A joint cybersecurity advisory from the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Treasury Department warns of North Korea’s Lazarus APT targeting blockchain companies.
The advisory states that the Lazarus Advanced Persistent Threat (APT) group is targeting cryptocurrency companies with Trojan-protected Windows and macOS cryptocurrency apps.
Malicious applications steal private keys and exploit other security vulnerabilities to execute subsequent attacks and fraudulent transactions.
US authorities have linked Lazarus to the theft of Ethereum and USDC worth $625 million by Ronin. North Korean hackers have stolen at least $1.7 billion in cryptocurrency over the past few years.
Lazarus APT targets employees of blockchain companies with lucrative fake job offers
Lazarus APT uses various communication platforms to send a large number of spear-phishing messages to employees of cryptocurrency companies. It usually targets system administrators, software developers or IT operations (DevOps).
“The messages often mimic a recruiting effort and offer high-paying jobs to trick recipients into downloading cryptocurrency apps containing malware, which the US government calls ‘TraderTraitor.’ Dream Job” detailed by an Israeli cybersecurity company.
“In order to increase the chance of success, attackers are targeting users on mobile devices and cloud platforms,” said Hank Schless, senior security solutions manager at Lookout. “For example, at Lookout, we discovered nearly 200 malicious cryptocurrency apps on the Google Play Store. Most of these apps presented themselves as mining services in order to trick users into downloading them. »
CISA discovered that Lazarus APT deploys various variants of TradeTraitor such as Dafom, TokenAIS, CryptAIS, CreAI Deck, AlticGO and Esilet.
They promise various crypto-related services such as real-time price prediction, portfolio creation, AI-based trading, artificial intelligence, and deep learning.
Lazarus APT advertises Trojans via modernly designed websites, possibly to convince victims of their ease of use.
“This campaign combines several popular trends into one attack,” said Tim Erlin, vice president of strategy at Tripwire. “The CISA alert describes a spear-phishing campaign that exploits the boiling job market to trick users into downloading cryptocurrency malware.”
The threat group casts a wide net targeting all types of blockchain companies. According to the joint notice, Lazarus APT targets cryptocurrency trading firms, decentralized finance (DeFi) platforms, cryptocurrency play-to-earn video games, cryptocurrency venture capital firms and owners of large cryptocurrency assets or non-fungible tokens (NFTs).
“Non-Fungible Tokens (NFTs) have been around since 2014; however, perhaps it has entered the cultural mainstream in 2021. However, the hype around NFTs will invariably coincide with interest from cyber threat actors,” noted Chris Morgan, Senior Intelligence Analyst at cyber threats at Digital Shadows.
How to protect blockchain businesses from Lazarus APT
US agencies have released a comprehensive list of Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IoCs) associated with Lazarus APT. They advised blockchain companies to apply various mitigation measures to minimize the threat of Lazarus APT to the cryptocurrency industry.
According to CISA, blockchain companies should implement security strategies such as minimum access models and defense in depth.
Schless said blockchain companies should prevent their employees from becoming launch pads for crypto heist attacks.
“Crypto platform providers need to ensure their employees are protected and don’t become conduits for cybercriminals to break into the infrastructure,” Schless continued. “Employees are constantly targeted by mobile phishing and other attacks that would give a cybercriminal behind-the-scenes access to corporate infrastructure.”
According to John Bambenek, Senior Threat Hunter at Netenrich, the North Korean threat will persist for the foreseeable future.
“North Korea has been focusing on cryptocurrency threats for years because it’s a highly sanctioned country, which allows them to acquire assets they can use to further their government goals,” Bambenek said. . “This will continue until North Korea becomes a respectable member of the international community or the gentle meteor of death finally arrives and ends all life on earth. The latter is the most accurate scenario.