[TheRecord] Watering hole attack found on popular North Korean-themed news site

A North Korean cyber-espionage group has breached one of the most popular North Korean-themed news sites on the internet in order to carry out a watering hole attack and infect some of the site’s visitors with malware.

The watering hole attack lasted from at least late March 2021 until early June 2021, security firm Volexity said in a report yesterday.

The attack kit consisted of two browser exploits, loaded on the site through a JavaScript file, which infected the systems of visitors who browsed the Daily NK website with old Internet Explorer or legacy Edge browsers.

According to Volexity, the attackers leveraged CVE-2020-1380, a vulnerability in the old IE, and CVE-2021-26411, a newer vulnerability in IE and legacy Edge browsers. For both vulnerabilities, the threat actor used public proof-of-concept code posted online in previous months, the Volexity team said.

The final payloads of these attacks differed over time but included a Cobalt Strike backdoor beacon, which could be used to deploy other malware, or a new malware strain called BlueLight, which could be used to download and execute shellcode or other applications and to search through local files.

The breadth of the attack and how many users were infected are currently unknown.

The Daily NK website is one of the 50,000 most popular websites on the internet, according to the Tranco unified traffic ranking. The website, operated out of South Korea and published in English, is known for its coverage of North Korean topics and is considered a top source of subject-matter expertise on North Korean politics.

Volexity pinned the intrusion into Daily NK’s servers on a North Korean cyber-espionage group known in the cyber-security community under codenames such as APT37, ScarCruft, Ricochet Chollima, and InkySquid.

A spokesperson for the Daily NK did not return a request for comment sent by The Record yesterday.

The post Watering hole attack found on popular North Korean-themed news site appeared first on The Record by Recorded Future.
