The Attackers Developed an Elaborate Infrastructure
SecurityScorecard's analysis of the attackers' command-and-control (C2) infrastructure reveals a carefully planned operation that unfolded in three distinct phases. The campaign first came to light in November, when 181 developers, mainly from the European technology sector, were targeted. In December the operation escalated to a global scale, affecting hundreds of developers, with India emerging as a significant hotspot at 284 victims. The situation deteriorated further in January, when an additional wave of attacks caught 233 more developers, including 110 from India's tech sector.
According to the findings of the researchers, “The attackers systematically exfiltrated vital information, capturing development credentials, authentication tokens, saved passwords from browsers, and operational system details.” They noted that the compromised data was collected by command-and-control (C2) servers and subsequently transferred to Dropbox, where it was organized and secured. The presence of persistent connections to Dropbox underscores the attackers’ methodical approach, evidenced by some servers maintaining active sessions for periods exceeding five hours.
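The persistent Dropbox sessions noted above are the kind of observable a defender can hunt for in proxy or flow logs. The following Python check is an added example, not part of the article or of SecurityScorecard's analysis: it merges consecutive connections from one workstation to Dropbox hosts into a single session and flags any session that lasts longer than five hours. The log format, hostnames and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): start, end, source host, destination host.
SAMPLE_LOG = """\
2025-01-14T09:02:11Z 2025-01-14T09:03:40Z dev-ws-17 api.dropboxapi.com
2025-01-14T09:03:50Z 2025-01-14T12:10:02Z dev-ws-17 content.dropboxapi.com
2025-01-14T12:10:05Z 2025-01-14T14:45:30Z dev-ws-17 content.dropboxapi.com
2025-01-14T10:15:00Z 2025-01-14T10:16:10Z dev-ws-22 www.dropbox.com
2025-01-14T08:00:00Z 2025-01-14T18:00:00Z dev-ws-22 registry.npmjs.org
"""

DROPBOX_DOMAINS = ("dropbox.com", "dropboxapi.com")
THRESHOLD = timedelta(hours=5)       # the "exceeding five hours" figure from the analysis
MERGE_GAP = timedelta(minutes=5)     # re-established connections closer than this count as one session


def parse_log(text):
    """Parse whitespace-separated lines into (start, end, src, dst) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, src, dst = line.split()
        to_dt = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
        records.append((to_dt(start), to_dt(end), src, dst))
    return records


def is_dropbox(host):
    return any(host == d or host.endswith("." + d) for d in DROPBOX_DOMAINS)


def merge_sessions(records):
    """Merge a host's Dropbox connections (across subdomains) into contiguous sessions."""
    by_src = {}
    for start, end, src, dst in records:
        if is_dropbox(dst):
            by_src.setdefault(src, []).append((start, end))
    sessions = []
    for src, intervals in by_src.items():
        intervals.sort()
        cur_start, cur_end = intervals[0]
        for s, e in intervals[1:]:
            if s <= cur_end + MERGE_GAP:
                cur_end = max(cur_end, e)          # extend the current session
            else:
                sessions.append((src, cur_start, cur_end))
                cur_start, cur_end = s, e
        sessions.append((src, cur_start, cur_end))
    return sessions


def find_persistent_dropbox_sessions(text, threshold=THRESHOLD):
    """Return (src, start, end, duration) for merged Dropbox sessions longer than threshold."""
    return [(src, s, e, e - s) for src, s, e in merge_sessions(parse_log(text)) if e - s > threshold]
```

On the sample above, only dev-ws-17 is flagged: its three short-gap connections merge into one session of 5h43m19s, while dev-ws-22's long session is to a non-Dropbox host and is ignored.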
Even though the attackers used multiple VPN tunnels to obscure their identities, investigators traced the malicious activity back to various IP addresses located in North Korea. The attackers initially connected through Astrill VPN endpoints, then routed their traffic through IP addresses associated with the Oculus Proxy network in Russia, before finally reaching the C2 servers hosted by a firm identified as Stark Industries.
Source: www.csoonline.com