North Korean Hackers Breached Leading Russian Missile & Military Engineering Company
North Korean threat actors drew sustained attention from security researchers over the past year, with campaigns that revealed:
New reconnaissance tools
Multiple new supply chain intrusions
Elusive multi-platform targeting
New sly social engineering tactics
Last year, an elite North Korean hacking group quietly maintained access to the internal networks of a major Russian missile developer for roughly five months.
Cybersecurity researchers at SentinelOne Labs recently identified the intrusion, which targeted one of Russia's leading missile and military engineering companies.
North Korean Hackers Breached Top Russian Missile Company
SentinelOne Labs analysts found a DPRK-linked implant in a leaked email collection while investigating North Korean threat actors, which led them to a larger, previously unrecognized intrusion.
The targeted organization is NPO Mashinostroyeniya (NPO Mash), a sanctioned Russian missile and spacecraft manufacturer owned by JSC Tactical Missiles Corporation (KTRV) that holds sensitive missile technology.
The leaked emails are unrelated to the intrusion itself, which suggests the leak was accidental or the work of a separate actor. The collection still offers valuable insight into the following:
Network design
Security gaps
Other attackers
Compromise Through Email
The NPO Mashinostroyeniya emails show IT staff discussing suspicious network communications and a DLL file found on their systems. Following the intrusion, they contacted their antivirus vendor for support with detection issues.
The researchers identified a version of OpenCarrot, a Windows backdoor linked to the Lazarus Group, which enables full compromise of an infected machine and network-wide operations, including proxying C2 communication through compromised hosts.
The analyzed OpenCarrot sample was delivered as a DLL designed for persistence and implements more than 25 backdoor commands, covering functions such as:
Reconnaissance
Filesystem manipulation
Process manipulation
Reconfiguration
Connectivity
North Korean threat actors' poor OPSEC lets researchers gather unique insight into unreported activity and track how campaigns evolve by following connections between their infrastructure.
The researchers also noted that infrastructure themes in the JumpCloud intrusion, which has been linked to North Korean threat actors, resemble those used against NPO Mash.
Though not definitive, the overlap raises questions about how the threat actors create and manage infrastructure, and about other possible connections.
Security analysts attribute the intrusion with high confidence to North Korean-associated threat actors and note that the direct compromise of a Russian Defense-Industrial Base (DIB) organization underscores North Korea's covert missile development agenda.
IoCs
MD5:
9216198a2ebc14dd68386738c1c59792
6ad6232bcf4cef9bf40cbcae8ed2f985
d0f6cf0d54cf77e957bce6dfbbd34d8e
921aa3783644750890b9d30843253ec6
99fd2e013b3fba1d03a574a24a735a82
0b7dad90ecc731523e2eb7d682063a49
516beb7da7f2a8b85cb170570545da4b
SHA1:
07b494575d548a83f0812ceba6b8d567c7ec86ed
2217c29e5d5ccfcf58d2b6d9f5e250b687948440
246018220a4f4f3d20262b7333caf323e1c77d2e
8b6ffa56ca5bea5b406d6d8d6ef532b4d36d090f
90f52b6d077d508a23214047e680dded320ccf4e
f483c33acf0f2957da14ed422377387d6cb93c4d
f974d22f74b0a105668c72dc100d1d9fcc8c72de
Domains:
redhat-packages[.]com
centos-packages[.]com
dallynk[.]com
yolenny[.]com
606qipai[.]com
asplinc[.]com
bsef.or[.]kr
IPs:
192.169.7[.]197
160.202.79[.]226
96.9.255[.]150
5.134.119[.]142
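As an added example of putting the indicators above to use (this is not code from SentinelOne or the article), the following Python hashes every file under a directory and reports any whose MD5 or SHA1 is on the published list, and scans log lines for the published domains and IPs. The indicators are refanged from the defanged form the report uses; the log lines it scans and the file it hashes are constructed for the example, and the whole-token matching rule is a choice made here, not something the report specifies.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Indicators exactly as published in the article above (domains and IPs kept defanged).
MD5_IOCS = {
    "9216198a2ebc14dd68386738c1c59792", "6ad6232bcf4cef9bf40cbcae8ed2f985",
    "d0f6cf0d54cf77e957bce6dfbbd34d8e", "921aa3783644750890b9d30843253ec6",
    "99fd2e013b3fba1d03a574a24a735a82", "0b7dad90ecc731523e2eb7d682063a49",
    "516beb7da7f2a8b85cb170570545da4b",
}
SHA1_IOCS = {
    "07b494575d548a83f0812ceba6b8d567c7ec86ed", "2217c29e5d5ccfcf58d2b6d9f5e250b687948440",
    "246018220a4f4f3d20262b7333caf323e1c77d2e", "8b6ffa56ca5bea5b406d6d8d6ef532b4d36d090f",
    "90f52b6d077d508a23214047e680dded320ccf4e", "f483c33acf0f2957da14ed422377387d6cb93c4d",
    "f974d22f74b0a105668c72dc100d1d9fcc8c72de",
}
DEFANGED_DOMAINS = ["redhat-packages[.]com", "centos-packages[.]com", "dallynk[.]com",
                    "yolenny[.]com", "606qipai[.]com", "asplinc[.]com", "bsef.or[.]kr"]
DEFANGED_IPS = ["192.169.7[.]197", "160.202.79[.]226", "96.9.255[.]150", "5.134.119[.]142"]


def refang(indicator: str) -> str:
    # Turn the published form (example[.]com) back into the value seen in logs.
    return indicator.replace("[.]", ".").lower()


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}


def hash_file(path: Path) -> Tuple[str, str]:
    # (md5, sha1) hex digests, read in 1 MiB chunks so large files are not loaded whole.
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def match_hashes(md5_hex: str, sha1_hex: str) -> bool:
    # Either digest on the published list counts; comparison is case-insensitive.
    return md5_hex.lower() in MD5_IOCS or sha1_hex.lower() in SHA1_IOCS


def sweep_directory(root: Path) -> List[str]:
    # Hash every regular file under root and return the paths whose digests match an IoC.
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and match_hashes(*hash_file(path)):
            hits.append(str(path))
    return hits


TOKEN = re.compile(r"[A-Za-z0-9.-]+")


def network_indicator(token: str) -> Optional[str]:
    # Whole-token matching: '160.202.79.22' and 'notdallynk.com' do not fire,
    # but a subdomain such as 'cdn.dallynk.com' is reported under its parent IoC.
    value = token.lower().rstrip(".")
    if value in IPS or value in DOMAINS:
        return value
    for domain in DOMAINS:
        if value.endswith("." + domain):
            return domain
    return None


def scan_log_lines(lines: List[str]) -> List[Tuple[int, str]]:
    # (1-based line number, indicator) for every line that mentions a published domain or IP.
    hits = []
    for number, line in enumerate(lines, start=1):
        for token in TOKEN.findall(line):
            indicator = network_indicator(token)
            if indicator is not None:
                hits.append((number, indicator))
                break
    return hits


# Constructed sample lines (not real telemetry) in a generic key=value DNS/firewall log style.
SAMPLE_LOG_LINES = [
    "2023-08-07T10:14:02Z host=ws-12 event=dns query=redhat-packages.com type=A",
    "2023-08-07T10:14:05Z host=ws-12 event=dns query=updates.example.com type=A",
    "2023-08-07T10:15:11Z host=srv-3 event=conn dst=160.202.79.226 dport=443 action=allow",
    "2023-08-07T10:16:00Z host=srv-3 event=conn dst=160.202.79.22 dport=443 action=allow",
    "2023-08-07T10:17:30Z host=ws-07 event=dns query=cdn.dallynk.com type=A",
]


def demo_sweep() -> List[str]:
    # Hash a constructed benign file in a temporary directory; expected to return no hits.
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "benign.dll").write_bytes(b"constructed bytes, not the OpenCarrot sample\n")
        return sweep_directory(Path(tmp))


if __name__ == "__main__":
    print("file hits:", demo_sweep())
    for number, indicator in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {number}: {indicator}")
```

Hash matching only catches the exact builds the report saw, so treat an empty sweep as the absence of those samples rather than the absence of the actor; the domain and IP checks are the more durable signal, and a hit on line 4 is deliberately not produced because `160.202.79.22` is a different address from the published `160.202.79.226`.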
The post North Korean Hackers Breached Leading Russian Missile & Military Engineering Company appeared first on Cyber Security News.
Hackers are Selling Exploits for Foxit Read: Patch ASAP!
A threat actor has announced the sale of an exploit targeting a vulnerability in Foxit Reader, a widely used PDF viewer.
This vulnerability could potentially allow remote code execution, posing a significant risk to millions of users worldwide.
Foxit has responded by releasing updates that patch the vulnerability.
Users are urged to update their software immediately to protect against potential attacks.
The Vulnerability in Detail
Foxit Reader, known for its lightweight design and comprehensive feature set, has become a popular alternative to Adobe Reader. However, its widespread use also makes it a target for cybercriminals.
The vulnerability in question affects Foxit PDF Reader 12.0.2 and earlier versions on Windows, as well as Foxit PDF Editor (previously named Foxit PhantomPDF) versions 12.0.2.12465 and earlier, including all previous 12.x and 11.x versions, and 10.1.9.37808 and earlier.
On the macOS platform, affected software includes Foxit PDF Editor for Mac 12.0.1.0720, 12.0.0.0601, 11.1.3.0920, and earlier, as well as Foxit PDF Reader for Mac 12.0.1.0720 and earlier versions.
The Threat Actor’s Announcement
An unidentified threat actor has put the exploit up for sale, claiming that it achieves remote code execution through a vulnerability in Foxit Reader.
According to the announcement, the exploit runs a malicious build when a specially crafted PDF file is opened and reloaded in the official Reader, potentially allowing attackers to take control of affected systems.
In response to the threat, Foxit has released updates for its PDF software on both Windows and macOS platforms.
The updates, Foxit PDF Editor for Mac 12.0.2 and Foxit PDF Reader for Mac 12.0.2, along with Foxit PDF Reader 12.1 and Foxit PDF Editor 12.1 for Windows, address the security and stability issues identified.
Affected Versions and Updates
Product | Affected Versions | Platform
Foxit PDF Editor for Mac (previously PhantomPDF) | 12.0.1.0720, 12.0.0.0601, 11.1.3.0920 and earlier | macOS
Foxit PDF Reader for Mac (previously Reader) | 12.0.1.0720 and earlier | macOS
Foxit PDF Reader | 12.0.2.12465 and earlier | Windows
Foxit PDF Editor (previously PhantomPDF) | 12.0.2.12465 and all previous 12.x versions, 11.2.3.53593 and all previous 11.x versions, 10.1.9.37808 and earlier | Windows
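As an added check, not from Foxit or the article, the following Python compares installed builds against the fixed releases named above (12.1 on Windows, 12.0.2 on macOS) using numeric per-component comparison, which is what a fleet-wide "is anyone still on an affected build" query needs. The product and platform names follow the table; the inventory it runs over is constructed for the example and would in practice come from a software inventory or endpoint agent.

```python
from typing import Dict, List, Tuple

# Fixed releases named in the article: 12.1 for Windows, 12.0.2 for macOS.
# Any installed build that compares lower than the fix is treated as affected.
FIXED_VERSIONS: Dict[Tuple[str, str], str] = {
    ("Foxit PDF Reader", "Windows"): "12.1",
    ("Foxit PDF Editor", "Windows"): "12.1",
    ("Foxit PDF Reader for Mac", "macOS"): "12.0.2",
    ("Foxit PDF Editor for Mac", "macOS"): "12.0.2",
}


def parse_version(version: str) -> Tuple[int, ...]:
    # '12.0.2.12465' -> (12, 0, 2, 12465): each component compares as an integer, and a
    # longer tuple with an equal prefix (12.1.0.x) correctly sorts at or above the fix (12.1).
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(product: str, platform: str, installed: str) -> bool:
    # True if the installed build is older than the fixed release for that product/platform.
    fixed = FIXED_VERSIONS.get((product, platform))
    if fixed is None:
        raise KeyError(f"no fix data for {product!r} on {platform!r}")
    return parse_version(installed) < parse_version(fixed)


def string_compare_is_wrong(installed: str, fixed: str) -> bool:
    # The pitfall this avoids: as strings, '9.7.2' < '12.1' is False because '9' sorts after '1'.
    return (installed < fixed) != (parse_version(installed) < parse_version(fixed))


# Constructed inventory (hostnames and assignments are made up for the example).
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "ws-01", "product": "Foxit PDF Reader", "platform": "Windows", "version": "12.0.2.12465"},
    {"host": "ws-02", "product": "Foxit PDF Reader", "platform": "Windows", "version": "12.1"},
    {"host": "ws-03", "product": "Foxit PDF Editor", "platform": "Windows", "version": "11.2.3.53593"},
    {"host": "mac-01", "product": "Foxit PDF Editor for Mac", "platform": "macOS", "version": "12.0.2"},
    {"host": "mac-02", "product": "Foxit PDF Reader for Mac", "platform": "macOS", "version": "11.1.3.0920"},
]


def hosts_needing_update(inventory: List[Dict[str, str]]) -> List[str]:
    # Hostnames whose installed build is below the fix, in inventory order.
    return [e["host"] for e in inventory if is_affected(e["product"], e["platform"], e["version"])]


if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: update required")
```

The comparison deliberately treats every build below the fixed release as affected, matching the article's "and earlier" wording, rather than enumerating the listed builds; an unknown product/platform pair raises instead of silently reporting "not affected".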
Urgent Call to Action
Users of Foxit Reader and Foxit PDF Editor on both Windows and macOS platforms are strongly advised to update their software to the latest versions immediately.
Doing so will patch the vulnerabilities and protect against potential exploits.
Foxit has made the updates available on its official website, ensuring users can easily access and install the necessary software to secure their systems.
The announcement of an exploit sale targeting Foxit Reader underscores the importance of maintaining up-to-date software to protect against cybersecurity threats.
By promptly applying the latest patches from Foxit, users can safeguard their systems from potential remote code execution attacks.
As cyber threats evolve, staying informed and vigilant is more crucial than ever.
The post Hackers are Selling Exploits for Foxit Read: Patch ASAP! appeared first on Cyber Security News.
Hive RAT Creators and $3.5M Cryptojacking Mastermind Arrested in Global Crackdown
Two individuals have been arrested in Australia and the U.S. in connection with an alleged scheme to develop and distribute a remote access trojan called Hive RAT (previously Firebird).
The U.S. Justice Department (DoJ) said the malware "gave the malware purchasers control over victim computers and enabled them to access victims’ private communications, their login credentials, and
The Hacker News | #1 Trusted Cybersecurity News Site