Sunday, September 15, 2024
HomeCyber AttackNorth Korean Hackers Exploit VPN Update Flaw To Breach Networks

North Korean Hackers Exploit VPN Update Flaw To Breach Networks

Published on

North Korean state-sponsored hacking groups, including Kimsuky (APT43) and Andariel (APT45), have significantly increased cyberattacks on South Korean construction and machinery sectors. 

This surge aligns with Kim Jong-un’s “Local Development 20×10 Policy,” aimed at modernizing industrial facilities across North Korea. 

In response, South Korea’s National Cyber Security Center (NCSC) and intelligence agencies have issued a comprehensive joint cybersecurity advisory, in which they urged that North Korean hackers have been exploiting VPN update flaws to breach networks.

- Advertisement - EHA

Not only that, but they also detailed several other important things. The advisory aims to help organizations prevent and mitigate potential damage, as stolen data could be used to advance North Korea’s industrial and urban development plans.

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access

Hackers Exploit VPN Update Flaw

There were two cases were highlighted and they are:-

  • CASE 1: Mass distribution of malicious code targeting ‘construction industry professional organizations’
Kim Suki hacking organization’s malware distribution process (Source – NCSC)
  • CASE 2: Attacks in the domestic machinery sector by exploiting the ‘information security product vulnerabilities’
Exploitation of Andariel’s ‘VPN SW’ vulnerability and distribution of malware (Source – NCSC)

In January 2024, the Kimsuky group of North Korea carried out a complex supply chain attack on a South Korean construction industry website.

The hackers attacked the security authentication software and hijacked the NX_PRNMAN system.

This malware, called “TrollAgent,” which was coded in Go, infected the PCs of government employees, public institutions, and construction professionals who accessed the compromised site of security authentication software.

To work without detection, TrollAgent collected information about systems, capturing them via screenshots, and downloading all sorts of sensitive data including passwords from browsers’ memory locations, GPKI certificates, SSH keys, and even FileZilla’s client services.

The cyber attackers used a real digital certificate from “D2Innovation” which allowed them to evade some security checks.

Such occurrences are significant as the complexity and detailed nature of North Korean cyber operations against South Korea’s infrastructure sectors increases.

In April 2024, Andariel, a North Korean hacking group, perpetuated a complex attack against South Korean construction and machinery firms by exploiting the loopholes in local VPNs and server security software.

It took advantage of holes in client-server communication protocols that focused on update activities lacking enough authentication procedures.

Apart from this, Andariel’s method involved:-

  • These requests were sent disguised as HTTP packets to user PCs bypassing the verification process that is carried out by the VPN client.
  • They moved the update request to a malicious C2 server masquerading as a legitimate VPN Server.
  • The distribution of DoraRAT malware posed as an upgrade for software.

These attacks enabled Andariel to gain remote control over infected machines and indicated the changing strategies behind North Korea’s cyber campaigns and how South Korea’s industrial infrastructure must be properly strengthened.

Mitigations

Here below we have mentioned all the mitigations:-

  • Provide continuous security education for all organization members.
  • Customize training for general members and IT staff.
  • Keep OS, applications, and anti-virus software updated with real-time detection.
  • Implement strict approval policies for software deployment.
  • Require administrator authentication in the final deployment stage.
  • Follow government cybersecurity recommendations and contact manufacturers for urgent actions.
  • Refer to the ‘S/W Supply Chain Security Guidelines’ for supply chain security.
  • Use the ‘Software Development Security Guide’ from KISA for secure software development.
  • Apply to KISA for security inspections if needed.

How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide

Raga Varshini
Raga Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Latest articles

Kali Linux 2024.3 Released With New Hacking Tools

Kali Linux 2024.3, the most recent iteration of Offensive Security's highly regarded Debian-based distribution...

Hacker Tricks ChatGPT to Get Details for Making Homemade Bombs

A hacker known as Amadon has reportedly managed to bypass the safety protocols of...

Citrix Workspace App Vulnerable to Privilege Escalation Attacks

Citrix released a security bulletin (CTX691485) detailing two critical vulnerabilities in the Citrix Workspace...

Beware Of Weaponized Excel Document That Delivers Fileless Remcos RAT

A recent advanced malware campaign leverages a phishing attack to deliver a seemingly benign...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Kali Linux 2024.3 Released With New Hacking Tools

Kali Linux 2024.3, the most recent iteration of Offensive Security's highly regarded Debian-based distribution...

Hacker Tricks ChatGPT to Get Details for Making Homemade Bombs

A hacker known as Amadon has reportedly managed to bypass the safety protocols of...

Citrix Workspace App Vulnerable to Privilege Escalation Attacks

Citrix released a security bulletin (CTX691485) detailing two critical vulnerabilities in the Citrix Workspace...