North Korean Hackers Targeting Healthcare to Fund for Malicious Activities

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has issued a new advisory regarding cybersecurity. This advisory details recent observations of TTPs used in North Korean ransomware operations. 

These operations have targeted public health and other critical infrastructure sectors, highlighting the ongoing threat posed by the malicious actors.

Several agencies have compiled this report on the matter, and the agencies involved can be found here:-

• NSA
• FBI
• CISA
• U.S
• HHS
• The Republic of Korea National Intelligence Service and Defense Security Agency

It is believed that the funds extorted in this manner have been used to support the National Objectives and Priorities of the North Korean Government.

According to the United States Cybersecurity & Infrastructure Security Agency (CISA), North Korean hackers have not only relied on privately-developed ransomware to attack healthcare systems in South Korea and the United States but also utilized about a dozen different strains of file-encrypting malware. 

This information serves as a wake-up call for organizations in the healthcare sector to step up their cybersecurity measures and be aware of the evolving tactics used by these malicious actors.

Hackers Targeting Healthcare

North Korean threat actors have developed a methodology for acquiring the necessary infrastructure for conducting cyber attacks. This is achieved by creating fake personas and accounts, which they then use to obtain cryptocurrency through illegal means.

They often rely on foreign intermediaries who can help them conceal the trail of money they have made.

Cybercriminals have found ways to conceal their true origin and location when carrying out hacking activities. They do this by using virtual private networks (VPNs) and virtual private servers (VPSs) or by routing their activities through third-party IP addresses. 

This makes it difficult for investigators and security personnel to trace the source of the attack and identify the individuals or groups behind it.

The process of compromising a target system or network involves taking advantage of various vulnerabilities in order to gain access and increase the level of privileges. By exploiting these vulnerabilities, attackers can gain entry into a target network and carry out their malicious activities. 

Flaws exploited:-

• Log4Shell (CVE-2021-44228)
• RCE flaws in unpatched SonicWall appliances (CVE-2021-20038)
• Admin password disclosure flaws in TerraMaster NAS products (CVE-2022-24990)

Once they have successfully gained initial access to a target network, North Korean hackers conduct extensive reconnaissance and lateral movement to gather information and expand their presence within the network. This is accomplished by executing shell commands and deploying additional payloads.

Observable TTPs

Here below we have mentioned all the TTPs that are observed by the security analysts:-

• Acquire Infrastructure
• Obfuscate Identity
• Purchase VPNs
• Purchase VPSs
• Gain Access
• Move Laterally and Discovery
• Employ Various Ransomware Tools
• Demand Ransom in Cryptocurrency

Mitigations

Here below we have mentioned all the mitigations recommended by the security experts:-

• It is important to authenticate and encrypt connections in order to limit access to data.
• On internal systems, use standard user accounts instead of administrative accounts in accordance with the principle of least privilege.
• Disable network device management interfaces that are weak or unnecessary.
• Through the use of cryptography, protect the stored data by masking and rendering unreadable the PAN value when displayed.
• Personally identifiable information should be collected, stored, and processed in a manner that is secure.
• A multilayer network segmentation strategy should be implemented and enforced.
• Monitor IoT devices to determine whether there is a compromise that is causing them to behave erratically as a result.
• Backups should be maintained on a regular basis, and the ability to restore the data should be tested regularly.
• An incident response and communications plan for cyber incidents should be developed, maintained, and executed.
• The first thing you should do is make sure the operating system, software, and firmware are updated as soon as they are available.
• Secure and monitor RDP, or any other potentially risky service that you use.
• Educate your users on the risks of phishing and implement phishing exercises for them.
• Make sure that as many services as possible require phishing-resistant MFA
• Always use strong and unique passwords.
• For software to be installed, administrator credentials must be provided.
• Make sure that any user account with elevated or administrative privileges is being audited.
• All hosts should be equipped with antivirus and antimalware software that is regularly updated.
• Ensure that you are using a secure network at all times.
• If you receive emails from outside the organization, consider adding a banner to the email.
• Take advantage of CISA’s Automated Indicator Sharing (AIS) program, which is being offered at no cost to all participants.

Network Security Checklist – Download Free E-Book