Researchers obtain a command server used by North Korean hacker group – TechCrunch

In a rare move, government officials have handed security researchers a seized server believed to be used by North Korean hackers to launch dozens of targeted attacks last year.

The server was used to deliver a malware campaign, known as Operation Sharpshooter, that targeted governments, telecoms and defense contractors and was first uncovered in December. The hackers sent malicious Word documents by email that, when opened, ran macro code to download a second-stage implant, dubbed Rising Sun, which the hackers used to conduct reconnaissance and steal user data.

The Lazarus Group, a hacker group linked to North Korea, was the prime suspect given the overlap with similar code previously used by hackers, but a connection was never confirmed.

Now, McAfee says it is confident enough to make the link.

“This was a unique first experience in all my years of threat research and investigations,” Christiaan Beek, lead scientist and senior principal engineer at McAfee, told TechCrunch in an email. “In having visibility into an adversary’s command-and-control server, we were able to uncover valuable information that led to more clues to investigate,” he said.

The move was part of an effort to better understand the threat from the nation state, which has in recent years been blamed for the 2016 Sony hack and the WannaCry ransomware outbreak in 2017, as well as more targeted attacks on global businesses.

In the new research seen by TechCrunch and published Sunday, the security firm’s examination of the server code revealed that Operation Sharpshooter was operational far longer than first believed, dating back to September 2017, and targeted a broader range of industries and countries, including financial services and critical infrastructure in Europe, the U.K. and the U.S.

The modular command and control structure of the Rising Sun malware. (Image: McAfee)

The research showed that the server, which operated as the malware’s command and control infrastructure, was written in PHP and ASP, web languages used for building websites and web applications, which made it easy to deploy and highly scalable.

The back end has several components used to launch attacks on the hackers’ targets. Each component has a specific role, such as the implant downloader, which hosts the implant and pulls it from another downloader, and the command interpreter, which operates the Rising Sun implant through an intermediate hacked server to help hide the wider command structure.

The researchers say that the hackers use a factory-style approach to building Rising Sun, a modular type of malware pieced together from different components over several years. “These components appear in various implants dating back to 2016, which is one indication that the attacker has access to a set of developed functionalities at their disposal,” said McAfee’s research. The researchers also found a “clear evolutionary” path from Duuzer, a backdoor used to target South Korean computers as far back as 2015 and part of the same malware family used in the Sony hack, which has also been attributed to North Korea.

Although the evidence points to the Lazarus Group, the server’s log files show a batch of IP addresses purportedly from Namibia, which the researchers can’t explain.

“It is quite possible that these unobfuscated connections may represent the locations that the adversary is operating from or testing in,” the research said. “Equally, this could be a false flag,” such as an effort to cause confusion in the event that the server is compromised.

The research represents a breakthrough in understanding the adversary behind Operation Sharpshooter. Attribution of cyberattacks is difficult at best, a fact that security researchers and governments alike recognize, since malware authors and threat groups share code and leave red herrings to hide their identities. But obtaining a command and control server, the core of a malware campaign’s infrastructure, is telling.

Even if the goals of the campaign are still a mystery, McAfee’s chief scientist Raj Samani said the insight will “give us deeper insights in investigations moving forward.”


The Dodge M80 Was A Throwback Truck Concept Ahead Of Its Time

If Fisher-Price had made combat vehicles in World War II, they might have looked like the Dodge M80 concept. The M80 was a retro-inspired vehicle in the same way that the PT Cruiser and Plymouth Prowler harkened back to the old days of motoring. Unlike the PT Cruiser and the poor Prowler, though, the M80 didn’t make anyone who looked at it think cars in general were a bad idea.

As reported by Canadian Driver in 2002, the Dodge M80’s exterior was entirely new, but it had familiar bones: it was based on the Dodge Dakota and was powered by a 3.7-liter, 210-horsepower V6. With an estimated weight of just 2,500 pounds, it would have been a featherweight next to other trucks of the time. For comparison, a Ford Ranger from the same year had a curb weight of 3,085 pounds (via Edmunds). Where the M80 really shined was its proposed simplicity and capability. The interior was spartan and therefore easy to clean. Pictures of the concept show compartments galore, including a rear window that either gave access to the bed from inside the cab or effectively lengthened the truck bed. GMC is currently putting a similar feature to use in the EV version of the Sierra.

The Dodge M80 unfortunately never came to pass. As such, it was not able to breathe life into the floundering compact truck market at the beginning of the new Millennium. Fortunately, the future is bright for small trucks with the introduction of the Ford Maverick and Hyundai Santa Cruz.


Why You Need To Use Google Chrome’s Enhanced Safe Browsing Mode

First, the basics. Activating Enhanced Safe Browsing in Chrome is a simple process: open Settings, go to Privacy And Security > Safe Browsing, and select the Enhanced option. Why Enhanced Safe Browsing matters is a somewhat longer story. In short, no security is foolproof, and Google has historically erred on the side of making simple, accessible tools for consumers. Incognito Mode in particular is allegedly considered a bit of a joke at Google HQ; some users are even suing over its limitations.

By contrast, Enhanced Safe Browsing focuses on the security holes hackers are most likely to exploit. Per Google, Enhanced Safe Browsing uses multiple strategies to guarantee user safety: it checks websites against a constantly updated list of unsafe locations, examines unusual URLs for potential phishing scams, and inspects downloads for dangerous or corrupted files. It even takes a sampling of potential threats a given user has encountered and syncs it with their Google Account, allowing for personalized security focused on the risks that the user is most likely to face. All this happens in real time, as the user goes about their browsing session.

Note that Enhanced Safe Browsing’s real-time service means sending more user data to Google than browsing in normal or Incognito Mode. That’s a concern worth being aware of: big companies have security breaches, too, and are by no means universally trustworthy when it comes to user data. That said, participating in the digital world more or less requires users to operate within the ecosystem of one of a handful of large companies. If your home or office is a Google shop, Enhanced Safe Browsing is unquestionably the most secure option available.
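The steps above are the per-user path through the Settings UI. On a managed Windows fleet the same setting can be enforced centrally through Chrome's SafeBrowsingProtectionLevel policy, so users cannot quietly switch back to Standard. The script below is an added example, not code from the article or from Google; it assumes a Windows host where Chrome reads machine policy from the HKLM\SOFTWARE\Policies\Google\Chrome registry key, and that the policy's values are 0 for no protection, 1 for Standard and 2 for Enhanced.

```powershell
# Added example (not from the article): enforce Chrome Enhanced Safe Browsing via policy.
# Assumption: Windows host; Chrome reads machine-wide policy from this registry key.
# Must run in an elevated (Administrator) session to write under HKLM.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$ValueName = 'SafeBrowsingProtectionLevel'
$Enhanced  = 2   # 0 = no protection, 1 = standard, 2 = enhanced

function Set-ChromeSafeBrowsingLevel {
    param([ValidateSet(0, 1, 2)][int]$Level)
    # Create the policy key if no Chrome policy has been set on this machine yet.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # DWORD value; -Force overwrites any existing (possibly weaker) setting.
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord `
        -Value $Level -Force | Out-Null
}

function Test-ChromeSafeBrowsingLevel {
    param([int]$Expected)
    # Returns $true only if the policy exists and matches the expected level.
    $current = (Get-ItemProperty -Path $PolicyKey -Name $ValueName `
        -ErrorAction SilentlyContinue).$ValueName
    return ($null -ne $current -and $current -eq $Expected)
}

Set-ChromeSafeBrowsingLevel -Level $Enhanced
if (Test-ChromeSafeBrowsingLevel -Expected $Enhanced) {
    Write-Output "Chrome Safe Browsing policy set to Enhanced ($Enhanced)."
} else {
    Write-Warning "Policy not applied; run elevated and inspect $PolicyKey."
}
```

Once the value is in place, chrome://policy on the endpoint should list SafeBrowsingProtectionLevel with value 2 and the Safe Browsing radio buttons in Settings become read-only with a "managed by your organization" notice; the Test-ChromeSafeBrowsingLevel function can be reused in a compliance check that flags machines where the value is missing or has been lowered.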


Musk Announces Twitter Ad Sharing Program For Creators, But There’s A Big Catch

While Musk’s plan for ad revenue sharing sure sounds like a desperate attempt to lure creators as well as advertisers onto the platform, there’s a huge caveat. Only accounts subscribed to the Twitter Blue service will be eligible for an ad money cut. In a nutshell, if you seek to make money from reply section ads, you will first have to pay a sum of $8 per month to the company.

Musk also clarified that legacy verified accounts will have to pay for a Twitter Blue subscription in order to retain the blue check mark and command a cut from ads popping up in their reply sections. He has previously stated that a Twitter Blue subscription will be mandatory for retaining the coveted blue tick following a grace period.

“Twitter’s legacy Blue Verified is unfortunately deeply corrupted, so will sunset in a few months,” he wrote earlier this week. However, Musk’s announcement hasn’t really won a lot of fans. It also portends that ads will soon be commonplace in the replies, opening a whole new universe for spammy ads and making Twitter an even less desirable place to look for meaningful user interactions.