Amidst recent reports of renewed peace talks on the Korean peninsula, another cybersecurity firm has come forward with evidence that state-sponsored North Korean hackers have been repeatedly launching spear phishing campaigns targeting South Korean cryptocurrency exchanges and their users.
According to a Jan. 16 blog post from Recorded Future's Insikt Group team, the reputed North Korean APT actor known as Lazarus Group (or Hidden Cobra) appears to be behind a series of phishing emails, featuring four different lures, that were sent in the fall of 2017, before the two Korean nations' latest attempt at negotiations.
Two of the lures specifically targeted South Korean cryptocurrency exchanges, using job resumes that appear to have been stolen from legitimate South Korean computer scientists with cryptocurrency experience, while another targeted users of the UK-based cryptocurrency exchange Coinlink, with the intent of obtaining their emails and passwords. A fourth email targeted college students belonging to the organization Friends of MOFA (Ministry of Foreign Affairs), using content taken from a blog operated by the actual organization.
The emails carried malicious attachments in the Hangul Word Processor (HWP) document format. PostScript code embedded in the documents, once they were opened, triggered an exploit for CVE-2017-8291, an Artifex Ghostscript vulnerability that ultimately allowed the attackers to infect user machines with a malicious DLL payload designed to collect device information and exfiltrate files. Further analysis revealed that this malware shares significant chunks of code with Destover, a Lazarus-linked information stealer that was used in an early WannaCry ransomware attack that predated the global May 2017 outbreak.
Blog post authors and Recorded Future researchers Juan Andres Guerrero-Saade and Priscilla Moriuchi also noted that code in the malicious PostScripts contained some transliterated Chinese words, one of which was misused -- leading analysts to theorize these additions may have been intended as false flags to cast suspicions on China.
"This late 2017 campaign is a continuation of North Korea's interest in cryptocurrency, which we now know encompasses a broad range of activities including mining, ransomware, and outright theft," the blog post states. "Outside of the May WannaCry attack, the majority of North Korean cryptocurrency operations have targeted South Korean users and exchanges, but we expect this trend to change in 2018. We assess that as South Korea responds to these attempted thefts by increasing security (and possibly banning cryptocurrency trading) they will become harder targets, forcing North Korean actors to look to exchanges and users in other countries as well."
Recorded Future's report serves as further proof that cryptocurrency platforms, exchanges and users remain alluring targets for cybercriminals and adversarial nation-states. (Of course, this trend certainly bears watching, following a rough two days for Bitcoin, which lost more than 50 percent of its peak market value over Jan. 16 and 17, dipping below the $10,000 mark.)
Earlier this month, for example, Morphus Labs' Chief Research Officer Renato Marinho and Johannes B. Ullrich, Dean of Research at the SANS Technology Institute, reported on a January 2018 campaign that was covertly deploying XMRig, a legitimate Monero cryptominer, on victims' machines via Oracle's WebLogic application servers.
The unattributed attackers accomplished this by exploiting CVE-2017-10271, a remote code execution vulnerability in the servers' WLS Security component. (Oracle issued a patch for the bug late last year, but server owners who have not applied it remain vulnerable.)
Ullrich reported that the exploit appears to be a script released last December by a Chinese security researcher, while Marinho remarked that it's "pretty simple to execute and comes with a Bash script to make it easy to scan for potential victims."
Making matters worse, Oracle's PeopleSoft HR software, which can use WebLogic as a web server, was also found to be vulnerable and, in some cases, was exploited. "As you can probably imagine, a compromise of a PeopleSoft system is pretty much a worst-case compromise for an organization," Ullrich summarized in his write-up.
Furthermore, Onapsis reported on Jan. 17 that its researchers confirmed that the Oracle E-Business Suite (EBS), which typically stores business, sales, and financial data, can also be compromised by the exploit.
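For defenders triaging WebLogic hosts after reading the campaign details above, the following is an added example (not code from the article, from Morphus Labs, SANS or Oracle) that scans HTTP access logs for requests to the WLS-WSAT web application, the component whose deserialization flaw CVE-2017-10271 affects, and summarizes the source addresses. The `/wls-wsat/` path prefix is taken from Oracle's public advisory for the bug; the log lines are constructed for the example, and the log layout is assumed to be the common combined-style format.

```python
"""Triage helper: find requests to WebLogic's wls-wsat endpoint in access logs.

Added example (not from the article). Assumes a combined-style access log:
  <ip> <ident> <user> [<timestamp>] "<method> <path> <proto>" <status> <size>
The /wls-wsat/ prefix is the web application affected by CVE-2017-10271
(per Oracle's public advisory); ordinary clients rarely need to reach it,
so any POST there from an untrusted address deserves a closer look.
"""
import re
from collections import Counter

# Constructed sample lines (not real traffic); RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Jan/2018:10:15:01 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1234
198.51.100.7 - - [08/Jan/2018:10:15:02 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3456
203.0.113.10 - - [08/Jan/2018:10:15:05 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1234
192.0.2.44 - - [08/Jan/2018:10:16:00 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 200 211
192.0.2.44 - - [08/Jan/2018:10:17:00 +0000] "GET /index.html HTTP/1.1" 200 77
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Path prefix of the vulnerable web application (from Oracle's advisory).
WLS_WSAT_PREFIX = "/wls-wsat/"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_wls_wsat_requests(log_text):
    """Return (ip, method, path, status) for every request under /wls-wsat/.

    Only the path is checked: access logs do not retain POST bodies, so the
    actual exploit payload cannot be confirmed here. Treat hits as leads to
    correlate with WebLogic server logs, process lists and outbound traffic.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith(WLS_WSAT_PREFIX):
            hits.append((rec["ip"], rec["method"], rec["path"], int(rec["status"])))
    return hits


def summarize_sources(log_text):
    """Count wls-wsat requests per source IP, most active first."""
    return Counter(ip for ip, _, _, _ in find_wls_wsat_requests(log_text))


if __name__ == "__main__":
    for ip, count in summarize_sources(SAMPLE_LOG).most_common():
        print(f"{ip}: {count} request(s) to {WLS_WSAT_PREFIX}")
```

The status code is kept in each hit because a failed exploit attempt and a successful one can both log as 500 or 200 depending on the payload, so the code alone is not a reliable success indicator; the per-IP summary is what you would feed into the reverse-DNS and ASN lookups Ullrich describes, or into a block list.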
Based on additional research, Ullrich stated that the attacker successfully mined 611 Monero coins, which as of Jan. 17 equates to roughly $188,000 (it was $226,070 at the time of Ullrich's writing).
As for the victims, "Based on a quick reverse DNS lookup and an ASN lookup, I found a high concentration of affected IPs at cloud providers," Ullrich reported. "This isn't a surprise, since many organizations are moving their most critical data to the cloud to make it easier for the bad guys to get to it. Also, not a big surprise is the relatively high percentage of IPs in Oracle's cloud."
In related news, Radware has asserted in its just released 2017-18 Global Application & Network Security Report that the soaring value of cryptocoins (this most recent downtrend notwithstanding) is inviting increased malicious activity, including ransomware and stolen-content-for-ransom attacks against organizations, as well as distributed denial of service attacks against cryptocurrency platforms.
“The rapid adoption of cryptocurrencies and their subsequent rise in price has presented hackers with a clear upside that goes beyond cryptocurrencies' anonymity,” said Carl Herberger, VP of security solutions at Radware, in a press release.