Phone : +91 95 8290 7788 | Email : sales@itmonteur.net

Register & Request Quote | Submit Support Ticket

Home » Cyber Security News » Vulnerabilities & Exploits » North Korean Group Collaborates with Play Ransomware in Significant Cyber Attack

North Korean Group Collaborates with Play Ransomware in Significant Cyber Attack

North Korean Group Collaborates with Play Ransomware in Significant Cyber Attack

https://firewall.firm.in/wp-content/uploads/2024/10/paynow.png

Oct 30, 2024Ravie LakshmananRansomware / Threat Intelligence

Play Ransomware

Threat actors in North Korea have been implicated in a recent incident that deployed a known ransomware family called Play, underscoring their financial motivations.

The activity, observed between May and September 2024, has been attributed to a threat actor tracked as Jumpy Pisces, which is also known as Andariel, APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (formerly Plutonium), Operation Troy, Silent Chollima, and Stonefly.

“We believe with moderate confidence that Jumpy Pisces, or a faction of the group, is now collaborating with the Play ransomware group,” Palo Alto Networks Unit 42 said in a new report published today.

“This incident is significant because it marks the first recorded collaboration between the Jumpy Pisces North Korean state-sponsored group and an underground ransomware network.”

Cybersecurity

Andariel, active since at least 2009, is affiliated with North Korea’s Reconnaissance General Bureau (RGB). It has been previously observed deploying two other ransomware strains known as SHATTEREDGLASS and Maui.

Earlier this month, Symantec, part of Broadcom, noted that three different organizations in the U.S. were targeted by the state-sponsored hacking crew in August 2024 as part of a likely financially motivated attack, even though no ransomware was deployed on their networks.

Play, on the other hand, is a ransomware operation that’s believed to have impacted approximately 300 organizations as of October 2023. It is also known as Balloonfly, Fiddling Scorpius, and PlayCrypt.

Play Ransomware

While cybersecurity firm Adlumin revealed late last year that the operation may have transitioned to a ransomware-as-a-service (RaaS) model, the threat actors behind Play have since announced on their dark web data leak site that it’s not the case.

In the incident investigated by Unit 42, Andariel is believed to gained initial access via a compromised user account in May 2024, followed by undertaking lateral movement and persistence activities using the Sliver command-and-control (C2) framework and a bespoke backdoor called Dtrack (aka Valefor and Preft).

“These remote tools continued to communicate with their command-and-control (C2) server until early September,” Unit 42 said. “This ultimately led to the deployment of Play ransomware.”

The Play ransomware deployment was preceded by an unidentified threat actor infiltrating the network using the same compromised user account, after which they were observed carrying out credential harvesting, privilege escalation, and uninstallation of endpoint detection and response (EDR) sensors, all hallmarks of pre-ransomware activities.

Cybersecurity

Also utilized as part of the attack was a trojanized binary that’s capable of harvesting web browser history, auto-fill information, and credit card details for Google Chrome, Microsoft Edge, and Brave.

The use of the compromised user account by both Andariel and Play Asia, the connection between the two intrusion sets stems from the fact that communication with the Sliver C2 server (172.96.137[.]224) remained ongoing until the day before ransomware deployment. The C2 IP address has been offline since the day the deployment took place.

“It remains unclear whether Jumpy Pisces has officially become an affiliate for Play ransomware or if they acted as an IAB [initial access broker] by selling network access to Play ransomware actors,” Unit 42 concluded. “If Play ransomware does not provide a RaaS ecosystem as it claims, Jumpy Pisces might only have acted as an IAB.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.


Information Security - InfoSec - Cyber Security - Firewall Providers Company in India

 

 

 

 

 

 

 

 

 

 

 

 

What is Firewall? A Firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies. At its most basic, a firewall is essentially the barrier that sits between a private internal network and the public Internet.

 

Secure your network at the gateway against threats such as intrusions, Viruses, Spyware, Worms, Trojans, Adware, Keyloggers, Malicious Mobile Code (MMC), and other dangerous applications for total protection in a convenient, affordable subscription-based service. Modern threats like web-based malware attacks, targeted attacks, application-layer attacks, and more have had a significantly negative effect on the threat landscape. In fact, more than 80% of all new malware and intrusion attempts are exploiting weaknesses in applications, as opposed to weaknesses in networking components and services. Stateful firewalls with simple packet filtering capabilities were efficient blocking unwanted applications as most applications met the port-protocol expectations. Administrators could promptly prevent an unsafe application from being accessed by users by blocking the associated ports and protocols.

 

Firewall Firm is an IT Monteur Firewall Company provides Managed Firewall Support, Firewall providers , Firewall Security Service Provider, Network Security Services, Firewall Solutions India , New Delhi - India's capital territory , Mumbai - Bombay , Kolkata - Calcutta , Chennai - Madras , Bangaluru - Bangalore , Bhubaneswar, Ahmedabad, Hyderabad, Pune, Surat, Jaipur, Firewall Service Providers in India

Sales Number : +91 95 8290 7788 | Support Number : +91 94 8585 7788
Sales Email : sales@itmonteur.net | Support Email : support@itmonteur.net

Register & Request Quote | Submit Support Ticket