In a rare move, government officials have handed security researchers a seized server believed to be used by North Korean hackers to launch dozens of targeted attacks last year.
Known as Operation Sharpshooter, the server was used to deliver a malware campaign targeting governments, telecoms, and defense contractors — first uncovered in December. The hackers sent malicious Word document by email that would when opened run macro-code to download a second-stage implant, dubbed Rising Sun, which the hackers used to conduct reconnaissance and steal user data.
The Lazarus Group, a hacker group linked to North Korea, was the prime suspect given the overlap with similar code previously used by hackers, but a connection was never confirmed.
Now, McAfee says it’s confident to make the link.
“This was a unique first experience in all my years of threat research and investigations,” said Christiaan Beek, lead scientist and senior principal engineer at McAfee, told TechCrunch in an email. “In having visibility into an adversary’s command-and-control server, we were able to uncover valuable information that lead to more clues to investigate,” he said.
The move was part of an effort to better understand the threat from the nation state, which has in recent years been blamed for the 2016 Sony hack and the WannaCry ransomware outbreak in 2017, as well as more targeted attacks on global businesses.
In the new research seen by TechCrunch out Sunday, the security firm’s examination of the server code revealed Operation Sharpshooter was operational far longer than first believed — dating back to September 2017 — and targeted a broader range of industries and countries, including financial services and critical infrastructure in Europe, the U.K. and the U.S.
The research showed that server, operating as the malware’s command and control infrastructure, was written in the PHP and ASP web languages, used for building websites and web-based applications, making it easily deployed and highly scalable.
The back-end has several components used to launch attacks on the hackers’ targets. Each component has a specific role, such as the implant downloader, which hosts and pulls the implant from another downloader; and the the command interpreter, which operates the Rising Sun implant through an intermediate hacked server to help hide the wider command structure.
The researchers say that the hackers use a factory-style approach to building the Rising Sun, a modular type of malware that was pieced together different components over several years. “These components appear in various implants dating back to 2016, which is one indication that the attacker has access to a set of developed functionalities at their disposal,” said McAfee’s research. The researchers also found a “clear evolutionary” path from Duuzer, a backdoor used to target South Korean computers as far back as 2015, and also part of the same family of malware used in the Sony hack, also attributed to North Korea.
Although the evidence points to the Lazarus Group, evidence from the log files show a batch of IP addresses purportedly from Namibia, which researchers can’t explain.
“It is quite possible that these unobfuscated connections may represent the locations that the adversary is operating from or testing in,” the research said. “Equally, this could be a false flag,” such as an effort to cause confusion in the event that the server is compromised.
The research represents a breakthrough in understanding the adversary behind Operation Sharpshooter. Attribution of cyberattacks is difficult at best, a fact that security researchers and governments alike recognize, given malware authors and threat groups share code and leave red herrings to hide their identities. But obtaining a command and control server, the core innards of a malware campaign, is telling.
Even if the goals of the campaign are still a mystery, McAfee’s chief scientist Raj Samani said the insight will “give us deeper insights in investigations moving forward.”
Geico security breach exposed customers’ driver’s license numbers
A letter submitted by insurance company Geico to the California attorney general’s office details a data breach that took place earlier this year, exposing customers’ driver’s license numbers. The letter doesn’t include certain pertinent details such as how many people were potentially impacted by the security issue, though it did note the numbers may be used as part of unemployment benefits fraud.
The letter, which was first spied by TechCrunch, is dated April 9 and explains that the security incident took place from January 21 to March 1. During that time, the hacker(s) used customer data “acquired elsewhere” to get access to Geico subscribers’ driver’s license numbers using the company’s online sales system.
The company’s letter explains that it believes “this information could be used to fraudulently apply for unemployment benefits” in the customers’ names. For this reason, Geico customers who receive any unexpected mail from their state’s unemployment agency are encouraged to check it for signs of fraud taking place in their name.
Geico notes that it secured its website when it learned about the issue and that it investigated the cause of the breach. The company’s letter says that Geico has “implemented — and continues to implement — additional security enhancements to help prevent future fraud and illegal activities on our website.”
The company hasn’t yet published a security breach note on its website, but the letter is written to customers and explains that they will be offered a year’s subscription to IdentityForce for identity theft protection. The letter, it seems, includes a one-time code the customers can use to activate the free data monitoring service.
