The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a new Cybersecurity Advisory (CSA) warning critical infrastructure sector entities about ongoing North Korean state-sponsored ransomware activity. This latest advisory is part of the #StopRansomware campaign and is the result of collaboration between CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), the Republic of Korea (ROK) National Intelligence Service (NIS), and the ROK Defense Security Agency (DSA).
The advisory builds on a previous one from July that provided an overview of Democratic People’s Republic of Korea (DPRK) state-sponsored ransomware groups. The new document specifically analyzes the activities of the Maui and H0lyGh0st groups. The tactics, techniques, and procedures (TTPs) outlined in the advisory include the acquisition of infrastructure like domains, personas, and accounts, as well as the obfuscation of identities.
DPRK threat actors have been observed purchasing virtual private networks (VPNs) and virtual private servers (VPSs) or using third-country IP addresses to conceal their location. They have also exploited vulnerabilities like CVE-2021-44228, CVE-2021-20038, and CVE-2022-24990 to gain access and escalate network privileges. Once inside a network, these cyber actors use staged payloads with customized malware for reconnaissance and execute shell commands. They consistently deploy privately developed ransomware and demand ransom payments in Bitcoin.
To mitigate these threats, the CISA advisory recommends limiting access to data through authentication and encryption, implementing least privilege concepts in accounts, and establishing multi-layer defenses for networks and assets. Roman Arutyunov, co-founder and SVP of products at Xage Security, emphasizes the importance of embracing these changes despite the technical challenges they may present. He notes that security architecture changes can be made easier with the right tools, and it is crucial to enhance security and operations in preparation for future threats.
The CISA advisory follows recent research by Proofpoint on a new DPRK cyber actor called TA444. Together, these reports highlight the evolving nature of DPRK activity and the need for constant vigilance and proactive security measures.