Security news that informs and inspires

CISA Warns of Ongoing Ransomware Attacks by North Korean Actors

Attack groups from North Korea are continuing to exploit known vulnerabilities in software and hardware as part of their ongoing ransomware campaigns, which are used to support the country’s military and research programs, U.S. officials say.

In a new update published Friday, several federal government agencies warned that APT groups from North Korea are targeting known bugs, including the Apache Log4Shell vulnerability, to gain initial access to networks in preparation for deploying ransomware such as Maui or H0lyGh0st. The operations target a wide range of organizations and are opportunistic, with the attackers looking for victims who will pay ransoms in cryptocurrency, which is then used to help fund North Korean government activities. In the new advisory, CISA, the FBI, NSA, and agencies from the Republic of Korea warned that the attackers are also going after U.S. government agencies and partners.

“The authoring agencies assess that an unspecified amount of revenue from these cryptocurrency operations supports DPRK national-level priorities and objectives, including cyber operations targeting the United States and South Korea governments—specific targets include Department of Defense Information Networks and Defense Industrial Base member networks,” the advisory says.

“Actors use various exploits of common vulnerabilities and exposures (CVE) to gain access and escalate privileges on networks. Recently observed CVEs that actors used to gain access include remote code execution in the Apache Log4j software library (known as Log4Shell) and remote code execution in unpatched SonicWall SMA 100 appliances.”

APT groups such as the Lazarus Group and others that are affiliated with the North Korean government have been conducting cryptocurrency thefts and ransomware campaigns for several years and have become increasingly aggressive in recent years. Last month, the FBI said the Lazarus Group was responsible for the $100 million theft of Ethereum from the Horizon Harmony bridge in June.

“On Friday, January 13, 2023, North Korean cyber actors used RAILGUN, a privacy protocol, to launder over $60 million worth of ethereum (ETH) stolen during the June 2022 heist. A portion of this stolen ethereum was subsequently sent to several virtual asset service providers and converted to bitcoin (BTC),” the FBI said in a statement.

The U.S. government has taken action against alleged members of the Lazarus Group in the past, indicting three North Korean men in 2021 that authorities say were responsible for some of the larger thefts of the last few years.

“The individuals indicted today committed a truly unprecedented range of financial and cyber-crimes: from ransomware attacks and phishing campaigns, to digital bank heists and sophisticated money laundering operations. With victims strewn across the globe, this case shows yet again that the challenge of cybercrime is, and will continue to be, a struggle that can only be won through partnerships, perseverance, and a relentless focus on holding criminals accountable,” said U.S. Secret Service Assistant Director Michael R. D’Ambrosio at the time of the indictments.

The Lazarus Group and other attack teams affiliated with the DPRK government have used a variety of different ransomware variants and malware tools in their operations, including the Apple Jeus malware.