Cybersecurity researchers have recently claimed that they observed malicious code on a South Korean newspaper website named Daily NK. Shockingly, a piece of code continued to stay on the site from March 2021 until June 2021. It naturally entailed suspicion among cyber researchers that a cyberattack was ongoing between the given periods. Against this backdrop, researchers indicated that a North Korean hacking group called InkySquid exploited known Internet Explorer bugs or vulnerabilities. The aim was to infect some visitors to the website with malware.
The Exploitation of Two Known Internet Explorer Bugs
The InkySquid advanced persistent threat (APT) group, allegedly linked to North Korea, launched watering hole attacks against the Daily NK website. It is a news outlet focused on North Korea. InkySquid carried out the cyberattack using known Internet Explorer bugs or vulnerabilities.
One vulnerability labeled as CVE-2020-1380 resided in the old IE. Likewise, a second vulnerability exploited by the InkySquid group was CVE-2021-26411. Cyber threat actors used it to attack Internet Explorer and legacy versions of Microsoft Edge.
Meanwhile, the group conducted the illegal activity with the attack kit comprised of two browser exploits. The group loaded the kit on the NK website using a JavaScript file. They did it in the hunt to infect users surfing the website through old IT and legacy Edge browser. Though the links prompted actual files, malicious code was embedded for short-lived periods and hard to recognize. The experts claimed the code was legitimate and would evade manual and automated detection.
Furthermore, the group leveraged public proof-of-concept code for both Internet Explorer bugs. The final payload of these cyberattacks incorporated a Cobalt Strike backdoor beacon. However, the attacks differed over time. Also, Bluelight seems to have delivered as a secondary payload.
Remember, Bluelight is a new information-stealing as well as reconnaissance malware family. The group had put it in place to use different cloud providers for command and control.
Exploiting known Internet Explorer bugs would not chip away on a wide swath of targets. Nevertheless, once a system gets tainted, detection is troublesome because of using legit code as cover. Apart from that, we are oblivious of the breadth of the attack. It is also not known how many users ended up infected with the whole evil scheme.
Daily NK Is Under Attack since Its Founding
Suspected North Korean cyber attackers continue to target Daily NK since its founding. For this reason, the news outlet strictly monitors the cyber threat extending towards it with different cybersecurity-focused organizations. Whenever any issue related to cybersecurity erupts, it takes immediate measures with the help of these organizations.
Moreover, the Tranco unified traffic ranking considers the Daily NK among the top 50,000 most popular sites on the Internet. While it operates outside of South Korea, it is known for its coverage heavily focused on North Korean topics. So, people interested in consuming information about North Korean issues turn up on the website.
Final Words
The outbreak of the COVID-19 pandemic has accelerated cyberattacks to a new record. With the cybersecurity threat on the horizon, it is essential to conduct cyber threat hunting. It detects advanced threats, investigates potential compromises, and improves cyber defenses.
References
The North Korea-linked group exploiting known IE bugs
North Korean hackers exploiting IE bugs to infect visitors of South Korean news website
The hacking group leveraging browser exploits to drop malware
Researchers discovered malicious code on one of the news websites
Watering hole attack against a popular news website
