US, South Korea Warn of North Korean Ransomware ThreatsJoint Alert Issued for Critical Infrastructure Sectors, Especially Healthcare
Multiple government agencies in the U.S. and South Korea issued a joint alert warning critical infrastructure sectors - and especially the healthcare sector - of ongoing ransomware threats involving North Korean state-sponsored cybercriminals.
Pyongyang's ransom demands for cryptocurrency have generated an unspecified amount of revenue that goes to funding North Korea's national-level priorities and objectives, including cyber operations targeting the U.S. and South Korean governments.
The joint alert issued Thursday comes from the U.S. National Security Agency, the Cybersecurity and Infrastructure Security Agency, the Department of Health and Human Services, and the FBI along with the Republic of Korea's National Intelligence Service and Defense Security Agency.
The tactics, techniques and procedures associated with North Korean ransomware attacks "include those traditionally observed in ransomware operations," as well as some additional measures taken to disguise the Pyongyang connection to extortion demands, the alert says.
North Korean hackers "generate domains, personas, and accounts; and identify cryptocurrency services to conduct their ransomware operations. Actors procure infrastructure, IP addresses, and domains with cryptocurrency generated through illicit cybercrime, such as ransomware and cryptocurrency theft," it says.
They also purposely obfuscate their involvement by operating with third-party foreign affiliate identities and use third-party foreign intermediaries to receive ransom payments. They also hide their identity by using virtual private networks, virtual private servers or third-country IP addresses.
"DPRK cyber actors have been observed setting ransoms in bitcoin. Actors are known to communicate with victims via Proton Mail email accounts. For private companies in the healthcare sector, actors may threaten to expose a company's proprietary data to competitors if ransoms are not paid," the alert says.
Attackers use various exploits of common vulnerabilities and exposures to gain access and escalate privileges on networks, it says.
"Recently observed CVEs that actors used to gain access include remote code execution in the Apache Log4j software library known as Log4Shell and remote code execution in various SonicWall appliances."
A SonicWall spokeswoman tells Information Security Media Group that the security issues exploited are Log4Shell, remote code execution flaws "in unpatched SonicWall SMA 100 appliances."
The Thursday alert updates a joint government bulletin issued on July 6, 2022, pertaining to North Korean state-sponsored Maui ransomware threats targeting the healthcare and public health sector, as well as a July 15 advisory from Microsoft about H0lyGh0st ransomware threats targeting small and midsized businesses (see: Feds Warn Healthcare Sector of 'Maui' Ransomware Threats).
The new alert reiterates the governments' position that hacked entities should not pay extortion demands. Paying a ransom is no guarantee of recovery and risks running afoul of sanctions, the alert warns.