A new cybersecurity advisory from the US Cybersecurity & Infrastructure Security Agency (CISA) outlines tactics, techniques, and procedures (TTPs) recently observed in North Korean ransomware operations against public health and other critical infrastructure sectors.
The document is a joint report by the NSA, FBI, CISA, US HHS and the Republic of Korea’s National Intelligence Service and Defense Security Agency, and notes that funds extorted in this manner have served to support the priorities and objectives of the North Korean government at the national level.
Besides the privately developed lockers, CISA says hackers have also used a dozen other strains of file-encrypting malware to attack South Korean and US healthcare systems.
According to the CISA notice, North Korean threat actors acquire the infrastructure necessary for an attack by using fake personas and accounts and illegally obtained cryptocurrency. To hide the money trail, they often look for suitable foreign intermediaries.
Hackers disguise their origin via VPN services and Virtual Private Servers (VPS) or third-party IP addresses.
The initial breach is achieved by exploiting various vulnerabilities that allow access to, and elevation of privileges on, the target networks.
Among the security issues they exploited are Log4Shell (CVE-2021-44228), remote code execution flaws in SonicWall appliances (CVE-2021-20038), and administrator password disclosure flaws in TerraMaster NAS products (CVE-2022-24990).
“The actors also likely spread malicious code via Trojan files for ‘X-Popup’, an open-source messenger commonly used by employees of small and medium-sized hospitals in South Korea,” CISA adds in the report.
“The actors spread malware by exploiting two domains: xpopup.pe[.]kr and xpopup.com. xpopup.pe[.]kr is registered at IP address 115.68.95[.]128 and xpopup[.]com is registered at IP address 119.205.197[.]111” – CISA
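The domains and IP addresses CISA quotes above are published in defanged form (`[.]` in place of `.`) so they cannot be clicked by accident. A defender who wants to sweep DNS or proxy logs for them has to refang them first and then match on hostnames and addresses rather than on raw substrings, so that a sub-domain of a listed domain is still caught while an unrelated address that merely contains the same digits is not. The following Python script is an added example written for this article, not code from CISA or BleepingComputer; it uses only the four indicators quoted above, and the log lines it scans are constructed for illustration.

```python
import ipaddress
import re

# Indicators as published in the CISA advisory quoted above, in defanged form.
DEFANGED_IOCS = [
    "xpopup.pe[.]kr",
    "xpopup[.]com",
    "115.68.95[.]128",
    "119.205.197[.]111",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_matcher(defanged):
    """Split refanged indicators into a set of domains and a set of IP addresses."""
    domains, ips = set(), set()
    for ioc in defanged:
        real = refang(ioc).lower()
        try:
            ips.add(str(ipaddress.ip_address(real)))  # normalises the address
        except ValueError:
            domains.add(real)  # not an IP, so treat it as a hostname
    return domains, ips


# Tokens that look like a hostname or an IPv4 address inside a log line.
_TOKEN = re.compile(r"[A-Za-z0-9.-]+")


def scan_lines(lines, defanged=DEFANGED_IOCS):
    """Return (line number, matched token, kind) for every indicator hit.

    Matching is done per token, not by substring: an IP must match exactly and
    a hostname matches if it equals a listed domain or is a sub-domain of one.
    """
    domains, ips = build_matcher(defanged)
    hits = []
    for lineno, line in enumerate(lines, 1):
        for tok in _TOKEN.findall(line):
            t = tok.lower().strip(".")
            if t in ips:
                hits.append((lineno, t, "ip"))
            elif t in domains or any(t.endswith("." + d) for d in domains):
                hits.append((lineno, t, "domain"))
    return hits


# Constructed sample log lines (not taken from the advisory or any real system).
SAMPLE_LOGS = [
    "2023-02-09T10:01:02Z dns client=10.0.0.5 query=xpopup.pe.kr type=A",
    "2023-02-09T10:01:03Z proxy client=10.0.0.5 dst=119.205.197.111:443 action=allow",
    "2023-02-09T10:01:04Z dns client=10.0.0.7 query=update.example.org type=A",
    "2023-02-09T10:01:05Z dns client=10.0.0.9 query=cdn.xpopup.com type=A",
]

if __name__ == "__main__":
    for lineno, ioc, kind in scan_lines(SAMPLE_LOGS):
        print(f"line {lineno}: matched {kind} indicator {ioc}")
```

Run against the constructed sample, the script flags lines 1, 2 and 4 and ignores line 3. Matching on whole tokens is the important design choice: a substring search for `119.205.197.111` would also fire on an unrelated address such as `119.205.197.1112`, and a search for `xpopup.com` would miss a DNS query for `cdn.xpopup.com`. The same matcher can be pointed at a real log export by replacing `SAMPLE_LOGS` with the file's lines.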
After establishing initial access, North Korean hackers perform network reconnaissance and lateral movement by executing shell commands and deploying additional payloads that help gather information.
While North Korean hackers have been linked to the Maui and H0lyGh0st ransomware strains [1, 2], the US agency notes that they “have also been observed using or possessing publicly available encryption tools:”
- BitLocker (a legitimate tool abused for encryption)
- GonnaCry
- Hidden Tear
- LockBit 2.0
- My Little Ransomware
Of note, BleepingComputer is aware that more than half of these lockers are available from public sources but could not confirm this for all.
An interesting aspect is the use of the DeadBolt and ech0raix ransomware strains, which have been massively targeting QNAP network-attached storage (NAS) devices over the past few years.
In the final stage of the attack, the threat actor demands a ransom payment in Bitcoin cryptocurrency. They use Proton Mail accounts to communicate with victims. In many cases, the requests come with threats of leaking stolen data, especially when the victim is a private healthcare company.
“The authoring agencies assess that an undetermined amount of revenue from these cryptocurrency operations supports DPRK domestic priorities and objectives, including cyber operations targeting the governments of the United States and South Korea – specific targets include the networks of members of the Department of Defense and the Defense Industrial Base.”
CISA recommends that healthcare institutions implement security measures such as multi-factor authentication (MFA) for account protection, encrypted connectivity, disabling unused interfaces, using network traffic monitoring tools, adhering to the principle of least privilege, and applying available security updates to all software products they use.
Check the CISA alert for the full list of recommendations and mitigation measures, Indicators of Compromise (IoCs), and links to information resources and points of contact for consultation.