
This article is more than 1 year old

Thailand seizes server linked to North Korean attack gang

McAfee spotted malware-machine on IP address used for the Sony Pictures hack

A server hidden in a Thai university and allegedly used as part of a North Korean hacking operation has been seized by ThaiCERT.

Thailand's infosec organisation announced last Wednesday that the box was operated by the Norks-linked Hidden Cobra APT group, and was part of the command-and-control rig for a campaign called GhostSecret.

ThaiCERT said (you'll probably need a translation service) GhostSecret kicked off in February this year.

Last Tuesday, McAfee reported the IP addresses it associated with GhostSecret, as part of a report on malware attacks targeting infrastructure.

The McAfee report warned that GhostSecret was part of a “global reconnaissance campaign” scanning servers in various industries to find targets for an attack.

As well as identifying C&C servers, McAfee said it discovered a new Destover malware implant variant, and another implant it has called Proxysvc that has “operated undetected since mid-2017”.

The new variant “resembles parts of the Destover malware, which was used in the 2014 Sony Pictures attack”, the McAfee research noted.

The IP addresses associated with Thai activity, McAfee said, were 203.131.222.95, 203.131.222.109, and 203.131.222.83, belonging to Thammasat University.

The last address, 203.131.222.83, “hosted the control server for the Sony Pictures implants,” McAfee said. It was also linked to an SSL certificate “used in Hidden Cobra operations since the Sony Pictures attack.”

Now the server is in its hands, ThaiCERT said it is working with authorities and with McAfee to analyse its contents and see what remediation it can offer to Thai victims of the campaign. ®

 
