The US Cybersecurity and Infrastructure Security Agency (CISA) issued a new Cybersecurity Advisory (CSA) on Thursday warning critical infrastructure sector entities against ongoing North Korean state-sponsored ransomware activity.
Part of the #StopRansomware campaign, the new advisory is a result of a collaboration between CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), the Republic of Korea (ROK) National Intelligence Service (NIS) and the ROK Defense Security Agency (DSA).
The technical write-up builds on a July advisory, which provided an overview of Democratic People’s Republic of Korea (DPRK) state-sponsored ransomware groups.
The latest iteration of the document analyzes activity by the Maui and H0lyGh0st groups. Observable tactics, techniques and procedures (TTPs) mentioned in the CISA advisory include the acquisition of infrastructure, such as domains, personas and accounts, as well as the obfuscation of identities.
These DPRK threat actors reportedly purchased virtual private networks (VPNs) and virtual private servers (VPSs) or third-country IP addresses to hide their location. They used various exploits of common vulnerabilities to gain access and escalate network privileges. These include CVE-2021-44228, CVE-2021-20038 and CVE-2022-24990.
After obtaining initial access, these DPRK cyber actors were observed using staged payloads with customized malware to perform reconnaissance activities and execute shell commands, among other techniques. Privately developed ransomware has been deployed consistently during these campaigns, with ransom demands set in Bitcoin.
To protect against these threats, the CISA advisory advocates several mitigations, such as limiting access to data by authenticating and encrypting connections, utilizing concepts of least privilege in accounts and creating multi-layer defenses for networks and assets.
According to Roman Arutyunov, co-founder and SVP of products at Xage Security, critical infrastructure providers should embrace these changes despite the technical difficulties associated with such implementations.
“I do recognize that fears exist when it comes to the difficulty of making security architecture changes, but there are tools available to smooth the transition and enhance security and operations simultaneously,” Arutyunov told Infosecurity in an email.
“Ultimately, more threats will come, so it’s wise to start the process now.”
The CISA advisory comes weeks after Proofpoint researchers shed light on a new DPRK cyber actor called TA444.