   Part of a ZDNet Special Feature: Cyberwar and the Future of Cybersecurity

US Cyber Command, DHS, and FBI expose new North Korean malware

   US government agencies send out alert about new North Korean malware and phishing campaign.


   Catalin Cimpanu 

   By Catalin Cimpanu  for Zero Day | February 14, 2020 -- 16:50 GMT (08:50 PST) | Topic: Cyberwar and the Future of Cybersecurity

   [Image: Cyber National Mission Force (CNMF)]

   US Cyber Command, the Department of Homeland Security, and the Federal Bureau of Investigation have today exposed a new North Korean hacking operation.

   Authorities have published security advisories detailing six new malware families that are currently being used by North Korean hackers.

   According to the Twitter account of the Cyber National Mission Force (CNMF), a subordinate unit of US Cyber Command, the malware is being distributed via a North Korean phishing campaign.

     Malware attributed to #NorthKorea by @FBI_NCIJTF just released here: https://t.co/cBqSL7DJzI. This malware is currently used for phishing & remote access by #DPRK cyber actors to conduct illegal activity, steal funds & evade sanctions. #HappyValentines @CISAgov @DHS @US_CYBERCOM
     — USCYBERCOM Malware Alert (@CNMF_VirusAlert) February 14, 2020

   US Cyber Command believes the malware is used to provide North Korean hackers with remote access to infected systems in order to steal funds that are later transferred back to North Korea, as a way to avoid economic sanctions.

   The North Korean government has a long history of using hackers to steal funds from banks and cryptocurrency exchanges in order to evade economic sanctions and raise funds for its nuclear weapons and missile programs.

   In September 2019, the US Department of the Treasury imposed sanctions on the Pyongyang regime for the use of this exact tactic.

Six new North Korean malware families

   Along with the Twitter alert sent by US Cyber Command, the DHS' Cybersecurity and Infrastructure Security Agency (CISA) has also published today detailed reports on its website.

   The reports provide an in-depth analysis on the six new malware samples US authorities have been recently tracking. They are:
     * BISTROMATH - described as "a full-featured RAT"
     * SLICKSHOES - described as a malware dropper (loader)
     * CROWDEDFLOUNDER - described as a "32-bit Windows executable, which is designed to unpack and execute a Remote Access Trojan (RAT) binary in memory."
     * HOTCROISSANT - described as "a full-featured beaconing implant" used for "conducting system surveys, file upload/download, process and command execution, and performing screen captures."
     * ARTFULPIE - described as "an implant that performs downloading and in-memory loading and execution of a DLL from a hardcoded URL."
     * BUFFETLINE - described as "a full-featured beaconing implant" that can "download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration."

   A seventh report updates information on HOPLIGHT, a proxy-based backdoor trojan that the DHS and FBI exposed in April last year.

CISA attributes malware to Lazarus Group

   CISA attributed the malware to a North Korean government-backed hacking group known as HIDDEN COBRA.

   This group, also known under the name of the Lazarus Group, is North Korea's largest and most active hacking division.

   Previously, the DOJ had charged a member of this group for involvement in several security incidents, including the 2014 Sony hack, the 2016 attack on the Bangladesh bank, and the orchestration of the WannaCry ransomware outbreak in May 2017.

   In a screenshot shared with ZDNet, a member of Kaspersky GReAT, Kaspersky's elite hacker-hunting unit, pointed out that the malware samples also shared code with other North Korean malware strains used in past operations -- effectively confirming the CISA/FBI/Cyber Command attribution.
   [Image: Kaspersky (supplied) - code similarities between the new samples and earlier North Korean malware]

Continuing naming-and-shaming approach

   Today's revelations mark just another step in the US government's new approach to handling foreign cyber-security operations conducted against US targets.


   While in previous years the US government had avoided saying anything about attacks against government entities and the private sector, it recently adopted a "name-and-shame" approach.

   Previously, this included security alerts on the DHS/CISA websites and legal cases filed by the Department of Justice, but this recently expanded to the use of Treasury Department sanctions and White House press releases calling out foreign orchestrated cyber-attacks.

   In November 2018, the name-and-shame approach also added a new tactic when US Cyber Command began uploading "unclassified malware samples" to VirusTotal, and announced uploads via a Twitter account.

   Initial samples were linked to Russian and Iranian hacking groups.

   Subsequently, US Cyber Command also began uploading malware samples related to North Korean hacking activity -- in August, September, and November 2019.

   However, in none of these previous cases did US Cyber Command itself attribute any malware samples to a state actor, leaving the attribution to experts from private cyber-security firms.

   As Cyberscoop pointed out today, this marks the first time that US Cyber Command has publicly linked one of these malware samples to a nation-state actor itself, rather than relying on the private sector.

Private sector urged to action

   But the purpose of today's security advisories was to raise awareness about ongoing North Korean hacking campaigns.

   The seven CISA security advisories (six new reports plus the HOPLIGHT update) include indicators of compromise (IOCs) and YARA rules to help companies and government organizations search their internal networks for any signs of North Korean malware.

   According to Cyberscoop, US officials have also sent private security alerts to the US private sector before today's public disclosure, urging companies to look into the current threat.

   The scale of the current North Korean attacks against US targets is unknown, but judging by the three similar exposés from last year, it is believed that North Korean attacks are coming in a constant wave.

   Since 2018, the DHS has now issued 23 reports on North Korean malware. The agency previously released reports on WannaCry, DeltaCharlie (two reports), Volgmer, FALLCHILL, BANKSHOT, BADCALL, HARDRAIN, SHARPKNOT, an unnamed remote access trojan/worm, Joanap and Brambul, TYPEFRAME, KEYMARBLE, FASTCash (two reports), and the older HOPLIGHT report.

   In January 2019, the DOJ, FBI, and US Air Force also intervened to take down the Joanap botnet, believed to have been built by North Korean hackers to aid in their operations and to serve as a network of proxies to disguise the origin of their attacks.
