Void Dokkaebi, also tracked as Famous Chollima, is a North Korea-aligned intrusion set that systematically targets software developers who hold cryptocurrency wallet credentials, signing keys, and access to continuous integration/continuous delivery (CI/CD) pipelines and production infrastructure.
As previously documented by TrendAI Research, the group poses as recruiters from cryptocurrency and AI firms, luring developers into cloning and executing code repositories as part of fabricated job interviews. This is a pattern independently tracked across the industryopen on a new tab since 2024, but less attention has been paid to what happens after the initial compromise.
Read more…
Source: Trend Micro
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials
April 22, 2024
Microsoft Threat Intelligence is publishing results of our longstanding investigation into activity by the Russian-based threat actor Forest Blizzard (STRONTIUM) using a custom tool to elevate privileges and steal credentials in compromised networks. Since at least June 2020 and possibly as early as April 2019, Forest Blizzard has used the tool, which we refer to as ...
- Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400
April 22, 2024
This threat brief is frequently updated as new threat intelligence is available for us to share. The full update log is at the end of this post and offers the fullest account of all changes made. Updated April 19 to include information on observed levels of attempted exploitation and relative prevalence of those levels, with unsuccessful ...
- Androxgh0st malware ramps up global attacks
April 22, 2024
More than 600 servers worldwide have been subjected to recent attacks with the Androxgh0st malware, reports Hackread. The U.S., India, and Taiwan accounted for the bulk of the impacted servers, which were compromised by Androxgh0st malware operators through web shells deployed via the exploitation of several security vulnerabilities, including CVE-2019-2725, CVE-2021-3129, and CVE-2024-1709, a report from ...
- ToddyCat is making holes in your infrastructure
April 22, 2024
Kapersky researchers continue covering the activities of the APT group ToddyCat. In their previous article, they described tools for collecting and exfiltrating files (LoFiSe and PcExter). This time, the researchers have investigated how attackers obtain constant access to compromised infrastructure, what information on the hosts they are interested in, and what tools they use to extract ...
- UK government cannot protect businesses and services from cyber attacks
April 22, 2024
UK businesses are rapidly losing confidence in the government’s ability to protect them from cyberattacks. This is according to a new report from cybersecurity researchers Armis, which states that the lack of faith is higher than anywhere else in Europe. To draft the report, Armis surveyed more than 2,600 global security and IT decision-makers, and included ...
- MITRE says it was hit by hackers exploiting Ivanti flaws
April 22, 2024
The not-for-profit research and development organization MITRE suffered a cyberattack early this year, with the attack apparently hindering some operations, but there was no talk of stolen data. In a breach notification published on the MITRE website late last week, CEO and president Jason Providakes explained what happened and what the organization was doing about it. Read ...