Ubuntu Security Notice 7076-1 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7076-1October 17, 2024linux-azure, linux-azure-5.15 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-azure-5.15: Linux kernel for Microsoft Azure cloud systemsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - Microsoft Azure Network Adapter (MANA) driver;  - Watchdog drivers;  - Netfilter;  - Network traffic control;(CVE-2024-27397, CVE-2024-45016, CVE-2024-45001, CVE-2024-38630)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS  linux-image-5.15.0-1074-azure   5.15.0-1074.83  linux-image-azure-lts-22.04     5.15.0.1074.72Ubuntu 20.04 LTS  linux-image-5.15.0-1074-azure   5.15.0-1074.83~20.04.1  linux-image-azure               5.15.0.1074.83~20.04.1  linux-image-azure-cvm           5.15.0.1074.83~20.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7076-1  CVE-2024-27397, CVE-2024-38630, CVE-2024-45001, CVE-2024-45016Package Information:  https://launchpad.net/ubuntu/+source/linux-azure/5.15.0-1074.83  https://launchpad.net/ubuntu/+source/linux-azure-5.15/5.15.0-1074.83~20.04.1

Ubuntu Security Notice USN-7076-1

Ubuntu Security Notice 7074-1 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7074-1October 17, 2024linux-azure vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-azure: Linux kernel for Microsoft Azure Cloud systemsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - Microsoft Azure Network Adapter (MANA) driver;  - Network traffic control;(CVE-2024-45016, CVE-2024-45001)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS  linux-image-6.8.0-1016-azure    6.8.0-1016.18  linux-image-6.8.0-1016-azure-fde  6.8.0-1016.18  linux-image-azure               6.8.0-1016.18  linux-image-azure-fde           6.8.0-1016.18After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7074-1  CVE-2024-45001, CVE-2024-45016Package Information:  https://launchpad.net/ubuntu/+source/linux-azure/6.8.0-1016.18

Ubuntu Security Notice USN-7074-1

Ubuntu Security Notice 7073-2 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7073-2October 17, 2024linux-azure, linux-azure-5.4 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-azure-5.4: Linux kernel for Microsoft Azure cloud systemsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - Watchdog drivers;  - Netfilter;  - Memory management;  - Network traffic control;(CVE-2024-27397, CVE-2024-38630, CVE-2024-45016, CVE-2024-26960)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS  linux-image-5.4.0-1139-azure    5.4.0-1139.146  linux-image-azure-lts-20.04     5.4.0.1139.133Ubuntu 18.04 LTS  linux-image-5.4.0-1139-azure    5.4.0-1139.146~18.04.1                                  Available with Ubuntu Pro  linux-image-azure               5.4.0.1139.146~18.04.1                                  Available with Ubuntu ProAfter a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7073-2  https://ubuntu.com/security/notices/USN-7073-1  CVE-2024-26960, CVE-2024-27397, CVE-2024-38630, CVE-2024-45016Package Information:  https://launchpad.net/ubuntu/+source/linux-azure/5.4.0-1139.146

