FortiGuard Labs is aware of a joint advisory on ransomware activities against organizations in healthcare and critical infrastructure performed by threat actors related to the Democratic People’s Republic of Korea (DPRK). The advisory was issued by multiple agencies in the United States and the Republic of Korea (ROK) and contains information that helps organizations fortify their cyber defense for known tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs).Why is this Significant?This is significant because the advisory is part of the #StopRansomware effort and provides tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) that belong to ransomware activities related to threat actors associated with DPRK. The information in the advisory helps organizations review and strengthen cyber defenses.The advisory was issued by the United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Department of Health and Human Services (HHS), the Republic of Korea (ROK) National Intelligence Service (NIS), and the ROK Defense Security Agency (DSA).What are the TTPs Covered in the Advisory?Threat actors were observed to have leveraged the following vulnerabilities to gain access to the victims’ network:CVE 2021-44228 (Apache log4j remote code execution vulnerability)CVE-2021-20038 (SonicWall SMA100 buffer overflow vulnerability)CVE-2022-24990 (TerraMaster OS unauthenticated remote command execution vulnerability)Threat actors also hide malware in the X-Popup instant messenger app as initial infection vector.Ransomware used by DPRK threat actors include Maui, H0lyGh0st, BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom.What is Mitigation?The advisory provides mitigation methods. For details, see the Appendix for a link to “Alert (AA23-040A): #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities”.What is the Status of Protection?FortiGuard Labs has the following AV signatures in place for the available samples referenced in the IOC section in the advisory:Java/Webshell.V!trPHP/Webshell.NIJ!trPHP/Webshell.NOK!trVBA/Agent.BSL!trW32/Agent.C5C2!trW32/Agent.FD!trW32/Agent.GT!trW32/Agent.QCD!tr.spyW32/Agent.SRR!trW32/DTrack!tr.bdrW32/Filecoder.AX!trW32/Filecoder.OLY!trW32/KeyLogger.RKT!trW32/MagicRAT.B!trW32/MagicRAT.C!trW32/MagicRAT.D!trW32/MagicRAT.E!trW32/MAUICRYPT.YACC5!tr.ransomW32/MulDrop19.28718!trW32/NukeSped.HD!trW32/NukeSped.JF!trW32/PossibleThreatW32/Scar.JEV!trW64/Agent.ACBX!trW64/Filecoder.788A!tr.ransomW64/GenKryptik.FTAR!trW64/NukeSped.HA!trW64/NukeSped.HD!trW64/NukeSped.IF!trW64/NukeSped.LC!trW64/NukeSped.LE!trW64/NukeSped.LT!trRiskware/XpopupMalicious_Behavior.SBW32/Malicious_Behavior.VEXPossibleThreat.PALLASHFortiGuard Labs has the following IPS signatures in place for the exploited vulnerabilities in the advisory:Apache.Log4j.Error.Log.Remote.Code.Execution (CVE-2021-44228)SonicWall.SMA100.mod_cgi.Buffer.Overflow (CVE-2021-20038)FortiGuard Labs is currently investigating IPS protection for CVE-2022-24990. The Threat Signal will be updated when new information becomes available.
More Stories
icecat-flatpak-115.18.0-2
FEDORA-FLATPAK-2024-5ad8ccec67 Packages in this update: icecat-flatpak-115.18.0-2 Update description: Updated patchset for CVE-2024-11693 CVE-2024-11697 CVE-2024-11692 Read More
mupdf-1.24.6-2.fc40
FEDORA-2024-bfc5e25437 Packages in this update: mupdf-1.24.6-2.fc40 Update description: fix CVE-2024-46657 (rhbz#2331626) Read More
mupdf-1.21.1-6.el9
FEDORA-EPEL-2024-94a20f339a Packages in this update: mupdf-1.21.1-6.el9 Update description: fix CVE-2024-46657 (rhbz#2331625) Read More
DSA-5837-1 fastnetmon – security update
Two security issues have been discovered in FastNetMon, a fast DDoS analyzer: Malformed Netflow/sFlow traffic could result in denial of...
DSA-5836-1 xen – security update
Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in privilege escalation, denial of service or information...
DSA-5835-1 webkit2gtk – security update
The following vulnerabilities have been discovered in the WebKitGTK web engine: CVE-2024-54479 Seunghyun Lee discovered that processing maliciously crafted web...