A new cybersecurity advisory from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) describes recently observed tactics, techniques, and procedures (TTPs) observed with North Korean ransomware operations against public health and other critical infrastructure sectors.
The document is a joint report from the NSA, FBI, CISA, U.S. HHS, and the Republic of Korea National Intelligence Service and Defense Security Agency, and notes that the funds extorted this way went to support North Korean government's national-level priorities and objectives.
Apart from privately-developed lockers, CISA says that the hackers also used about a dozen other strains of file-encrypting malware to attack South Korean and U.S. healthcare systems.
Setting up the stage
According to CISA's advisory, North Korean threat actors acquire the infrastructure needed for an attack using fake personas and accounts and illegally obtained cryptocurrency. To obscure the money trail, they often look for suitable foreign intermediaries.
The hackers conceal their origin through VPN services and virtual private servers (VPS) or third-country IP addresses.
Breaching the target is done by exploiting various vulnerabilities that allow access and privilege escalation on the target networks.
Among the security issues they exploited are Log4Shell (CVE-2021-44228), remote code execution flaws in unpatched SonicWall appliances (CVE-2021-20038), and admin password disclosure flaws in TerraMaster NAS products (CVE-2022-24990)
“[The] actors also likely spread malicious code through Trojanized files for 'X-Popup,' an open source messenger commonly used by employees of small and medium hospitals in South Korea,” CISA adds in the report.
After establishing initial access, the North Korean hackers perform network reconnaissance and lateral movement by executing shell commands and deploying additional payloads that help in gathering information.
“The actors spread malware by leveraging two domains: xpopup.pe[.]kr and xpopup.com. xpopup.pe[.]kr is registered to IP address 115.68.95[.]128 and xpopup[.]com is registered to IP address 119.205.197[.]111” - CISA
Ransomware threats
While North Korean hackers have been linked to the Maui and H0lyGh0st ransomware strains [1, 2], the U.S. agency notes that the "have also been observed using or possessing publicly available tools for encryption:"
• BitLocker (abused of a legitimate tool)
• Deadbolt
• ech0raix
• GonnaCry
• Hidden Tear
• Jigsaw
• LockBit 2.0
• My Little Ransomware
• NxRansomware
• Ryuk
• YourRansom
To note, BleepingComputer is aware that more than half of these lockers are available from public sources but could not confirm this for all of them.
One interesting aspect is the use of Deadbolt and ech0raix ransomware strains, which targeted QNAP network-attached storage (NAS) devices heavily over the past few years.
In the last stage of the attack, the threat actor demands the payment of a ransom in Bitcoin cryptocurrency. They use Proton Mail accounts to communicate with the victims. In many cases, the demands are accompanied by threats to leak stolen data, especially when the victim is a private company in the healthcare sector.
"The authoring agencies assess that an unspecified amount of revenue from these cryptocurrency operations supports DPRK national-level priorities and objectives, including cyber operations targeting the United States and South Korea governments—specific targets include Department of Defense Information Networks and Defense Industrial Base member networks."
CISA recommends that healthcare organizations implement security measures like multi-factor authentication (MFA) for account protection, encrypted connectivity, turn off unused interfaces, use network traffic monitoring tools, follow least privilege principles, and apply the available security updates on all software products they use.
Check CISA's alert for the complete list of recommendations and mitigations, indicators of compromise (IoCs), and links to information resources and consultation contact points.