Cyber Security Headlines: North Korea targets security researchers, the UK’s National Protective Security Authority, bank failures hit crypto

North Korea targets security researchers

Mandiant reports it spotted the North Korea-linked threat actors UNC2970 operating a phishing campaign since June 2022. The campaign uses three new malware families, specifically focusing on security researchers. It used job recruitment-based lures in a spearphishing approach. These lures impersonated legitimate recruiters and eventually shifted conversations to WhatsApp, where it would deliver malicious Word docs to install a backdoor. 

(Ars Technica)

UK launches National Protective Security Authority

The UK announced the new body as part of its MI5 domestic intelligence service, as a successor to its Centre for the Protection of National Infrastructure. The NPSA will specifically work with UK organizations, informing them of “state-sponsored attempts at stealing sensitive research and information.” In announcing the new organization, the UK government specifically cited emerging geopolitical threats from Russia’s Ukraine invasion and “China’s economic coercion.” The NPSA will work with the National Cyber Security Centre to provide training, tooling, and guidance. 

(The Record)

Bank failures bleed into crypto

The collapse of both Silvergate Capital and Silicon Valley Bank already saw significant impacts to the cryptocurrency industry. Now another major player will make it harder to move cryptocurrency payments. Over the weekend, banking regulators seized Signature Bank. Like with SVB, the federal government guaranteed all deposits for depositors of the bank. However this seizure pay make it much harder for commercial clients to continue making payments in cryptocurrency. Signature’s Signet and the Silvergate Exchange Network represented core real-time payment platforms with instant settlement services. Federal guarantees of deposits did help rally bitcoin and other cryptocurrency prices, but stablecoins seem to have faired the worst in this banking crisis, with the USDC stablecoin losing its peg to the US dollar down to $0.87 at one point over the weekend. 


Fake ChatGPT spreads real malware

A technical report from Guardio Labs researcher Nati Tal highlighted a fake ChatGPT Chrome extension spreading malware. The extension can hijack Facebook business accounts by harvesting cookies. Then it creates rogue admin accounts to retain access. The operators use this to push Facebook paid ads that attempt to further hijack other accounts. The extension saw 2,000 installs a day from March 3 before Google pulled it on March 9th. Threat actor definitely see potential using the promise of early and exclusive access to ChatGPT as a lure. Last month Cyble reported a social engineering campaign using ChatGPT access as a way to download infostealers. And researchers reported numerous malicious ChatGPT apps on the Google Play Store.

(Hacker News)

Emotet comes back from vacation

After a three-month hiatus, researchers report the pernicious threat group resumed activity. It appears Emotet operators now aim to target high-value corporate networks with malicious emails. The end result seems to be obtaining access that it can sell to ransomware groups. This marks a significant shift for the group, which started as a banking trojan and operated more recently as a massive botnet. Deep Instinct’s Threat Research team reports it saw the group attaching malicious Word files in its emails with macros that could eventually execute its DLL. Emotet appears to get around traditional security scanning by making the initial attack file and payloads inflated to 500 megabytes. 

(SC Media)

Estonia’s elections targeted by cyberattack

The head of the National Cyber Security Centre-Estonia informed The Record that threat actors unsuccessfully targeted the country’s parliamentary election earlier this month. This came as Estonia used its internet voting system for the first time in the election. Officials said attackers did not successfully enter its electoral system, specifying “nothing out of the ordinary happened.” Estonia said that cyberthreat activities were consistent with what its seen over the last year since Russia invaded Ukraine. Officials declined to give specifics on the attack. 

(The Record)

AI-generated YouTube videos spread infostealers

Researchers at CloudSEK warned that it observed a 200-300% increase month-over-month on the amount of YouTube videos with links to infostealing malware in the description. In some instances, threat actors hijack legitimate accounts to push malware laden videos. Researchers say threat actors increasingly use AI-generated content to quickly push out new videos. While threat actors retain access to channels for only a few hours, they seem proficient at quickly publishing malicious content and using SEO poisoning techniques to quickly get them views. Generally links promise free software downloads for things like PhotoShop and AutoCAD, but instead install infostealers. 

(The Hacker News)

CISA works to diversify cybersecurity 

The US Cybersecurity and Infrastructure Security Agency signed a memorandum of understanding to enter into a partnership with the nonprofit Women in CyberSecurity, or WiCyS. This partnership will seek to raise awareness of job opportunities for women in the industry and create “a pipeline for the next generation of women.” This will include a new nine-month mentorship program with CISA. In 2022, the International Information System Security Certification Consortium estimated women made up roughly 25% of the global cybersecurity workforce. CISA director Jen Easterly recently called for women and underrepresented minorities to make up half the workforce by 2030. 

(The Register)

Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.