Stories
Slash Boxes
Comments

SoylentNews is people

posted by janrinok on Wednesday January 01 2020, @05:42AM   Printer-friendly
from the one-by-one dept.

Microsoft takes court action against fourth nation-state cybercrime group.:

On December 27, a U.S. district court unsealed documents detailing work Microsoft has performed to disrupt cyberattacks from a threat group we call Thallium, which is believed to operate from North Korea. Our court case against Thallium, filed in the U.S. District Court for the Eastern District of Virginia, resulted in a court order enabling Microsoft to take control of 50 domains that the group uses to conduct its operations. With this action, the sites can no longer be used to execute attacks.

Microsoft's Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) have been tracking and gathering information on Thallium, monitoring the group's activities to establish and operate a network of websites, domains and internet-connected computers. This network was used to target victims and then compromise their online accounts, infect their computers, compromise the security of their networks and steal sensitive information. Based on victim information, the targets included government employees, think tanks, university staff members, members of organizations focused on world peace and human rights, and individuals that work on nuclear proliferation issues. Most targets were based in the U.S., as well as Japan and South Korea.

Like many cybercriminals and threat actors, Thallium typically attempts to trick victims through a technique known as spear phishing. By gathering information about the targeted individuals from social media, public personnel directories from organizations the individual is involved with and other public sources, Thallium is able to craft a personalized spear-phishing email in a way that gives the email credibility to the target. As seen in the sample spear-phishing email below, the content is designed to appear legitimate, but closer review shows that Thallium has spoofed the sender by combining the letters "r" and "n" to appear as the first letter "m" in "microsoft.com."

The link in the email redirects the user to a website requesting the user's account credentials. By tricking victims into clicking on the fraudulent links and providing their credentials, Thallium is then able to log into the victim's account. Upon successful compromise of a victim account, Thallium can review emails, contact lists, calendar appointments and anything else of interest in the compromised account. Thallium often also creates a new mail forwarding rule in the victim's account settings. This mail forwarding rule will forward all new emails received by the victim to Thallium-controlled accounts. By using forwarding rules, Thallium can continue to see email received by the victim, even after the victim's account password is updated.

In addition to targeting user credentials, Thallium also utilizes malware to compromise systems and steal data. Once installed on a victim's computer, this malware exfiltrates information from it, maintains a persistent presence and waits for further instructions. The Thallium threat actors have utilized known malware named "BabyShark" and "KimJongRAT."


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Wednesday January 01 2020, @06:24AM (2 children)

    by Anonymous Coward on Wednesday January 01 2020, @06:24AM (#938142)

    It could be they asserted some trademark thing, like that bad guys are basically trying to deceive people with "rnicrosoft.com" related domains... let us redirect those to our site because that is what people expect... plzz domaib people

    Happy new year!!!!

  • (Score: 0) by Anonymous Coward on Wednesday January 01 2020, @06:29AM (1 child)

    by Anonymous Coward on Wednesday January 01 2020, @06:29AM (#938144)

    Contact exaeta, he is coming up with a whole nother DNS system, which I am sure will solve all problems, and get him laid.

    • (Score: 0) by Anonymous Coward on Wednesday January 01 2020, @10:11AM

      by Anonymous Coward on Wednesday January 01 2020, @10:11AM (#938170)

      How is that excreta you talking about?