Hive0145 is targeting Spain, Germany and Ukraine with Strela Stealer malware in an invoice phishing campaign
AI Threat to Escalate in 2025, Google Cloud Warns
2025 could see our biggest AI fears materialize, according to a Google Cloud forecast report
Lazarus Group Uses Extended Attributes for Code Smuggling in macOS
Lazarus APT has been found smuggling malware onto macOS devices using custom extended attributes, evading detection
Mapping License Plate Scanners in the US
DeFlock is a crowd-sourced project to map license plate scanners.
It only records the fixed scanners, of course. The mobile scanners on cars are not mapped.
The post Mapping License Plate Scanners in the US appeared first on Schneier on Security.
Amazon MOVEit Leaker Claims to Be Ethical Hacker
An individual who posted data allegedly stolen via MOVEit from Amazon and other big-name firms claims not to be malicious
Microsoft Fixes Four More Zero-Days in November Patch Tuesday
Microsoft has addressed four zero-day vulnerabilities this month, two of which have been exploited
Fake Job Ads and Fake Identities: How North Korea Gets Its Hands on Our Data
Data theft has become an undeniable geopolitical weapon, and no player has mastered this art quite like North Korea.
Rather than relying solely on traditional hacking methods, the regime has adopted a far more insidious approach — exploiting the vulnerabilities of the job market. This might be why fake job ad scams saw a 28% spike in 2023.
As these methods become more advanced, both companies and individuals need to stay vigilant to protect themselves from this rising threat.
Keep reading to learn how this threat works and how to defend your company against it.
The Growing Threat of North Korean Cyber Actors
With limited access to global markets due to international sanctions, the North Korean regime has developed sophisticated hacking capabilities that focus on stealing sensitive information, financial assets, and intellectual property.
These actors, often state-backed organizations like the Lazarus Group, have been involved in major attacks, including the Sony Pictures hack in 2014 and the WannaCry ransomware incident.
Their approach combines sophisticated hacking techniques with social engineering, allowing them to slip through traditional cybersecurity defenses. They often pose as legitimate job seekers or employers, using fake job ads and resumes to gain access to corporate networks. Once inside, they steal sensitive information such as corporate IP, financial data, and personal details.
But their tactics don’t stop at fake identities. North Korean hackers are also experts at faking entire websites to further their espionage goals.
They might take a page about invoice factoring for SMBs, copy it wholesale, and redirect potential leads to a phishing page. These sites are designed to capture login credentials, personal information, and other sensitive data, making it easier for hackers to penetrate the target company’s systems undetected.
These hackers also use spear phishing, a highly targeted form of phishing. They research their victims and send emails that seem to come from trusted sources. These emails often contain malicious attachments or links that, once clicked, give the hackers access to the victim’s computer or network.
How They Use Fake Identities in Cyber Espionage
North Korean cyber actors are experts in using fake identities to conduct cyber espionage. They create synthetic identities, complete with fabricated resumes, professional profiles, and even fake references, to infiltrate companies and organizations.
These fake personas often appear highly qualified, sometimes posing as software developers, engineers, or other skilled professionals. The goal is to gain access to sensitive data, corporate networks, and intellectual property without raising suspicion.
These actors commonly use platforms like LinkedIn or job boards to build credible profiles that attract recruiters or hiring managers. Once hired or engaged in a business relationship, they can exploit access to sensitive information, such as internal emails, financial data, or proprietary technology.
This method allows them to bypass traditional security measures, as companies may not immediately flag a trusted employee or contractor as a potential threat.
How They Use Fake Job Ads to Target Developers
These fake job ads typically offer high-paying remote or freelance positions, using credible job titles and descriptions to mimic real opportunities. The goal is to lure unsuspecting developers into engaging with these ads and unknowingly exposing their devices to malicious software.
Developers with expertise in frameworks like Salesforce, AWS, or Docker are particularly targeted because of their access to critical systems and data. This makes them an attractive entry point for hackers looking to infiltrate organizations.
Once hackers gain access through these developers, they can further penetrate corporate networks, potentially compromising the entire organization.
These scams are especially dangerous because they exploit human trust and bypass traditional security measures. The increasing sophistication of these tactics makes it essential for developers and companies to be cautious when responding to job offers.
Verifying the legitimacy of job ads and the companies behind them is crucial to avoid falling victim to such attacks.
The Impact on Companies and Developers
These hackers primarily aim to infiltrate organizations and steal sensitive data such as intellectual property, financial details, and employee information. Developers, given their access to critical systems, are prime targets. A single breach through a compromised developer can open the door to deeper network infiltration, putting the entire organization at risk.
Smaller companies are especially vulnerable. But what keeps them in such a state?
Many of them don’t prioritize identity theft insurance, so they rely on meager cybersecurity systems and fail to conceal their employee databases from the DPRK’s Bureau 121.
This notorious state-funded group of North Korean hackers exploits weak security defenses, making smaller businesses easy prey. The consequences can be devastating — ranging from stolen proprietary information to severe financial losses and reputational damage.
The risk is even higher for businesses that rely on AI tools for lead generation and data collection. If not properly configured, these tools can be manipulated by hackers to pull data from fake sites. While AI tools offer efficiency, they can inadvertently collect data from phishing sites, leaving the business exposed to cyberattacks.
Steps Companies Should Take to Protect Themselves
As the threat of North Korean cyber actors grows, companies must implement robust measures to protect themselves from infiltration through fake job ads and synthetic identities. The risks posed by these tactics require a proactive and multilayered approach to cybersecurity, with a focus on securing the recruitment process and internal networks.
Strengthen Hiring Practices
Companies need to implement rigorous background checks and verification processes for all job applicants. This includes verifying credentials, contacting previous employers, and using advanced tools to detect fraudulent resumes.
