North Korea Exploited VPN Flaw to Hack South’s Nuclear Research Institute
South Korea’s state-run Korea Atomic Energy Research Institute (KAERI) on Friday disclosed that its internal network was infiltrated by suspected attackers operating out of its northern counterpart.
The intrusion is said to have taken place on May 14 through a vulnerability in a VPN product from an unnamed vendor, and involved a total of 13 IP addresses, one of which, "27.102.114[.]89", has previously been linked to the state-sponsored threat actor tracked as Kimsuky.
KAERI, established in 1959 and situated in the city of Daejeon, is a government-funded research institute that designs and develops nuclear technologies related to reactors, fuel rods, radiation fusion, and nuclear safety.
“Currently, the Atomic Energy Research Institute is investigating the subject of the hacking and the amount of damage,” the entity said in a statement.
The development comes following a report from SISA Journal, which disclosed the breach, alleging that the agency was attempting to cover up the hack by denying such an incident took place.
KAERI attributed the initial denial to a "mistake in the response of the working-level staff."
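The report publishes one of the 13 addresses in defanged form ("27.102.114[.]89"). The following is an added example, not code from KAERI or from the report, showing how an incident responder would refang such an indicator and sweep VPN authentication logs for it. The log format and the log lines are constructed for the example; the other 12 addresses were not published, so only the one above is used.

```python
import ipaddress
import re

# Defanged indicator exactly as published in the report ("[.]" in place of ".").
REPORTED_IOCS = ["27.102.114[.]89"]

# Constructed VPN authentication log lines (not real KAERI data); the
# key=value format is an assumption made for this example.
SAMPLE_LOG = """\
2021-05-14T02:11:07Z vpn-gw01 auth=ok user=jkim src=27.102.114.89 proto=ssl-vpn
2021-05-14T02:11:40Z vpn-gw01 auth=ok user=jkim src=27.102.114.89 proto=ssl-vpn
2021-05-14T03:02:13Z vpn-gw01 auth=ok user=slee src=210.91.44.17 proto=ssl-vpn
2021-05-14T03:15:55Z vpn-gw01 auth=fail user=admin src=27.102.114.89 proto=ssl-vpn
2021-05-15T08:00:02Z vpn-gw01 auth=ok user=hpark src=203.0.113.8 proto=ssl-vpn
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)"
)


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4', 'hxxp://') back into its literal form."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def load_iocs(defanged):
    """Refang and validate IP indicators; an invalid address raises ValueError
    rather than silently matching nothing."""
    return {ipaddress.ip_address(refang(i)) for i in defanged}


def find_ioc_hits(log_text: str, iocs):
    """Return the parsed fields of every log line whose source IP is a known IOC."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed address field; not a candidate
        if src in iocs:
            hits.append(m.groupdict())
    return hits


def summarize(hits):
    """Per-IP counts of successful vs failed logins plus the accounts touched,
    which is what an analyst needs to scope which credentials to reset."""
    summary = {}
    for h in hits:
        s = summary.setdefault(h["src"], {"ok": 0, "fail": 0, "users": set()})
        s["ok" if h["result"] == "ok" else "fail"] += 1
        s["users"].add(h["user"])
    return summary


if __name__ == "__main__":
    found = find_ioc_hits(SAMPLE_LOG, load_iocs(REPORTED_IOCS))
    for ip, s in summarize(found).items():
        print(ip, "ok=%d fail=%d users=%s" % (s["ok"], s["fail"], sorted(s["users"])))
```

Comparing `ipaddress` objects rather than strings avoids misses on equivalent but differently written addresses (leading zeros, IPv6 compression) and rejects malformed indicators up front.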
Google Releases New Framework to Prevent Software Supply Chain Attacks
As software supply chain attacks emerge as a point of concern in the wake of SolarWinds and Codecov security incidents, Google is proposing a solution to ensure the integrity of software packages and prevent unauthorized modifications.
Called “Supply chain Levels for Software Artifacts” (SLSA, and pronounced “salsa”), the end-to-end framework aims to secure the software development and deployment pipeline — i.e., the source ➞ build ➞ publish workflow — and mitigate threats that arise out of tampering with the source code, the build platform, and the artifact repository at every link in the chain.
Google said SLSA is inspired by the company’s own internal enforcement mechanism called Binary Authorization for Borg, a set of auditing tools that verifies code provenance and implements code identity to ascertain that the deployed production software is properly reviewed and authorized.
It comprises four levels of progressively stricter requirements, with SLSA 4 offering a high degree of confidence that the software has not been tampered with.
SLSA 1 — Requires that the build process be fully scripted/automated and generate provenance
SLSA 2 — Requires using version control and a hosted build service that generates authenticated provenance
SLSA 3 — Requires that the source and build platforms meet specific standards to guarantee the auditability of the source and the integrity of the provenance
SLSA 4 — Requires two-person review of all changes and a hermetic, reproducible build process
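Provenance is the thread running through all four levels: the build emits a signed statement of what was built, from which source, by which builder, and a deployment gate refuses artifacts whose provenance does not check out. The block below is an added example written for this digest, not Google's or the SLSA project's code. It emits an in-toto Statement carrying a SLSA v0.1 provenance predicate and then applies a verification policy. The builder identity, recipe type and source URI are hypothetical, and the HMAC "signature" stands in for the asymmetric signature (normally inside a DSSE envelope) that a real builder would produce.

```python
import hashlib
import hmac
import json

# Hypothetical builder identity and a toy symmetric key standing in for the
# builder's real signing key (assumption: real builders sign with an
# asymmetric key inside a DSSE envelope; HMAC is used here only so the
# example runs offline).
BUILDER_ID = "https://example.com/builders/ci@v1"
BUILDER_KEY = b"example-builder-key-not-for-production"
PROVENANCE_V01 = "https://slsa.dev/provenance/v0.1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_provenance(artifact_name, artifact, source_uri, source_commit):
    """Build an in-toto Statement with a SLSA v0.1 predicate for one artifact.
    The subject pins the artifact by digest; materials pin the source revision."""
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": artifact_name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": PROVENANCE_V01,
        "predicate": {
            "builder": {"id": BUILDER_ID},
            "recipe": {"type": "https://example.com/recipes/make@v1", "definedInMaterial": 0},
            "metadata": {"buildInvocationId": "build-0001", "completeness": {"materials": True}},
            "materials": [{"uri": source_uri, "digest": {"sha1": source_commit}}],
        },
    }


def canonical(statement) -> bytes:
    # Deterministic serialization so signer and verifier hash identical bytes.
    return json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()


def sign_provenance(statement):
    """Wrap the statement in an envelope with the builder's signature over it."""
    payload = canonical(statement)
    sig = hmac.new(BUILDER_KEY, payload, "sha256").hexdigest()
    return {"payload": payload.decode(), "signature": sig}


def verify_artifact(envelope, artifact_name, artifact, trusted_builders):
    """Deployment-gate policy: signature valid, predicate type known, builder
    trusted, and the artifact on disk matches the subject digest. Returns
    (ok, reason) so the caller can log why a deploy was refused."""
    payload = envelope["payload"].encode()
    expected = hmac.new(BUILDER_KEY, payload, "sha256").hexdigest()
    if not hmac.compare_digest(expected, envelope["signature"]):
        return False, "provenance signature invalid"
    statement = json.loads(payload)
    if statement.get("predicateType") != PROVENANCE_V01:
        return False, "unexpected predicate type"
    if statement["predicate"]["builder"]["id"] not in trusted_builders:
        return False, "untrusted builder"
    digest = sha256_hex(artifact)
    for subj in statement["subject"]:
        if subj["name"] == artifact_name and subj["digest"].get("sha256") == digest:
            return True, "ok"
    return False, "artifact digest does not match provenance subject"


if __name__ == "__main__":
    artifact = b"\x7fELF...constructed artifact bytes..."
    env = sign_provenance(make_provenance(
        "app.tar.gz", artifact, "git+https://example.com/repo", "a" * 40))
    print(verify_artifact(env, "app.tar.gz", artifact, {BUILDER_ID}))
    print(verify_artifact(env, "app.tar.gz", artifact + b"x", {BUILDER_ID}))
```

The three refusal paths map onto the threats in the paragraph above: a modified artifact fails the digest check, a forged or edited provenance fails the signature check, and provenance from a build platform the policy does not trust fails the builder check.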
Phishing Campaign that Imitates Legitimate WeTransfer Applications
The Cofense Phishing Defense Center (PDC) has discovered an ongoing phishing campaign that uses bogus websites to impersonate the legitimate WeTransfer application. Threat actors use it to get past secure email gateways (SEGs) and trick users into handing over their credentials. WeTransfer is a file-sharing service that lets users share files with little friction. The malicious link to the WeTransfer phishing landing page is hidden behind the "Get your files" button.
To make the lure look more authentic, the threat actors include a list of typical document names. As in most phishing campaigns, the sender address is spoofed to win the user's trust. In the final stage of the attack, clicking the button sends the user to a fake WeTransfer page, which demands the user's credentials before the "shared file" can be downloaded.
In recent weeks, the PDC has seen over 40 identical campaigns across its customers' environments, reported by users trained to spot suspicious emails. The campaign is designed to bypass SEGs by impersonating a legitimate file-sharing platform.
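Two of the tells described above can be checked mechanically: the sender claims a brand domain that the mail authentication results do not back up, and the "Get your files" link resolves to a host outside the brand's domain. The block below is an added example for this digest, not Cofense's tooling. The lure message, the attacker host and the list of WeTransfer domains treated as legitimate are all constructed for the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure (not a real Cofense sample). The hosts and the
# Authentication-Results line are illustrative.
SAMPLE_EML = """\
From: WeTransfer <noreply@wetransfer.com>
To: victim@example.com
Subject: Documents shared with you
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail.attacker-host.test; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Invoice_2021.pdf, Contract_final.docx, Proposal.xlsx</p>
<a href="https://files-wetransfer.attacker-host.test/get?x=1">Get your files</a>
</body></html>
"""

# Assumed set of domains the brand legitimately sends from and links to.
LEGIT_DOMAINS = {"wetransfer.com", "wetransfer.net"}


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href"), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for the domains used here,
    a real deployment would use a public-suffix list."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def analyze(raw: str) -> dict:
    """Return the claimed From domain, the extracted links and a list of findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = registrable(msg["From"].addresses[0].domain)
    findings = []

    # 1. Spoofed sender: the From domain is a brand domain but SPF/DKIM do not pass.
    auth = str(msg.get("Authentication-Results", ""))
    if from_domain in LEGIT_DOMAINS and not ("spf=pass" in auth and "dkim=pass" in auth):
        findings.append("from-domain-unauthenticated")

    # 2. Brand/link mismatch: the branded button points off-domain, possibly to a lookalike host.
    parser = LinkExtractor()
    parser.feed(msg.get_body(preferencelist=("html",)).get_content())
    for href, _text in parser.links:
        host = urlparse(href or "").hostname or ""
        if registrable(host) not in LEGIT_DOMAINS:
            if from_domain in LEGIT_DOMAINS:
                findings.append("brand-link-mismatch:" + host)
            if "wetransfer" in host.lower():
                findings.append("lookalike-host:" + host)

    return {"from_domain": from_domain, "links": parser.links, "findings": findings}


if __name__ == "__main__":
    print(analyze(SAMPLE_EML))
```

Neither check alone is conclusive: a forwarded legitimate notification can fail DKIM, and a real notification can carry tracking links on a third-party host. Together with the "shared file list" lure pattern they give a SEG or analyst enough to quarantine the message for review.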
Latest Campaign by Molerats Hackers Target Middle Eastern Governments
After a two-month break, a Middle Eastern advanced persistent threat group has resurfaced and is targeting government institutions in the Middle East, along with government bodies elsewhere that are involved in the region's geopolitics, as part of its latest malicious activity. Proofpoint, headquartered in Sunnyvale, attributed the activity to a politically motivated threat actor tracked as TA402 and colloquially known as Molerats or GazaHackerTeam. TA402 is believed to operate in support of military or Palestinian state objectives. The threat actor has been active for a decade, with a history of compromising organizations mainly in Israel and Palestine.
The final step of the infection chain extracts an archive to drop a custom implant named LastConn, an updated version of a backdoor called SharpStages that was revealed in December 2020 by Cybereason researchers.
Stay Focused. Stay Vigilant.
Cyber Threat Incident Management Team — Cyber Security Community @ SLIIT