The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a new Cybersecurity Advisory (CSA) to alert critical infrastructure sector entities about ongoing North Korean state-sponsored ransomware activity. This latest warning is part of the #StopRansomware campaign and is the result of a collaborative effort between CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), the Republic of Korea (ROK) National Intelligence Service (NIS), and the ROK Defense Security Agency (DSA).
Building on a previous advisory from July, the new document focuses on analyzing the activities of the Maui and H0lyGh0st groups, known for their ransomware attacks. The advisory outlines the tactics, techniques, and procedures (TTPs) used by these DPRK threat actors, including the acquisition of infrastructure such as domains, personas, and accounts, as well as the obfuscation of their identities.
These cyber actors have been observed using VPNs and VPSs to conceal their location, and exploiting common vulnerabilities to gain initial access and escalate privileges within a network. The advisory highlights specific vulnerabilities, such as CVE-2021-44228, CVE-2021-20038, and CVE-2022-24990, that have been exploited by these groups.
Once inside a network, the DPRK threat actors deploy customized malware to conduct reconnaissance and execute commands. Ransomware is consistently used in these attacks, with ransom demands typically requested in Bitcoin.
To combat these threats, the CISA advisory recommends various mitigations, including limiting data access through authentication and encryption, implementing least privilege principles, and deploying multi-layer defenses for networks and assets. Security experts, like Roman Arutyunov from Xage Security, emphasize the importance of implementing these changes despite the technical challenges they may present.
In a statement to Infosecurity, Arutyunov stressed the need for critical infrastructure providers to enhance their security architecture and operations to protect against evolving threats. He advised that taking proactive measures now will better prepare organizations for future cyber threats.
The issuance of this advisory follows recent findings by Proofpoint researchers, who identified a new DPRK cyber actor tracked as TA444. This further underscores the importance of remaining vigilant and implementing robust cybersecurity measures to safeguard critical infrastructure from malicious actors.