Ubuntu Security Notice USN-7073-2

Ubuntu Security Notice 7069-2 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7069-2October 17, 2024linux-azure vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 LTS- Ubuntu 14.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-azure: Linux kernel for Microsoft Azure Cloud systemsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - x86 architecture;  - Cryptographic API;  - CPU frequency scaling framework;  - HW tracing;  - ISDN/mISDN subsystem;  - Media drivers;  - Network drivers;  - NVME drivers;  - S/390 drivers;  - SCSI drivers;  - USB subsystem;  - VFIO drivers;  - Watchdog drivers;  - JFS file system;  - IRQ subsystem;  - Core kernel;  - Memory management;  - Amateur Radio drivers;  - IPv4 networking;  - IPv6 networking;  - IUCV driver;  - Network traffic control;  - TIPC protocol;  - XFRM subsystem;  - Integrity Measurement Architecture(IMA) framework;  - SoC Audio for Freescale CPUs drivers;  - USB sound devices;(CVE-2024-36971, CVE-2024-42271, CVE-2024-38630, CVE-2024-38602,CVE-2024-42223, CVE-2024-44940, CVE-2023-52528, CVE-2024-41097,CVE-2024-27051, CVE-2024-42157, CVE-2024-46673, CVE-2024-39494,CVE-2024-42089, CVE-2024-41073, CVE-2024-26810, CVE-2024-26960,CVE-2024-38611, CVE-2024-31076, CVE-2024-26754, CVE-2023-52510,CVE-2024-40941, CVE-2024-45016, CVE-2024-38627, CVE-2024-38621,CVE-2024-39487, CVE-2024-27436, CVE-2024-40901, CVE-2024-26812,CVE-2024-42244, CVE-2024-42229, CVE-2024-43858, CVE-2024-42280,CVE-2024-26641, CVE-2024-42284, CVE-2024-26602)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 LTS  linux-image-4.15.0-1182-azure   4.15.0-1182.197~16.04.1                                  Available with Ubuntu Pro  linux-image-azure               4.15.0.1182.197~16.04.1                                  Available with Ubuntu ProUbuntu 14.04 LTS  linux-image-4.15.0-1182-azure   4.15.0-1182.197~14.04.1                                  Available with Ubuntu Pro  linux-image-azure               4.15.0.1182.197~14.04.1                                  Available with Ubuntu ProAfter a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7069-2  https://ubuntu.com/security/notices/USN-7069-1  CVE-2023-52510, CVE-2023-52528, CVE-2024-26602, CVE-2024-26641,  CVE-2024-26754, CVE-2024-26810, CVE-2024-26812, CVE-2024-26960,  CVE-2024-27051, CVE-2024-27436, CVE-2024-31076, CVE-2024-36971,  CVE-2024-38602, CVE-2024-38611, CVE-2024-38621, CVE-2024-38627,  CVE-2024-38630, CVE-2024-39487, CVE-2024-39494, CVE-2024-40901,  CVE-2024-40941, CVE-2024-41073, CVE-2024-41097, CVE-2024-42089,  CVE-2024-42157, CVE-2024-42223, CVE-2024-42229, CVE-2024-42244,  CVE-2024-42271, CVE-2024-42280, CVE-2024-42284, CVE-2024-43858,  CVE-2024-44940, CVE-2024-45016, CVE-2024-46673

Ubuntu Security Notice USN-7069-2

Ubuntu Security Notice 7028-2 - It was discovered that the JFS file system contained an out-of-bounds read vulnerability when printing xattr debug information. A local attacker could use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7028-2October 17, 2024linux-azure vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 14.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-azure: Linux kernel for Microsoft Azure Cloud systemsDetails:It was discovered that the JFS file system contained an out-of-bounds readvulnerability when printing xattr debug information. A local attacker coulduse this to cause a denial of service (system crash).Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - GPU drivers;  - Greybus drivers;  - Modular ISDN driver;  - Multiple devices driver;  - Network drivers;  - SCSI drivers;  - VFIO drivers;  - F2FS file system;  - GFS2 file system;  - JFS file system;  - NILFS2 file system;  - Kernel debugger infrastructure;  - Bluetooth subsystem;  - IPv4 networking;  - L2TP protocol;  - Netfilter;  - RxRPC session sockets;(CVE-2024-42154, CVE-2023-52527, CVE-2024-26733, CVE-2024-42160,CVE-2021-47188, CVE-2024-38570, CVE-2024-26851, CVE-2024-26984,CVE-2024-26677, CVE-2024-39480, CVE-2024-27398, CVE-2022-48791,CVE-2024-42224, CVE-2024-38583, CVE-2024-40902, CVE-2023-52809,CVE-2024-39495, CVE-2024-26651, CVE-2024-26880, CVE-2024-42228,CVE-2024-27437, CVE-2022-48863)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 14.04 LTS  linux-image-4.15.0-1181-azure   4.15.0-1181.196~14.04.1                                  Available with Ubuntu Pro  linux-image-azure               4.15.0-1181.196~14.04.1                                  Available with Ubuntu ProAfter a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7028-2  https://ubuntu.com/security/notices/USN-7028-1  CVE-2021-47188, CVE-2022-48791, CVE-2022-48863, CVE-2023-52527,  CVE-2023-52809, CVE-2024-26651, CVE-2024-26677, CVE-2024-26733,  CVE-2024-26851, CVE-2024-26880, CVE-2024-26984, CVE-2024-27398,  CVE-2024-27437, CVE-2024-38570, CVE-2024-38583, CVE-2024-39480,  CVE-2024-39495, CVE-2024-40902, CVE-2024-42154, CVE-2024-42160,  CVE-2024-42224, CVE-2024-42228

Ubuntu Security Notice USN-7028-2

Ubuntu Security Notice 7059-2 - USN-7059-1 fixed a vulnerability in OATH Toolkit library. This update provides the corresponding update for Ubuntu 24.10. Fabian Vogt discovered that OATH Toolkit incorrectly handled file permissions. A remote attacker could possibly use this issue to overwrite root owned files, leading to a privilege escalation attack.

