Date: 2025-08-01

Cloud Security, Threat Intelligence

Google Cloud, AWS targeted by North Korean hacking group

North Korean state-backed threat operation UNC4899, also known as TraderTraitor, Slow Pisces, Jade Sleet, and PUKCHONG, has targeted Google Cloud and Amazon Web Services environments in separate attacks that enabled the theft of millions worth of cryptocurrency, The Hacker News reports.

After achieving initial access via stolen credentials and long-term access keys in Google Cloud and AWS instances, respectively, UNC4899 proceeded to launch the GLASSCANNON downloader that distributes the PLOTTWIST and MAZEWIRE backdoors, according to an analysis from Google Cloud. TraderTraitor was recently reported by Wiz researchers to have been targeting cloud environments to compromise users rather than the platforms. Such findings come as North Korean hacking collective Lazarus Group was noted by Sonatype to have been increasingly leveraging open-source packages for malware delivery. "These packages mimic popular developer tools but function as espionage implants, designed to steal secrets, profile hosts, and open persistent backdoors into critical infrastructure," said Sonatype researchers.

