South Korea says NUCLEAR WORM is nothing to worry about

Malware woes continue for state-run power company


The South Korean Energy Minister has told the National Assembly that a newly discovered malware outbreak at one of the country's nuclear facilities is no big deal, and is not linked to a more serious breach earlier this month.

Yoon Sang-jick said in a committee hearing that investigators had found a malware "worm" in one of the nuclear power facilities run by state-run Korea Hydro and Nuclear Power (KHNP), Reuters reports.

He added that the malware had probably been inadvertently introduced by a worker using an unauthorized USB device. It was not linked to a more serious hacking attack earlier in the month and has now been dealt with, he said.

Earlier in December, someone claiming to be "president of anti-nuclear reactor group" in Hawaii demanded that three of the reactors be shut down and began posting a series of files on social media. These included unclassified building schematics and blueprints, engineering manuals, and personal data on staff.

Neither of these attacks got anywhere near the reactor control systems, the Energy Minister reported, which are kept entirely separate from the general administrative network that had been successfully penetrated. But not everyone agreed.

"I doubt control systems are perfectly safe as said," Lee Jung-hyun, a Conservative politician from the majority Saenuri party, told the committee hearing.

After the first data breach, KHNP ran cyberwar drills on all of its facilities. It has also promised to add another 20 security staff and get a committee of experts from outside the company (leavened with some KHNP staff) to review its IT operations.

"We will prepare fundamental improvement measures by enhancing nuclear power's safe operation and hiking information security systems to the highest level following this cyber attack case," KHNP said in a statement.

Politicians have refused to rule out that North Korea was behind the attacks, which are ongoing. Meanwhile, in February, it was reported that the South Korean government approved the development of attack code that could be used by security services against North Korea's nuclear weapons and power facilities. ®

Broader topics


Other stories you might like

  • Emotet malware gang re-emerges with Chrome-based credit card heistware
    Crimeware groups are re-inventing themselves

    The criminals behind the Emotet botnet – which rose to fame as a banking trojan before evolving into spamming and malware delivery – are now using it to target credit card information stored in the Chrome web browser.

    Once the data – including the user's name, the card's numbers and expiration information – is exfiltrated, the malware will send it to command-and-control (C2) servers that are different than the one that the card stealer module uses, according to researchers with cybersecurity vendor Proofpoint's Threat Insight team.

    The new card information module is the latest illustration of Emotet's Lazarus-like return. It's been more than a year since Europol and law enforcement from countries including the United States, the UK and Ukraine tore down the Emotet actors' infrastructure in January 2021 and – they hoped – put the malware threat to rest.

    Continue reading
  • Liftoff at last for South Korean space program
    Satellite-deploying rocket finally launches – after a few setbacks

    South Korea's Aerospace Research Institute (KARI) yesterday succeeded in its endeavor to send the home-grown Nuri launcher into space, then place a working satellite in orbit.

    The launch was scheduled for earlier in June but was delayed by weather and then again by an anomaly in a first-stage oxidizer tank. Its October 2021 launch failed to deploy a dummy satellite, thanks to similar oxidizer tank problems that caused internal damage.

    South Korea was late to enter the space race due to a Cold War-era agreement with the US, which prohibited it developing a space program. That agreement was set aside and yesterday's launch is the culmination of more than a decade of development. The flight puts South Korea in a select group of nations that have demonstrated the capability to build and launch domestically designed and built orbital-class rockets.

    Continue reading
  • HelloXD ransomware bulked up with better encryption, nastier payload
    Russian-based group doubles the extortion by exfiltrating the corporate data before encrypting it.

    Windows and Linux systems are coming under attack by new variants of the HelloXD ransomware that includes stronger encryption, improved obfuscation and an additional payload that enables threat groups to modify compromised systems, exfiltrate files and execute commands.

    The new capabilities make the ransomware, first detected in November 2021 - and the developer behind it even more dangerous - according to researchers with Palo Alto Networks' Unit 42 threat intelligence group. Unit 42 said the HelloXD ransomware family is in its initial stages but it's working to track down the author.

    "While the ransomware functionality is nothing new, during our research, following the lines, we found out the ransomware is most likely developed by a threat actor named x4k," the researchers wrote in a blog post.

    Continue reading
  • Now Windows Follina zero-day exploited to infect PCs with Qbot
    Data-stealing malware also paired with Black Basta ransomware gang

    Miscreants are reportedly exploiting the recently disclosed critical Windows Follina zero-day flaw to infect PCs with Qbot, thus aggressively expanding their reach.

    The bot's operators are also working with the Black Basta gang to spread ransomware in yet another partnership in the underground world of cyber-crime, it is claimed.

    This combination of Follina exploitation and its use to extort organizations makes the malware an even larger threat for enterprises. Qbot started off as a software nasty that raided people's online bank accounts, and evolved to snoop on user keystrokes and steal sensitive information from machines. It can also deliver other malware payloads, such as backdoors and ransomware, onto infected Windows systems, and forms a remote-controllable botnet.

    Continue reading
  • Symantec: More malware operators moving in to exploit Follina
    Meanwhile Microsoft still hasn't patched the fatal flaw

    While enterprises are still waiting for Microsoft to issue a fix for the critical "Follina" vulnerability in Windows, yet more malware operators are moving in to exploit it.

    Microsoft late last month acknowledged the remote code execution (RCE) vulnerability – tracked as CVE-2022-30190 – but has yet to deliver a patch for it. The company has outlined workarounds that can be used until a fix becomes available.

    In the meantime, reports of active exploits of the flaw continue to surface. Analysts with Proofpoint's Threat Insight team earlier this month tweeted about a phishing campaign, possibly aligned with a nation-state targeting US and European Union agencies, which uses Follina. The Proofpoint researchers said the malicious spam messages were sent to fewer than 10 Proofpoint product users.

    Continue reading
  • EnemyBot malware adds enterprise flaws to exploit arsenal
    Fast-evolving botnet targets critical VMware, F5 BIG-IP bugs, we're told

    The botnet malware EnemyBot has added exploits to its arsenal, allowing it to infect and spread from enterprise-grade gear.

    What's worse, EnemyBot's core source code, minus its exploits, can be found on GitHub, so any miscreant can use the malware to start crafting their own outbreaks of this software nasty.

    The group behind EnemyBot is Keksec, a collection of experienced developers, also known as Nero and Freakout, that have been around since 2016 and have launched a number of Linux- and Windows-based bots capable of launching distributed denial-of-service (DDoS) attacks and possibly mining cryptocurrency. Securonix first wrote about EnemyBot in March.

    Continue reading
  • Chinese-sponsored gang Gallium upgrades to sneaky PingPull RAT
    Broadens targets from telecoms to finance and government orgs

    The Gallium group, believed to be a Chinese state-sponsored team, is going on the warpath with an upgraded remote access trojan (RAT) that threat hunters say is difficult to detect.

    The deployment of this "PingPull" RAT comes as the gang is broadening the types of organizations in its sights from telecommunications companies to financial services firms and government entities across Asia, Southeast Asia, Europe and Africa, according to researchers with Palo Alto Networks' Unit 42 threat intelligence group.

    The backdoor, once in a compromised system, comes in three variants, each of which can communicate with the command-and-control (C2) system in one of three protocols: ICMP, HTTPS and raw TCP. All three PingPull variants have the same functionality, but each creates a custom string of code that it sends to the C2 server, which will use the unique string to identify the compromised system.

    Continue reading

Biting the hand that feeds IT © 1998–2022