Saturday, December 21, 2024
HomeCyber AttackNorth Korean Hackers Targeting Healthcare to Fund for Malicious Activities

North Korean Hackers Targeting Healthcare to Fund for Malicious Activities

Published on

SIEM as a Service

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has issued a new advisory regarding cybersecurity. This advisory details recent observations of TTPs used in North Korean ransomware operations. 

These operations have targeted public health and other critical infrastructure sectors, highlighting the ongoing threat posed by the malicious actors.

Several agencies have compiled this report on the matter, and the agencies involved can be found here:-

- Advertisement - SIEM as a Service
  • NSA
  • FBI
  • CISA
  • U.S
  • HHS
  • The Republic of Korea National Intelligence Service and Defense Security Agency

It is believed that the funds extorted in this manner have been used to support the National Objectives and Priorities of the North Korean Government.

According to the United States Cybersecurity & Infrastructure Security Agency (CISA), North Korean hackers have not only relied on privately-developed ransomware to attack healthcare systems in South Korea and the United States but also utilized about a dozen different strains of file-encrypting malware. 

This information serves as a wake-up call for organizations in the healthcare sector to step up their cybersecurity measures and be aware of the evolving tactics used by these malicious actors.

Hackers Targeting Healthcare

North Korean threat actors have developed a methodology for acquiring the necessary infrastructure for conducting cyber attacks. This is achieved by creating fake personas and accounts, which they then use to obtain cryptocurrency through illegal means.

They often rely on foreign intermediaries who can help them conceal the trail of money they have made.

Cybercriminals have found ways to conceal their true origin and location when carrying out hacking activities. They do this by using virtual private networks (VPNs) and virtual private servers (VPSs) or by routing their activities through third-party IP addresses. 

This makes it difficult for investigators and security personnel to trace the source of the attack and identify the individuals or groups behind it.

The process of compromising a target system or network involves taking advantage of various vulnerabilities in order to gain access and increase the level of privileges. By exploiting these vulnerabilities, attackers can gain entry into a target network and carry out their malicious activities. 

Flaws exploited:-

Once they have successfully gained initial access to a target network, North Korean hackers conduct extensive reconnaissance and lateral movement to gather information and expand their presence within the network. This is accomplished by executing shell commands and deploying additional payloads.

Observable TTPs

Here below we have mentioned all the TTPs that are observed by the security analysts:-

  • Acquire Infrastructure
  • Obfuscate Identity
  • Purchase VPNs
  • Purchase VPSs
  • Gain Access
  • Move Laterally and Discovery
  • Employ Various Ransomware Tools
  • Demand Ransom in Cryptocurrency

Mitigations

Here below we have mentioned all the mitigations recommended by the security experts:-

  • It is important to authenticate and encrypt connections in order to limit access to data.
  • On internal systems, use standard user accounts instead of administrative accounts in accordance with the principle of least privilege.
  • Disable network device management interfaces that are weak or unnecessary.
  • Through the use of cryptography, protect the stored data by masking and rendering unreadable the PAN value when displayed.
  • Personally identifiable information should be collected, stored, and processed in a manner that is secure.
  • A multilayer network segmentation strategy should be implemented and enforced.
  • Monitor IoT devices to determine whether there is a compromise that is causing them to behave erratically as a result.
  • Backups should be maintained on a regular basis, and the ability to restore the data should be tested regularly.
  • An incident response and communications plan for cyber incidents should be developed, maintained, and executed.
  • The first thing you should do is make sure the operating system, software, and firmware are updated as soon as they are available.
  • Secure and monitor RDP, or any other potentially risky service that you use.
  • Educate your users on the risks of phishing and implement phishing exercises for them.
  • Make sure that as many services as possible require phishing-resistant MFA
  • Always use strong and unique passwords.
  • For software to be installed, administrator credentials must be provided.
  • Make sure that any user account with elevated or administrative privileges is being audited.
  • All hosts should be equipped with antivirus and antimalware software that is regularly updated.
  • Ensure that you are using a secure network at all times.
  • If you receive emails from outside the organization, consider adding a banner to the email.
  • Take advantage of CISA’s Automated Indicator Sharing (AIS) program, which is being offered at no cost to all participants.

Network Security Checklist – Download Free E-Book

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Threat Actors Selling Nunu Stealer On Hacker Forums

A new malware variant called Nunu Stealer is making headlines after being advertised on underground hacker...

Siemens UMC Vulnerability Allows Arbitrary Remote Code Execution

A critical vulnerability has been identified in Siemens' User Management Component (UMC), which could...

Foxit PDF Editor Vulnerabilities Allows Remote Code Execution

Foxit Software has issued critical security updates for its widely used PDF solutions, Foxit...

Windows 11 Privilege Escalation Vulnerability Lets Attackers Execute Code to Gain Access

Microsoft has swiftly addressed a critical security vulnerability affecting Windows 11 (version 23H2), which...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Threat Actors Selling Nunu Stealer On Hacker Forums

A new malware variant called Nunu Stealer is making headlines after being advertised on underground hacker...

Siemens UMC Vulnerability Allows Arbitrary Remote Code Execution

A critical vulnerability has been identified in Siemens' User Management Component (UMC), which could...

Foxit PDF Editor Vulnerabilities Allows Remote Code Execution

Foxit Software has issued critical security updates for its widely used PDF solutions, Foxit...