U.S., South Korea issue alert on North Korean-based ransomware groups


North Korean state-sponsored ransomware groups are targeting hospitals and other critical infrastructure organizations, US and South Korean law enforcement and intelligence agencies are warning.

The alert, issued on Thursday, said: “The authoring agencies assess that an unspecified amount of revenue from these cryptocurrency operations supports DPRK (Democratic People’s Republic of Korea) national-level priorities and objectives, including cyber operations targeting the United States and South Korea governments.”

“Specific targets include the Department of Defense Information Network and Defense Industrial Base member networks. The IOCs [indicators of compromise] in this product should be useful to sectors previously targeted by DPRK cyber operations (e.g., the US government, the Department of Defense, and the defense industrial base). The authoring agencies highly discourage paying the ransom, as doing so does not guarantee that files and records will be recovered and may pose sanctions risks.”

The report includes the latest tactics, techniques and procedures (TTPs) and indicators of compromise (IoCs) used by North Korea-based attackers. Among the more recent tactics are attempts to exploit the Apache Log4j2 vulnerability and unpatched SonicWall appliances.

North Korean attackers have been known to obscure their origin, the report said, sometimes by posing as other ransomware groups such as the REvil gang.

The alert is an update to a July 6, 2022 warning issued by US intelligence and law enforcement agencies including the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the NSA.

That report noted the use of the Maui strain of ransomware by North Korean groups. The new report states that these groups are also using a strain called H0lyGhost, described by Microsoft in a report dated July 14, 2022.

The latest report comes the same week The Associated Press reported that a UN panel had concluded that North Korean hackers working for the government stole virtual assets, including cryptocurrencies and intellectual property, estimated to be worth between US$630 million and more than US$1 billion.

“2022 was a record-breaking year for DPRK virtual asset thefts,” the AP quoted the report as saying. In April 2022, the US linked North Korean-backed hackers to the theft of $615 million in cryptocurrency from the popular online game Axie Infinity.

The AP said the panel identified three groups – Kimsuky, Lazarus Group and Andariel – as the main North Korean attackers.

Between February and July 2022, the AP quoted the panel as saying, Lazarus Group “allegedly targeted energy providers in several member states by exploiting the vulnerability” to install malware and gain long-term access. The panel said this “aligns with historic Lazarus intrusions targeting critical infrastructure and energy companies … to snatch proprietary intellectual property.”

The US/South Korea alert urges IT and security departments to:

  • Limit access to data by authenticating and encrypting connections (for example, using public key infrastructure certificates in Virtual Private Network (VPN) and Transport Layer Security (TLS) connections) with network services, Internet of Things (IoT) medical devices and electronic health record systems;
  • Enforce the principle of least privilege by using standard user accounts on internal systems instead of administrative accounts, which grant excessive system administration privileges;
  • Turn off weak or unnecessary network device management interfaces, such as Telnet, SSH, Winbox and HTTP, on Wide Area Networks (WANs), and secure them with strong passwords and encryption when they are enabled;
  • Protect stored data by masking the Permanent Account Number (PAN) when it is displayed and rendering it unreadable when stored – through cryptography, for example;
  • Secure the collection, storage and processing practices for Personally Identifiable Information (PII) and Protected Health Information (PHI), for example by using encryption technologies such as TLS. Store personal patient data only on internal systems that are protected by firewalls, and ensure that comprehensive backups are available;
  • Implement and enforce multi-layer network segmentation, with the most critical communications and data residing on the most secure and reliable layer;
  • And use monitoring tools to observe whether IoT devices are behaving erratically because of a compromise.
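As an added illustration of the “turn off weak or unnecessary management interfaces on the WAN” item above (this is not part of the alert or of this article), the following MikroTik RouterOS commands show the weak default beside the hardened configuration, since Winbox is MikroTik's management protocol. The interface name ether1 and the management subnet 192.168.88.0/24 are assumptions; adjust them to the device.

```routeros
# Added example, not from the alert or the article. Assumes ether1 is the
# WAN uplink and 192.168.88.0/24 is the internal management network.

# --- Weak (typical default): every management service answers on every
# --- interface, WAN included. Shown commented out for comparison only.
# /ip service set telnet disabled=no address=""
# /ip service set www    disabled=no address=""
# /ip service set ssh    disabled=no address=""
# /ip service set winbox disabled=no address=""

# --- Hardened ---
# Telnet, FTP and plain HTTP/API carry credentials in clear text: disable them.
/ip service set telnet disabled=yes
/ip service set ftp    disabled=yes
/ip service set www    disabled=yes
/ip service set api    disabled=yes

# Keep the encrypted services (SSH, Winbox) but only for the management LAN.
/ip service set ssh    disabled=no address=192.168.88.0/24
/ip service set winbox disabled=no address=192.168.88.0/24

# Strong credentials on the enabled services (placeholder, set a real passphrase).
/user set admin password="<strong-passphrase>"

# Defence in depth: also drop management ports arriving on the WAN interface
# list, so a service accidentally re-enabled later is still unreachable.
# (Skip the two list commands if the default config already defines WAN.)
/interface list add name=WAN
/interface list member add list=WAN interface=ether1
/ip firewall filter add chain=input in-interface-list=WAN protocol=tcp \
    dst-port=21,22,23,80,443,8291,8728,8729 action=drop \
    comment="drop router management from WAN" place-before=0
```

Verify the result with `/ip service print` (the address column should show the management subnet for the remaining services) and `/ip firewall filter print` (the drop rule should sit first in the input chain).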
