DPRK hackers target critical infrastructure, exploit Log4Shell, SonicWall vulnerabilities

U.S. security agencies, the Department of Health and Human Services (HHS), and the Republic of Korea’s Defense Security Agency and National Intelligence Service on Thursday published a joint Cybersecurity Advisory (CSA) highlighting that ransomware attacks on critical infrastructure fund malicious cyber activities carried out by the DPRK (Democratic People’s Republic of Korea). The agencies also revealed that DPRK hackers have been using cryptocurrency generated through illicit cybercrime to procure infrastructure such as IP addresses and domains.

In the joint guidance, titled ‘Ransomware Attacks on Critical Infrastructure Fund DPRK Espionage Activities,’ the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) joined the other agencies in sharing recently observed tactics, techniques, and procedures (TTPs) used by DPRK hackers in ransomware attacks against the U.S. and South Korean healthcare and public health (HPH) sector and other critical infrastructure.

“The actors intend to conceal their affiliation and then exploit common vulnerabilities and exposures (CVE) in order to gain access and escalate privileges on targeted networks to perform ransomware activities,” the NSA said in a Thursday media statement. “Recently observed CVEs include remote code execution in the Apache Log4j software library (also known as ‘Log4Shell’) and remote code execution in various SonicWall appliances.”

The guidance also includes mitigations to help organizations protect against the ransomware threat, and it supplements previous reports on malicious cyber actor activities involving DPRK ransomware campaigns, namely Maui and H0lyGh0st ransomware. The authoring agencies are issuing the advisory to highlight additional observed TTPs that DPRK cyber criminals are using to conduct ransomware attacks targeting South Korean and U.S. healthcare systems.

The latest guidance follows a July 2022 cybersecurity advisory issued by the U.S. security agencies warning that North Korean state-sponsored hackers had been using Maui ransomware to target the healthcare and public health sector since at least May 2021.

The authoring agencies called upon network defenders to examine their current cybersecurity posture and apply the mitigations recommended in the joint CSA. These include training users to recognize and report phishing attempts, enabling and enforcing phishing-resistant multi-factor authentication, and installing and regularly updating antivirus and antimalware software on all hosts.

The authoring agencies also assess that an unspecified amount of revenue from these cryptocurrency operations supports DPRK national-level priorities and objectives, including cyber operations targeting the U.S. and South Korean governments—specific targets include Department of Defense Information Networks and Defense Industrial Base (DIB) member networks. “The IOCs in this product should be useful to sectors previously targeted by DPRK cyber operations (e.g., U.S. government, Department of Defense, and Defense Industrial Base). The authoring agencies highly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks,” the guidance added.

The TTPs associated with DPRK ransomware attacks include those traditionally observed in ransomware operations, the advisory said. These TTPs span several phases: acquiring and purchasing infrastructure (while concealing DPRK affiliation and obfuscating identity, including by purchasing virtual private networks (VPNs) and virtual private servers (VPSs)), and then gaining access. The hackers are also likely to spread malicious code through Trojanized files for ‘X-Popup,’ an open-source messenger commonly used by employees of small and medium hospitals in South Korea, it added.

After initial access, DPRK cyber hackers use staged payloads with customized malware to perform reconnaissance activities, upload and download additional files and executables, and execute shell commands, according to the advisory. “The staged malware is also responsible for collecting victim information and sending it to the remote host controlled by the actors.”

The hackers have used privately developed ransomware, such as Maui and H0lyGh0st, the guidance revealed. “Actors have also been observed using or possessing publicly available tools for encryption, such as BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom. In some cases, DPRK actors have portrayed themselves as other ransomware groups, such as the REvil ransomware group,” the advisory added.

The authoring agencies also said that DPRK cyber hackers have been observed setting ransoms in bitcoin. “Actors are known to communicate with victims via Proton Mail email accounts. For private companies in the healthcare sector, actors may threaten to expose a company’s proprietary data to competitors if ransoms are not paid,” the advisory added.

The agencies urged organizations in the HPH sector to limit access to data by authenticating and encrypting connections, using transport layer security (TLS) for connections with network services, Internet of Things (IoT) medical devices, and the electronic health record system. They were also asked to implement the principle of least privilege by using standard user accounts on internal systems; turn off weak or unnecessary network device management interfaces; protect stored data by masking the permanent account number (PAN); and secure the collection, storage, and processing practices for personally identifiable information (PII)/protected health information (PHI).

Additionally, these organizations must implement and enforce multi-layer network segmentation with the most critical communications and data resting on the most secure and reliable layer. They must also use monitoring tools to observe whether IoT devices are behaving erratically due to a compromise.

The authoring agencies further urged all organizations, including those in the HPH sector, to maintain isolated backups of data and regularly test backup and restoration; create, maintain, and exercise a basic cyber incident response plan and associated communications plan; and install updates for operating systems, software, and firmware as soon as they are released.

They must also implement a user training program and phishing exercises; require phishing-resistant MFA for as many services as possible; use strong passwords; require administrator credentials to install software; audit user accounts with administrative or elevated privileges; and install and regularly update antivirus and antimalware software on all hosts.

On Wednesday, CISA and the FBI released ESXiArgs ransomware virtual machine recovery guidance, after publishing a recovery script. The agencies warned that hackers could be exploiting known vulnerabilities in VMware ESXi servers, which are likely running unpatched, out-of-service, or out-of-date versions of the VMware ESXi software, to gain access and deploy ransomware.