==========================================================================

Ubuntu Security Notice USN-7059-2  
October 17, 2024

oath-toolkit vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10

Summary:

OATH Toolkit could be made to overwrite files as the administrator.

Software Description:  
- oath-toolkit: Development files for the OATH Toolkit Liboath library

Details:

USN-7059-1 fixed a vulnerability in OATH Toolkit library. This  
update provides the corresponding update for Ubuntu 24.10.

Original advisory details:

 Fabian Vogt discovered that OATH Toolkit incorrectly handled file  
 permissions. A remote attacker could possibly use this issue to  
 overwrite root owned files, leading to a privilege escalation attack.  
 (CVE-2024-47191)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.10  
  liboath-dev                     2.6.11-3ubuntu1

In general, a standard system update will make all the necessary changes.

References:  
https://ubuntu.com/security/notices/USN-7059-2   
<https://ubuntu.com/security/notices/USN-7059-2>  
https://ubuntu.com/security/notices/USN-7059-1   
<https://ubuntu.com/security/notices/USN-7059-1>  
  CVE-2024-47191

Package Information:  
https://launchpad.net/ubuntu/+source/oath-toolkit/2.6.11-3ubuntu1   
<https://launchpad.net/ubuntu/+source/oath-toolkit/2.6.11-3ubuntu1>

Ubuntu Security Notice USN-7059-2

Red Hat Security Advisory 2024-8116-03 - An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support. Issues addressed include buffer overflow and integer overflow vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8116.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: java-1.8.0-openjdk security update  
Advisory ID:        RHSA-2024:8116-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8116  
Issue date:         2024-10-17  
Revision:           03  
CVE Names:          CVE-2023-48161  
====================================================================

Summary: 

An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

Security Fix(es):

* giflib: Heap-Buffer Overflow during Image Saving in DumpScreen2RGB Function (CVE-2023-48161)

* JDK: Array indexing integer overflow (8328544) (CVE-2024-21210)

* JDK: HTTP client improper handling of maxHeaderSize (8328286) (CVE-2024-21208)

* JDK: Unbounded allocation leads to out-of-memory error (8331446) (CVE-2024-21217)

* JDK: Integer conversion error leads to incorrect range check (8332644) (CVE-2024-21235)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-48161

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2251025  
https://bugzilla.redhat.com/show_bug.cgi?id=2318524  
https://bugzilla.redhat.com/show_bug.cgi?id=2318526  
https://bugzilla.redhat.com/show_bug.cgi?id=2318530  
https://bugzilla.redhat.com/show_bug.cgi?id=2318534  
https://issues.redhat.com/browse/RHEL-62293

Red Hat Security Advisory 2024-8116-03

Traditional practices are no longer sufficient in today's threat landscape. It's time for cybersecurity professionals to rethink their approach.

Malleswar Reddy Yerabolu, Senior Security Engineer, North Carolina Department of Health and Human Services

October 18, 2024

5 Min Read

Source: Olekcii Mach via Alamy Stock Photo

COMMENTARY  
In today's interconnected digital landscape, supply chain attacks are no longer an anomaly — they're a persistent, growing threat. From SolarWinds to Kaseya, high-profile breaches have demonstrated that attackers are increasingly exploiting vulnerabilities in the supply chain to infiltrate targets at scale. For cybersecurity professionals, the days of relying on traditional vendor risk management are over. A broader, more proactive approach to securing the supply chain is required — one that goes beyond checklists and questionnaires. 

**The Shortcomings of Traditional Vendor Risk Management**

Historically, organizations have relied on static risk assessments and due diligence processes to evaluate their suppliers. This involves vetting vendors using questionnaires, compliance audits, and sometimes even on-site assessments. While these methods help ensure compliance with industry regulations and basic cybersecurity hygiene, they are no longer enough to combat today's sophisticated supply chain attacks. 

