A year later, another well-known security company, McAfee, also issued a report in late April, once again digging up a great deal of dirt on North Korean hackers. The McAfee Advanced Threat Research team pointed out that, after long-term tracking, a large-scale hacking campaign named Operation GhostSecret appeared to be linked to Lazarus, the hacking group believed to be sponsored by the North Korean government, because it used various tools and malicious programs associated with that group.
Does Lazarus sound familiar? Yes, that is the hacking gang that carried out the destructive attack on Sony Pictures, stole 81 million US dollars from the Central Bank of Bangladesh, and is considered a key actor behind WannaCry.
Researchers initially believed that Operation GhostSecret was only a large-scale cyber attack on several Turkish financial institutions and government organizations in early March, but McAfee's report showed that the attack actually affected 17 countries. The attackers behind it targeted key industries such as infrastructure, entertainment, finance, healthcare, and telecommunications to steal sensitive industry data, and they are still active.
This judgment is not groundless speculation but hard evidence: the hiding place of a server used by the hackers!
According to the foreign media outlet SecurityAffairs, Thai authorities, with help from ThaiCERT (the equivalent of Thailand's national internet emergency response center) and McAfee, found a server used by the North Korean APT group Hidden Cobra.
Thai authorities discovered that the server was hidden in a Thai university. In 2014, North Korean hackers used this server to leak large numbers of emails and film copies from Sony Pictures.
From March 15 to March 19 this year, servers in the United States, Australia, Japan, and China were repeatedly infected. Nearly 50 servers in Thailand were severely hit by the malware, the worst toll of any country, and the attacks came from this server.
This server is reported to have been the command and control center of Hidden Cobra's GhostSecret attack. Without the persistent analysis and investigation by McAfee experts around the world, it might still be lying quietly in that Thai university.
Our investigation of the GhostSecret attack revealed that the hackers used multiple malware programs at the time, including software with functionality similar to Bankshot. In the March 18-26 survey, we discovered that the malware was actually distributed in many parts of the world. This new variant resembles the Destover malware in many places; the latter was the culprit that badly damaged Sony's business in 2014.
After further investigation of the control server infrastructure, McAfee found that the SSL certificate d0cb9b2d4809575e1bc1f4657e0eb56f307c7a76, bundled with the control server 203[.]131[.]222[.]83, had also been used in an implant in February 2018. The server belongs to Hosei University in Thailand. Hidden Cobra has been using this SSL certificate since the attack on Sony Pictures.
Thailand is the hardest-hit area for Destover variant infections
A security announcement issued by ThaiCERT stated that the GhostSecret attack returned in February this year. McAfee also identified three IP addresses belonging to Hosei University (18.104.22.168, 22.214.171.124, and 126.96.36.199) that were inseparable from the attacks.
Worse still, the attack is still in progress.
McAfee said that GhostSecret is a global data reconnaissance campaign targeting key infrastructure, entertainment, finance, healthcare, and communications. The hackers behind the attack used a variety of implants, tools, and malware variants, and their approach was similar to that of Hidden Cobra.
At the same time, the McAfee Advanced Threat Research team also discovered a previously unknown implant, Proxysvc, which began stealthily harming victims in mid-2017.
Right now, ThaiCERT is working with the local government and McAfee to analyze the contents of this server; whether even bigger secrets can still be unearthed remains to be seen.