Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security

// // //
4/27/2018
09:35 AM
Scott Ferguson
Scott Ferguson
News Analysis-Security Now

North Korea-Linked 'Operation GhostSecret' Found in 17 Countries

A new report out this week from McAfee has identified a new North Korea-linked cyber operation called 'GhostSecret,' which appears to be active in 17 different countries and targeting a number of different industries.

North Korea is continuing to expand its cyberattack capabilities with a new campaign called "GhostSecret," which is targeting several critical industries in as many as 17 different countries, according to research published by McAfee Labs this week.

This campaign appears related to Hidden Cobra, a state-sponsored group, and both appear to use the same tools and malware variants as part of their cyberattacks.

What makes GhostSecret a particular concern to security experts is that the group is targeting some industries within these countries, including critical infrastructure, finance, entertainment, healthcare and telecommunications.

McAfee researchers first noticed Hidden Cobra targeting the Turkish financial sector in early March, and this appears to have been the initial stages of what would become GhostSecret. Since that time, the attacks have spread beyond Turkey and its banking sector.

(Source: Flickr)
(Source: Flickr)

The Wall Street Journal first reported on McAfee's findings on April 25, and the company later publish its own blog, written by Raj Samani, McAfee's chief scientist, on GhostSecret.

In an email to Security Now, Ryan Sherstobitoff, senior analyst with McAfee, noted that Hidden Cobra appears to have been operating since at least 2007, and that the US government has identified the group as associated with North Korea, making GhostSecret part of that nation's cyber arsenal as well.

"Operation Ghost Secret targets multiple industry segments for both financial gain and IP [intellectual property] theft," Sherstobitoff wrote. "We also observed organizations targeted to be turned into command and control servers for Hidden Cobra."

As part of its research into GhostSecret, McAfee researchers uncovered a previously unknown malware implant called Proxysvc.

As the research team dug deeper into this new piece of malware, they noticed that it shared similar characteristics to another implant called Bankshot, which was used in the attack against the Turkish banks in early March and deployed by Hidden Cobra.

In addition, the investigation found that Bankshot and Proxysvc also shared some similarities to the Destover malware, which was used in the 2014 Sony Pictures attack. North Korea has been linked to the Sony attack, as well as several other cyber attacks, including the WannaCry ransomware outbreak that happened last year. (See Cybercrime Is North Korea's Biggest Threat.)

For its part, North Korea has denied involvement.


The fundamentals of network security are being redefined -- don't get left in the dark by a DDoS attack! Join us in Austin from May 14-16 at the fifth-annual Big Communications Event. There's still time to register and communications service providers get in free!

In its detailed research note, McAfee noted that the new Proxysvc was first collected on March 22 of this year, and appears to have found a home in higher education organizations, including schools and universities. Overall, it's been running in 11 different countries, with most found implants in the US.

It's structure also makes it hard to detect, according to McAfee:

Given the limited capabilities of Proxysvc, it appears to be part of a covert network of SSL listeners that allow the attackers to gather data and install more complex implants or additional infrastructure. The SSL listener supports multiple control server connections, rather than a list of hardcoded addresses. By removing the dependency on hardcoded IP addresses and accepting only inbound connections, the control service can remain unknown.

McAfee researchers noted that what the Proxysvc does is listen in to what's happening on the network and allows whoever is behind the command and control server to know what is happening without leaving easily traceable record of what's being done.

(Source: McAfee Labs)
(Source: McAfee Labs)

It's where the GhostSecret name comes from.

"Proxysvc means Proxy Service and it is a component that accepts inbound SSL connections from the attacker's command and control. This is a silent listener," Sherstobitoff wrote. "This is a new type of attack given that it uses previously unknown implants such as Proxysvc that is part of a network of covert listeners, hence GhostSecret."

Related posts:

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-25136
PUBLISHED: 2023-02-03
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be triggered by an unauthenticated attacker in the default configuration; however, the vulnerability discoverer reports that "exploiting thi...
CVE-2023-25139
PUBLISHED: 2023-02-03
sprintf in the GNU C Library (glibc) 2.37 has a buffer overflow (out-of-bounds write) in some situations with a correct buffer size. This is unrelated to CWE-676. It may write beyond the bounds of the destination buffer when attempting to write a padded, thousands-separated string representation of ...
CVE-2022-48074
PUBLISHED: 2023-02-03
An issue in NoMachine before v8.2.3 allows attackers to execute arbitrary commands via a crafted .nxs file.
CVE-2023-25135
PUBLISHED: 2023-02-03
vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors. The fixed versions are...
CVE-2022-4634
PUBLISHED: 2023-02-03
All versions prior to Delta Electronic’s CNCSoft version 1.01.34 (running ScreenEditor versions 1.01.5 and prior) are vulnerable to a stack-based buffer overflow, which could allow an attacker to remotely execute arbitrary code.