The Week in Security: North Korean APT targets developers, this Barbie is a cybercriminal

This week: a North Korean APT group targets developers via GitHub. Also: This Barbie is a cybercriminal.

This Week’s Top Story

North Korean Cyberspies Target GitHub Developers

The Lazarus advanced persistent threat (APT) group — a North Korean state-sponsored cybergang — is running yet another impersonation scam. The group is donning the persona of a developer or recruiter to deploy social engineering attacks, funneling tech community members to its repository containing malicious node package manager (npm) dependencies. GitHub is warning that accounts linked to Lazarus have been uncovered on that platform as well as on LinkedIn, Telegram, and Slack.

Lazarus is thought to be run by North Korea’s Foreign Intelligence and Reconnaissance Bureau. The hacker group is believed to mount financially motivated attacks as part of a program to fund the North Korean state, as well as more traditional cyber-espionage campaigns. In this case, Lazarus targeted developer accounts connected to the blockchain, cryptocurrency, or online gambling sectors. The goal was to deploy a two-stage malware attack on each target. First, it connected with a developer or recruiter and invited them to the Lazarus repository, which houses compromised npm packages that act as the first stage in the attack. These malicious packages then download and deploy the second-stage malware on the victim’s machine.

GitHub has yet to release details about the second part of the attack. However, Phylum researchers shared a technical overview of the first-stage malware and an attack chain in which the first package fetches a token from a remote server and the second package then uses that token to access the malicious script. The script then executes an action that negates TLS certificate validation, which may open the door to attackers engaging in malicious HTTP requests within corporate environments that have deployed their own root certificates for authenticating such communications, Phylum noted. Beyond this step, however, the second-stage malware and its goals are unknown.

Despite reports that no GitHub or npm systems were compromised and that the accounts linked to the attack have been suspended, this targeted attempt highlights the resourcefulness of the North Korean state actors and their growing interest in targeting developers and development environments.

Organizations that believe they have been compromised are advised to review their security logs for indicators of compromise (IoCs). Those include “action:repo.add_member” events correlating with one of the APT repositories that GitHub has listed in its IoCs. For organizations that discover they have executed content from one of the listed, malicious repositories, it is prudent to reset or wipe the devices and change any passwords or tokens that could have been exposed.

News Roundup

Here are the stories we’re paying attention to this week.

Everyone's got Barbie Fever. But you could also catch a Barbie computer virus. Here's how (USA Today)

It seems that even cybercriminals are fans of the new blockbuster Barbie movie. In the weeks leading up to the film’s release, there were at least 100 new instances of malware with Barbie-related filenames found in various online postings, including YouTube videos and movie pirating sites. Most malware had the intention of hacking into unwitting victims’ phones and computers via phishing campaigns that used fake websites, sweepstakes, and other compromised links. The current global obsession with Barbie is the latest incarnation of a common cybercrime tactic, where specialized audiences are targeted because they are perceived as emotional and therefore vulnerable.

SEC Adopts New Rule on Cybersecurity Incident Disclosure Requirements (Dark Reading)

The U.S. Securities and Exchange Commission (SEC) adopted a new rule that requires publicly traded companies to “disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.” To disclose these incidents, companies must fill out Form 8-K within four business days of determining if an incident is material, as defined by the SEC. This new rule has raised questions about the cybersecurity benefits of mandatory disclosure, with calls for greater accountability set against arguments that the new requirement may alert bad actors of previously unknown vulnerabilities they can now exploit before it is patched.

Decoy Dog: New Breed of Malware Posing Serious Threats to Enterprise Networks (The Hacker News)

Modeled on an open-source remote-access Trojan called Pupy RAT, Decoy Dog is a serious upgrade. The "new and improved" malware contains a suite of powerful, previously unknown capabilities – including the ability to move victims to another controller, which allows attackers to maintain communication with compromised machines for longer periods of time, while avoiding detection.

Zero-Day Vulnerabilities Discovered in Global Emergency Services Communications Protocol (Dark Reading)

Due to vulnerabilities found in Terrestrial Trunked Radio (TETRA), a radio voice and data standard mainly used by emergency services, countless global emergency response teams are now open to cyberattacks. These vulnerabilities allow for real-time or delayed decryption, message injection, user de-anonymization, or session key-pinning attacks. More importantly, high-end adversaries can leverage these weak points to listen in on communications, track movements, or manipulate critical infrastructure network communications.

ALPHV ransomware adds data leak API in new extortion strategy (BleepingComputer)

The ALPHV ransomware gang, also referred to as BlackCat, is trying to put more pressure on its victims by providing an API for its leak site to increase visibility for its attacks. This step follows Estée Lauder’s refusal to pay BlackCat’s ransom demand. It appears to be an escalation from BlackCat in an effort to get victims to pay, and it is unclear whether it will work.

Ivanti Zero-Day Vulnerability Exploited in Attack on Norwegian Government (SecurityWeek)

On Monday, Norwegian authorities announced that a dozen government ministries had been targeted in a cyberattack. It has since been reported that the attack was launched using a vulnerability in software provided by Invanti. The flaw relates to an unauthenticated API access issue that can be leveraged remotely to access users’ personally identifiable information (PII) and make limited changes to the server. It affects all supported versions, including 11.10, 11.9, 11.8, and older releases. As soon as Invanti releases a patch, users are urged to install it because the flaw is very easy to exploit. Note that these flaws could also impact Pulse Connect Secure and MobileIron products, since Ivanti acquired them in 2020.