Efforts by the Democratic People’s Republic of Korea (DPRK) continue to produce state-sponsored ransomware and have successfully attacked healthcare and public health sector organizations and other critical infrastructure, according to a new advisory.
This Cybersecurity Advisory (CSA) was the joint work of the U.S. National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Department of Health and Human Services (HHS), the Republic of Korea (ROK) National Intelligence Service (NIS) and the ROK Defense Security Agency (DSA). Together, they detailed that an unspecified amount of revenue made from these attacks – which use ransomware to extort organizations for cryptocurrency demands – is, in turn, being used to support DPRK nation-level priorities and objectives, including cyber operations targeting the U.S. and South Korean governments.
Two of the highest-profile DPRK ransomware campaigns have been dubbed Maui and H0lyGh0st, respectively. The tactics, techniques, and procedures used by these groups include acquiring infrastructure, IP addresses, and domains with cryptocurrency gained from cybercrimes. They actively work to obscure their identities and involvement by operating through third parties and by using VPNs and virtual private servers (VPS). They then exploit common vulnerabilities and exposures to gain access and escalate privileges within networks, such as remote code execution in the Apache Log4j software library and remote code execution in unpatched SonicWall SMA 100 appliances.
The United States and its South Korean allies have, however, compiled a list of the domains, file names, and hashes often used by these malicious actors. In particular, they noted that DPRK groups tend to spread malicious code through Trojanized files for X-Popup, an open-source messenger frequently used by employees of small and medium-sized hospitals in South Korea.
The reporting government agencies urge companies to review their cybersecurity efforts and network defenses: train users to recognize and report phishing attempts, deploy phishing-resistant multi-factor authentication, and install and regularly update antivirus and antimalware software on all hosts. In their report, they also pushed for limiting access to data by encrypting connections, turning off weak or unnecessary network device management interfaces, protecting stored data by masking permanent account numbers, and much more.
They also reiterated government policy discouraging ransom payments, arguing that paying does nothing to guarantee that files and records will be recovered – and may also result in sanctions from the United States or the ROK.