Cyberattacks Target Websites of German Airports, Admin


The websites of German airports, public administration bodies and financial sector organizations have been hit by cyberattacks instigated by a Russian “hacker group”, authorities said Thursday.

The Federal Cyber Security Authority (BSI) had “knowledge of DDoS attacks against targets in Germany”, a spokesman told AFP.

A distributed denial-of-service (DDoS) attack is designed to overwhelm the target with a flood of internet traffic, preventing the system from functioning normally.

The attacks were aimed “in particular at the websites of airports”, as well as some “targets in the financial sector” and “the websites of federal and state administrations”, the spokesman said.

The attack had been “announced by the Russian hacker group Killnet”, the BSI spokesman said.

The group’s call to arms was in response to Chancellor Olaf Scholz’s announcement Wednesday that Germany would send Leopard 2 tanks to Ukraine to help repel the Russian invasion, according to financial daily Handelsblatt.

Attributing Thursday’s attacks directly to the hacker group, however, was “particularly hard”, the BSI spokesman said.

“They call for action and then a lot of people take part,” he said. The attacks made “some websites unavailable”, the BSI said, without there being “any indication of direct impacts on (the organisations’) services”.

Attacks on public administrations were “largely repelled with no serious impacts”, the BSI said.

The interior ministry for southwestern Baden-Wuerttemberg state acknowledged “nationwide” DDoS attacks since Wednesday evening against websites, including those of public administration and the regional police.

Germany is on high alert for cyberattacks in the wake of Russia’s war in Ukraine.

The Federal Office for Information Security said in October that the threat level for hacking attacks and other cybercrime activities was higher “than ever”.

The post Cyberattacks Target Websites of German Airports, Admin appeared first on SecurityWeek.

North Korean APT Expands Its Attack Repertoire


The advanced persistent threat (APT) tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated (that is, has had its infrastructure abused by other hackers). 

TA444 is a North Korean state-sponsored threat group tracked by Proofpoint as actively targeting cryptocurrencies since at least 2017. It has overlaps with other DPRK groups such as APT38, Bluenoroff, BlackAlicanto, Stardust Chollima, and Copernicum – but not enough in Proofpoint’s telemetry to be specifically tied to any one of these.

For example, Mandiant has described activity known as CryptoCore and Dangerous Password as a “likely subgroup of APT38”. Proofpoint adds SnatchCrypto, and defines all three as campaigns operated by TA444. If both sets of researchers are correct, it may be that TA444 is a subgroup of APT38. Nevertheless, the overlapping nature of differently named DPRK groups makes it difficult to delineate them clearly, and many people still refer to the umbrella name of Lazarus.

In its first publicly available report on the TA444 group, Proofpoint notes that like other DPRK groups, it is likely tasked with stealing currency to offset sanctions against the state. Around 2017 it began to focus on stealing cryptocurrency. “TA444 had two main avenues of initial access,” notes the report: “an LNK-oriented delivery chain and a chain beginning with documents using remote templates.”

In 2022, however, while continuing to use these methods, it increased its usage of macros for malware delivery. Usually, when threat actors experiment with new delivery mechanisms, they continue to use their existing payloads. Not so with TA444 in 2022. “This suggests,” say the researchers, “that there is an embedded, or at least a devoted, malware development element alongside TA444 operators.”

In early December 2022, the researchers observed a new approach from TA444 – a relatively basic credential harvesting phishing campaign. A TA444 C2 domain began distributing OneDrive phishing emails “rife with typos” to targets in the US and Canada. The infrastructure used suggests it was TA444; the campaign suggests otherwise.

The researchers offer three possibilities: it could be TA444 simply expanding its repertoire; the group could be moonlighting from its primary purpose of sidestepping North Korea’s sanctions; or a different threat actor could have hijacked TA444’s infrastructure.

Whatever the reason, the phishing campaign in December nearly doubled the total volume of TA444 emails observed by Proofpoint for the whole of 2022. Emails were sent to Admin at the target domain. The From entry was “admin[@]sharedrive[.]ink” and the subject was “linvoice” (that is, Invoice starting with a lowercase L rather than uppercase I).

[Image: New style phishing email from TA444]

The lure entices the target to click on a SendGrid URL, which redirects to the attackers’ credential harvesting page, which in turn uses common phishing tactics such as loading the victim’s iconography via the logo-rendering service ClearBit.

Proofpoint has ‘moderate to moderately high’ confidence that the campaign is operated by TA444, based on the exclusivity of TA444’s infrastructure. “The emails also had valid DMARC and SPF records, indicating that the sender has control of that domain,” add the researchers.
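As an added illustration (not from the Proofpoint report or SecurityWeek), the two details above can be turned into triage logic: a check that flags a subject such as “linvoice” that only reads as a lure word once lookalike characters are collapsed, and a parser that records an SPF/DMARC pass without treating it as a trust signal, since a sender-controlled domain passes both by construction. The sample message, domains and lure word list are constructed placeholders.

```python
import re
from email import message_from_string

# Single-character lookalikes used in lure subjects; the page's example swaps an
# uppercase I for a lowercase L. Text is lowercased before mapping. (Assumed list.)
CONFUSABLES = {"l": "i", "1": "i", "|": "i", "0": "o", "5": "s", "$": "s"}
LURE_WORDS = ("invoice", "payment", "shared document")  # assumed lure vocabulary

def skeleton(text):
    """Lowercase the text and collapse visually confusable characters."""
    return "".join(CONFUSABLES.get(c, c) for c in text.lower())

def edit_distance(a, b):
    """Plain Levenshtein distance; inputs here are short subject lines."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_subject(subject):
    """True only when a lookalike swap is present AND the collapsed form is
    within one edit of a lure word, so 'Invoice' and 'Invoices' are not flagged."""
    lowered = subject.strip().lower()
    skel = skeleton(lowered)
    if skel == lowered:
        return False  # no confusable characters in the subject at all
    return any(edit_distance(skel, w) <= 1 for w in LURE_WORDS)

def auth_results(msg):
    """Extract spf/dmarc verdicts from an Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dmarc)=(\w+)", header, re.I)}

def assess(raw):
    """Return triage flags for a raw RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []
    if lookalike_subject(msg.get("Subject", "")):
        flags.append("subject uses lookalike characters for a lure word")
    auth = auth_results(msg)
    if auth.get("spf") == "pass" and auth.get("dmarc") == "pass":
        flags.append("spf/dmarc pass proves domain control, not legitimacy")
    return flags

# Constructed sample modelled on the campaign described above (placeholder domains).
SAMPLE = """\
From: admin@sharedrive.example
To: admin@target.example
Subject: linvoice
Authentication-Results: mx.target.example; spf=pass smtp.mailfrom=sharedrive.example; dmarc=pass header.from=sharedrive.example

Please review the shared invoice.
"""
```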

Related: FBI Confirms North Korean Hackers Behind $100M Horizon Bridge Heist

Related: Lazarus Group Targets South Korea via Supply Chain Attack

Related: North Korea APT Lazarus Targeting Chemical Sector

Related: North Korea’s Lazarus Targets Energy Firms With Three RATs

The post North Korean APT Expands Its Attack Repertoire appeared first on SecurityWeek.

FBI Confirms North Korean Hackers Behind $100 Million Horizon Bridge Heist


The FBI has officially attributed last year’s Horizon bridge hack and cryptocurrency heist to a threat group widely believed to be operating on behalf of the North Korean government.

The Horizon bridge is designed to enable cryptocurrency holders to move assets between Harmony’s network and the Ethereum network, Binance Chain and Bitcoin.

In June 2022, news broke that someone had managed to steal $100 million from the Horizon bridge — specifically the Ethereum side — after obtaining and decrypting private keys. 

Shortly after the cryptocurrency heist came to light, blockchain analytics firm Elliptic named North Korea’s Lazarus hacking group as the prime suspect. 

The FBI confirmed on Monday that the Lazarus group, which is also tracked as APT38, is behind the cyberattack on the Horizon bridge.

The agency noted that US authorities are identifying and disrupting North Korea’s cryptocurrency theft and laundering activities, which are used by the regime to fund its ballistic missile and weapons of mass destruction programs. 

“On Friday, January 13, 2023, North Korean cyber actors used Railgun, a privacy protocol, to launder over $60 million worth of ethereum (ETH) stolen during the June 2022 heist. A portion of this stolen ethereum was subsequently sent to several virtual asset service providers and converted to bitcoin (BTC),” the FBI said. 

The agency said part of these funds were frozen with the help of virtual asset service providers, while the rest have been moved to nearly a dozen addresses, which have been made public. 

North Korean state-sponsored hackers are believed to be behind several high-profile cryptocurrency heists and this is not the first time the US government has officially blamed them for an attack. 

In April 2022, the US blamed the Lazarus group for the $600 million Ronin Validator hack.

According to blockchain analysis company Chainalysis, Lazarus stole $400 million worth of crypto assets in 2021.

Related: North Korea APT Lazarus Targeting Chemical Sector

Related: North Korea’s Lazarus Targets Energy Firms With Three RATs

The post FBI Confirms North Korean Hackers Behind $100 Million Horizon Bridge Heist appeared first on SecurityWeek.

FBI Chief Says He’s ‘Deeply concerned’ by China’s AI Program


FBI Director Christopher Wray said Thursday that he was “deeply concerned” about the Chinese government’s artificial intelligence program, asserting that it was “not constrained by the rule of law.”

Speaking during a panel session at the World Economic Forum in Davos, Switzerland, Wray said Beijing’s AI ambitions were “built on top of massive troves of intellectual property and sensitive data that they’ve stolen over the years.”

He said that left unchecked, China could use artificial intelligence advancements to further its hacking operations, intellectual property theft and repression of dissidents inside the country and beyond.

“That’s something we’re deeply concerned about, and I think everyone here should be deeply concerned about,” he said.

Read: Ethical AI, Possibility or Pipe Dream?

More broadly, he said, “AI is a classic example of a technology where I have the same reaction every time. I think, ‘Wow, we can do that?’ And then I think, ‘Oh god, they can do that.’”

Such concerns have long been voiced by U.S. officials. In October 2021, for instance, U.S. counterintelligence officials issued warnings about China’s ambitions in AI as part of a renewed effort to inform business executives, academics and local and state government officials about the risks of accepting Chinese investment or expertise in key industries.

Earlier that year, an AI commission led by former Google CEO Eric Schmidt urged the U.S. to boost its AI skills to counter China, including by pursuing “AI-enabled” weapons.

A spokesperson for the Chinese Embassy in Washington did not immediately respond to a request seeking comment Thursday about Wray’s comments. Beijing has repeatedly accused Washington of fearmongering and attacked U.S. intelligence for its assessments of China.

Related: Bias in Artificial Intelligence: Can AI be Trusted?

Related: EU Proposes Rules for Artificial Intelligence to Limit Risks

Related: Becoming Elon Musk – the Danger of Artificial Intelligence

Related: Facial Recognition Firm Clearview AI Fined $9.4 Million by UK Regulator

The post FBI Chief Says He’s ‘Deeply concerned’ by China’s AI Program appeared first on SecurityWeek.