The Microsoft Threat Intelligence Podcast 1.8.25
Ep 35 | 1.8.25

Threat Landscape Update: North Korean IT Workers, OSINT, and Remote Monitoring and Management Abuse

Transcript

Sherrod DeGrippo: Welcome to the Microsoft Threat Intelligence Podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage? Cybercrime? Social engineering? Fraud? Well, each week, dive deep with us into the underground. Come hear from Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird. [ Music ] But don't worry. I'm your guide to the back alleys of the threat landscape. [ Music ] Welcome to the Microsoft Threat Intelligence Podcast. I am Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft, and I have a fantastic trio of guests here today. I've got Caitlin Hopkins, Security Researcher, Diana Duvieilh, Principal Security Researcher, and Anna Seitz, security researcher, all from Microsoft. Thank you for joining me.

Unidentified Person: Thank you so much for having us. Excited to be here.

Sherrod DeGrippo: Thanks for joining me. I know that a lot of research has come out. We've had a lot of reports come out, published by Microsoft. So we've got a lot of stuff that we can talk about on the threat landscape recently. One of the first things I wanted to talk about is some threat actors deploying AsyncRAT and doing that through ScreenConnect. So help me understand what this campaign looks like, what they're doing. What is ScreenConnect? I know it's remote management software, but what exactly is attractive about it? Anna, I think you had some interesting things about this campaign.

Anna Seitz: Yeah, absolutely. So just to give a general overview, in August, Microsoft detected AsyncRAT being deployed by an AutoIt script. This script was part of a malware file that was transferred by the threat actor using ScreenConnect. ScreenConnect files were downloaded to the target device after users visited a tech support scam website, and we can talk about that a little bit later too. Basically, ScreenConnect is an RMM software that is abused by threat actors to maintain persistence on a device, or also used by an opportunistic attacker to deploy a ransomware payload. It's widely used in threat activity attributed to Iran-linked threat groups, such as Mango Sandstorm, and also used in ransomware attacks deploying Royal and BlackCat in late 2022 and also in early 2023. ScreenConnect was acquired by ConnectWise and is officially known as ConnectWise Control, though the ScreenConnect name often remains the one that people most prominently use. So AsyncRAT is an open-source remote access tool that allows its user to remotely access a computer and perform various activities like keylogging and file stealing, and also deploy other malware like ransomware. And it gets its name from its use of asynchronous programming techniques. This allows it to carry out multiple tasks simultaneously without blocking the program's main thread. And AsyncRAT has been active in the wild since at least 2019, and it's also been seen targeting individual users and organizations. And actually, the financial sector is one of the most commonly targeted industries, and this includes banks and financial institutions.

Sherrod DeGrippo: And we're going to talk more. We've got some stuff coming up about a big report that we just released about threats to financial services. So we'll talk about that a little bit later in the show, but AsyncRAT, I know, has been around for a long time because I remember tracking it in a previous role. It's commodity malware. And so Anna, I guess my question is we're seeing threat actors, both nation-sponsored -- so Iran, you mentioned, and it's deploying BlackHat, which is ransomware. So that's criminal-focused crimeware. Is AsyncRAT just an all-purpose thing that threat actors love like a Swiss army knife?

Anna Seitz: Yeah, that's a great point. I do think it's become somewhat of that, but also, RMM tools, in general, seem to be becoming more and more popular as abuse methods by threat actors. So we've published quite a lot of reporting on this. And we also have our OSINT team that's been following this as well, and there's a lot there, but yeah, basically we're seeing it every month, month after month. There's usually something about an RMM tool being abused that we're finding in our reporting.

Sherrod DeGrippo: Let's talk a little bit about those RMM tools and how they're being abused. Diana, this is something that you've been working on as well. RMM tools, for those who are listening, those are the remote management and monitoring software that typically is used by IT departments to manage a large fleet of enterprise devices. Most consumers aren't going to have something like this on their machines. And this also, correct me if I'm wrong, we would also consider this falling into like living off the land capabilities if that's installed there. So what are we seeing in terms of abuse of remote monitoring and management tools, Diana?

