The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Treasury Department (Treasury) issued another joint Cybersecurity Advisory (CSA) focused on the cyber threat associated with cryptocurrency thefts and tactics. This advisory is specific to those tactics and techniques used by a North Korean state-sponsored advanced persistent threat (APT) group since 2020. This group is commonly tracked by the cybersecurity industry as Lazarus Group, APT38, BlueNoroff, and Stardust Chollima.
The advisory has noted that North Korean cyber actors are targeting a variety of organizations in the blockchain technology and cryptocurrency industry, including cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable non-fungible tokens (NFTs).
The activity described in this advisory involves social engineering of victims using a variety of communication platforms to encourage individuals to download trojanized cryptocurrency applications on Windows or macOS operating systems. The cyber actors then use the applications to gain access to the victim’s computer, propagate malware across the victim’s network environment, and steal private keys or exploit other security gaps. These activities enable additional follow-on activities that initiate fraudulent blockchain transactions.
Intrusions begin with numerous spearphishing messages sent to employees of cryptocurrency companies. These employees often work in system administration or software development/IT operations (DevOps) and use a variety of communication platforms. The messages often appear as a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications, which the U.S. government refers to as “TraderTraitor.” The term TraderTraitor describes a series of malicious applications written in cross-platform JavaScript for the Node.js runtime using the Electron framework. The malicious applications are derived from a variety of open-source projects and purport to be cryptocurrency trading or price prediction tools. TraderTraitor campaigns feature websites with modern design advertising the alleged features of the applications.
The advisory suggests several mitigations to protect potentially targeted organizations in infrastructure, the financial sector, and in the blockchain and cryptocurrency industry. These mitigations include:
- Apply a defense-in-depth security strategy.
- Implement patch management.
- Enforce credential requirements and multifactor authentication.
- Educate users on social engineering on social media and spearphishing.
- Implement email and domain mitigations.
- Implement endpoint protection security controls.
- Enforce application security.
- Disable macros in office products.
- Be aware of third-party downloads, especially those for cryptocurrency applications.
- Create an incident response plan to respond to possible cyber intrusions.
DNS Security Will Be Critical to Your Defense
Over the past few years, it has been documented that the Lazarus Group has acquired domains related to their campaigns to act as distribution points and C2 channels (MITRE ATT&CK T1583.001, https://attack.mitre.org/groups/G0032/). In some cases, the Lazarus Group has obtained SSL certificates for their C2 domains (MITRE ATT&CK T1588.004, same reference).
As always, DNS is a common denominator for threat actors, and the Lazarus Group is no exception. DNS is used to set up and execute the attack chain in the majority of cyberattacks, including those by the Lazarus Group, and in particular when an infected system communicates with the actors’ command and control (C2) servers. Because DNS is critical infrastructure that every organization already relies on for connectivity, it can also be used to improve your organization’s security posture.
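As an added illustration of the DNS-based detection this section argues for (example code, not from the advisory or from Infoblox), the following Python flags a host that resolves the same name at a fixed cadence, the beaconing pattern that C2 traffic over DNS tends to leave in resolver query logs. The dnsmasq-style log format and every domain and address in it are constructed for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed dnsmasq-style query log (not real indicators): one host resolves
# api.trader-update.test every 30s like a C2 beacon; the other names are browsing noise.
SAMPLE_LOG = """\
2022-04-18T09:00:00 query[A] updates.example-cdn.test from 10.0.0.21
2022-04-18T09:00:30 query[A] api.trader-update.test from 10.0.0.21
2022-04-18T09:01:00 query[A] api.trader-update.test from 10.0.0.21
2022-04-18T09:01:30 query[A] api.trader-update.test from 10.0.0.21
2022-04-18T09:02:00 query[A] api.trader-update.test from 10.0.0.21
2022-04-18T09:02:30 query[A] api.trader-update.test from 10.0.0.21
2022-04-18T09:00:12 query[A] www.example-news.test from 10.0.0.21
2022-04-18T09:03:47 query[A] www.example-news.test from 10.0.0.21
2022-04-18T09:11:05 query[A] www.example-news.test from 10.0.0.21
2022-04-18T09:25:30 query[A] www.example-news.test from 10.0.0.21
2022-04-18T09:40:02 query[A] www.example-news.test from 10.0.0.21
"""
LINE_RE = re.compile(r"^(\S+) query\[(\w+)\] (\S+) from (\S+)$")

def parse_queries(log_text):
    """Return (timestamp, client, name) tuples; lines that do not match are skipped."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((datetime.fromisoformat(m.group(1)), m.group(4), m.group(3).lower()))
    return out

def find_beacons(queries, min_queries=5, max_jitter=0.2):
    """Return {(client, name): mean_gap_seconds} for pairs queried at a regular cadence (stdev/mean <= max_jitter)."""
    by_pair = defaultdict(list)
    for ts, client, name in queries:
        by_pair[(client, name)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_queries:
            continue  # too few samples to judge cadence
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits[pair] = mean
    return hits

if __name__ == "__main__":
    for (client, name), gap in find_beacons(parse_queries(SAMPLE_LOG)).items():
        print(f"{client} -> {name}: ~{gap:.0f}s cadence, review as possible C2 beaconing")
```

Real beacons add jitter and sleep intervals, so tune `min_queries` and `max_jitter` against your own baseline and pair the output with domain age or reputation data from your resolver before alerting.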
You can see more information on the Lazarus Group here: https://attack.mitre.org/groups/G0032/.
For more information on North Korean state-sponsored malicious cyber activity, visit https://www.us-cert.cisa.gov/northkorea.
Learn more about DNS security here: https://www.infoblox.com/products/bloxone-threat-defense/
To find out more about how Infoblox can help protect your DNS infrastructure, please reach out to us via https://info.infoblox.com/contact-form/.
A June 2021 Gartner report recommends organizations leverage DNS logs for threat detection and forensic purposes with their Security Information and Event Management platforms.
Organizations should report anomalous cyber activity and/or cyber incidents 24/7 to report@cisa.gov or (888) 282-0870.