A new cybersecurity advisory from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) describes recently observed tactics, techniques, and procedures (TTPs) used in North Korean ransomware operations against public health and other critical infrastructure sectors.
The document is a joint report from the NSA, FBI, CISA, U.S. HHS, and the Republic of Korea National Intelligence Service and Defense Security Agency, and notes that the funds extorted this way went to support the North Korean government's national-level priorities and objectives.
Apart from privately developed lockers, CISA says that the hackers also used about a dozen other strains of file-encrypting malware to attack South Korean and U.S. healthcare systems.
Setting the stage
According to CISA’s advisory, North Korean threat actors acquire the infrastructure needed for an attack using fake personas and accounts and illegally obtained cryptocurrency. To obscure the money trail, they often look for suitable foreign intermediaries.
The hackers conceal their origin through VPN services and virtual private servers (VPS) or third-country IP addresses.
Breaching the target is done by exploiting various vulnerabilities that allow access and privilege escalation on the target networks.
Among the security issues they exploited are Log4Shell (CVE-2021-44228), remote code execution flaws in SonicWall appliances (CVE-2021-20038), and admin password disclosure flaws in TerraMaster NAS products (CVE-2022-24990).
“[The] actors also likely spread malicious code through Trojanized files for ‘X-Popup,’ an open source messenger commonly used by employees of small and medium hospitals in South Korea,” CISA adds in the report.
After establishing initial access, the North Korean hackers perform network reconnaissance and lateral movement by executing shell commands and deploying additional payloads that help in gathering information.
While North Korean hackers have been linked to the Maui and H0lyGh0st ransomware strains [1, 2], the U.S. agency notes that they “have also been observed using or possessing publicly available tools for encryption:”
- BitLocker (abuse of a legitimate tool)
- Hidden Tear
- LockBit 2.0
- My Little Ransomware
To note, BleepingComputer is aware that more than half of these lockers are available from public sources but could not confirm this for all of them.
In the last stage of the attack, the threat actor demands the payment of a ransom in Bitcoin cryptocurrency. They use Proton Mail accounts to communicate with the victims. In many cases, the demands are accompanied by threats to leak stolen data, especially when the victim is a private company in the healthcare sector.
CISA recommends that healthcare organizations implement security measures such as multi-factor authentication (MFA) for account protection and encrypted connectivity, turn off unused interfaces, use network traffic monitoring tools, follow least privilege principles, and apply the available security updates to all software products they use.
Check CISA’s alert for the complete list of recommendations and mitigations, indicators of compromise (IoCs), and links to information resources and consultation contact points.