Jumpy

Vulnerability updated 14 days ago (2024-11-08T13:28:07.439Z)

Download STIX

Preview STIX

Jumpy Pisces, a North Korean state-sponsored group, has been linked to a significant cybersecurity incident involving the Play ransomware group, also known as Fiddling Scorpius. This marks the first recorded collaboration between these two entities, raising concerns about an evolving threat landscape. The assessment of this collaboration was based on several key factors, including the use of the same compromised account for initial access and subsequent spreading of Jumpy Pisces-linked toolset (such as Sliver and DTrack) prior to the ransomware deployment. The files used in this attack impersonated ones created by legitimate entities, enabled by certificates previously linked to Jumpy Pisces. The intrusion led to the deployment of Play ransomware, but it remains unclear whether Jumpy Pisces has officially become an affiliate for Play ransomware or if they acted independently by selling network access to Play ransomware actors. If Play ransomware does not provide a Ransomware-as-a-Service (RaaS) ecosystem as it claims, Jumpy Pisces might only have acted as an independent access broker (IAB). Despite these uncertainties, there is moderate confidence that Jumpy Pisces, or a faction of the group, is now collaborating with the Play ransomware group. In early September, an unidentified threat actor entered the network through the same compromised user account used by Jumpy Pisces. The group carried out lateral movement and maintained persistence by spreading the open-source tool Sliver and their unique custom malware, DTrack, to other hosts via Server Message Block (SMB) protocol. Both the IP address and the corresponding domain involved in the attack have been linked to Jumpy Pisces, further solidifying the connection between the group and this incident.

Description last updated: 2024-10-30T16:02:40.165Z

What's your take? (Question 1 of 2)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Jumpy Pisces Malware is associated with Jumpy. Jumpy Pisces, a North Korean state-sponsored malware group, has been identified as a key player in an unprecedented collaboration with an underground ransomware network. This marks a significant development in the cybersecurity landscape, as it's the first recorded instance of such cooperation betwe	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Reconnaissance General Bureau Threat Actor is associated with Jumpy. The Reconnaissance General Bureau (RGB) is a North Korean intelligence agency known for its clandestine operations abroad. Its cyber activities, believed to be coordinated by the secretive organization, have been linked to various threat actors since at least 2014. Notable entities include the Beagl	Unspecified	2

Source Document References

Information about the Jumpy Vulnerability was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Preview	Source Link	CreatedAt	Title
	InfoSecurity-magazine	22 days ago	North Korean Hackers Collaborate with Play Ransomware
	Unit42	23 days ago	Jumpy Pisces Engages in Play Ransomware