Posted on 02/26/2021 6:29:49 PM PST by bitt
During an attack on the defense industry, the North Korea-linked threat group known as Lazarus was able to exfiltrate data from a restricted network segment by taking control of a router and setting it up as a proxy server.
For initial access, the group used phishing emails featuring COVID-19 themes and containing publicly available personal information of the intended victims. Next, they focused on credential harvesting and lateral movement, including gaining access to and exfiltrating data from restricted network segments.
Active since at least 2009, Lazarus has orchestrated multiple high-profile attacks. In 2019, they focused on cryptocurrency exchanges, but switched to targeting COVID-19 research in 2020, including vaccine maker Pfizer. The group has also targeted security researchers, Google warned recently.
In a report this week, Kaspersky said Lazarus had been targeting the defense industry since at least mid-2020 using a malware cluster it named ThreatNeedle, which is an advanced cluster of the Manuscrypt malware (also known as NukeSped).
Through the use of spear-phishing, the attackers attempted to lure victims into opening a malicious Microsoft Office document and enabling macros to run, with multiple emails being delivered during the last two weeks of May 2020.
In early June, one malicious attachment was opened, providing the hackers with remote control of the system. The ThreatNeedle backdoor was deployed onto the victim’s system, allowing the adversary to perform reconnaissance and deploy additional payloads.
(Excerpt) Read more at securityweek.com ...
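The pivot the article describes (a host reachable from the restricted segment that turns around and talks to the internet) leaves a correlatable trace in flow records. The script below is an added example, not code from SecurityWeek or Kaspersky: it takes constructed flow records with hypothetical addresses (10.10.50.0/24 as the restricted segment, 10.0.0.0/8 as "internal", 203.0.113.0/24 and 198.51.100.0/24 as the outside world) and flags any internal host that accepts a connection from the restricted segment and then, within a short window, opens a connection to a non-internal address. The window, the address ranges and the field names are assumptions for the example.

```python
"""Hunt for a dual-homed host proxying traffic out of a restricted segment.

Added example with constructed flow data; addresses and window are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float     # seconds (constructed timestamps)
    src: str      # source IP
    dst: str      # destination IP
    dport: int    # destination port


# Assumed layout (hypothetical, not taken from the report).
RESTRICTED_NET = ipaddress.ip_network("10.10.50.0/24")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the known internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_proxy_pivots(flows, window_s: float = 5.0):
    """Return a set of (restricted_src, pivot_host, external_dst, pivot_port).

    A pivot is an internal host B such that a restricted-segment host A
    connects to B, and within window_s seconds B itself connects to an
    address that is not internal. Legitimate restricted-to-router traffic
    (DNS, SSH) is not flagged unless the router then reaches out to the
    internet right after it.
    """
    ordered = sorted(flows, key=lambda f: f.ts)
    pivots = set()
    for a in ordered:
        src_restricted = ipaddress.ip_address(a.src) in RESTRICTED_NET
        if not src_restricted or not is_internal(a.dst):
            continue
        for b in ordered:
            if b.ts < a.ts:
                continue
            if b.ts - a.ts > window_s:
                break  # ordered by time, nothing later can match
            if b.src == a.dst and not is_internal(b.dst):
                pivots.add((a.src, a.dst, b.dst, a.dport))
    return pivots


# Constructed sample flows (not real telemetry).
SAMPLE_FLOWS = [
    Flow(100.0, "10.10.50.21", "10.10.50.1", 8080),  # restricted host -> router, odd port
    Flow(101.2, "10.10.50.1", "203.0.113.7", 443),   # router -> internet 1.2s later: pivot
    Flow(200.0, "10.10.50.22", "10.10.50.1", 53),    # DNS query to router
    Flow(200.1, "10.10.50.1", "10.1.0.5", 53),       # forwarded to internal resolver: benign
    Flow(300.0, "10.1.0.9", "10.1.0.1", 443),        # corporate host, not restricted
    Flow(300.5, "10.1.0.1", "198.51.100.3", 443),    # corporate gateway egress: ignored
    Flow(400.0, "10.10.50.23", "10.10.50.1", 22),    # admin SSH to router
    Flow(450.0, "10.10.50.1", "203.0.113.9", 443),   # 50s later: outside window, no alert
]


if __name__ == "__main__":
    for src, pivot, ext, port in sorted(find_proxy_pivots(SAMPLE_FLOWS)):
        print(f"possible proxy pivot: {src} -> {pivot}:{port} -> {ext}")
```

On a real network the restricted host would also be expected to hit only a short allow-list of ports on the router; the time correlation is what separates a forwarded DNS lookup from a host being used as a relay. Tune the window to the flow exporter's active timeout, since long-lived proxy sessions will be reported with timestamps well after the first packet.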
Clever little buggers. Not surprised they have nukes & missiles to deliver them.
People need to stop opening emails from senders they do not know or are not expecting email from. Come on, man!
Wasn’t much of a “restricted network segment” if operators had access to email or the internet...
And am not a big fan of running a router on a server. Get purpose built hardware for routing. More expensive, but the different underlying OS can provide some measure of attack surface “fragmentation”.
Agreed. We have VLANs where there is no off prem traffic allowed. That’s always a good practice if things are really meant to be “restricted”.
I don’t think you read that right.
They put a small proxy server into the standalone router. It’s easy to do to your own home router with alternate firmware.
I think that router was a Linux server running CentOS.
Have y’all noticed that ALL comments on YouTube have been disabled? You can’t comment on a bread-making video. Completely shut down. Across the platform.
I posted a reply on a music channel just a minute ago.