Jumpy

Vulnerability updated 23 days ago (2024-11-29T13:57:46.998Z)
Jumpy Pisces, a North Korean state-sponsored group, has been linked to a significant incident involving the Play ransomware group, also tracked as Fiddling Scorpius. This is the first recorded collaboration between the two, and it points to an evolving threat landscape. The assessment rests on several factors: the same compromised account was used for initial access and, before the ransomware was deployed, for spreading the Jumpy Pisces-linked toolset (Sliver and DTrack); and the files used in the attack impersonated ones produced by legitimate entities, signed with certificates previously linked to Jumpy Pisces.

The intrusion ended in the deployment of Play ransomware, but it remains unclear whether Jumpy Pisces has formally become a Play affiliate or acted independently by selling network access to Play operators. If Play does not in fact run a Ransomware-as-a-Service (RaaS) ecosystem as it claims, Jumpy Pisces may only have acted as an initial access broker (IAB). Despite these uncertainties, there is moderate confidence that Jumpy Pisces, or a faction of the group, is now working with the Play ransomware group.

In early September, an unidentified threat actor entered the network through the same compromised user account Jumpy Pisces had used for initial access. The actor moved laterally and maintained persistence by pushing the open-source Sliver framework and the group's custom malware, DTrack, to other hosts over the Server Message Block (SMB) protocol. Both the IP address and the corresponding domain seen in the attack have been linked to Jumpy Pisces, further tying the group to this incident.
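The lateral-movement pattern above (one compromised account pushing tooling to many hosts over SMB before ransomware lands) is something a detection engineer can hunt for in share-access telemetry. The following is an added example written for this page, not code from the page, from Unit 42, or from any of the named actors; the log lines are constructed, and the hostnames, IPs, account names and file names in them are hypothetical. It models Windows Security event 5145 style records (account, source IP, target host, share, relative path) and flags any account that writes executable content to administrative shares on three or more distinct hosts within an hour.

```python
"""Added example: detect SMB admin-share spraying of executables by one account.
Not from the page or Unit 42. Log lines below are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, loosely modelled on Windows Security event 5145
# (detailed file share access). Columns: time, account, source IP, target host,
# share name, relative path. All names, IPs and paths are hypothetical.
SAMPLE_EVENTS = """\
2024-09-03T02:10:05Z svc_backup 10.0.5.21 FS01 ADMIN$ Temp\\update.exe
2024-09-03T02:11:40Z svc_backup 10.0.5.21 WS-ACCT07 C$ Windows\\Temp\\svchost64.exe
2024-09-03T02:12:02Z svc_backup 10.0.5.21 WS-HR03 ADMIN$ Temp\\update.exe
2024-09-03T02:12:50Z svc_backup 10.0.5.21 DB02 ADMIN$ Temp\\update.exe
2024-09-03T02:30:11Z jdoe 10.0.7.40 FS01 Finance$ Q3\\report.xlsx
2024-09-03T09:15:00Z itadmin 10.0.1.2 WS-HR03 ADMIN$ Temp\\patch.msi
"""

# Shares and file types that matter for "copy tool to host, then execute it".
ADMIN_SHARES = {"ADMIN$", "C$", "D$"}
EXEC_SUFFIXES = (".exe", ".dll", ".ps1", ".bat", ".msi")


def parse(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, account, src, host, share, path = line.split(maxsplit=5)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "account": account,
        "src": src,
        "host": host,
        "share": share,
        "path": path,
    }


def detect_smb_spread(log_text, min_hosts=3, window=timedelta(hours=1)):
    """Return {(account, source_ip): sorted target hosts} for every actor that
    wrote an executable to an admin share on >= min_hosts distinct hosts
    within `window`. Legitimate admin activity against one host, or ordinary
    document access on a data share, does not trigger."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]

    # Group only the suspicious writes by (account, source IP).
    by_actor = defaultdict(list)
    for e in events:
        if e["share"] in ADMIN_SHARES and e["path"].lower().endswith(EXEC_SUFFIXES):
            by_actor[(e["account"], e["src"])].append(e)

    hits = {}
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["time"])
        # Slide a time window over the ordered events; count distinct targets.
        for i, start in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(hosts) >= min_hosts:
                hits[actor] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    for (account, src), hosts in detect_smb_spread(SAMPLE_EVENTS).items():
        print(f"{account} from {src} pushed executables to {len(hosts)} hosts: {hosts}")
```

Keying on (account, source IP) rather than account alone matters here: the page's point is that a single compromised credential was reused from infrastructure attributed to Jumpy Pisces, so a known-good admin account suddenly fanning out from an unfamiliar source is the signal, and the threshold and window are tuning knobs an analyst would adjust to the environment's normal patching behaviour.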
Description last updated: 2024-10-30T16:02:40.165Z
Aliases: none currently tracked.
Miscellaneous Associations (other context that could aid in assessing relevance): Ransomware
Associated Malware
Alias: Jumpy Pisces Malware (association type: Unspecified; votes: 2)
Description: The Jumpy Pisces Malware is associated with Jumpy. Jumpy Pisces, a North Korean state-sponsored malware group, has been identified as a key player in an unprecedented collaboration with an underground ransomware network. This marks a significant development in the cybersecurity landscape, as it's the first recorded instance of such cooperation betwe
Associated Threat Actors
Alias: Reconnaissance General Bureau (association type: Unspecified; votes: 2)
Description: The Reconnaissance General Bureau Threat Actor is associated with Jumpy. The Reconnaissance General Bureau (RGB) is a North Korean intelligence agency known for its clandestine operations abroad. Its cyber activities, believed to be coordinated by the secretive organization, have been linked to various threat actors since at least 2014. Notable entities include the Beagl
Source Document References
Information about Jumpy was read from the documents below (display limited to 20 results).
- InfoSecurity-magazine (created 2 months ago)
- Unit42 (created 2 months ago)