The major flaw of traditional vendor risk management is that it assumes security is a one-time evaluation rather than an ongoing process. A vendor might pass an initial audit, but what happens when it updates its software or onboards a third-party subcontractor? Additionally, static assessments rarely account for zero-day vulnerabilities or the rapid evolution of threat landscapes. In short, by the time an assessment is complete, the information is often outdated. 

**Proactive Supply Chain Monitoring: A New Paradigm**

A more effective approach to supply chain security involves continuous, real-time monitoring of vendors. Rather than waiting for the next audit or questionnaire cycle, organizations should be leveraging tools that provide up-to-date visibility into their vendors' cybersecurity postures. 

There are several ways this can be accomplished: 

*   Third-party risk management platforms: Platforms like BitSight and Security Scorecard allow organizations to monitor the external security posture of their vendors continuously. These platforms aggregate data from public sources, including open vulnerabilities, SSL configurations, and even mentions of potential breaches, to give security teams real-time insights into potential risks. 
    
*   Threat intelligence integration: By integrating threat intelligence feeds into the vendor risk management process, organizations can identify whether any vendors are being actively targeted by attackers, or if their infrastructure is compromised. This dynamic approach goes beyond static questionnaires, allowing organizations to act quickly in response to emerging threats. 
    
*   Continuous penetration testing: Routine penetration testing is no longer a luxury; it's a necessity. Regular testing of vendors' systems ensures that vulnerabilities are identified and mitigated before attackers can exploit them. With the increasing automation of penetration testing tools, this process can be made continuous rather than sporadic.
    

**Blockchain for Enhanced Supply Chain Transparency**

Another innovative solution to supply chain security challenges is the use of blockchain for transparency and traceability. Blockchain technology allows for the creation of immutable audit trails, making it possible to trace the origin of every component in the supply chain. This can be especially valuable in industries like pharmaceuticals or critical infrastructure, where counterfeit products or compromised components can have catastrophic consequences. 

By using blockchain, organizations can verify that every link in the supply chain adheres to security standards and hasn't been tampered with. In addition, smart contracts on blockchain can enforce compliance, triggering alerts or even actions (such as revoking access) when deviations from agreed-upon standards occur. 

**Managing Access: A Dynamic Approach to Vendor Permissions**

One critical element of supply chain cybersecurity that is often overlooked is how vendors access internal systems. Traditional models grant vendors broad access to systems and data, often far beyond what is necessary. This presents a significant risk, as compromising a single vendor's account could grant an attacker the keys to an organization's entire network. 

A more dynamic approach involves implementing zero-trust principles, where vendors are granted the minimum necessary permissions, and access is constantly reevaluated. This can be done through: 

*   Granular access control: Leveraging role-based access controls (RBAC) or even attribute-based access controls (ABAC) ensures that vendors have access only to the resources they need at any given time. 
    
*   Behavioral monitoring: Continuous monitoring of vendor behavior within your systems can help detect abnormal activity that might indicate a compromise. AI-driven anomaly detection tools can provide early warning signs that a vendor's account has been hijacked. 
    
*   Just-in-time access: Some organizations are adopting just-in-time (JIT) access, where vendors are granted temporary access to systems only when required, and access automatically expires after a predefined period. This minimizes the risk of persistent backdoors being left open. 
    

**Collaboration Across the Supply Chain**

Lastly, improving supply chain security requires collaboration between all stakeholders. Organizations must foster a culture of shared responsibility, where security is not viewed as the sole responsibility of individual vendors but as a collective effort. This can be achieved through: 

*   Security scorecards for vendors: Regularly sharing security posture reports with vendors encourages transparency and accountability. These reports can highlight areas where vendors need to improve and set clear expectations for remediation. 
    
*   Vendor security workshops: Hosting workshops or training sessions for vendors can help elevate their understanding of modern security practices and ensure that their teams are equipped to mitigate risks. 
    

**A Call to Action**

The time has come for cybersecurity professionals to rethink their approach to supply chain security. Traditional vendor risk management practices are no longer sufficient in today's threat landscape. By adopting continuous monitoring, leveraging blockchain for transparency, and implementing dynamic access control, organizations can build more resilient supply chains that are harder for attackers to compromise. 

Ultimately, securing the supply chain is not just about protecting your vendors — it's about safeguarding your entire business ecosystem. 

