Cyber Defense eMagazine February Edition for 2023
Cyber Defense eMagazine February Edition for 2023 #CDM #CYBERDEFENSEMAG @CyberDefenseMag by @Miliefsky a world-renowned cyber security expert and the Publisher of Cyber Defense Magazine as part of the Cyber Defense Media Group as well as Yan Ross, Editor-in-Chief and many more writers, partners and supporters who make this an awesome publication! Thank you all and to our readers! OSINT ROCKS! #CDM #CDMG #OSINT #CYBERSECURITY #INFOSEC #BEST #PRACTICES #TIPS #TECHNIQUES
It was identified that the threat actors were exfiltrating the data to malicious domains, such as shopandtravelusa[.]com, while they also hosted a webmail login that appeared to be a possible phishing site. So, it’s possible that this could have been a multi-use command-and-control server – something that North Korean threat actors have a track record for.
For example, on 27 June 2022, Twitter user “Phantom XSec” reported that a North Korean phishing site (naver[.]challengedrive[.]42web.io) was targeting “defectors” in South Korea with a link that contained a Base64-encoded Google Drive URL and the victim’s email address. The site would then ask users to identify themselves before they were able to download the malicious Google Drive link.
Threats will persist.

Our own research shows that many of the TTPs used by weaponised document attacks were not only similar, but also had identical footprints and IOCs, allowing us to attribute the metadata to a single threat actor.

Given the methods used and the trail of data points uncovered, it is highly likely that each of the weaponised document attack methods discussed here can be attributed to a threat actor operating out of North Korea, likely tied to the infamous Lazarus group. North Korean cyber criminals are known for their continued reliance on ageing malicious infrastructure.

We don’t think this will change as threat actors continue to evolve their techniques.
About the Author

Brett Raybould - EMEA Solutions Architect, Menlo Security

Brett is passionate about security and providing solutions to organisations looking to protect their most critical assets. Having worked for over 15 years for various tier 1 vendors who specialise in detection of inbound threats across web and email as well as data loss prevention, Brett joined Menlo Security in 2016 and discovered how isolation provides a new approach to solving the problems that detection-based systems continue to struggle with.

Cyber Defense eMagazine – February 2023 Edition 158
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.