The US Cybersecurity and Infrastructure Security Agency (CISA) released an advisory detailing the tactics, techniques, and procedures (TTPs) recently observed in North Korean ransomware operations, which are used to fund the North Korean government's priorities and objectives. The attacks primarily targeted South Korean and United States healthcare systems, but other critical industries were also targeted. CISA says that the attackers used privately developed lockers as well as a dozen other strains of file-encrypting malware.
The ransomware operators acquired the infrastructure needed for their attacks through fake personas and accounts and illegally obtained cryptocurrency, using foreign intermediaries to obscure the money trail. The operators concealed their IP addresses behind VPNs and VPSs. They exploited numerous vulnerabilities in their operations:
- Log4Shell (CVE-2021-44228)
- SonicWall Appliances RCE (CVE-2021-20038)
- TerraMaster NAS products admin disclosure (CVE-2022-24990)
Initial access in this operation is believed to have been established through trojanized files for "X-Popup", an open-source messenger commonly used in hospitals. Following initial access, the North Korean operators performed network reconnaissance and lateral movement by executing shell commands and deploying additional payloads to aid in gathering information. While the ransomware operators have been linked to the Maui and HolyGh0st ransomware strains, they also leveraged several publicly available tools in their attacks:
- BitLocker (abuse of a legitimate tool)
- Hidden Tear
- LockBit 2.0
- My Little Ransomware
The ultimate goal of this campaign was to demand a Bitcoin ransom, which the operators did through Proton Mail accounts rather than a Tor site.
In this campaign, the North Korean ransomware operators made use of numerous vulnerabilities, tools, and TTPs to accomplish their goals. To best protect against a campaign such as this, it is recommended to educate users on common phishing tactics, such as trojanized software hosted on typo-squatted domains. Additionally, it is recommended to ensure that all software and hardware is kept up to date, as the operators exploited numerous vulnerabilities that relied on outdated applications. Further, it is recommended to employ a defense-in-depth strategy so that this activity can be detected at other stages of the attack chain, such as during lateral movement or reconnaissance. Binary Defense's MDR and Threat Hunting services are an excellent solution to assist with such a program.