Friday, June 21, 2024

North Korean Hackers Targeting Healthcare to Fund Malicious Activities

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has issued a new joint advisory detailing the tactics, techniques, and procedures (TTPs) recently observed in North Korean state-sponsored ransomware operations.

These operations have targeted the healthcare and public health sector and other critical infrastructure, underscoring the ongoing threat these actors pose.

The report was compiled jointly by the following agencies:-

  • NSA
  • FBI
  • CISA
  • U.S. Department of Health and Human Services (HHS)
  • The Republic of Korea National Intelligence Service and Defense Security Agency

The agencies assess that the funds extorted in this manner are used to support the national objectives and priorities of the North Korean government.

According to CISA, the North Korean actors have not only used privately developed ransomware against healthcare systems in South Korea and the United States, but have also deployed roughly a dozen other file-encrypting malware strains.

This should serve as a wake-up call for healthcare organizations to strengthen their defenses and track the evolving tactics of these actors.

Hackers Targeting Healthcare

North Korean threat actors follow a repeatable method for acquiring the infrastructure needed for these attacks: they create fake personas and accounts, and pay for the infrastructure with cryptocurrency obtained through illicit means.

They often rely on foreign third-party intermediaries to launder the proceeds and conceal the money trail.

To hide their true origin and location, the actors operate through virtual private networks (VPNs) and virtual private servers (VPSs), or route their activity through third-party IP addresses so that it appears to come from innocuous locations.

This makes it difficult for investigators and defenders to trace an attack back to its source and identify the individuals or groups behind it.

Compromise begins with the exploitation of known vulnerabilities to gain initial access to a target system or network and then escalate privileges. Once a foothold is established, the attackers carry out the rest of their operation from inside the network.

Flaws exploited:-

After gaining initial access, the North Korean actors perform extensive reconnaissance and lateral movement to gather information and expand their presence in the network, executing shell commands and dropping additional payloads as they go.

Observable TTPs

The TTPs observed by the agencies, in the order the advisory describes them:-

  • Acquire Infrastructure
  • Obfuscate Identity
  • Purchase VPNs
  • Purchase VPSs
  • Gain Access
  • Move Laterally and Discovery
  • Employ Various Ransomware Tools
  • Demand Ransom in Cryptocurrency


Mitigations

The advisory recommends the following mitigations:-

  • Authenticate and encrypt connections to limit access to data.
  • On internal systems, use standard user accounts rather than administrative accounts, following the principle of least privilege.
  • Turn off weak or unnecessary network device management interfaces.
  • Protect stored data with cryptography, and mask the primary account number (PAN) so that it is unreadable wherever it is displayed.
  • Collect, store, and process personally identifiable information (PII) securely.
  • Implement and enforce a multilayer network segmentation strategy.
  • Monitor IoT devices for erratic behavior that may indicate compromise.
  • Maintain regular backups and routinely test that the data can actually be restored.
  • Develop, maintain, and exercise an incident response and communications plan for cyber incidents.
  • Keep operating systems, software, and firmware updated as soon as patches are released.
  • Secure and monitor RDP and any other potentially risky service in use.
  • Train users to recognize phishing and run phishing exercises.
  • Require phishing-resistant MFA for as many services as possible.
  • Use strong, unique passwords.
  • Require administrator credentials to install software.
  • Audit every user account with elevated or administrative privileges.
  • Install antivirus and antimalware software on all hosts and keep it updated.
  • Use secure networks at all times.
  • Consider adding a banner to emails that originate outside the organization.
  • Take advantage of CISA's Automated Indicator Sharing (AIS) program, which is free to participants.
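The RDP, account-audit and lateral-movement points above are easier to act on with something concrete to run over logs. The script below is an added example written for this article, not code from the advisory or from CISA. It triages a small set of constructed Windows Security events (not real telemetry) for the behaviours described: a brute-force burst of failed RDP logons followed by a successful RDP logon from an external address, a logon by a privileged account, and a run of discovery commands on one host. Event IDs 4624, 4625 and 4688 and logon type 10 (RemoteInteractive) are standard Windows Security log semantics; the host names, account names, IP addresses, the set of "discovery" tools and the thresholds are assumptions chosen for the example.

```python
"""Triage constructed Windows Security events for the advisory's RDP and discovery TTPs.

Windows Security log semantics used here: 4624 = successful logon, 4625 = failed logon,
4688 = process creation; logon_type 10 = RemoteInteractive (RDP). Everything else
(hosts, accounts, addresses, thresholds, the discovery tool list) is an assumption.
"""
import ntpath
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# RFC 1918 ranges treated as "internal" for this example.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
# Privileged accounts whose logons should be audited (hypothetical names).
ADMIN_ACCOUNTS = {"Administrator", "da_admin"}
# Built-in tools commonly seen during host and domain discovery (assumed watch-list).
DISCOVERY_COMMANDS = {"whoami", "net", "nltest", "systeminfo", "ipconfig", "tasklist", "quser", "arp", "nbtstat"}

# Constructed sample events; not real telemetry and not taken from the advisory.
SAMPLE_EVENTS = [
    # six failed RDP logons from one external address, then a success: brute force, then access
    *({"id": 4625, "host": "HIS-DB01", "user": "svc_backup", "logon_type": 10, "src_ip": "198.51.100.23"}
      for _ in range(6)),
    {"id": 4624, "host": "HIS-DB01", "user": "svc_backup", "logon_type": 10, "src_ip": "198.51.100.23"},
    # routine RDP by a domain admin from an internal jump host: audited, but not external
    {"id": 4624, "host": "HIS-DB01", "user": "da_admin", "logon_type": 10, "src_ip": "10.20.0.5"},
    # discovery commands run under the compromised service account
    {"id": 4688, "host": "HIS-DB01", "user": "svc_backup", "cmdline": "whoami /all"},
    {"id": 4688, "host": "HIS-DB01", "user": "svc_backup", "cmdline": r"C:\Windows\System32\net.exe view /domain"},
    {"id": 4688, "host": "HIS-DB01", "user": "svc_backup", "cmdline": "nltest /dclist:corp"},
    {"id": 4688, "host": "HIS-DB01", "user": "svc_backup", "cmdline": "systeminfo"},
    # benign noise: a single ipconfig on a workstation stays below the burst threshold
    {"id": 4688, "host": "WKS-0412", "user": "jdoe", "cmdline": r"C:\Windows\System32\notepad.exe notes.txt"},
    {"id": 4688, "host": "WKS-0412", "user": "jdoe", "cmdline": "ipconfig /all"},
]


def is_internal(ip: str) -> bool:
    """True if the address falls in one of the configured internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def command_name(cmdline: str) -> str:
    """First token of a command line, reduced to its lower-case basename without '.exe'."""
    name = ntpath.basename(cmdline.split()[0]).lower()
    return name[:-4] if name.endswith(".exe") else name


def external_rdp_logons(events):
    """Successful RDP (logon type 10) logons from outside the internal ranges."""
    return [(e["host"], e["user"], e["src_ip"]) for e in events
            if e["id"] == 4624 and e.get("logon_type") == 10 and not is_internal(e["src_ip"])]


def rdp_bruteforce(events, threshold=5):
    """(src_ip, host) pairs with at least `threshold` failed RDP logons."""
    failures = Counter((e["src_ip"], e["host"]) for e in events
                       if e["id"] == 4625 and e.get("logon_type") == 10)
    return {pair: n for pair, n in failures.items() if n >= threshold}


def discovery_bursts(events, threshold=3):
    """(host, user) pairs that ran at least `threshold` discovery tools, with the tools in order."""
    seen = defaultdict(list)
    for e in events:
        if e["id"] == 4688:
            name = command_name(e["cmdline"])
            if name in DISCOVERY_COMMANDS:
                seen[(e["host"], e["user"])].append(name)
    return {pair: cmds for pair, cmds in seen.items() if len(cmds) >= threshold}


def privileged_logons(events):
    """Every successful logon by an account on the privileged watch-list (for auditing)."""
    return [(e["host"], e["user"], e["src_ip"]) for e in events
            if e["id"] == 4624 and e["user"] in ADMIN_ACCOUNTS]


def triage(events):
    """Run all four checks and return one summary dict."""
    return {
        "external_rdp": external_rdp_logons(events),
        "rdp_bruteforce": rdp_bruteforce(events),
        "discovery": discovery_bursts(events),
        "privileged_logons": privileged_logons(events),
    }


if __name__ == "__main__":
    for check, hits in triage(SAMPLE_EVENTS).items():
        print(f"{check}: {hits}")
```

Against the sample, the script flags the external address 198.51.100.23 twice (six failures, then a success on HIS-DB01), records the da_admin logon for audit without treating it as external, and attributes a four-command discovery burst to svc_backup on HIS-DB01 while the single ipconfig on the workstation stays below the threshold. In production the event list would come from an EVTX export or a SIEM query rather than an inline list, and the internal ranges and privileged accounts would come from inventory.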



Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
