Cybercriminals linked to North Korea are posing as IT recruiters to install malicious software on the devices of job seekers. As reported by Palo Alto Networks, this new method of attack is particularly effective because the malware can be carried onto the targeted company's systems by an unsuspecting employee. This extends the time needed to locate the source of the attack and to identify the group behind it.
How does it work in practice? Cybercriminals make contact with an unsuspecting victim on LinkedIn and then propose an online meeting. For this purpose, they send a link to fake pages that imitate legitimate video call applications. By visiting the external page, the user exposes their device to a cyber attack. This is one of the key moments when the candidate should see a red flag, as there is a high probability that they are dealing with a fraudster.
This activity poses a number of threats, both to the person whose devices have been infected and to the legitimate companies that the specialist will later work with. Malicious software can remain dormant for a long time, waiting for favorable conditions to exfiltrate valuable data. This concerns not only the private information of the attacked user, but also employees who use company equipment for private purposes. Such an employee can unknowingly hand fraudsters a company device as a carrier of malicious software. A successful infection of a company-owned endpoint can result in the collection and exfiltration of confidential information.
"Cybercriminals take advantage of the fact that some employees occasionally use their work computers or phones for personal purposes. Such a person can unintentionally open a path for malicious software to the internal corporate network, causing serious damage. We would like to encourage employers to raise awareness among staff that such scenarios are very likely. We also caution employees to be vigilant when talking to recruiters. We advise you to carefully verify HR employees. From the employer's perspective, we recommend thoroughly checking the candidate's identity and exercising special caution when reviewing repositories on GitHub with a small number of updates," emphasizes Grzegorz Latosiński, country director of Palo Alto Networks in Poland.
The specialists from Palo Alto Networks' Unit 42 are observing continually growing activity by hackers from the Democratic People's Republic of Korea. Initially, such APT groups focused on South Korean government agencies, research institutions, and think tanks. As they evolved, however, they also expanded their reach to Western countries, including the United States[1], proving that they pose a global threat. The attackers are interested in both money and espionage.
Recently, researchers from Palo Alto Networks discovered two samples of malicious software used by the threat group Sparkling Pisces (aka Kimsuky). The group is known for its sophisticated cyber espionage operations and advanced phishing attacks. Its most widely known action was the attack on Korea Hydro and Nuclear Power (KHNP) in 2014[2].
Known as the "king of spear phishing"[3], Sparkling Pisces is another group conducting hundreds of attacks aimed at persuading victims to download and run malicious software. The group recently targeted residents of South Korea while masquerading as a legitimate South Korean company[4] and using a valid certificate to sign its malware. Sparkling Pisces is also known for its complex and constantly evolving infrastructure.
Such organised groups of cybercriminals will be increasing the scale of their operations in the coming years, so both state administrations and businesses should prepare for attacks that are harder to manage.
[1] https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
[2] https://www.industrialcybersecuritypulse.com/threats-vulnerabilities/throwback-attack-korea-hydro-and-nuclear-power-highlights-the-vulnerability-of-critical-systems/
[3] https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/
[4] https://medium.com/s2wblog/kimsuky-disguised-as-a-korean-company-signed-with-a-valid-certificate-to-distribute-troll-stealer-cfa5d54314e2
Source: https://managerplus.pl/hakerzy-udaja-rekruterow-i-wysylaja-zlosliwe-oprogramowanie-10449