DOJ announces new actions targeting illicit DPRK-linked schemes, including identity fraud enabling remote IT work at 136+ U.S. companies and APT38 crypto heists exceeding $15M.

Key elements:
• Multiple guilty pleas (U.S. & international)
• Unauthorized remote access + identity misuse
• Cryptocurrency laundering + ongoing seizure efforts
• DOJ, FBI & NSD coordination under DPRK RevGen initiative
Thoughts on improving remote-work identity vetting?
👍 Follow for more verified, unbiased cyber reporting.

#infosec #APT38 #Cybercrime #ThreatIntel #DOJ #NorthKorea #SecurityOps #CyberPolicy #DigitalForensics

USA zerschlagen nordkoreanisches IT-Betrugsnetzwerk – landesweite Maßnahmen gegen Regime-Finanzierung

Laut Gerichtsunterlagen unterstützten US- und ukrainische Mittelsmänner nordkoreanische IT-Fachkräfte dabei, sich mithilfe gestohlener oder gefälschter Identitäten bei US-Unternehmen als Remote-Worker auszugeben.

https://www.all-about-security.de/usa-zerschlagen-nordkoreanisches-it-betrugsnetzwerk-landesweite-massnahmen-gegen-regime-finanzierung/

#USJustizministerium #Nordkorea #RemoteITFraud #apt38 #remotearbeit

Morning, cyber pros! It's been a bit light on news over the last 24 hours, but we've still got some critical updates to chew on. We're looking at a major data breach, an actively exploited RCE vulnerability, an old protocol making a malicious comeback, and a significant legal crackdown on North Korean illicit activities. Let's dive in:

Logitech Hit by Clop Extortion ⚠️
- Hardware giant Logitech has confirmed a data breach following an extortion claim by the Clop gang, who leaked 1.8 TB of data.
- The breach stemmed from a third-party zero-day vulnerability, likely CVE-2025-61882 in Oracle E-Business Suite, which Clop actively exploited in July 2025.
- While Logitech states no sensitive national ID or credit card data was compromised, the incident highlights Clop's consistent use of zero-days in mass data theft campaigns, previously seen with Accellion, GoAnywhere, and MOVEit.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/logitech-confirms-data-breach-after-clop-extortion-attack/

RondoDox Botnet Exploiting XWiki RCE 🛡️
- The RondoDox botnet is actively exploiting CVE-2025-24893, a critical eval injection vulnerability (CVSS 9.8) in unpatched XWiki instances, to achieve arbitrary code execution.
- This flaw allows any guest user to execute remote code via a request to the "/bin/get/Main/SolrSearch" endpoint, and has been in the wild since at least March 2025.
- CISA added this to its KEV catalog, urging federal agencies to patch by November 20th. Exploitation attempts have surged, with RondoDox adding these devices to its botnet for DDoS attacks, alongside other actors deploying crypto miners and reverse shells.

📰 The Hacker News | https://thehackernews.com/2025/11/rondodox-exploits-unpatched-xwiki.html

'Finger' Protocol Abused for Malware Delivery 🕵️
- Threat actors are leveraging the decades-old 'finger' protocol (TCP port 79) to retrieve and execute remote commands on Windows devices in recent ClickFix malware attacks.
- The technique involves piping the output of a 'finger' command (e.g., `finger vke@finger.cloudmega[.]org`) directly into `cmd.exe`, causing the retrieved commands to run locally.
- Observed campaigns deliver Python-based infostealers or NetSupport Manager RAT, with some variants including anti-analysis checks for tools like Wireshark and Process Hacker. Defenders should block outgoing traffic to TCP port 79.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/

US Cracks Down on North Korean IT Worker Fraud ⚖️
- Five U.S. citizens have pleaded guilty to assisting North Korea's illicit revenue generation by enabling IT worker fraud, impacting over 136 U.S. companies and generating $2.2 million for the DPRK regime.
- The schemes involved using stolen U.S. identities, hosting company laptops in "laptop farms," and facilitating remote access to make it appear workers were in the U.S.
- This legal action, alongside the forfeiture of over $15 million in cryptocurrency stolen by APT38 (BlueNoroff), underscores ongoing efforts to disrupt North Korea's funding for its weapons programmes.

📰 The Hacker News | https://thehackernews.com/2025/11/five-us-citizens-plead-guilty-to.html

#CyberSecurity #ThreatIntelligence #DataBreach #Clop #Ransomware #ZeroDay #Vulnerability #RCE #XWiki #Botnet #DDoS #Malware #FingerProtocol #ClickFix #NorthKorea #DPRK #APT38 #BlueNoroff #Cybercrime #InfoSec #IncidentResponse #PatchManagement

DOJ: 5 guilty pleas tied to North Korea’s IT worker scheme. 136 U.S. companies hit, $2.2M earned, and $15M in stolen crypto seized from APT38/Lazarus operations.

#CyberSecurity #NorthKorea #APT38 #DOJ #ThreatIntel #CryptoCrime