systems and the overseas servers. [caption id="attachment_64775" align="aligncenter" width="895"] Lazarus hacker group’s attack chain. Credit: National Police Agency of South Korea[/caption] In the second case the Andariel hacker group gained access to defense industry data by compromising an employee account, which maintained servers for a defense industry partner. By injecting malicious code into the partner's servers around October 2022, they were able to extract and leak stored defense technology data. This breach exploited a loophole in how employees used their personal and professional email accounts for official system access. [caption id="attachment_64772" align="aligncenter" width="895"] Andariel hacker group attack chain. Credit: National Police Agency of South Korea[/caption] Lastly, Kimsuky seized upon a vulnerability in a defense subcontractor's email server between April and July 2023. T Over several months, they stole technical data by exploiting a flaw that allowed the download of large files sent via email from external sources without requiring login credentials. This method bypassed security measures, enabling the hackers to access and extract sensitive information undetected. [caption id="attachment_64773" align="alignnone" width="895"] Kimsuky hacker group’s attack chain. Credit: National Police Agency of South Korea[/caption] The National Police Agency said, “It is expected that North Korea’s hacking attempts targeting defense technology will continue, so not only defense companies but also partner companies must separate internal and external networks, change email passwords periodically, and set up account authentication such as two-step authentication.” Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A North Korea-linked threat actor hijacked the update mechanism of eScan antivirus to deploy backdoors and cryptocurrency miners.

The post North Korean Hackers Hijack Antivirus Updates for Malware Delivery appeared first on SecurityWeek.

The federal grants will support Samsung’s new chip manufacturing hub in Taylor, Texas, along with the expansion of an existing site in Austin.

© Adam Davis/EPA, via Shutterstock