Diana Duvieilh: Yes, it's a technique that we've seen surge recently. We just published a report looking at OSINT trends looking back over the past three to six months of what other security researchers are reporting on. And we have about 20 articles a week that we publish. So we're looking across hundreds of articles to see what are the key trends across the security community? And RMM tools, the abuse of that is one of those key trends that has stood out that cyber criminals and nation-state actors are increasingly using RMM tools as part of their cyberattacks.

Sherrod DeGrippo: And what do you think is the appeal? I could guess, but what are threat actors really seeing as the killer app of getting these remote management and monitoring tools under their control?

Diana Duvieilh: I think it just gives you exactly what you're looking for. If you're a threat actor, you can remote desktop protocol, you can exfiltrate data. Everything is already built in, and because they're legitimate tools, you're flying under the radar, and you're not going to have your endpoint or your antivirus protection alert against it because it's a legitimate tool. I also would think that in part it's because with COVID, and you have more remote workers over the past several years, that this is just like echoing that trend. You know, as these tools have proliferated, so more threat actors are now using it. So I think that probably plays into it, as well.

Sherrod DeGrippo: So can you walk me through a little bit of what that attack chain looks like? How do they typically get access to these remote management tools? Are they scanning for vulnerable ones? Are they scanning for other vulnerabilities? How does that sort of initial access start?

Diana Duvieilh: Yeah, there are two main categories. First would be as part of a phishing campaign. Like, for example, there was just a report this morning, CERT-UA reported that a Russian threat actor was using a phishing campaign to deliver MeshAgent, which is one of these RMM tools, to targets in Ukraine. So the target receives it. They click a malicious link, and then it downloads this RMM tool, and the threat actors have access to basically anything they would want. So that's one option, and then another second popular technique would be using valid accounts. So if you already have an RMM tool installed on your system, they're able to find the credentials and log into it remotely, and then basically own your computer from that perspective. The initial access or the initial infection vector for AsyncRAT was actually through a tech support scam website. The users are prompted to interact with scammers, and the scammers can use scare tactics to trick the users into unnecessary technical support, supposedly helping them -- and in air quotes here -- "fix their device" or software problems that don't exist. And so at the best, these scammers are trying to get users to pay them to, air quote, "fix a non-existent problem" with the device or software. And at worst, they're trying to steal personal or financial information. So if a user allows them to remote into their computer to perform this, air quote, "fix," they will often install the malware/ransomware, and also other unwanted programs. I love your AsyncRAT example because it really exemplifies three of the key trends that we saw looking across all the RMM abuse reporting. First was the use of social engineering with RMM deployments. Second was its prevalence in ransomware operations, which you mentioned. We've also seen it involved with Play Ransomware, Inc Ransomware, Mad Liberator, Akira, a whole host of ransomwares, and then the third is that nation-state actors are using it. So you mentioned Iran. We've seen North Korea and Russia. So that's just like a perfect example. It exemplifies this trend that we're seeing across RMM abuse.

Sherrod DeGrippo: I was so excited to get this group together because everybody has such a great piece of this pie to talk about today.

Diana Duvieilh: I just want to mention our fourth and final trend was the use of RMM tools in C2 frameworks including popular C2 tools like PoshC2 and Sliver. So they're integrating RMM tools in that. And that's sort of a novel trend that I wanted to highlight as well.

Sherrod DeGrippo: And how long has that been going on, do you think?

Diana Duvieilh: That's -- we looked back over the past three to six months, and that's where we detected that. But to be honest, I don't know where the state of that was before that.

Sherrod DeGrippo: So something else that came out recently is Microsoft released a report that was pretty in depth that goes over things happening in the financial sector, which from what I heard in the report accounts for a fifth of all cybersecurity incidents over the past 20 years, over $2.5 billion lost since 2020. So I wanted to kind of talk to all three of you about this big report that Microsoft put out, said there was like a 64% increase in attacks just last year and lots of interesting information about how the financial sector is in the crosshairs 100% being targeted by threat actors. I know Diana and Caitlin, you worked on this and Anna, you've read it as well. What are the things we need to know here? Caitlin, I'll start with you. What did you find when you were putting this report together?

