The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has released new cybersecurity advice that details recent tactics, methods, and procedures (TTPs) associated with North Korean ransomware attacks against public health and other critical infrastructure sectors. The report was produced jointly by the NSA, FBI, CISA, U.S. HHS, and the National Intelligence Service and Defense Security Agency of the Republic of Korea.
It notes that the money extorted in this way was used to support the priorities and goals of the North Korean government at the national level. Apart from lockers made by private companies, CISA claims that the hackers also attacked the healthcare systems in South Korea and the United States using around a dozen different types of file-encrypting malware.
The CISA advice claims that North Korean threat actors use phony identities, accounts, and cryptocurrency that have been gained illegally to gather the infrastructure necessary for an attack. They frequently search for suitable overseas intermediates in order to hide the money trail.
The hackers use virtual private servers (VPS), VPN services, or IP addresses from other countries to mask their location. Breaches are carried out by exploiting numerous flaws that enable access and privilege escalation on the target networks.
They took advantage of vulnerabilities in Log4Shell (CVE-2021-44228), SonicWall devices (CVE-2021-20038), and TerraMaster NAS products (CVE-2021-20038) to execute code remotely (CVE-2022-24990)
In the study, CISA notes that “[the] perpetrators are also likely spreading malicious malware through Trojanized files for ‘X-Popup,’ an open source messenger widely used by staff members of small and medium hospitals in South Korea.
The domains xpopup.pe.kr and xpopup.com, which are both registered to IP addresses 115.68.95[.]128 and 119.205.197[.]111, respectively, were used by the actors to propagate malware. – CISA
By executing shell commands and distributing additional payloads that aid in intelligence collection, the North Korean hackers execute network reconnaissance and lateral movement after gaining initial access.
Hackers Request Payment Of Ransom In Bitcoin
Although the Maui and H0lyGh0st ransomware strains have been attributed to North Korean hackers [1, 2], the U.S. agency reports that they “have also been discovered using or having publicly available tools for encryption:”
- BitLocker (abused of a legitimate tool)
- Deadbolt
- GonnaCry Hidden Tear Jigsaw LockBit 2.0 by ech0raix
- Little Ransomware by Me
- NxRansomware
- Ryuk
- YourRansom
The usage of the ransomware strains Deadbolt and ech0raix, which have heavily attacked QNAP network-attached storage (NAS) devices over the previous few years, is an intriguing feature.
The threat actor requests payment of a ransom in Bitcoin at the last phase of the attack. They use Proton Mail accounts to interact with the victims. Threats to release stolen data are frequently used in conjunction with demands, especially when the victim is a private healthcare organization.
“The authoring agencies assess that an unspecified amount of revenue from these cryptocurrency operations supports DPRK national-level priorities and objectives, including cyber operations targeting the United States and South Korean government—specific targets include Defense Industrial Base member networks and Department of Defense Information Networks.”
CISA advises healthcare organizations to put robust security procedures in place, such as multi-factor authentication (MFA) for account protection, encrypted connectivity, turning off unused interfaces, using network traffic monitoring tools, adhering to the least privilege principle, and installing all security updates on all software they use.
For a complete list of suggestions, mitigations, indications of compromise (IoCs), links to information sources, and contact information for consultation, see the CISA alert.
Conclusion
According to a U.S. government cybersecurity advice published on February 9, North Korean state-sponsored ransomware gangs are targeting South Korean and American healthcare companies with the Maui and H0lyGh0st malware in order to generate income for the North Korean government. The organizations demand cryptocurrency ransoms and then utilize the money for cyberespionage operations against South Korea and the United States. The U.S. government was able to recoup $500,000 that two hospitals had given North Korean hackers as a ransom in July. The advisory notice from February 9 is an update to one that was issued in July. By using a foreign third-party affiliate, the Democratic People’s Republic of Korea frequently conceals its involvement in ransomware attacks.