Automated identity verification systems can help identify discrepancies in job applications and flag synthetic identities before they gain access to sensitive data.
Cybersecurity Training for Employees
Training HR teams and hiring managers to spot the warning signs of fake job ads and synthetic identities is critical. Regular cybersecurity training sessions should cover phishing techniques, social engineering tactics, and the latest threat intelligence on cyber actors like North Korea.
This empowers employees to remain vigilant and reduces the likelihood of falling victim to these schemes.
Implement Access Controls
Limiting access to sensitive information and systems is an effective way to reduce the damage from potential breaches. Companies should implement least-privilege policies, ensuring that employees and contractors only have access to the data and systems they need for their roles.
Multi-factor authentication (MFA) should also be enforced for accessing sensitive areas of the network, adding an additional layer of security.
Monitor and Audit Network Activity
Continuous monitoring and auditing of network activity can help detect unusual behaviors that may indicate the presence of a malicious actor. Implementing tools that analyze user behavior, flag unusual login patterns, or detect abnormal data flows can catch cyber actors who manage to slip past initial defenses.
Also, keeping security policies and procedures up to date ensures that the company is prepared for evolving threats. This includes regularly reviewing and revising cybersecurity protocols, hiring processes, and employee training programs based on the latest intelligence and security trends.
Conclusion
Cyber espionage is no longer confined to covert government operations; it’s happening right now in job postings and inboxes around the world.
The stakes are high for companies and developers alike, as state-sponsored actors sharpen their methods, using sophisticated strategies to penetrate corporate defenses.
Protecting against this new breed of threat requires vigilance and a deep understanding of how attackers exploit the weakest links—often, the hiring process itself.
This is not a problem that can be solved with software alone. It demands a cultural shift, where security is embedded in every aspect of business operations and geopolitics alike, requiring the cooperation of everyone from interbank networks to NATO itself.
Microsoft Patch Tuesday, November 2024 Edition
Microsoft today released updates to plug at least 89 security holes in its Windows operating systems and other software. November’s patch batch includes fixes for two zero-day vulnerabilities that are already being exploited by attackers, as well as two other flaws that were publicly disclosed prior to today.
The zero-day flaw tracked as CVE-2024-49039 is a bug in the Windows Task Scheduler that allows an attacker to increase their privileges on a Windows machine. Microsoft credits Google’s Threat Analysis Group with reporting the flaw.
The second bug fixed this month that is already seeing in-the-wild exploitation is CVE-2024-43451, a spoofing flaw that could reveal Net-NTLMv2 hashes, which are used for authentication in Windows environments.
Satnam Narang, senior staff research engineer at Tenable, says the danger with stolen NTLM hashes is that they enable so-called “pass-the-hash” attacks, which let an attacker masquerade as a legitimate user without ever having to log in or know the user’s password. Narang notes that CVE-2024-43451 is the third NTLM zero-day so far this year.
“Attackers continue to be adamant about discovering and exploiting zero-day vulnerabilities that can disclose NTLMv2 hashes, as they can be used to authenticate to systems and potentially move laterally within a network to access other systems,” Narang said.
The two other publicly disclosed weaknesses Microsoft patched this month are CVE-2024-49019, an elevation of privilege flaw in Active Directory Certificate Services (AD CS); and CVE-2024-49040, a spoofing vulnerability in Microsoft Exchange Server.
Ben McCarthy, lead cybersecurity engineer at Immersive Labs, called special attention to CVE-2024-43602, a remote code execution vulnerability in Windows Kerberos, the authentication protocol that is heavily used in Windows domain networks.
“This is one of the most threatening CVEs from this patch release,” McCarthy said. “Windows domains are used in the majority of enterprise networks, and by taking advantage of a cryptographic protocol vulnerability, an attacker can perform privileged acts on a remote machine within the network, potentially giving them eventual access to the domain controller, which is the goal for many attackers when attacking a domain.”
McCarthy also pointed to CVE-2024-43498, a remote code execution flaw in .NET and Visual Studio that could be used to install malware. This bug has earned a CVSS severity rating of 9.8 (10 is the worst).
Finally, at least 29 of the updates released today tackle memory-related security issues involving SQL Server, each of which earned a threat score of 8.8. Any one of these bugs could be used to install malware if an authenticated user connects to a malicious or hacked SQL database server.
For a more detailed breakdown of today’s patches from Microsoft, check out the SANS Internet Storm Center’s list. For administrators in charge of managing larger Windows environments, it pays to keep an eye on Askwoody.com, which frequently points out when specific Microsoft updates are creating problems for a number of users.
As always, if you experience any problems applying any of these updates, consider dropping a note about it in the comments; chances are excellent that someone else reading here has experienced the same issue, and maybe even has found a solution.
The AI Fix #24: Where are the alien AIs, and are we being softened up for superintelligence?
In episode 24 of The AI Fix, Mark makes an unforgivable error about the Terminator franchise, our hosts wonder if a “seductive” government chatbot will make it easier to talk about tax, a radio station abandons its three-month AI experiment after a week, and OpenAI parks its tanks on Google’s lawn.
Graham gets cosmic and wonders why we aren’t surrounded by advanced alien AIs, our hosts argue about whether the moon landings or the invention of the cheese sandwich were more consequential events in human history, and Mark tells Graham that artificial superintelligence is just around the corner.
All this and much more is discussed in the latest edition of “The AI Fix” podcast by Graham Cluley and Mark Stockley.
TA455’s Iranian Dream Job Campaign Targets Aerospace with Malware
The TA455 phishing campaign used fake job offers on LinkedIn to deploy malware