**About the Author**

Senior Security Engineer, North Carolina Department of Health and Human Services

Malleswar Reddy Yerabolu is a senior security engineer with more than seven years of experience in vulnerability management, threat analysis, and security architecture across financial, hospitality, government, and communication sectors. He specializes in leveraging AI, machine learning (ML), and natural language processing (NLP) to enhance threat detection and automate security processes. His research focuses on integrating AI and NLP to optimize cybersecurity solutions. Malleswar’s innovative approach helps organizations reduce risks and strengthen their defenses against evolving cyber threats. He holds a master’s degree in computer engineering from California State University.

Supply Chain Cybersecurity Beyond Traditional Vendor Risk Management

North Korean information technology (IT) workers who obtain employment under false identities in Western companies are not only stealing intellectual property, but are also stepping up by demanding ransoms in order to not leak it, marking a new twist to their financially motivated attacks.
"In some instances, fraudulent workers demanded ransom payments from their former employers after gaining

Insider Threat / Cyber Espionage

North Korean information technology (IT) workers who obtain employment under false identities in Western companies are not only stealing intellectual property, but are also stepping up by demanding ransoms in order to not leak it, marking a new twist to their financially motivated attacks.

"In some instances, fraudulent workers demanded ransom payments from their former employers after gaining insider access, a tactic not observed in earlier schemes," Secureworks Counter Threat Unit (CTU) said in an analysis published this week. "In one case, a contractor exfiltrated proprietary data almost immediately after starting employment in mid-2024."

The activity, the cybersecurity company added, shares similarities with a threat group it tracks as Nickel Tapestry, which is also known as Famous Chollima and UNC5267.

The fraudulent IT worker scheme, orchestrated with the intent to advance North Korea's strategic and financial interests, refers to an insider threat operation that entails infiltrating companies in the West for illicit revenue generation for the sanctions-hit nation.

These North Korean workers are typically sent to countries like China and Russia, from where they pose as freelancers looking for potential job opportunities. As another option, they have also been found to steal the identities of legitimate individuals residing in the U.S. to achieve the same goals.

They are also known to request for changes to delivery addresses for company-issued laptops, often rerouting them to intermediaries at laptop farms, who are compensated for their efforts by foreign-based facilitators and are responsible for installing remote desktop software that allow the North Korean actors to connect to the computers.

What's more, multiple contractors could end up getting hired by the same company, or, alternatively, one individual could assume several personas.

Secureworks said it has also observed cases where the fake contractors sought permission to use their own personal laptops and even caused organizations to cancel the laptop shipment entirely because they changed the delivery address while it was in transit.

"This behavior aligns with Nickel Tapestry tradecraft of attempting to avoid corporate laptops, potentially eliminating the need for an in-country facilitator and limiting access to forensic evidence," it said. "This tactic allows the contractors to use their personal laptops to remotely access the organization's network."

In a sign that the threat actors are evolving and taking their activities to the next level, evidence has come to light demonstrating how a contractor whose employment was terminated by an unnamed company for poor performance resorted to sending extortion emails including ZIP attachments containing proof of stolen data.

"This shift significantly changes the risk profile associated with inadvertently hiring North Korean IT workers," Rafe Pilling, Director of Threat Intelligence at Secureworks CTU, said in a statement. "No longer are they just after a steady paycheck, they are looking for higher sums, more quickly, through data theft and extortion, from inside the company defenses."

To tackle the threat, organizations have been urged to be vigilant during the recruitment process, including conducting thorough identity checks, performing in-person or video interviews, and be on the lookout for attempts to re-route corporate IT equipment sent to the contractors declared home address, routing paychecks to money transfer services, and accessing the corporate network with unauthorized remote access tools.

"This escalation and the behaviors listed in the FBI alert demonstrate the calculated nature of these schemes," Secureworks CTU said, pointing out the workers' suspicious financial behavior and their attempts to avoid enabling video during calls.

"The emergence of ransom demands marks a notable departure from prior Nickel Tapestry schemes. However, the activity observed prior to the extortion aligns with previous schemes involving North Korean workers."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korean IT Workers in Western Firms Now Demanding Ransom for Stolen Data

Brazilian authorities reportedly have arrested a 33-year-old man on suspicion of being "USDoD," a prolific cybercriminal who rose to infamy in 2022 after infiltrating the FBI's InfraGard program and leaking contact information for 80,000 members. More recently, USDoD was behind a breach at the consumer data broker National Public Data that led to the leak of Social Security numbers and other personal information for a significant portion of the U.S. population.

