Attackers associated with the North Korean government recently stole over $600 worth of cryptocurrency.

The US government is warning that Lazarus, a North Korean state-sponsored hacker group, is targeting blockchain and cryptocurrency companies.

The FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the US Treasury Department issued the notice. Lazarus targets users in the blockchain, cryptocurrency, and NFT space.

Hackers use a variety of communication platforms to trick people into downloading trojanized cryptocurrency apps on Windows or macOS. The cyber actors then use the applications to gain access to the victim’s computer. They spread malware in the victim’s network environment and steal private keys or exploit other security holes.

These activities enable additional tracking activities that initiate fraudulent blockchain transactions.

“North Korean state-sponsored cyber actors use a full range of tactics and techniques to exploit computer networks of interest, acquire sensitive cryptocurrency intellectual property, and obtain financial assets,” it said. -he declares.

The US government recommends implementing mitigation measures to protect critical infrastructure organizations and financial sector organizations in blockchain and cryptocurrency.

Last week, the FBI confirmed that hackers associated with the North Korean government stole more than $600 million in cryptocurrency reported on March 29.

Attackers exploit ‘thirst for information’

Hank Schless is Lookout’s Senior Director of Security Solutions. He said Lazarus has been targeting finance for years with a past focus on institutions and online cryptocurrency exchanges.

Hank Schless of Lookout

“Since cryptocurrency is a rather new technology, it presents an opportunity for threat actors to socially engineer targets,” he said. “Crypto investors are constantly looking for an edge in the market or what is the next big currency that will explode in value. Attackers can use this thirst for information to trick users into downloading malicious apps or sharing login credentials for legitimate trading platforms they use.

The attacker could then use the malicious app to exfiltrate additional data from the device it’s on, Schless said. They could also take the stolen login credentials and try them on any number of cloud apps.

To increase the chances of success, attackers are targeting users on mobile devices and cloud platforms, Schless said.

“For example, at Lookout, we discovered nearly 200 malicious cryptocurrency apps on the Google Play Store,” he said. “Most of these apps posed as mining services to trick users into downloading them.”

Big Money attracts threat actors

Chris Morgan is a Senior Cyber ​​Threat Intelligence Analyst at Digital Shadows. He said crypto investors make a lot of money, but often store it in insecure places. Therefore, threat actors will naturally direct their activities towards targeting these environments.

Chris Morgan of Digital Shadows

Chris Morgan of Digital Shadows

“For consumers, much of the fraudulent activity targeting accounts results from a lack of awareness and ignorance of the risk,” he said. “Many users continue to operate insecurely, which can leave them vulnerable to attacks. For crypto and NFT platforms, it is imperative that the security maturity of the platform can minimize the considerable risks faced by users. This includes robust vulnerability assessments to identify bugs and ensuring regular consumer awareness programs on how to spot suspicious behavior.

Ensuring guidance is provided on safe use will create a safer environment for users, Morgan said.

John Bambenek is Netenrich’s main threat hunter.

Netenrich's John Bambaneck

Netenrich’s John Bambaneck

“Cryptocurrency attacks will rise and fall depending on the number of novice users out there,” he said. “Cryptocurrency is a space for fraud because protecting yourself is complicated and people are still learning how to do it. Your uncle who keeps talking about all the stuff he earned in Doge is also the guy whose DVD player flashes 12:00 ahead because it can’t set the time on it.

North Korea will continue its attacks

North Korea and Lazarus have been focusing on cryptocurrency threats for years, Bambenek said. This is because North Korea is a highly sanctioned country. Therefore, it allows them to acquire assets that they can use to pursue their government goals.

“This will continue until North Korea becomes a respectable member of the international community or the gentle meteor of death finally arrives and ends all life on earth,” he said. “The latter is the most accurate scenario.”

Karl Steinkamp of Coalfire

Karl Steinkamp of Coalfire

Karl Steinkamp is director of Coalfire. He said bad actors would target any technology and/or platform that is successful in gaining wide user adoption.

“App exchanges will continue to embed detective controls on their respective platforms…to help businesses and users mitigate risk,” he said. “As we have seen with other malware variants, users and businesses should be aware that crypto-asset malware will eventually target all platforms and technology in an attempt to trick users into click or download something malicious.”