Caitlin Hopkins: Yeah, so we completed an analysis basically detailing threats to the financial services industry from January to September of this year. We discovered that among targeted regions, the United States has the highest volume of threat activity, and we've determined that this is probably driven by the industry's vast amounts of data and then the high-value transactions that occur in the United States. We identified that there are three trends pretty much shaping the threat landscape for the financial services industry in 2024. Like Anna and Diana were talking about before, social engineering is one of these huge trends. We also identified ransomware and third-party IT risks as big trends that we've seen over the past seven, eight months.

Sherrod DeGrippo: So tell me, it mentions quite a few high-profile incidents like with ransomware and things like that. Can you kind of give us some understanding of what those differences are? Like when they're hitting the financial services industry, why is that the choice? Like why do you think threat actors are choosing that? Obviously there's money there, but is there some other aspect to it?

Caitlin Hopkins: Yeah, definitely. The financial services industry has a huge digital footprint, which basically means that there are a lot of ways that threat actors can get in. And like you said, it represents a huge financial like monetary target. So lots of ways to get in and a lot of potential for profit makes it a prime target.

Sherrod DeGrippo: So what else was interesting, I think, Anna, you had some things that you found in the report that were interesting about the financial services industry as a target. What kinds of things should we know there?

Caitlin Hopkins: Yeah, one of the most interesting things that I learned by reading this report was that older CVEs are continuing to be exploited against the financial services sector. So even though these vulnerabilities are many years old, they continue to remain in use by these threat actors and mostly because of these slow patching cycles in some organizations. So there were two CVEs that were really standing out, which is CVE-2017-0199, which is a Microsoft Office WordPad remote code execution vulnerability. And then also CVE-2017-11882, which is a Microsoft Office memory corruption vulnerability. So there's a lot there to unpack, but I guess the point of the matter is there, old CVEs are still open vulnerabilities. It's the low hanging fruit that adversaries are still actively exploiting.

Sherrod DeGrippo: 2017, I wouldn't say is old. It's really ancient in terms of technical patching and updates. If those two vulnerabilities, one of which is remote code execution, are the darlings right now being leveraged against the financial services industry, am I off base to say, hey, fin bros, let's patch our stuff? Is there a reason that -- I know patching is sometimes controversial because you can't always get every single thing, but if there is such a widespread use of this particular vulnerability, am I missing anything there? Can we just update the financial services companies?

Caitlin Hopkins: Yeah, I was hoping they could just prioritize patch management.

Sherrod DeGrippo: Let's just patch that.

Caitlin Hopkins: Just patch that, seriously. I'm sure there's more there that maybe we're missing. But yeah, the slow patching cycles definitely need to speed up, for sure.

Sherrod DeGrippo: One of the interesting things is when we're looking at CVEs across industries, we see the same pattern. We see there is going to be different CVEs based on the tech stack, whatever industry it is, but we see consistently these old CVEs that are being exploited, whether you're in healthcare or in the IT sector. So yeah, I think this points to something underlying about patch management across organizations.

Caitlin Hopkins: It's also important, as you guys were talking about before, that AsyncRAT uses screen hacks. Some of these exploits are targeted by commodity malware, specifically CVE-2017-11882 is targeted by Remcos RAT, which is a commodity malware.

Sherrod DeGrippo: Remcos RAT has been around forever too, years and years and years. I think Remcos has been around for at least six years, maybe more.

Caitlin Hopkins: Yeah.

Sherrod DeGrippo: So we're talking about things that people in security say over and over again, which is talking about really old malware that's been around for a really long time. We're talking about really old vulnerabilities that have been around for seven, eight -- going on eight years. At this point, these are very old vulnerabilities, and we're in a situation where we're seeing them continually leveraged against, particularly the financial services industry. I also saw in the report that there's a lot about third-party IT risks, and is that around like using third-party vendors? What do people need to know about these third parties that are doing IT in their organizations?

