Matt Johansen
May 28, 12 tweets
The DoJ just busted a massive scam involving North Korean IT workers infiltrating major US companies.

They had some help in the US and were posing as remote freelancers to siphon off money and sensitive info.

Holy crap, here's what we know:
How they operated:

North Korean operatives are stationed in countries like China, Russia, and parts of Eastern Europe and Southeast Asia.

They then use fake documents and buy accounts to get remote jobs in the States.
On May 16, the DOJ indicted five people connected to this scheme.

One is an Arizona woman who helped North Korean IT workers by validating stolen identities, making them look like US citizens.
This woman also hosted laptops from US companies to spoof locations.

This bypassed any geofencing, making it seem like the North Korean workers were based in the US.
The scheme has raked in millions of dollars in wages from over 300 companies.

This money likely supports North Korea's regime, including its nuclear weapons program, according to the FBI.
North Korea's government is highly motivated due to heavy international sanctions.

They've been behind major cyber heists like the $81 million stolen from Bangladesh Bank via the SWIFT system in 2016.
Facilitators, or "mules," are key players in this operation.

They manage multiple fake identities and handle risky tasks like job interviews and drug tests, then pass the credentials to the actual North Korean workers.
These facilitators make big money.

For example, a Ukrainian facilitator managed about 870 identities and hosted 80 computers, earning over $900,000 over six years.
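The laptop-hosting pattern above (one facilitator keeping many companies' laptops on one home connection so the workers pass geofencing) is something a defender can look for in their own SSO/VPN logs. This is an added example, not code from the thread or from any of the parties it describes; the log fields, employee ids, IP addresses and HR records are all constructed for illustration.

```python
# Added example, not from the thread: a small detector over constructed SSO/VPN
# login records that flags the laptop-farm pattern the thread describes,
# i.e. several different employees' corporate laptops reaching the network from
# one residential IP, and logins whose geolocated state disagrees with the
# state the employee gave HR. Field names and IP values are constructed.
from collections import defaultdict

# Constructed sample records: (employee id, device id, source ip, geo state)
LOGINS = [
    ("e100", "LT-0100", "203.0.113.10", "AZ"),
    ("e200", "LT-0200", "203.0.113.10", "AZ"),
    ("e300", "LT-0300", "203.0.113.10", "AZ"),
    ("e400", "LT-0400", "198.51.100.7", "TX"),
    ("e500", "LT-0500", "192.0.2.22", "WA"),
    ("e500", "LT-0500", "192.0.2.23", "WA"),
]

# Constructed HR records: employee id -> state of the declared home address
HR_STATE = {"e100": "AZ", "e200": "NY", "e300": "CA", "e400": "TX", "e500": "WA"}


def shared_ip_devices(logins, min_employees=3):
    """Return {ip: sorted employee ids} for IPs used by >= min_employees
    distinct employees. Many issued laptops behind one home connection is
    the facilitator pattern the indictment describes."""
    by_ip = defaultdict(set)
    for emp, _dev, ip, _state in logins:
        by_ip[ip].add(emp)
    return {ip: sorted(e) for ip, e in by_ip.items() if len(e) >= min_employees}


def location_mismatches(logins, hr_state):
    """Return sorted (employee, hr_state, observed_state) tuples where the
    geolocated login state differs from the address on file with HR.
    A geofence alone passes these, because the laptop really is in the US."""
    seen = set()
    for emp, _dev, _ip, state in logins:
        declared = hr_state.get(emp)
        if declared is not None and declared != state:
            seen.add((emp, declared, state))
    return sorted(seen)


def flagged_employees(logins, hr_state, min_employees=3):
    """Employees hit by both signals: on a shared IP and location-mismatched."""
    shared = {e for ids in shared_ip_devices(logins, min_employees).values() for e in ids}
    mismatched = {m[0] for m in location_mismatches(logins, hr_state)}
    return sorted(shared & mismatched)


if __name__ == "__main__":
    print(shared_ip_devices(LOGINS))
    print(location_mismatches(LOGINS, HR_STATE))
    print(flagged_employees(LOGINS, HR_STATE))
```

Either signal alone has benign explanations (a shared office, a recent move), so the combined list is a starting point for a manual identity check, not an automatic verdict.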
The IT workers, often highly skilled, work under harsh conditions with strict oversight.

Their activities include cryptojacking, targeting security researchers (!!!), and other cyber attacks to fund the regime.
How does your company verify remote worker identities? Would your process stand up to this threat?
I cover this and dozens more cybersecurity news stories every week in my free newsletter.

Join over 12,000 other pros here: vulnu.xyz/tw
