North Korea funds its cyber ops with ransomware.
Feb 10, 2023

CISA and other US federal agencies, alongside South Korean agencies, yesterday issued an advisory on the DPRK’s use of ransomware attacks to bankroll more cybercrime.

DPRK state-affiliated actors have been observed targeting the healthcare and critical infrastructure sectors with Maui and H0lyGh0st ransomware as a means to extort money to further fund North Korea’s “national priorities,” including cyberespionage, SC Magazine wrote yesterday.

An update to a joint alert, from US and South Korean federal government agencies.

The US Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, National Security Agency, Department of Health and Human Services, the Republic of Korea (ROK) National Intelligence Service, and the ROK Defense Security Agency released a joint advisory yesterday discussing tactics, techniques, and procedures (TTPs) of DPRK threat actors using ransomware attacks to target both nations’ healthcare and critical infrastructure industries. They also suggest mitigations for victim organizations, as NSA wrote yesterday. (The advisory is an update to a July 2020 advisory, writes SC Magazine.)

Leveraging ransomware, and concealing nation-state connections.

BankInfoSecurity reported on the alert yesterday, noting that the ransomware attacks the agencies describe are par for the course, using traditional ransomware techniques with some additional steps taken to conceal the connection to the DPRK. Pyongyang-affiliated actors “generate domains, personas, and accounts; and identify cryptocurrency services to conduct their ransomware operations. Actors procure infrastructure, IP addresses, and domains with cryptocurrency generated through illicit cybercrime, such as ransomware and cryptocurrency theft.” Third-party intermediaries, identities, and services like Virtual Private Networks (VPNs) have frequently been used to obfuscate the hackers’ connection to the nation they serve.

Common vulnerabilities exploited by the DPRK actors.

NSA disclosed that once the identity and location of the scammers are sufficiently hidden, the hackers move on to exploiting common vulnerabilities and exposures (CVEs) to take over a victim network and deploy ransomware. The vulnerabilities most exploited by these malicious actors are the “Apache Log4j software library (also known as "Log4Shell") and remote code execution in various SonicWall appliances.”