
North Korea hackers targeted security companies

In the first edition of its new Threat Horizons report, Google, among other detected cyber threats, described state-sponsored North Korean hackers who used a fairly plain tactic: posing as Samsung recruiters. The threat actors sent fake job offers to employees of South Korean security companies that sell anti-malware software.

Besides the text of the message itself, those fake emails carried a PDF attachment. The hackers had deliberately malformed the PDFs so that they would not open in a standard PDF reader. When a potential victim complained that the file did not open, the hackers would offer them a supposedly “Secure PDF Reader” app. The link led the unsuspecting target to a modified version of PDFTron. The hackers had specifically altered this PDF reader so that it installed a backdoor trojan on the victim’s computer.

Codenamed “Zinc”, the same group conducted earlier attacks on security researchers

The Google Threat Analysis Group (TAG) believes this is the same group that targeted individual security researchers, mainly via Twitter and other social networks, in late 2020 and throughout 2021. Tracked by Google under the codename “Zinc”, the group surprised cybersecurity specialists with its tactics. According to the same report, this is not the first time these threat actors have used a tampered PDF reader: last year they used an altered version of SumatraPDF to decrypt and drop an implant, and they also added legitimate PE files embedded within the viewer itself. Cybersecurity specialists note that other threat groups have recently been seen using a similar technique of delivering a malicious PDF viewer to open malformed PDFs.

The report is based on threat intelligence data from the Threat Analysis Group, Google Cloud Threat Intelligence for Chronicle, Trust and Safety, and other internal teams. Google plans further threat intelligence reports covering trend tracking, threat horizon scanning and Early Warning announcements about emerging threats that require immediate action.


Besides the North Korean hacker group, the first edition of Threat Horizons also reports on signs of BlackMatter activity, fraudsters using new TTPs to abuse Cloud resources, and the Russian threat group APT28 (Fancy Bear) launching a Gmail phishing campaign. The report also covers the detected compromises of Google Cloud instances that threat actors used for cryptocurrency mining. For each case, TAG provided possible risk mitigation measures for Google customers.

First edition of Google's Threat Horizons covers a significant amount of data

For the compromised Cloud instances, Threat Horizons gives the percentage of instances attributed to each of the following initial access factors:

  • Leaked credentials (4%);
  • Misconfiguration of the Cloud instance or of third-party software (12%);
  • Other unspecified issues (12%);
  • Vulnerability in third-party software in the Cloud instance that was exploited (26%);
  • Weak or no password for the user account, or no authentication for APIs.

In most cases, threat actors tried to pump traffic to YouTube and profit from cryptocurrency mining. For the actions taken after compromise, the percentages are as follows:

  • Send spam (2%);
  • Launch DDoS bot (2%);
  • Host unauthorized content on the Internet (4%);
  • Host malware (6%);
  • Launch attacks against other targets on the internet (8%);
  • Conduct port scanning of other targets on the internet (10%);
  • Conduct cryptocurrency mining (86%).

TAG also noted that the totals do not add up to 100% because some compromised instances were used to perform multiple malicious activities.

Andrew Nail

Cybersecurity journalist from Montreal, Canada. Studied communication sciences at Universite de Montreal. I was not sure if a journalist job is what I want to do in my life, but in conjunction with technical sciences, it is exactly what I like to do. My job is to catch the most current trends in the cybersecurity world and help people to deal with malware they have on their PCs.