Nextdoor app targets toxic behavior with anti-racism warning
Nextdoor, the app that allows neighbors to connect with each other and share details about their communities, is introducing a new feature that will detect and warn against potentially racist content. The company announced the new feature today, explaining that it will ask users to reconsider their posts before sharing them if certain offensive language is detected.
If you’ve ever used Nextdoor, you’re likely familiar with some of the drama that can take place on community boards — as well as abusive behavior that not only ruins the experience for everyone, but that can also be harmful to people living in the community. Nextdoor’s new feature aims to reduce those messages.
The company says that it has rolled out an anti-racism prompt that will appear in the app when certain phrases are detected. Though the user won’t be blocked from posting, they will be asked to consider editing their content before publishing it to ensure it doesn’t violate the company’s policy and bring harm to users.
For example, Nextdoor has banned the use of the phrase ‘White Lives Matter’ and doesn’t allow the use of ‘Blue Lives Matter’ or ‘All Lives Matter’ if the post aims to ‘undermine racial equality.’ Users will see the warning starting this week on mobile devices.
This isn’t the first time Nextdoor has introduced a prompt designed to reduce problematic content on its platform. Back in 2019, Nextdoor introduced a warning called the ‘Kindness Reminder’ that spots ‘offensive language’ and encourages the user to edit their post or comment before sharing it.
Facebook plans huge audio push with Soundbites, podcasts, and tools
Facebook has announced some big plans related to audio and its place on the company’s primary social media platform. Starting later this year, the company plans to introduce multiple changes for its users, including the addition of sound creation tools backed by artificial intelligence and a new audio format the company calls Soundbites.
Podcasts are quite popular at the moment, and so it makes sense that Facebook would want to get in on the audio market. According to the company, it has ‘seen the continuing rise of audio on’ Messenger and WhatsApp, both of which enable users to record short voice clips rather than typing out messages.
Facebook plans to build upon this feature in a way that makes it both easier and more fun, it said in an announcement on Monday. This can include the ability to send the audio equivalent of reaction GIFs, such as a sound clip of cricket chirping to get your point across to someone.
These will be joined by some larger efforts, the first of which will be what Facebook calls ‘a sound studio in your pocket.’ Put simply, the company plans to introduce audio creation tools on mobile, making it possible for users to produce ‘magically great’ audio using AI tech. What would be the point of this?
Facebook says users can, for example, create background audio for their Stories, including the use of content from the company’s Sound Collection. Joining these tools will be Facebook’s new Soundbites audio format, which will be reserved for short audio clips — someone could, for example, share a Soundbite of them telling a joke rather than typing it out.
Likewise, Facebook says you’ll soon be able to play podcasts directly in its app, including in the background with your phone’s screen turned off. The feature will include podcast episodes and show recommendations made based on the user’s expressed interests, plus users will be able to follow and share shows.
Finally, Facebook says it will soon test Live Audio Rooms, a groups feature that will enable communities of people to participate in live audio sessions. This feature will enter testing this summer, while the podcasts will arrive ‘in the next few months,’ the same timeframe in which the company plans to start testing its Soundbites format.
Marvel drops first teaser for Shang-Chi and the Legend of Ten Rings
Simu Liu stars as a martial artist trying to escape his past in Shang-Chi and the Legend of the Ten...
More J&J troubles: Vaccine manufacturing halted and more possible clot cases
Enlarge / The Emergent BioSolutions plant, a manufacturing partner for Johnson & Johnson’s Covid-19 vaccine, in Baltimore, Maryland, on April...
Facebook is expanding Spotify partnership with new ‘Boombox’ project – TechCrunch
Facebook is deepening its relationship with music company Spotify and will allow users to listen to music hosted on Spotify...
Geico security breach exposed customers’ driver’s license numbers
A letter submitted by insurance company Geico to the California attorney general’s office details a data breach that took place...
Facebook announces new audio products – TechCrunch
Facebook reveals its Clubhouse competitor, Parler will return to Apple’s App Store and a helicopter flies on Mars. This is...
Social1 year ago
CrashPlan for Small Business Review
Gadgets3 years ago
A fictional Facebook Portal videochat with Mark Zuckerberg – TechCrunch
Mobile3 years ago
Memory raises $5M to bring AI to time tracking – TechCrunch
Social2 years ago
iPhone XS priciest yet in South Korea
Cars2 years ago
What’s the best cloud storage for you?
Security2 years ago
Google latest cloud to be Australian government certified
Social2 years ago
Apple’s new iPad Pro aims to keep enterprise momentum
Cars2 years ago
SK Telecom and Samsung to collaborate on 5G for enterprise