North Korean Hackers Exploit VPN Update Flaw To Breach Networks

North Korean state-sponsored hacking groups, including Kimsuky (APT43) and Andariel (APT45), have significantly increased cyberattacks on South Korean construction and machinery sectors. 

This surge aligns with Kim Jong-un’s “Local Development 20×10 Policy,” aimed at modernizing industrial facilities across North Korea. 

In response, South Korea’s National Cyber Security Center (NCSC) and intelligence agencies have issued a comprehensive joint cybersecurity advisory, in which they urged that North Korean hackers have been exploiting VPN update flaws to breach networks.

Not only that, but they also detailed several other important things. The advisory aims to help organizations prevent and mitigate potential damage, as stolen data could be used to advance North Korea’s industrial and urban development plans.

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access

Hackers Exploit VPN Update Flaw

There were two cases were highlighted and they are:-

• CASE 1: Mass distribution of malicious code targeting ‘construction industry professional organizations’

• CASE 2: Attacks in the domestic machinery sector by exploiting the ‘information security product vulnerabilities’

In January 2024, the Kimsuky group of North Korea carried out a complex supply chain attack on a South Korean construction industry website.

The hackers attacked the security authentication software and hijacked the NX_PRNMAN system.

This malware, called “TrollAgent,” which was coded in Go, infected the PCs of government employees, public institutions, and construction professionals who accessed the compromised site of security authentication software.

To work without detection, TrollAgent collected information about systems, capturing them via screenshots, and downloading all sorts of sensitive data including passwords from browsers’ memory locations, GPKI certificates, SSH keys, and even FileZilla’s client services.

The cyber attackers used a real digital certificate from “D2Innovation” which allowed them to evade some security checks.

Such occurrences are significant as the complexity and detailed nature of North Korean cyber operations against South Korea’s infrastructure sectors increases.

In April 2024, Andariel, a North Korean hacking group, perpetuated a complex attack against South Korean construction and machinery firms by exploiting the loopholes in local VPNs and server security software.

It took advantage of holes in client-server communication protocols that focused on update activities lacking enough authentication procedures.

Apart from this, Andariel’s method involved:-

• These requests were sent disguised as HTTP packets to user PCs bypassing the verification process that is carried out by the VPN client.
• They moved the update request to a malicious C2 server masquerading as a legitimate VPN Server.
• The distribution of DoraRAT malware posed as an upgrade for software.

These attacks enabled Andariel to gain remote control over infected machines and indicated the changing strategies behind North Korea’s cyber campaigns and how South Korea’s industrial infrastructure must be properly strengthened.

Mitigations

Here below we have mentioned all the mitigations:-

• Provide continuous security education for all organization members.
• Customize training for general members and IT staff.
• Keep OS, applications, and anti-virus software updated with real-time detection.
• Implement strict approval policies for software deployment.
• Require administrator authentication in the final deployment stage.
• Follow government cybersecurity recommendations and contact manufacturers for urgent actions.
• Refer to the ‘S/W Supply Chain Security Guidelines’ for supply chain security.
• Use the ‘Software Development Security Guide’ from KISA for secure software development.
• Apply to KISA for security inspections if needed.

How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide