North Korean Hackers Turn to Credential Harvesting in Latest Wave of Cyberattacks
February 6th, 2023
In a recent report, Proofpoint Inc. talks about TA444, a North Korean nation-state group known for targeting cryptocurrencies. The infamous North Korean advanced persistent threat (APT) group has changed its strategy, and has been connected to a new wave of email attacks as a part of “sprawling” credential harvesting activity.
Proofpoint is tracking the state-aligned threat actor under the name TA444, while it is being tracked by others in the cybersecurity community as BlueNoroff, APT38, Copernicium, and Stardust Chollima.
What is Credential Harvesting?
Credential harvesting is a method used by hackers to attack an organization to virtually access their credentials, which usually include emails, email addresses, usernames and passwords. Several techniques are used to do this and then this information may be sold by the hacker to third parties over the Dark Web.
Some of the techniques and processes used by hackers to access credentials illegally include: man-in-the-middle (MiTM), DNS poisoning and phishing.
What is TA444’s Recent Strategy?
According to the report, shared with The Hacker News, TA444 is “utilizing a wider variety of delivery methods and payloads alongside blockchain-related lures, fake job opportunities at prestigious firms, and salary adjustments to ensnare victims.”
This state-sponsored group’s motivation is towards making unlawful money for the North Korean regime, rather than the usual reasons like data theft and espionage.
According to The Record, Proofpoint’s senior threat researcher, Greg Lesnewich, TA444, the North Korean advanced persistent threat (APT) group, operates “with a startup mentality and a passion for cryptocurrency.” He went on to say that, “This threat actor rapidly ideates new attack methods while embracing social media as part of their MO.”
The company told the Hacker News that, “In 2022, TA444 took its focus on cryptocurrencies to a new level and has taken to mimicking the cybercrime ecosystem by testing a variety of infection chains to help expand its revenue streams.”
The attackers use phishing emails that are tailored to trap the victim, and have malicious attachments like: LNK files and ISO optical disk images. Also, bogus and compromised LinkedIn accounts that belong to company executives are used to engage victims before sending them infected links.
What Are the Basic Security Measures Your Organization Can Take Against Credential Harvesting?
The very first and basic measure is comprehensive password security. It is essential in order to defend against credential harvesting by cybercriminals. The very least every organization should do is to:
- Make it mandatory for all employees to use strong and unique passwords for all their accounts;
- Have all employees use multi-factor authentication (2FA) on all their accounts, which support it;
- Make sure that all your employees use a password manager.
Advancements like cloud computing have made supply chain vulnerabilities a huge threat for all organizations. Your company may not get attacked, but perhaps one of your vendors might be attacked, which will put your organization at risk too. It is a good idea for all organizations to be subscribed to a Dark Web monitoring service. These services scan the Dark Web forums, so they are in a position to inform organizations in case an employee’s password has been compromised and needs to be reset.
Disclaimer: Any opinions expressed in the blog do not necessarily reflect the opinions of Certrec. The content of this blog is meant for informational purposes only.