A brand new cybersecurity advisory from the U.S. Cybersecurity & Infrastructure Safety Company (CISA) describes not too long ago noticed techniques, strategies, and procedures (TTPs) noticed with North Korean ransomware operations towards public well being and different important infrastructure sectors.

The doc is a joint report from the NSA, FBI, CISA, U.S. HHS, and the Republic of Korea Nationwide Intelligence Service and Protection Safety Company, and notes that the funds extorted this manner went to help North Korean authorities’s national-level priorities and targets.

Other than privately-developed lockers, CISA says that the hackers additionally used a few dozen different strains of file-encrypting malware to assault South Korean and U.S. healthcare programs.

Organising the stage

In line with CISA’s advisory, North Korean risk actors purchase the infrastructure wanted for an assault utilizing faux personas and accounts and illegally obtained cryptocurrency. To obscure the cash path, they usually search for appropriate overseas intermediaries.

The hackers conceal their origin by way of VPN companies and digital non-public servers (VPS) or third-country IP addresses.

Breaching the goal is finished by exploiting numerous vulnerabilities that enable entry and privilege escalation on the goal networks.

Among the many safety points they exploited are Log4Shell (CVE-2021-44228), distant code execution flaws in unpatched SonicWall home equipment (CVE-2021-20038), and admin password disclosure flaws in TerraMaster NAS merchandise (CVE-2022-24990)

“[The] actors additionally possible unfold malicious code by way of Trojanized information for ‘X-Popup,’ an open supply messenger generally utilized by workers of small and medium hospitals in South Korea,” CISA provides within the report.

After establishing preliminary entry, the North Korean hackers carry out community reconnaissance and lateral motion by executing shell instructions and deploying further payloads that assist in gathering info.

Ransomware threats

Whereas North Korean hackers have been linked to the Maui and H0lyGh0st ransomware strains [1, 2], the U.S. company notes that the “have additionally been noticed utilizing or possessing publicly obtainable instruments for encryption:”

• BitLocker (abused of a professional software)
• Deadbolt
• ech0raix
• GonnaCry
• Hidden Tear
• Jigsaw
• LockBit 2.0
• My Little Ransomware
• NxRansomware
• Ryuk
• YourRansom

To notice, BleepingComputer is conscious that greater than half of those lockers can be found from public sources however couldn’t verify this for all of them.

One attention-grabbing side is the usage of Deadbolt and ech0raix ransomware strains, which focused QNAP network-attached storage (NAS) gadgets closely over the previous few years.

Within the final stage of the assault, the risk actor calls for the fee of a ransom in Bitcoin cryptocurrency. They use Proton Mail accounts to speak with the victims. In lots of circumstances, the calls for are accompanied by threats to leak stolen knowledge, particularly when the sufferer is a non-public firm within the healthcare sector.

CISA recommends that healthcare organizations implement safety measures like multi-factor authentication (MFA) for account safety, encrypted connectivity, flip off unused interfaces, use community visitors monitoring instruments, comply with least privilege rules, and apply the obtainable safety updates on all software program merchandise they use.

Verify CISA’s alert for the entire record of suggestions and mitigations, indicators of compromise (IoCs), and hyperlinks to info sources and session contact factors.