North Korea’s Kimsuky APT Continues to Evolve Attack Methods
Introduction
North Korea’s Kimsuky advanced persistent threat (APT) group, known to operate at the behest of North Korean Supreme Leader Kim Jong-Un, has recently been observed using new techniques to gain control over victims’ systems. The group is evolving its attack methods and growing in sophistication, abusing legitimate remote-desktop tools and developing custom malware for its operations. These findings were revealed by researchers from South Korea’s AhnLab.
Sophisticated Use of Remote Desktop Protocol
According to the researchers at AhnLab, Kimsuky has been exploiting Remote Desktop Protocol (RDP) and other tools to remotely take control of targeted systems. In some instances, the group has even been observed using open-source tools like TightVNC and Chrome Remote Desktop. These methods allow attackers to gain remote control of compromised desktop systems, giving them the ability to exfiltrate information and carry out lateral movement.
Malware Mix and Post-Compromise Activity
Kimsuky continues to use spear phishing as its initial method of access, using its custom malware called BabyShark to compromise systems and gather information. After gaining control, the group installs other custom-built and open-source malware. Recent additions to its arsenal include RevClient, a malware that receives commands from the command-and-control server, and TinyNuke, a banking Trojan. The group’s ultimate goal is to steal internal information and technology, primarily from sectors such as research, defense, diplomacy, and academia in South Korea, as well as from other countries of political or strategic interest to the regime.
Multiple-Session RDP and Evasion Techniques
Kimsuky has recently been employing novel techniques to bypass the single-session limit of RDP on Windows systems. This allows the threat actors to maintain multiple RDP sessions, even though this functionality is not natively supported in Windows desktop OS. The group has been using malware named “multiple.exe” for this purpose, as well as to add user accounts for further control. Additionally, Kimsuky is using RevClient, another malware deployed in recent attacks, to receive commands from the command-and-control server and perform user account-related tasks.
Defending Against RDP Abuse
The Importance of Protection
As Kimsuky and other North Korea-sponsored groups like Lazarus share tools and tactics, organizations must take steps to protect themselves against these evolving threats. RDP is an especially sensitive attack surface since it comes pre-installed on Windows systems and requires proper management to detect and prevent compromise.
Best Practices for Protection
To defend against RDP abuse and other cyberattacks, organizations should follow these best practices:
1. Exercise Caution with Attachments and Downloads
Users should refrain from opening attachments from suspicious emails or installing external software from untrusted sources. Instead, it is advised to only purchase or download software from official websites.
2. Use Strong Passwords and Regularly Update Them
Desktop users should create complex passwords for their accounts and update them periodically. This practice reduces the likelihood of brute-force attacks.
3. Keep Systems Up to Date
Updating to the latest and most secure versions of the Windows operating system is crucial to safeguard against known vulnerabilities.
4. Implement Endpoint Security Solutions
Using endpoint security products and sandbox-based APT (Advanced Persistent Threat) solutions can help protect systems against cyberattacks by detecting and mitigating malicious activity.
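The two technical points above, relaxing the single-session RDP limit and adding user accounts for persistence, leave traces a defender can check for directly. The following read-only PowerShell audit is added here as an example; it is not code from the article or from AhnLab. It assumes an elevated PowerShell 5.1+ session on the host under review, that the Security log audits account management and logon events, and a seven-day review window; the Terminal Server registry value names are standard Windows settings that the article itself does not name.

```powershell
# Added example (not from the article or AhnLab): read-only audit of the RDP
# settings and account changes that the reported activity would touch.
$TsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp   = "$TsKey\WinStations\RDP-Tcp"
$Lookback = (Get-Date).AddDays(-7)   # assumed review window; adjust as needed

$findings = New-Object System.Collections.Generic.List[string]

# 1. Is RDP enabled, and is Network Level Authentication required?
$ts = Get-ItemProperty -Path $TsKey
if ($ts.fDenyTSConnections -eq 0) {
    $findings.Add('RDP is enabled (fDenyTSConnections = 0)')
    $nla = (Get-ItemProperty -Path $RdpTcp).UserAuthentication
    if ($nla -ne 1) { $findings.Add('NLA not required on RDP-Tcp (UserAuthentication != 1)') }
}

# 2. Single-session-per-user enforcement. Desktop Windows normally keeps this at 1;
#    a 0 means something relaxed the limit the article says the attackers work around.
if ($ts.PSObject.Properties['fSingleSessionPerUser'] -and $ts.fSingleSessionPerUser -eq 0) {
    $findings.Add('fSingleSessionPerUser = 0: concurrent sessions per user are allowed')
}

# 3. Who is allowed to log on over RDP (built-in group SID, locale independent).
Get-LocalGroupMember -SID 'S-1-5-32-555' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Remote Desktop Users member: $($_.Name)") }

# 4. Security log: account creations (4720), local group additions (4732) and
#    RDP logons (4624 with logon type 10) inside the review window.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732, 4624; StartTime = $Lookback } -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    switch ($e.Id) {
        4720 { $findings.Add("$($e.TimeCreated) account created: $($data.TargetUserName) by $($data.SubjectUserName)") }
        4732 { $findings.Add("$($e.TimeCreated) member added to group $($data.TargetUserName) by $($data.SubjectUserName)") }
        4624 { if ($data.LogonType -eq '10') { $findings.Add("$($e.TimeCreated) RDP logon: $($data.TargetUserName) from $($data.IpAddress)") } }
    }
}

# Print every finding; an unexpected new account, group member or RDP logon is what to chase.
$findings | ForEach-Object { Write-Output $_ }
```

Run it across a fleet from an endpoint-management tool and diff the output against a known-good baseline rather than reading it host by host.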
Conclusion: Heightened Security Measures Needed
In light of Kimsuky’s evolving attack methods, it is clear that organizations need to bolster their cybersecurity measures to defend against APT groups. As such groups continue to share tools and tactics, it becomes increasingly important to remain vigilant and adopt robust security practices. By staying up to date with the latest security updates, employing endpoint security solutions, and following best practices for safe browsing and system management, organizations can strengthen their defenses against the growing threat of cyber espionage.