Caitlin Hopkins: Yeah. So anytime an organization relies on third-party IT service providers or just a different product, it introduces additional risks. You're not in control over your own digital footprint anymore, and the IT sector is consistently the most targeted industry by supply chain attacks and just by the nature of their technology is spread through all different industries and especially in the financial services industry. So this dependency, specifically that the financial services industry has on third-party vendors, exposes them to supply chain attacks, and basically, where service providers are being infiltrated to get to the financial firm, and these lead to huge operational disruptions and data breaches in the industry.

Sherrod DeGrippo: So something else that we have learned about over some past episodes specifically dealing with North Korea is that North Korea has the IT worker targeting that they do where they masquerade as IT workers, coders, developers for hire. They get hired into organizations. They work at those organizations, and they either do espionage and exfiltration and/or they actually just perform the work and collect the paycheck to finance the regime. I noticed in the report that it mentions North Korean actors targeting financial institutions. What are we seeing there? North Korea loves to go after things like cryptocurrency and cash. What are they doing with financial institutions?

Caitlin Hopkins: Yes, cryptocurrency. And we're also seeing them masquerade as a venture capital firm to be able to compromise banking organizations. So I think this is just reflecting North Korea's targeting priorities as they're trying to get the money to prop up their regime, and so, they're going to go where the dollar signs are.

Unidentified Person: I'm just going to emphasize the fact that the United Nations estimates that North Korean threat actors have stolen over $3 billion in cryptocurrency since 2017. So it's an enormous figure and it's larger than I could have ever thought. It's humongous.

Sherrod DeGrippo: Right.

Unidentified Person: That's a humongous amount of money.

Sherrod DeGrippo: It's enormous, and we have the North Korean researchers. One of the episodes that we did a couple of weeks back was between two Gregs, where we had Greg Lesnewich and Greg Schloemer, top DPRK analysts in the industry, talking about these things, and some of the things I learned were they go after cryptocurrency wallets. They go after the exchanges. They try to get access into the exchange platforms themselves so that they can make exchanges to steal that cryptocurrency from the legitimate owner into the wallets controlled by the regime, and they target things like forums and like discussion post online-type websites where people may be doing password reuse, where they have an account where they chat about cryptocurrency, and they've reused their credentials to also manage their wallet, which of course is terrible, terrible security practice. But a lot of times some of these cryptocurrency traders just don't have a security background. They have more of a traditional tech or development background, and so they're not protecting their personal wallets and things like that. So if you are in the cryptocurrency game, I strongly suggest working on the security of your wallets, your exchange accounts, and anything that has to do with chat or forums or social media where you talk about cryptocurrency, because they see those as targeting -- they see those accounts as something they can target as well.

Caitlin Hopkins: Yeah, and that just ties right back into that social engineering element that we've been discussing. So I mean, for example, Sapphire Sleet is a good example of this. They target cryptocurrency exchanges, and they try to get people to give them their credentials. So they masquerade as venture capital firms to compromise cryptocurrency and banking organizations. So they're good at this.

Sherrod DeGrippo: They're good at it. And I think something that we really all have to admit at this point is that the creativity of these attacks and campaigns is really impressive. They come up with novel new ideas because they want them to work, and those novel new ideas are part of what makes these threat actors successful. Whether we're talking nation-sponsored or financially motivated threat actor groups, it doesn't matter. The creativity from both of those motivations from those threat actor groups has been on the rise, I really think, over the past two to three years. So something else in the report talked about how these breaches threaten the actual solvency and operational stability of the financial institutions. Essentially saying that if one of these large banks or financial services firms is breached, experiences a ransomware event, they could potentially go under as an institution or experience significant, catastrophic operational availability and stability events. What are we seeing here in terms of how they're dealing with it? What does this mean for the banking industry? If threat actors are able to threaten the solvency and availability of our banking system, where do we go from there?

