[TheRecord] Watering hole attack found on popular North Korean-themed news site

A North Korean cyber-espionage group has breached one of the most popular North Korean-themed news sites on the internet in order to carry out a watering hole attack and infect some of the site’s visitors with malware.

The watering hole attack lasted from at least late March 2021 until early June 2021, security firm Volexity said in a report yesterday.

The attack kit consisted of two browser exploits, loaded onto the site through a JavaScript file, which infected visitors to the Daily NK website who were still using old Internet Explorer or legacy Edge browsers.

According to Volexity, the attackers leveraged CVE-2020-1380, a vulnerability in older versions of Internet Explorer, and CVE-2021-26411, a newer vulnerability affecting both Internet Explorer and legacy Edge. For both vulnerabilities, the threat actor reused public proof-of-concept code that had been posted online in the preceding months, the Volexity team said.

The final payloads varied over time but included a Cobalt Strike beacon, which could be used to deploy further malware, and a new malware strain called BlueLight, which could download and execute shellcode or other applications and search through local files.

The breadth of the attack and the number of infected users are currently unknown.

The Daily NK website ranks among the 50,000 most popular websites on the internet, according to the Tranco unified traffic ranking. Operated out of South Korea and published in English, the site is known for its coverage of North Korean topics and is considered a leading source of subject-matter expertise on North Korean politics.

Volexity attributed the intrusion into Daily NK’s servers to a North Korean cyber-espionage group known in the security community under codenames such as APT37, ScarCruft, Ricochet Chollima, and InkySquid.

A spokesperson for the Daily NK did not return a request for comment sent by The Record yesterday.

The post Watering hole attack found on popular North Korean-themed news site appeared first on The Record by Recorded Future.


You might be interested in …

[SecurityWeek] Singapore’s GovTech Announces New Vulnerability Rewards Programme


The Singapore Government Technology Agency (GovTech) on Tuesday introduced a new Vulnerability Rewards Programme (VRP) on HackerOne that offers bug bounty rewards of up to $150,000.


[NCSC-FI News] SEC Breach Disclosure Rule Makes CISOs Assess Damage Sooner

A proposed rule requiring publicly traded companies to disclose a breach within four days of deeming it material will force CISOs to determine the consequences of cyberattacks sooner. The SEC proposal is being celebrated by some CISOs. Equifax’s Jamil Farshchi calls it “too good to be true” and says on LinkedIn that it will give […]


[SecurityWeek] Revelstoke Emerges From Stealth With SOAR Platform


California-based Revelstoke on Tuesday emerged from stealth mode with a security orchestration, automation and response (SOAR) platform designed to help organizations customize and automate their security operations center (SOC).
