US Warns Critical Sectors Against North Korean Ransomware Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a new Cybersecurity Advisory (CSA) on Thursday warning entities in the critical infrastructure sector about ongoing North Korean state-sponsored ransomware activity.

Part of the #StopRansomware campaign, the new advisory is the result of collaboration between CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), the Republic of Korea (ROK) National Intelligence Service (NIS) and the ROK Defense Security Agency (DSA).

The technical advisory builds on a July advisory that outlined a ransomware group backed by the Democratic People's Republic of Korea (DPRK).

The latest version of the document analyzes activity involving the Maui and H0lyGh0st ransomware families. The observable tactics, techniques, and procedures (TTPs) listed in the CISA advisory include acquiring infrastructure such as domains, personas and accounts, and obfuscating the actors' identities.

These North Korean threat actors reportedly purchased virtual private networks (VPNs) and virtual private servers (VPS), or used third-country IP addresses, to hide their location. They used exploits for common vulnerabilities to gain access and escalate privileges on victim networks, including CVE-2021-44228 (Log4Shell in Apache Log4j), CVE-2021-20038 (SonicWall SMA 100 series appliances) and CVE-2022-24990 (TerraMaster NAS devices). Organizations running any of these products should confirm that the vendor patches for these CVEs are in place.

After gaining initial access, the actors used staged payloads containing customized malware to perform reconnaissance, execute shell commands and carry out other post-exploitation activity. Privately developed ransomware was consistently deployed during these campaigns, with ransom demands set in Bitcoin.

To protect against these threats, the CISA advisory advocates several mitigations, including limiting access to data by authenticating and encrypting connections, applying the principle of least privilege to accounts, and building defense in depth for networks and assets.

According to Roman Arutyunov, co-founder and SVP of product at Xage Security, critical infrastructure providers will have to embrace these changes despite the technical challenges such implementations involve.

“While we recognize the concerns regarding the difficulty of changing our security architecture, there are tools available to smooth the transition and strengthen security and operations at the same time,” Arutyunov told Infosecurity via email.

“Eventually, more threats will come your way, so it would be wise to start the process now.”

The CISA advisory comes weeks after Proofpoint researchers shed light on a new North Korean cyber actor tracked as TA444.