Caitlin Hopkins: So vigilantly monitoring for patches and also mitigations for known vulnerabilities is really the most crucial thing we can do to minimize that attack surface. Financial institutions should invest in advanced threat detection and response capabilities. They can enhance employee awareness training, and they can enforce third-party risk management best practices. So all of these things are just going to have to become a pillar in the corporate bureaucratic system of the financial services industry, and emphasizing cybersecurity has to be the most core priority that they can have.

Sherrod DeGrippo: Absolutely. I think, too, talking about vulnerabilities from 2017, talking about AsyncRAT, Remcos RAT, these are things from a bygone era, almost. I mean, where were you in 2017?

Caitlin Hopkins: I don't remember.

Sherrod DeGrippo: Right? It's like thinking back that far. And Remcos RAT is older than that, even, and AsyncRAT, I think, is, too. So it's like looking at the threat landscape today, we're seeing old vulnerabilities, ancient vulnerabilities being leveraged, and we're seeing malware that is commodity, off-the-shelf, available malware that is being leveraged by crime actors and nation-sponsored actors alike and has been for years and years and years, these same pieces of malware over and over again, these same RATs. I think, really, organizations have to get their patching under control. They have to get their detection under control. And one final thing I think we should kind of go around and talk about a little bit is the social engineering aspect. That seems to be heavily leveraged by these threat actors. Anything we should mention about the social engineering aspect that people maybe should look out for? Any interesting trends there?

Unidentified Person: I mean, I can just jump in and jump to a bit of a conclusion with all of the AI instances that are coming out and large language models. Like, that will obviously continue to make social engineering harder and harder to suss out by security researchers and also victims. So that's definitely something that will be coming up on the threat landscape, and it's just going to have to be all circling back to employee education, going back to those pillars that we discussed, but it's definitely not going to get any easier, I don't think, to be able to suss out that.

Sherrod DeGrippo: I agree. It is very difficult to tell. I think a lot of the tells that we've had in the past, like bad grammar or punctuation mistakes and things, those just don't work anymore. My suggestion is if you want to identify if something is social engineering, look for three things: urgency, emotion, and habit. Is there an urgency to it where it says things like do this now? There's a deadline. Hurry. Claim your prize now. Anything that's pushing you to do something immediately, that's a red flag. Emotion, anything that causes you to have any emotion. It doesn't necessarily need to be a negative emotion. It can be excitement, interest, fear, concern, anxiety. Anything that you read that email, and you all of a sudden have a strong emotion, big red flag for social engineering, and habit. Social engineering is almost like a holy grail because the threat actor depends on you always clicking or doing business with that brand, or always online shopping in this way, or always putting your username and password in, or always using the same password or a variation of it. Those habits can be the difference between being a victim of social engineering or discovering and detecting social engineering. So urgency, emotion, and habit. If you have all three of those red flags in a message, whether it's an email or a text message or an instant message on a social media platform, pump the brakes, because that is a huge indicator that the particular message is trying to do what social engineering's goal is, and that is to get you to take an action that you would not normally take. It's really that simple and it's as old as time. Social engineering didn't start with email. It started thousands and thousands of years ago when human civilization began. This has been around for a long time. It's just now the medium is email, text messages, social media, and messaging platforms. So watch out for that, everyone. I think that's a good place to wrap up. I want to thank my guests, Caitlin Hopkins, Diana Duvieilh, Anna Seitz, security researchers at Microsoft. Thank you so much for joining us. It was great to have you.

Unidentified Person: Thanks, Sherrod.

Sherrod DeGrippo: Thank you.

Unidentified Person: Thank you, Sherrod. [ Music ]

Sherrod DeGrippo: Thanks for listening to the Microsoft Threat Intelligence Podcast. We'd love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode, we'll decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out at msthreatintelpodcast.com for more, and subscribe on your favorite podcast app. [ Music ]