Security
Headlines
HeadlinesLatestCVEs

Headline

North Korean Hackers Targeting Healthcare with Ransomware to Fund its Operations

State-backed hackers from North Korea are conducting ransomware attacks against healthcare and critical infrastructure facilities to fund illicit activities, U.S. and South Korean cybersecurity and intelligence agencies warned in a joint advisory. The attacks, which demand cryptocurrency ransoms in exchange for recovering access to encrypted files, are designed to support North Korea’s

The Hacker News
#mac#apache#git#intel#log4j#auth#The Hacker News

Threat Intelligence / Ransomware

State-backed hackers from North Korea are conducting ransomware attacks against healthcare and critical infrastructure facilities to fund illicit activities, U.S. and South Korean cybersecurity and intelligence agencies warned in a joint advisory.

The attacks, which demand cryptocurrency ransoms in exchange for recovering access to encrypted files, are designed to support North Korea’s national-level priorities and objectives.

This includes “cyber operations targeting the United States and South Korea governments — specific targets include Department of Defense Information Networks and Defense Industrial Base member networks,” the authorities said.

Threat actors with North Korea have been linked to espionage, financial theft, and cryptojacking operations for years, including the infamous WannaCry ransomware attacks of 2017 that infected hundreds of thousands of machines located in over 150 countries.

Since then, North Korean nation-state crews have dabbled in multiple ransomware strains such as VHD, Maui, and H0lyGh0st to generate a steady stream of illegal revenues for the sanctions-hit regime.

Besides procuring its infrastructure through cryptocurrency generated through its criminal activities, the adversary is known to function under third-party foreign affiliate identities to conceal their involvement.

Attack chains mounted by the hacking crew entail the exploitation of known security flaws in Apache Log4j, SonicWall, and TerraMaster NAS appliances (e.g., CVE 2021-44228, CVE-2021-20038, and CVE-2022-24990) to gain initial access, following it up by reconnaissance, lateral movement, and ransomware deployment.

In addition to using privately developed ransomware, the actors have been observed leveraging off-the-shelf tools like BitLocker, DeadBolt, ech0raix, Jigsaw, and YourRansom for encrypting files, not to mention even impersonating other ransomware groups such as REvil.

As mitigations, the agencies recommend organizations to implement the principle of least privilege, disable unnecessary network device management interfaces, enforce multi-layer network segmentation, require phishing-resistant authentication controls, and maintain periodic data backups.

The alert comes as a new report from the United Nations found that North Korean hackers stole record-breaking virtual assets estimated to be worth between $630 million and more than $1 billion in 2022.

The report, seen by the Associated Press, said the threat actors used increasingly sophisticated techniques to gain access to digital networks involved in cyberfinance, and to steal information from governments, companies, and individuals that could be useful in North Korea’s nuclear and ballistic missile programs.

It further called out Kimsuky, Lazarus Group, and Andariel, which are all part of the Reconnaissance General Bureau (RGB), for continuing to target victims with the goal of creating revenue and soliciting information of value to the hermit kingdom.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related news

CVE-2022-24989: CVE-2022-24990 | AttackerKB

TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) The credentials from CVE-2022-24990 exploitation can be used.

TerraMaster TOS 4.2.29 Remote Code Execution

This Metasploit module exploits an unauthenticated remote code execution vulnerability in TerraMaster TOS versions 4.2.29 and below by chaining two existing vulnerabilities, CVE-2022-24990 "Leaking sensitive information" and CVE-2022-24989, "Authenticated remote code execution". Exploiting vulnerable endpoint api.php?mobile/webNasIPS leaking sensitive information such as admin password hash and mac address, the attacker can achieve unauthenticated access and use another vulnerable endpoint api.php?mobile/createRaid with POST parameters raidtype and diskstring to execute remote code as root on TerraMaster NAS devices.

CISA Warns of Active Attacks Exploiting Fortra MFT, TerraMaster NAS, and Intel Driver Flaws

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added three flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active abuse in the wild. Included among the three is CVE-2022-24990, a bug affecting TerraMaster network-attached storage (TNAS) devices that could lead to unauthenticated remote code execution with the highest privileges. Details

CVE-2022-24990: CVE-2022-24990: TerraMaster TOS unauthenticated remote command execution via PHP Object Instantiation – Blog

TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.