FortiGuard Labs is aware of a joint advisory on ransomware activity against organizations in healthcare and critical infrastructure carried out by threat actors associated with the Democratic People’s Republic of Korea (DPRK). The advisory was issued by multiple agencies in the United States and the Republic of Korea (ROK) and contains information that helps organizations strengthen their cyber defenses against known tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs).

Why is this Significant?

This is significant because the advisory is part of the #StopRansomware effort and provides the TTPs and IOCs associated with ransomware activity by DPRK-linked threat actors. The information in the advisory helps organizations review and strengthen their cyber defenses.

The advisory was issued by the United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Department of Health and Human Services (HHS), the Republic of Korea (ROK) National Intelligence Service (NIS), and the ROK Defense Security Agency (DSA).

What are the TTPs Covered in the Advisory?

Threat actors were observed leveraging the following vulnerabilities to gain access to victims’ networks:

CVE-2021-44228 (Apache Log4j remote code execution vulnerability)
CVE-2021-20038 (SonicWall SMA100 buffer overflow vulnerability)
CVE-2022-24990 (TerraMaster OS unauthenticated remote command execution vulnerability)

Threat actors also hid malware in the X-Popup instant messenger app as an initial infection vector.

Ransomware used by DPRK threat actors includes Maui, H0lyGh0st, BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom.

What is Mitigation?

The advisory provides mitigation methods. For details, see the Appendix for a link to “Alert (AA23-040A): #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities”.

What is the Status of Protection?

FortiGuard Labs has the following AV signatures in place for the available samples referenced in the IOC section of the advisory:

Java/Webshell.V!tr
PHP/Webshell.NIJ!tr
PHP/Webshell.NOK!tr
VBA/Agent.BSL!tr
W32/Agent.C5C2!tr
W32/Agent.FD!tr
W32/Agent.GT!tr
W32/Agent.QCD!tr.spy
W32/Agent.SRR!tr
W32/DTrack!tr.bdr
W32/Filecoder.AX!tr
W32/Filecoder.OLY!tr
W32/KeyLogger.RKT!tr
W32/MagicRAT.B!tr
W32/MagicRAT.C!tr
W32/MagicRAT.D!tr
W32/MagicRAT.E!tr
W32/MAUICRYPT.YACC5!tr.ransom
W32/MulDrop19.28718!tr
W32/NukeSped.HD!tr
W32/NukeSped.JF!tr
W32/PossibleThreat
W32/Scar.JEV!tr
W64/Agent.ACBX!tr
W64/Filecoder.788A!tr.ransom
W64/GenKryptik.FTAR!tr
W64/NukeSped.HA!tr
W64/NukeSped.HD!tr
W64/NukeSped.IF!tr
W64/NukeSped.LC!tr
W64/NukeSped.LE!tr
W64/NukeSped.LT!tr
Riskware/Xpopup
Malicious_Behavior.SB
W32/Malicious_Behavior.VEX
PossibleThreat.PALLASH

FortiGuard Labs has the following IPS signatures in place for the exploited vulnerabilities in the advisory:

Apache.Log4j.Error.Log.Remote.Code.Execution (CVE-2021-44228)
SonicWall.SMA100.mod_cgi.Buffer.Overflow (CVE-2021-20038)

FortiGuard Labs is currently investigating IPS protection for CVE-2022-24990. The Threat Signal will be updated when new information becomes available.