Microsoft declares war on North Korean hackers, seizes more than 50 attack domains

Microsoft announced that it has successfully taken over 50 web domains previously used by North Korean government-backed hackers. The operating system maker said the 50 domains were used by a group the company has been tracking, Thallium (also known as APT37), to launch cyber attacks.

Microsoft said its Digital Crimes Unit (DCU) and Microsoft Threat Intelligence Center (MSTIC) teams monitored Thallium for several months, tracking the group's activities and mapping its infrastructure.

On December 18, the Redmond-based company filed a lawsuit against Thallium in a Virginia court. Shortly after Christmas, US authorities granted Microsoft a court order allowing the company to take over more than 50 domains that the North Korean hackers had been using in their attacks.

These domains were used to send phishing e-mails and to host phishing pages. Thallium lured victims to these sites to steal their credentials, used the stolen credentials to gain access to internal networks, and then escalated the attacks further from inside those networks.

Figure: a phishing e-mail sent by Thallium (Image: Microsoft)

Microsoft also said that, in addition to tracking Thallium's offensive operations, it tracks the infected hosts.

Tom Burt said: "Based on victim information, the targets include government employees, think tanks, university staff, organizations committed to world peace and human rights, as well as individuals working on nuclear proliferation issues." He added, "Most of the targets are located in the United States, Japan and South Korea."

Microsoft executives said that in many of these attacks the ultimate goal was to infect victims with malware, for example the two remote access Trojans (RATs) KimJongRAT and BabyShark.

Burt said: "Once the malware is installed on a victim's computer, it steals information from it, maintains persistence and waits for further instructions."

Figure: (Image: Palo Alto Networks)

Microsoft said it has updated its security products to protect customers from Thallium's attacks, and recommends that users enable two-factor authentication and security alerts, and check their e-mail forwarding rules as soon as possible.

In fact, this is not the first time Microsoft has used a court order to disrupt a foreign government-backed hacking group.

The last time was in August 2018, when Microsoft used this method 12 times against a Russian group called Strontium (APT28, Fancy Bear) and successfully took down 84 domains. It also used court orders to seize 99 domains of the network associated with the Iranian espionage group Phosphorus (APT35).

In addition, Microsoft has also used court orders to disrupt the operations of Barium, a Chinese government-backed hacking group.

Reference: https://www.zdnet.com/article/microsoft-takes-down-50-domains-operated-by-north-korean-hackers/

Source: www.oschina.net/news/112491/microsoft-north-korean-hackers-50-domains