At a glance.
- ReconShark, a new reconnaissance tool deployed in DPRK spearphishing attacks.
- White House releases National Standards Strategy for Critical and Emerging Technology.
- US Ransomware Task Force releases a two-year retrospective.
- KillNet's reorganization continues.
ReconShark, a new reconnaissance tool deployed in DPRK spearphishing attacks.
SentinelLabs reports that Kimsuky, a North Korean state-sponsored cyber espionage activity, has incorporated a new reconnaissance tool into its repertoire. ReconShark accompanies specially crafted emails in spearphishing attacks. The group tailors each spearphishing email to the individual target, using real names and, especially, information directly pertinent to the target's work to lure the prospect into downloading a malicious file. Recently the group has been favoring password-protected Microsoft OneDrive documents.
ReconShark, a new version of the similar malware BabyShark, then gathers system information to allow for precision-crafted exploitation of the target’s computer. “The ability of ReconShark to exfiltrate valuable information, such as deployed detection mechanisms and hardware information, indicates that ReconShark is part of a Kimsuky-orchestrated reconnaissance operation that enables subsequent precision attacks, possibly involving malware specifically tailored to evade defenses and exploit platform weaknesses.” SentinelLabs concludes that this campaign is probably part of a larger campaign and underscores the need for industry collaboration and communication to thwart further malicious activity.
(Added 11:15 AM ET, May 7th, 2023. Dror Liwer, co-founder of Coro, sees the addition of universities to the DPRK's target list as particularly disturbing. “The expansion to universities is worrying,” Liwer writes. “Unlike government institutions, our data shows that most universities do not have adequate cybersecurity defenses and awareness programs. We have seen a triple-digit increase in attacks on educational institutions in the US in the last year, which is driven by a perfect storm from an attacker's perspective: Extremely valuable data, and lacking defenses.”
We also heard from James McQuiggan, Security Awareness Advocate at KnowBe4, who notes that social engineering remains an important tool for threat actors. "The group’s adoption of advanced spear phishing tactics demonstrates that social engineering is still the standard tool for gaining access to organizations through users and relying on old-fashioned human psychology, misdirection and manipulation to access sensitive information," McQuiggan says. "While technology helps protect networks, servers, endpoints and data, the human remains a fundamental vulnerability that cybercriminals will consistently exploit. Organizations should continue to educate their users as a priority. Monthly security awareness sessions and frequent simulated phishing exercises can help users identify and respond to potential spear phishing attacks more effectively. In the unfortunate event of a successful phishing attack, organizations should also establish robust incident response plans to ensure they can promptly detect, contain and remediate threats when they occur.")