North Korean state-sponsored advanced persistent threat group TA444 has engaged in a credential harvesting campaign targeting the U.S. and Canada with OneDrive phishing emails beginning last month, according to SecurityWeek.
Phishing emails sent by TA444 lure recipients into clicking a SendGrid URL redirecting to a credential harvesting page that establishes legitimacy using the ClearBit logo-rendering service, according to a Proofpoint report. Such a shift in attack tactics for TA444, which originally targeted cryptocurrencies in 2017 before increasing macro usage for malware delivery last year, may represent the group's expanding attack playbook, a side job aimed at evading North Korean sanctions, or an infrastructure compromise by another threat actor, the report noted.
Proofpoint researchers found that the December phishing campaign produced nearly twice TA444's total email volume for all of 2022. The campaign was attributed to TA444 based on the exclusivity of the attacker's infrastructure.
"The emails also had valid DMARC and SPF records, indicating that the sender has control of that domain," researchers added.
New attacks with the updated SysUpdate toolkit have been deployed by Chinese advanced persistent threat operation Budworm, also known as APT27, Emissary Panda, Bronze Union, Lucky Mouse, Iron Tiger, and Red Phoenix, against an Asian government and a Middle East-based telecommunications provider, reports The Hacker News.
Forty-five malicious NPM and PyPI packages have been deployed by threat actors to facilitate extensive data theft operations as part of a campaign that commenced on Sept. 12, according to BleepingComputer.
Sixty thousand emails from U.S. State Department accounts were exfiltrated by Chinese threat actors during the widespread compromise of Microsoft email accounts that commenced in May, a staffer working for Sen. Eric Schmitt, R-Mo., said, according to Reuters.