
[ Intelligence ] (TLP: CLEAR) #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities

TLP: CLEAR
Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.
https://www.first.org/tlp/

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the U.S. Department of Health and Human Services (HHS), and the Republic of Korea’s National Intelligence Service (NIS) and Defense Security Agency (DSA) joined the NSA in releasing this new advisory.

Summary: The National Security Agency (NSA) partnered with U.S. and South Korean government agencies to release a joint Cybersecurity Advisory today about the Democratic People’s Republic of Korea (DPRK) ransomware threat. The “#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities” advisory (link below) shares recently observed tactics, techniques, and procedures (TTPs) used by DPRK cyber actors in ransomware attacks against the U.S. and South Korean healthcare systems, as well as other critical infrastructure. The report also includes mitigations to help organizations protect against the ransomware threat.

#StopRansomware link: https://media.defense[.]gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF

This report is part of the #StopRansomware effort to counter this ongoing threat and updates the joint CISA, FBI, and U.S. Department of Treasury Cybersecurity Advisory released in July 2022, “North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector” (link below).

July 2022 Advisory: https://www.cisa[.]gov/uscert/sites/default/files/publications/aa22-187a-north-korean%20state-sponsored-cyber-actors-use-maui-ransomware-to-target-the-hph-sector.pdf

DPRK cyber actors have been using cryptocurrency generated through illicit cybercrime activities to procure infrastructure such as IP addresses and domains. The actors intend to conceal their affiliation and then exploit common vulnerabilities and exposures (CVE) in order to gain access and escalate privileges on targeted networks to perform ransomware activities.
 
Recently observed CVEs (CVE-2021-44228, CVE-2021-20038 and CVE-2022-24990) include remote code execution in the Apache Log4j software library (also known as “Log4Shell”) and remote code execution in various SonicWall appliances.

NYSIC CAU Analyst Note: North Korean hackers have used both internally developed ransomware, such as Maui and H0lyGh0st, and extortion malware obtained by other means, such as Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom. The advisory marks the first time the agencies have tied a specific actor to the use of Deadbolt and ech0raix, two ransomware strains used to target customers of data-storage hardware vendor QNAP. The agencies also said North Korean hackers have attempted to portray themselves as members of other ransomware groups, such as the now-shuttered REvil.

For more information on state-sponsored North Korean malicious cyber activity, use the following link to CISA’s North Korea Cyber Threat Overview and Advisories webpage.

CISA DPRK Webpage: https://www.cisa[.]gov/uscert/northkorea

Author: CISA, FBI, HHS, ROK NIS, DSA, and NSA

This information has been forwarded by NYSIC to:
NYSIC CAU Contacts – CPWG
NYSIC CAU Contacts – OCT-CIP
NYSIC CAU Contacts – DHSES CIRT
NYSIC CAU Contacts – ITS EISO
NYSIC CAU Contacts – SLTT
NYSIC CAU Contacts – County Information Contacts
NYSIC CAU Contacts – Critical Infrastructure Partners: All

For more information, please contact the NYSIC Cyber Analysis Unit at (518) 786-2191 or CAU@nysic.ny.gov.