Brazilian authorities reportedly have arrested a 33-year-old man on suspicion of being “**USDoD**,” a prolific cybercriminal who rose to infamy in 2022 after infiltrating the **FBI’s InfraGard** program and leaking contact information for 80,000 members. More recently, USDoD was behind a breach at the consumer data broker **National Public Data** that led to the leak of Social Security numbers and other personal information for a significant portion of the U.S. population.

USDoD’s InfraGard sales thread on Breached.

The Brazilian news outlet **TV Globo** first reported the news of USDoD’s arrest, saying the Federal Police arrested a 33-year-old man from Belo Horizonte. According to TV Globo, USDoD is wanted domestically in connection with the theft of data on Brazilian Federal Police officers.

USDoD was known to use the hacker handles “**Equation Corp**” and “**NetSec**,” and according to the cyber intelligence platform **Intel 471** NetSec posted a thread on the now-defunct cybercrime community **RaidForums** on Feb. 22, 2022, in which they offered the email address and password for 659 members of the Brazilian Federal Police.

TV Globo didn’t name the man arrested, but the Portuguese tech news outlet **Tecmundo** published a report in August 2024 that named USDoD as 33-year-old **Luan BG** from Minas Gerais, Brazil. Techmundo said it learned the hacker’s real identity after being given a draft of a detailed, non-public report produced by the security firm **CrowdStrike**.

CrowdStrike did not respond to a request for comment. But a week after Techmundo’s piece, the tech news publication **hackread.com** published a story in which USDoD reportedly admitted that CrowdStrike was accurate in identifying him. Hackread said USDoD shared a statement, which was partially addressed to CrowdStrike:

A recent statement by USDoD, after he was successfully doxed by CrowdStrike and other security firms. Image: Hackread.com.

In August 2024, a cybercriminal began selling Social Security numbers and other personal information stolen from National Public Data, a private data broker in Florida that collected and sold SSNs and contact data for a significant slice of the American population.

Additional reporting revealed National Public Data had inadvertently published its own passwords on the Internet. The company is now the target of multiple class-action lawsuits, and recently declared bankruptcy. In an interview with KrebsOnSecurity, USDoD acknowledged stealing the NPD data earlier this year, but claimed he was not involved in leaking or selling it.

In December 2022, KrebsOnSecurity broke the news that USDoD had social-engineered his way into the FBI’s InfraGard program, an FBI initiative designed to build informal information sharing partnerships with vetted professionals in the private sector concerning cyber and physical threats to critical U.S. national infrastructure.

USDoD applied for InfraGard membership using the identity of the CEO of a major U.S. financial company. Even though USDoD listed the real mobile phone number of the CEO, the FBI apparently never reached the CEO to validate his application, because the request was granted just a few weeks later. After that, USDoD said he used a simple program to collect all of the contact information shared by more than 80,000 InfraGard members.

The FBI declined to comment on reports about USDoD’s arrest.

In a lengthy September 2023 interview with **databreaches.net**, USDoD told the publication he was a man in his mid-30s who was born in South America and who holds dual citizenship in Brazil and Portugal. Toward the end of that interview, USDoD said they were planning to launch a platform for acquiring military intelligence from the United States.

Databreaches.net told KrebsOnSecurity USDoD has been a regular correspondent since that 2023 interview, and that after being doxed USDoD made inquiries with a local attorney to learn if there were any open investigations or charges against him.

“From what the lawyer found out from the federal police, they had no open cases or charges against him at that time,” Databreaches.net said. “From his writing to me and the conversations we had, my sense is he had absolutely no idea he was in imminent danger of being arrested.”

When KrebsOnSecurity last communicated with USDoD via Telegram on Aug. 15, 2024, they claimed they were “planning to retire and move on from this,” referring to multiple media reports that blamed USDoD for leaking nearly three billion consumer records from National Public Data.

Less than four days later, however, USDoD was back on his normal haunt at **BreachForums**, posting custom exploit code he claimed to have written to attack recently patched vulnerabilities in a popular theme made for WordPress websites.

Latest News