North Korean Hackers Cast a Wide Net While Critical Infrastructure Faces New Threats
It’s been quite a week in our corner of the security world. While everyone’s been talking about TikTok’s new joint venture deal, some much more concerning developments have been flying under the radar. Let me walk you through what’s keeping me up at night.
The Contagious Interview Campaign Just Got Scarier
Remember those North Korean social engineering attacks we’ve been tracking? Well, the numbers just came in, and they’re staggering. The PurpleBravo campaign (the activity cluster behind the Contagious Interview lures) has targeted 3,136 IP addresses across 20 organizations spanning AI, crypto, financial services, and software development.
What makes this particularly nasty is the sophistication of their approach. These aren’t your typical spray-and-pray phishing attempts. The attackers are conducting detailed reconnaissance, crafting personalized job interview scenarios, and targeting specific individuals within organizations. They’re hitting companies across Europe, South Asia, the Middle East, and Central America – basically casting a global net.
The scary part? This is just what we’ve detected. Given how targeted and personalized these attacks are, I suspect we’re only seeing the tip of the iceberg. If you’re in any of these sectors, now’s a good time to remind your teams about those “too good to be true” job opportunities landing in their inboxes.
Energy Sector Under Siege
Meanwhile, Microsoft’s threat intelligence team flagged something that should have every energy company’s CISO paying attention. They’ve identified a multi-stage adversary-in-the-middle phishing campaign specifically targeting energy firms.
Here’s what makes this attack particularly clever: the threat actors are abusing SharePoint file-sharing to deliver their phishing lures. Since the sharing notification comes from trusted Microsoft infrastructure that most organizations use daily, these lures sail right past the reputation and link checks that traditional email security relies on. The “adversary-in-the-middle” part is the important bit: the phishing page proxies the real sign-in flow, so the victim’s password and, crucially, the MFA-backed session token are captured, and a second factor on its own does not stop the account takeover. Once they have the mailbox, the attackers create inbox rules to maintain persistence and hide their activities from users; in campaigns like this the rules typically delete, mark as read, or file away replies so the victim never notices the conversation the attacker is having in their name.
This is exactly the kind of attack that keeps critical infrastructure security teams awake at night. Energy companies are already high-value targets, and combining AitM techniques with business email compromise tactics creates a perfect storm for serious damage.
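The inbox-rule persistence described above is one of the few places this kind of intrusion leaves a reliable audit trail. As an added example (mine, not from the article or from Microsoft), the script below scores inbox-rule creation and modification events the way a detection engineer would: hiding folders, delete or mark-as-read actions, external forwarding, and BEC keyword filters each add a point. The three records are constructed samples shaped like Microsoft 365 Unified Audit Log entries for Exchange cmdlets; the folder, keyword and internal-domain lists are my assumptions and should be tuned to your tenant.

```python
import json
import re

# Constructed sample records (not real telemetry), shaped like Microsoft 365
# Unified Audit Log entries for Exchange cmdlets: an Operation plus a list of
# {"Name": ..., "Value": ...} parameters. Assumption: your export keeps that
# shape; adjust params_of() if your SIEM flattens it differently.
SAMPLE_EVENTS = [
    {"CreationTime": "2026-01-20T08:12:41", "UserId": "ops.engineer@example-energy.com",
     "ClientIP": "203.0.113.45", "Operation": "New-InboxRule", "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;wire transfer;password;hacked"},
         {"Name": "MoveToFolder", "Value": "RSS Feeds"},
         {"Name": "MarkAsRead", "Value": "True"},
         {"Name": "StopProcessingRules", "Value": "True"}]},
    {"CreationTime": "2026-01-20T09:03:10", "UserId": "finance.lead@example-energy.com",
     "ClientIP": "198.51.100.7", "Operation": "Set-InboxRule", "Parameters": [
         {"Name": "Identity", "Value": "Vendor mail"},
         {"Name": "ForwardAsAttachmentTo", "Value": "collector@mail-relay.example.net"},
         {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2026-01-20T10:41:55", "UserId": "finance.lead@example-energy.com",
     "ClientIP": "10.20.30.40", "Operation": "New-InboxRule", "Parameters": [
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "FromAddressContainsWords", "Value": "news@vendor.example.com"},
         {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

INTERNAL_DOMAINS = {"example-energy.com"}  # assumption: your accepted domains
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email",
                  "deleted items", "conversation history", "notes"}
BEC_KEYWORDS = {"invoice", "wire", "wire transfer", "payment", "password", "hacked",
                "phishing", "suspicious", "fraud", "security alert"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
KEYWORD_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")


def params_of(event):
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}


def external_recipients(value):
    """Addresses in a recipient list whose domain is not one of ours."""
    return [a for a in re.findall(r"[\w.+-]+@[\w.-]+", value)
            if a.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS]


def score_rule(event):
    """Return (score, reasons) for one inbox-rule create/modify event; each
    independent attacker-style trait adds one point."""
    if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return 0, []
    p, reasons = params_of(event), []
    if p.get("DeleteMessage") == "True":
        reasons.append("deletes matching mail")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"files mail into rarely viewed folder {p['MoveToFolder']!r}")
    if p.get("MarkAsRead") == "True":
        reasons.append("marks mail as read")
    if p.get("StopProcessingRules") == "True":
        reasons.append("stops further rule processing")
    for name in FORWARD_PARAMS:
        ext = external_recipients(p.get(name, ""))
        if ext:
            reasons.append(f"{name} to external address(es): {', '.join(ext)}")
    for name in KEYWORD_PARAMS:
        words = {w.strip().lower() for w in p.get(name, "").split(";") if w.strip()}
        if words & BEC_KEYWORDS:
            reasons.append(f"filters on BEC keywords: {', '.join(sorted(words & BEC_KEYWORDS))}")
    if not p.get("Name", p.get("Identity", "")).strip(". ,-_"):
        reasons.append("rule name is blank or punctuation only")
    return len(reasons), reasons


def find_suspicious_rules(events, threshold=2):
    """Events scoring at or above threshold, oldest first, with reasons attached."""
    hits = []
    for ev in sorted(events, key=lambda e: e.get("CreationTime", "")):
        score, reasons = score_rule(ev)
        if score >= threshold:
            hits.append({"time": ev["CreationTime"], "user": ev["UserId"],
                         "client_ip": ev.get("ClientIP"), "op": ev["Operation"],
                         "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    print(json.dumps(find_suspicious_rules(SAMPLE_EVENTS), indent=2))
```

Run against a real export, the first sample rule (blank name, keyword filter, filed into RSS Feeds, marked read, stop processing) scores 5 and the external-forwarding rule scores 2, while the legitimate newsletter rule scores 0. The ClientIP in each hit is worth correlating with the sign-in logs: an inbox rule created from an address that never appears in the user's normal sign-ins is the AitM session being used.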
Fortinet Customers Need to Act Fast
Speaking of critical infrastructure, there’s an active campaign targeting Fortinet FortiGate firewalls. What’s particularly concerning here is that the attacks appear to be hitting fully patched devices, and the intrusions look automated rather than hands-on. If patching does not stop it, the entry point is something a patch does not fix: a management interface exposed to the internet, or weak, reused or previously stolen admin credentials.
The attackers are making malicious configuration changes and stealing firewall configuration files. Think about what that means: they’re not just compromising individual systems, they’re mapping out entire network architectures and security postures. A FortiGate configuration file contains the network topology, interface and address objects, access rules and security policies, and embedded secrets such as admin credential material and VPN pre-shared keys. That is a goldmine for follow-on attacks, and it stays valuable even after the device itself has been cleaned up.
If you’re running FortiGate devices, audit your configurations now against a known-good backup and look for unauthorized changes: new or modified admin and API-user accounts, trusted-host entries loosened to 0.0.0.0/0, management access (HTTPS/SSH) newly enabled on WAN-facing interfaces, new VPN users, and unexpected automation stitches. Treat every secret in a stolen config as compromised and rotate it. This isn’t the time to assume your patches are enough.
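As an added example (mine, not from the article or from Fortinet), here is a small Python script that does the audit just described: it flattens two FortiOS CLI configuration exports into setting paths, diffs them, and marks as high severity any change that touches the places an intruder goes first, such as admin accounts, trusted hosts, management access on interfaces and API users. The two configs are constructed samples written in FortiOS syntax; the lists of sensitive sections and keys are my assumptions and should be extended for your deployment.

```python
import shlex

# Constructed sample exports in FortiOS CLI syntax (not from a real device).
# The "current" export adds a second super_admin account reachable from any
# host and opens HTTPS/SSH management on the WAN interface.
BASELINE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
end
config system interface
    edit "port1"
        set allowaccess ping
        set role wan
    next
end
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.0.0
        set accprofile "super_admin"
    next
end
"""

CURRENT_CONFIG = """\
config system global
    set hostname "fw-edge-01a"
end
config system interface
    edit "port1"
        set allowaccess ping https ssh
        set role wan
    next
end
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.0.0
        set accprofile "super_admin"
    next
    edit "support"
        set trusthost1 0.0.0.0 0.0.0.0
        set accprofile "super_admin"
    next
end
"""

# Assumed high-value sections and keys; extend for your deployment.
SENSITIVE_SECTIONS = {
    "config system admin", "config system api-user", "config system sso-admin",
    "config user local", "config user group", "config vpn ssl settings",
    "config system automation-action", "config system automation-stitch",
    "config system central-management", "config system dns",
}
SENSITIVE_KEYS = {"allowaccess", "trusthost1", "trusthost2", "trusthost3",
                  "accprofile", "password", "api-key", "admin-sport", "admin-port"}


def parse_fortios(text):
    """Flatten FortiOS CLI config into {(section, edit..., key): value}.

    config/edit push onto a path stack, next/end pop it, set records a value.
    Nested config blocks inside an edit are handled by the same stack.
    """
    settings, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)
        except ValueError:  # unbalanced quote inside an opaque value
            parts = line.split()
        kw, args = parts[0], parts[1:]
        if kw == "config":
            stack.append("config " + " ".join(args))
        elif kw == "edit":
            stack.append("edit " + " ".join(args))
        elif kw in ("next", "end") and stack:
            stack.pop()
        elif kw == "set" and args:
            settings[tuple(stack + [args[0]])] = " ".join(args[1:])
        elif kw == "unset" and args:
            settings[tuple(stack + [args[0]])] = "<unset>"
    return settings


def diff_configs(baseline_text, current_text):
    """Every setting that differs between the two exports, tagged "high" when
    it touches admin access, management exposure or credentials."""
    old, new = parse_fortios(baseline_text), parse_fortios(current_text)
    findings = []
    for path in sorted(set(old) | set(new)):
        if old.get(path) == new.get(path):
            continue
        kind = "added" if path not in old else "removed" if path not in new else "changed"
        sensitive = path[0] in SENSITIVE_SECTIONS or path[-1] in SENSITIVE_KEYS
        findings.append({"path": " / ".join(path), "kind": kind,
                         "old": old.get(path), "new": new.get(path),
                         "severity": "high" if sensitive else "review"})
    return findings


if __name__ == "__main__":
    for f in diff_configs(BASELINE_CONFIG, CURRENT_CONFIG):
        print(f"[{f['severity']:6}] {f['kind']:7} {f['path']}: {f['old']!r} -> {f['new']!r}")
```

On the samples this reports four differences: the hostname change is a routine "review" item, while the new `support` account (trusted from any host, super_admin) and the HTTPS/SSH management access added on the WAN interface come out as "high". Run it with your last known-good backup as the baseline; anything in the high bucket that nobody can account for is the signal the article is warning about.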
An 11-Year-Old Vulnerability Finally Surfaces
Here’s one that really caught my attention: researchers just discovered a critical vulnerability in GNU InetUtils telnetd that’s been hiding in plain sight for nearly 11 years. CVE-2026-24061 scores a 9.8 on CVSS and allows complete authentication bypass with root access.
Now, before you think “who still uses telnet anyway?” – remember that telnetd shows up in embedded systems, legacy infrastructure, and industrial control systems more often than we’d like to admit. The fact that this vulnerability affects versions 1.9.3 through 2.7 means there’s a huge installed base of potentially vulnerable systems out there. Disable telnetd wherever you can; it should not be exposed anyway, since it carries credentials in cleartext. Where you genuinely cannot, keep it off anything routable until a fixed package is in place.
What bothers me most about this one is how long it went undetected. It makes you wonder what other critical flaws are lurking in code we consider stable and mature.
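As an added example (mine, not from the article or from the InetUtils project), this POSIX shell script checks whether a Linux host has a telnetd package in the affected range the article quotes (1.9.3 through 2.7) and whether anything is listening on TCP/23. The package names inetutils-telnetd (Debian/Ubuntu) and inetutils (RPM-based distributions) and the use of GNU `sort -V` are assumptions; embedded devices without a package manager only get the listening check, and the binary's version string has to be checked by hand.

```sh
#!/bin/sh
# Check a host for GNU InetUtils telnetd in the affected range 1.9.3..2.7
# and for anything listening on TCP/23. Assumptions: GNU coreutils `sort -V`
# is available; package names below are guesses for your distribution.

# Strip a Debian/RPM epoch ("2:") and packaging revision ("-2ubuntu2",
# "-1.fc41") so only the upstream version remains.
normalize_pkg_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/-.*$//'
}

# Succeed (exit 0) when $1 sorts within [1.9.3, 2.7] inclusive.
telnetd_version_affected() {
    lo=1.9.3
    hi=2.7
    first=$(printf '%s\n%s\n' "$lo" "$1" | sort -V | head -n 1)
    last=$(printf '%s\n%s\n' "$hi" "$1" | sort -V | tail -n 1)
    [ "$first" = "$lo" ] && [ "$last" = "$hi" ]
}

# Best-effort lookup of the installed upstream version; prints nothing if
# no package manager knows about telnetd (typical on embedded devices).
installed_telnetd_version() {
    v=""
    if command -v dpkg-query >/dev/null 2>&1; then
        v=$(dpkg-query -W -f='${Version}' inetutils-telnetd 2>/dev/null) || v=""
    elif command -v rpm >/dev/null 2>&1 && rpm -q inetutils >/dev/null 2>&1; then
        v=$(rpm -q --qf '%{VERSION}-%{RELEASE}' inetutils)
    fi
    if [ -n "$v" ]; then
        normalize_pkg_version "$v"
    fi
    return 0
}

# Succeed when a TCP listener is bound on port 23 (ss, else netstat).
telnet_listening() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk '$4 ~ /:23$/ {found=1} END {exit !found}'
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ltn 2>/dev/null | awk '$4 ~ /:23$/ {found=1} END {exit !found}'
    else
        return 2
    fi
}

main() {
    ver=$(installed_telnetd_version)
    if [ -z "$ver" ]; then
        echo "no inetutils telnetd package found (check embedded binaries by hand)"
    elif telnetd_version_affected "$ver"; then
        echo "inetutils telnetd $ver is in the affected range 1.9.3..2.7: update or disable it"
    else
        echo "inetutils telnetd $ver is outside the affected range"
    fi
    if telnet_listening; then
        echo "WARNING: a service is listening on TCP/23 on this host"
    fi
}

main "$@"
```

The version comparison is deliberately separated from the package lookup so the same range check can be fed a version string pulled from a firmware image or a banner grab; note that it treats anything newer than 2.7 as outside the range, so re-check the range against the advisory once fixed releases are published.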
The TikTok Sideshow
While all this was happening, TikTok announced their new joint venture to continue U.S. operations under Trump’s 2025 executive order. Honestly, while this gets all the headlines, it’s probably the least concerning item on this list from a pure security perspective. The real threats are the ones actively exploiting vulnerabilities and targeting our critical infrastructure right now.
What This Means for Us
Looking at these incidents together, I see a clear pattern: attackers are getting more sophisticated, more targeted, and more patient. The North Korean campaign shows months of careful reconnaissance and social engineering. The energy sector attacks demonstrate deep understanding of trusted business processes. The Fortinet compromises suggest advanced persistent threat actors with significant resources.
We need to adjust our defensive strategies accordingly. Traditional perimeter security isn’t enough when attackers are using trusted platforms like SharePoint and conducting months-long social engineering campaigns. Phishing-resistant MFA (FIDO2 security keys or passkeys) is the structural fix for AitM credential theft, because the authenticator is bound to the real origin and simply will not complete a sign-in through the attacker’s proxy. Beyond that we need better user education, alerting on new inbox rules and other mailbox persistence, more robust behavioral analytics, and frankly, we need to assume that some of our users will eventually click on something they shouldn’t.
Sources
- TikTok Forms U.S. Joint Venture to Continue Operations Under 2025 Executive Order
- Fortinet Firewalls Hit With Malicious Configuration Changes
- Microsoft Flags Multi-Stage AitM Phishing and BEC Attacks Targeting Energy Firms
- North Korean PurpleBravo Campaign Targeted 3,136 IP Addresses via Fake Job Interviews
- Critical GNU InetUtils telnetd Flaw Lets Attackers Bypass Login and Gain Root Access