Microsoft takes court action against fourth nation-state cybercrime group
On December 27, a U.S. district court unsealed documents detailing work Microsoft has performed to disrupt cyberattacks from a threat group we call Thallium, which is believed to operate from North Korea. Our court case against Thallium, filed in the U.S. District Court for the Eastern District of Virginia, resulted in a court order enabling Microsoft to take control of 50 domains that the group uses to conduct its operations. With this action, the sites can no longer be used to execute attacks.
Microsoft's Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) have been tracking and gathering information on Thallium, monitoring the group's activities to establish and operate a network of websites, domains and internet-connected computers. This network was used to target victims and then compromise their online accounts, infect their computers, compromise the security of their networks and steal sensitive information. Based on victim information, the targets included government employees, think tanks, university staff members, members of organizations focused on world peace and human rights, and individuals who work on nuclear proliferation issues. Most targets were based in the U.S., Japan and South Korea.
Like many cybercriminals and threat actors, Thallium typically attempts to trick victims through a technique known as spear phishing. By gathering information about the targeted individuals from social media, public personnel directories of organizations the individual is involved with and other public sources, Thallium is able to craft a personalized spear-phishing email that appears credible to the target. As seen in the sample spear-phishing email below, the content is designed to appear legitimate, but closer review shows that Thallium has spoofed the sender: the letters "r" and "n" placed side by side render like the letter "m" in many fonts, so the sending domain reads as "microsoft.com" at a glance.
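The "rn" for "m" trick above is one instance of a confusable-character lookalike domain. The following is an added example (not code from Microsoft or from the article) of a sender-domain check that catches it, and goes slightly beyond the text by also folding digit substitutions and accented letters into the same comparison. The protected-domain list, the confusable tables and the sample From: headers are assumptions constructed for the demonstration.

```python
import unicodedata
from email.utils import parseaddr

# Brand domains to protect. Assumption for this example: a small inline set;
# in practice this would be the organisation's own domains plus key partners.
PROTECTED_DOMAINS = {"microsoft.com", "outlook.com", "office.com"}

# Letter sequences that render like one other letter in many proportional
# fonts. The first entry is the trick described in the article: "rn" read as "m".
CONFUSABLE_SEQUENCES = [
    ("rn", "m"),
    ("vv", "w"),
    ("cl", "d"),
]

# Single characters commonly swapped for a letter they resemble (assumed table).
CONFUSABLE_CHARS = str.maketrans({
    "0": "o",
    "1": "l",
    "3": "e",
    "5": "s",
    "8": "b",
    "\u0131": "i",  # dotless i
})


def skeleton(domain: str) -> str:
    """Map a domain to a confusable-insensitive form so lookalikes collide.

    Order matters: decode punycode, strip accents (NFKD, then drop combining
    marks), lowercase, map single confusable characters, then collapse
    multi-character sequences such as "rn" -> "m".
    """
    try:
        domain = domain.encode("ascii").decode("idna")  # xn--... -> Unicode
    except (UnicodeError, ValueError):
        pass  # already Unicode, or not valid punycode; use as-is
    d = unicodedata.normalize("NFKD", domain)
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    d = d.lower().translate(CONFUSABLE_CHARS)
    for seq, repl in CONFUSABLE_SEQUENCES:
        d = d.replace(seq, repl)
    return d


def sender_domain(from_header: str) -> str:
    """Return the domain of the address in a From: header, lowercased."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def lookalike_of(domain: str):
    """Return the protected domain that `domain` impersonates, or None.

    Exact matches and genuine subdomains of a protected domain pass; a domain
    whose skeleton collides with a protected domain's skeleton but whose
    literal string differs is reported as a lookalike.
    """
    if domain in PROTECTED_DOMAINS or any(
        domain.endswith("." + p) for p in PROTECTED_DOMAINS
    ):
        return None
    sk = skeleton(domain)
    for p in PROTECTED_DOMAINS:
        psk = skeleton(p)
        if sk == psk or sk.endswith("." + psk):
            return p
    return None


def check_from_header(from_header: str):
    """Classify one From: header as ('ok'|'lookalike'|'unparsed', detail)."""
    dom = sender_domain(from_header)
    if not dom:
        return ("unparsed", from_header)
    target = lookalike_of(dom)
    if target:
        return ("lookalike", "%s resembles %s" % (dom, target))
    return ("ok", dom)


def scan_headers(headers):
    """Run the check over a batch of From: header values."""
    return [check_from_header(h) for h in headers]


# Constructed sample headers for the demonstration; not taken from any real
# message or from the article.
SAMPLE_FROM_HEADERS = [
    '"Microsoft account team" <account-security@microsoft.com>',
    '"Microsoft account team" <account-security@rnicrosoft.com>',
    '"Security alert" <alerts@accounts.rnicrosoft.com>',
    '"Outlook" <no-reply@0utlook.com>',
    '"Office support" <help@\u00f4ffice.com>',
    "not an address",
]

if __name__ == "__main__":
    for header, (verdict, detail) in zip(SAMPLE_FROM_HEADERS, scan_headers(SAMPLE_FROM_HEADERS)):
        print(f"{verdict:9s} {detail}")
```

The check deliberately compares whole registrable names, so a domain that merely contains a brand as a substring (brand plus extra words) is not flagged here; that case needs a separate rule, and the confusable tables above are illustrative rather than complete.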
The link in the email redirects the user to a website requesting the user's account credentials. By tricking victims into clicking on the fraudulent links and providing their credentials, Thallium is then able to log into the victim's account. Upon successful compromise of a victim account, Thallium can review emails, contact lists, calendar appointments and anything else of interest in the compromised account. Thallium often also creates a new mail forwarding rule in the victim's account settings. This mail forwarding rule will forward all new emails received by the victim to Thallium-controlled accounts. By using forwarding rules, Thallium can continue to see email received by the victim, even after the victim's account password is updated.
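Because a forwarding rule survives a password reset, incident response for this kind of compromise has to include a review of mailbox rules, not just a credential change. The following is an added example (not Microsoft's code and not from the article) of an audit over an exported list of inbox rules that flags any rule sending mail outside the organisation. The export format, the internal-domain list and the sample rules are constructed for the demonstration; the field names follow the properties Exchange Online's Get-InboxRule cmdlet reports, but the flattening of those properties to plain strings is an assumption.

```python
import json
import re

# Assumption for this example: the organisation's own mail domains.
INTERNAL_DOMAINS = {"example.org"}

# Constructed export of mailbox rules, not real victim data. Field names mirror
# Get-InboxRule properties (Name, Enabled, ForwardTo, RedirectTo,
# ForwardAsAttachmentTo, DeleteMessage); the JSON shape itself is assumed.
SAMPLE_RULES_JSON = """
[
  {"Mailbox": "alice@example.org", "Name": "Team digest", "Enabled": true,
   "ForwardTo": ["Team Archive <team-archive@example.org>"],
   "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": false},
  {"Mailbox": "alice@example.org", "Name": "Sync", "Enabled": true,
   "ForwardTo": ["a.backup1977@freemail.example"],
   "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": true},
  {"Mailbox": "bob@example.org", "Name": "Old redirect", "Enabled": false,
   "ForwardTo": [], "RedirectTo": ["b.smith@webmail.example"],
   "ForwardAsAttachmentTo": [], "DeleteMessage": false},
  {"Mailbox": "carol@example.org", "Name": "Flag invoices", "Enabled": true,
   "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": [],
   "DeleteMessage": false}
]
"""

ADDR_RE = re.compile(r"<([^>]+)>")


def address_domain(target: str) -> str:
    """Domain of a rule target given as 'Name <user@dom>' or 'user@dom'."""
    m = ADDR_RE.search(target)
    addr = (m.group(1) if m else target).strip()
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def external_targets(rule: dict) -> list:
    """All forward/redirect targets outside INTERNAL_DOMAINS.

    Targets that do not parse as an address are treated as external so that
    an auditor looks at them instead of silently passing them.
    """
    targets = (
        (rule.get("ForwardTo") or [])
        + (rule.get("RedirectTo") or [])
        + (rule.get("ForwardAsAttachmentTo") or [])
    )
    return [t for t in targets if address_domain(t) not in INTERNAL_DOMAINS]


def audit_rules(rules: list) -> list:
    """Return one finding per rule that sends mail outside the organisation.

    Severity: 'critical' when the rule is enabled and also deletes the
    message (the mailbox owner never sees what was forwarded), 'high' when
    enabled, 'medium' when disabled (it can be re-enabled without a new rule
    appearing). The delete check is an added heuristic, not something the
    article states about Thallium.
    """
    findings = []
    for rule in rules:
        ext = external_targets(rule)
        if not ext:
            continue
        enabled = bool(rule.get("Enabled"))
        deletes = bool(rule.get("DeleteMessage"))
        if enabled and deletes:
            severity = "critical"
        elif enabled:
            severity = "high"
        else:
            severity = "medium"
        findings.append({
            "mailbox": rule.get("Mailbox"),
            "rule": rule.get("Name"),
            "severity": severity,
            "external_targets": ext,
            "deletes_original": deletes,
        })
    return findings


def audit_json(text: str) -> list:
    """Parse an exported rule list and audit it."""
    return audit_rules(json.loads(text))


if __name__ == "__main__":
    for f in audit_json(SAMPLE_RULES_JSON):
        print(f"[{f['severity']}] {f['mailbox']} rule {f['rule']!r} -> "
              f"{', '.join(f['external_targets'])}")
```

Inbox rules are only one forwarding path: a full review also covers mailbox-level forwarding (the ForwardingSmtpAddress and ForwardingAddress properties Get-Mailbox reports) and tenant transport rules, and any rule found should be removed in the same change window as the password reset.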
In addition to targeting user credentials, Thallium also utilizes malware to compromise systems and steal data. Once installed on a victim's computer, this malware exfiltrates information from it, maintains a persistent presence and waits for further instructions. The Thallium threat actors have utilized known malware named "BabyShark" and "KimJongRAT."
Related Stories
The US Justice Department said Wednesday that the FBI surreptitiously sent commands to hundreds of infected small office and home office routers to remove malware China state-sponsored hackers were using to wage attacks on critical infrastructure.
The routers—mainly Cisco and Netgear devices that had reached their end of life—were infected with what's known as KV Botnet malware, Justice Department officials said.
[...] "To effect these seizures, the FBI will issue a command to each Target Device to stop it from running the KV Botnet VPN process," an agency special agent wrote in an affidavit dated January 9. "This command will also stop the Target Device from operating as a VPN node, thereby preventing the hackers from further accessing Target Devices through any established VPN tunnel.
[...] The takedown disclosed Wednesday isn't the first time the FBI has issued commands to infected devices without the owners' knowledge ahead of time. In 2021, authorities executed a similar action to disinfect Microsoft Exchange servers that had been compromised by a different China-state group tracked as Hafnium.
[...] In 2018, researchers reported that more than 500,000 SOHO routers had been compromised by sophisticated malware dubbed VPNFilter. The mass hack was later revealed to be an operation by a Russian-state group tracked as Sofacy. In that event, the FBI issued an advisory urging people to restart their routers to remove any possible infections. The agency also seized a domain used to control VPNFilter.
[...] This month's takedown comes as the Chinese government has stepped up attacks in recent years to compromise routers, cameras, and other network-connected devices to target critical infrastructure. warned of the trend in May last year. Researchers in the private sector have issued similar warnings.
Previously on SoylentNews:
Backdoored Firmware Lets China State Hackers Control Routers With "Magic Packets" - 20230930
Microsoft Comes Under Blistering Criticism for "Grossly Irresponsible" Security - 20230805
Malware Turns Home Routers Into Proxies for Chinese State-Sponsored Hackers - 20230518
US Warns of Govt Hackers Targeting Industrial Control Systems - 20220415
State Hackers Breach Defense, Energy, Healthcare Orgs Worldwide - 20211111
Microsoft Exchange Server Zero Day Hack Roundup - 20210316
Breached Water Plant Employees Shared Same Password, No Firewall - 20210211
Iranian Spies Accidentally Leaked Videos of Themselves Hacking - 20200716
Hackers Can Seize Control of Ballots Cast Using the Voatz Voting App, Researchers Say - 20200215
Microsoft Takes Court Action Against Fourth Nation-State Cybercrime Group - 20191231
"state actors" search on SoylentNews for even more: https://soylentnews.org/search.pl?threshold=0&query=state+actors
(Score: 0) by Anonymous Coward on Wednesday January 01 2020, @05:48AM (3 children)
I'm not familiar enough with the domain name system--can someone explain how MS could take control of 50 domains? And, is there anything that would keep the purported bad actors from just registering another 50?
(Score: 0) by Anonymous Coward on Wednesday January 01 2020, @06:24AM (2 children)
It could be they asserted some trademark thing, like that bad guys are basically trying to deceive people with "rnicrosoft.com" related domains... let us redirect those to our site because that is what people expect... plzz domain people
Happy new year!!!!
(Score: 0) by Anonymous Coward on Wednesday January 01 2020, @06:29AM (1 child)
Contact exaeta, he is coming up with a whole nother DNS system, which I am sure will solve all problems, and get him laid.
(Score: 0) by Anonymous Coward on Wednesday January 01 2020, @10:11AM
How is that excreta you're talking about?
(Score: 0) by Anonymous Coward on Wednesday January 01 2020, @07:59AM (1 child)
Impeach Micro$oft Now! They are an illegal operation! An illicit corporation! A very bad actor!
(Score: 0) by Anonymous Coward on Wednesday January 01 2020, @02:33PM
Now that is just silly.
Is it a false-false-flag post, or a false-false-false-flag post?
(Score: 0) by Anonymous Coward on Wednesday January 01 2020, @04:54PM
probably a case of patent infringement where the patent tried to save energy and keyboard space by removing the letter "m" and forming it by using "r" and "n" and only patented rnicrosoft keyboards have that extra key "m" and the "driver" costs extra ...
(Score: 1, Funny) by Anonymous Coward on Wednesday January 01 2020, @05:15PM
Obviously this is a case of Microsoft fighting against competition...