North Korean Hackers Targeting Healthcare with Ransomware to Fund Its Operations


State-backed hackers from North Korea are conducting ransomware attacks against healthcare and critical infrastructure facilities to fund illicit activities, U.S. and South Korean cybersecurity and intelligence agencies warned in a joint advisory.
The attacks, which demand cryptocurrency ransoms in exchange for recovering access to encrypted files, are designed to support North Korea’s national-level priorities and objectives.
This includes “cyber operations targeting the United States and South Korea governments — specific targets include Department of Defense Information Networks and Defense Industrial Base member networks,” the authorities said.
Threat actors associated with North Korea have been linked to espionage, financial theft, and cryptojacking operations for years, including the infamous WannaCry ransomware attacks of 2017 that infected hundreds of thousands of machines located in over 150 countries.
Since then, North Korean nation-state crews have dabbled in a number of ransomware strains such as VHD, Maui, and H0lyGh0st to generate a steady stream of illegal revenue for the sanctions-hit regime.
Besides procuring its infrastructure with cryptocurrency obtained through its criminal activities, the adversary is known to create fake personas, operate under third-party foreign affiliate identities, employ intermediaries, and use VPNs to conceal its origins.
Attack chains mounted by the hacking crew entail the exploitation of known security flaws in Apache Log4j, SonicWall, and TerraMaster NAS appliances (e.g., CVE-2021-44228, CVE-2021-20038, and CVE-2022-24990) to gain initial access, following it up with reconnaissance, lateral movement, and ransomware deployment.
In addition to using privately developed ransomware, the actors have been observed leveraging off-the-shelf tools like BitLocker, DeadBolt, ech0raix, Jigsaw, and YourRansom for encrypting files, not to mention even impersonating other ransomware groups such as REvil.
The inclusion of DeadBolt and ech0raix is notable because it marks the first time government agencies have formally tied these ransomware strains, which are known for repeatedly targeting QNAP NAS devices, to a specific adversarial group.
Alternatively, malware is distributed via trojanized files of a messenger app called X-Popup in attacks targeting small and medium-sized hospitals in South Korea.
As mitigations, the agencies recommend that organizations implement the principle of least privilege, disable unnecessary network device management interfaces, implement multi-layer network segmentation, require phishing-resistant authentication controls, and maintain periodic data backups.
The alert comes as a new report from the United Nations found that North Korean hackers stole record-breaking digital assets estimated to be worth between $630 million and more than $1 billion in 2022.
The report, seen by the Associated Press, said the threat actors used increasingly sophisticated techniques to gain access to digital networks involved in cyberfinance, and to steal information from governments, companies, and individuals that could be useful in North Korea’s nuclear and ballistic missile programs.
It further called out Kimsuky, Lazarus Group, and Andariel, which are all part of the Reconnaissance General Bureau (RGB), for continuing to target victims with the goal of generating revenue and soliciting information of value to the hermit kingdom.