Home Data Breach North Korean Hackers Exploit VPN Update Flaw to Breach Networks

North Korean Hackers Exploit VPN Update Flaw to Breach Networks

0
North Korean Hackers Exploit VPN Update Flaw to Breach Networks

South Korean intelligence agencies have issued a joint cyber security advisory warning of a rise in cyberattacks targeting the construction and machinery sectors. 

North Korean hacking groups, Kimsuky and Andariel, are believed to be behind these attacks, aiming to steal sensitive data for use in their domestic industrialization projects. 

The advisory includes detailed information on the tactics, techniques, and procedures (TTPs) used by these groups, as well as indicators of compromise (IoCs). The heightened threat level is attributed to North Korea’s recent policy of rapid industrialization, which has led to increased cyber espionage activities targeting South Korean industrial sectors.

 North Korean Kim Suki hacking organization’s malware distribution process

North Korea’s Kimsuky hacking group launched a sophisticated cyberattack targeting South Korean construction industry associations in January 2024, where the attackers compromised legitimate security software used for website login authentication. 

By modifying this software, they were able to distribute malware that evaded detection by some antivirus programs. Once installed, the malware silently collected sensitive information such as system details, screenshots, and browser data, including credentials and cookies. 

This attack combined supply chain and watering hole techniques, exploiting vulnerabilities in the target organization’s website to deliver the malicious payload.

The Kimsuky hacking group carried out a sophisticated cyberattack on the construction industry by stealing legitimate digital certificates and using them to sign malicious software, making it appear legitimate, and disseminating it through infected websites that construction-related entities frequently visited. 

By targeting government officials in the construction sector, the attackers aimed to gain access to confidential information about major construction projects and sensitive technical data from involved companies. 

The inclusion of a GPKI certificate theft function in the malware indicates a deliberate effort to escalate their attack and maintain persistent access to compromised systems.

Exploitation of North Korean Andariel’s ‘VPN SW’ vulnerability and distribution of malware

Andariel, a North Korean hacking group, exploited vulnerabilities in domestic information security software (VPN and server security) to conduct targeted attacks against the construction and machinery industries in April 2024. 

The group replaced legitimate update files with malware, allowing them to distribute the DoraRAT remote access trojan. The attack chain leveraged a vulnerability in the client-server communication protocol of the VPN software, bypassing multiple security checks to deliver the malicious payload. 

The DoraRAT malware, while basic, enabled file transfer and command execution and was likely used to steal large-scale design documents related to machinery and equipment. 

According to KCIC, the attackers also exploited vulnerabilities in server security products, highlighting the risk of targeting IT management software due to their privileged access levels.

North Korean hacking groups target vulnerabilities in websites and information security software. To mitigate risks, organizations should provide tailored security training to all employees, enforce strict software distribution controls, and stay updated on government cyber security advisories. 

Organizations can strengthen software development practices and seek security assessments from KISA. By proactively addressing these areas, organizations can better protect themselves from cyberattacks.

Also Read:

NO COMMENTS

LEAVE A REPLY

Please enter your comment!
Please enter your name here