Effective URL: https://www.theregister.com/2022/04/15/lazarus_chemical_korea/
Security

North Korea's Lazarus cyber-gang caught 'spying' on chemical sector companies

Crypto-coin theft isn't enough to keep these miscreants busy

Jessica Lyons Hardcastle
Fri 15 Apr 2022 // 02:30 UTC

North Korea's Lazarus cybercrime gang is now breaking into chemical sector companies' networks to spy on them, according to Symantec's threat intel team.

While the Korean crew's recent, and highly profitable, thefts of cryptocurrency have been in the headlines, the group still keeps its spying hand in. Fresh evidence has been found linking a recent espionage campaign against South Korean targets to file hashes, file names, and tools previously used by Lazarus, according to Symantec.

The security shop says the spy operation is likely a continuation of the state-sponsored snoops' Operation Dream Job, which started back in August 2020. This scheme involved using phony job offers to trick job seekers into clicking on links or opening malicious attachments, which then allowed the criminals to install spyware on the victims' computers.

ClearSky and AT&T security researchers documented Dream Job campaigns targeting defense, government, and engineering organizations in 2020 and 2021. And earlier this year, Qualys security researchers documented a similar scam targeting Lockheed Martin job applicants.

Symantec's threat hunting team says Lazarus' more-recent focus on chemical companies began in January, when the security firm detected network activity on "a number of organizations based in South Korea."

In this case, the attacks usually begin with the victim receiving a malicious HTML file, which is somehow copied to a DLL file called scskapplink.dll that is used to compromise an application on the system.

"The DLL file gets injected into INISAFE Web EX Client, which is legitimate system management software. The scskapplink.dll file is typically a signed Trojanized tool with malicious exports added," the Symantec threat hunters said, adding that the crime gang has used the following developer signatures: DOCTER USA, INC and "A" MEDICAL OFFICE, PLLC.

The injected malicious code downloads and executes a backdoor payload from a command-and-control server that Symantec said uses the URL parameter key/values "prd_fld=racket." At this point, the malware repeatedly connects to the C2 server to execute shellcode and download additional malware to run.

Additionally, the crooks use Windows Management Instrumentation (WMI) to move laterally across the network and inject into the MagicLine application by DreamSecurity on other computers.

In one particular case that the threat hunters detail in the blog, the attackers stole credentials from the SAM and SYSTEM registry hives, and then spent several hours running unknown shellcode using a loader called final.cpl, which Symantec said was likely to collect the dumped system hives.

In other instances, the security team said the attackers installed a BAT file to gain persistence in the network, and deployed post-compromise tools, including SiteShoter, which takes screenshots of web pages viewed on the infected machine.

"They were also seen using an IP logging tool (IP Logger), a protocol used to turn computers on remotely (WakeOnLAN), a file and directory copier (FastCopy), and the File Transfer Protocol (FTP) executed under the MagicLine process," Symantec noted.

US threatens to freeze Lazarus assets

The security firm's research comes as the US Treasury Department linked the Pyongyang-backed criminals to last month's security breach of video game Axie Infinity's Ronin Network, in which crooks made off with about $625 million in cryptocurrency.

Meanwhile Washington is also pursuing a UN Security Council resolution that would freeze Lazarus' assets and be a direct blow to the North Korean government's coffers. The move, according to Reuters, is part of a larger draft resolution that would impose further sanctions on North Korea for its renewed ballistic missile launches.

In addition to battling Kim Jong-un's cyber goons, the Feds are warning critical infrastructure operators to be on high alert for miscreants targeting industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices.

A joint alert from CISA, the Department of Energy, NSA, and the FBI said that some of the at-risk devices include programmable logic controllers from Schneider Electric and Omron Electronics as well as Open Platform Communications Unified Architecture servers. Threat groups have created custom tools to scan for, compromise, and eventually control affected devices after gaining initial access to an organization's operational technology networks.