Alert (AA23-040A) #StopRansomware: Ransomware Activities Related to DPRK

Description

UPDATE 02/27/2023: Added protection for CVE-2022-24990.


FortiGuard Labs is aware of a joint advisory on ransomware activities against organizations in healthcare and critical infrastructure carried out by threat actors related to the Democratic People's Republic of Korea (DPRK). The advisory was issued by multiple agencies in the United States and the Republic of Korea (ROK) and contains information that helps organizations fortify their cyber defenses against known tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs).


Why is this Significant?

This is significant because the advisory is part of the #StopRansomware effort and provides tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with ransomware activities by threat actors related to the DPRK. The information in the advisory helps organizations review and strengthen their cyber defenses.


The advisory was issued by the United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Department of Health and Human Services (HHS), the Republic of Korea (ROK) National Intelligence Service (NIS), and the ROK Defense Security Agency (DSA).


What are the TTPs Covered in the Advisory?

Threat actors were observed leveraging the following vulnerabilities to gain access to victims' networks:

  • CVE-2021-44228 (Apache Log4j remote code execution vulnerability)
  • CVE-2021-20038 (SonicWall SMA100 buffer overflow vulnerability)
  • CVE-2022-24990 (TerraMaster OS unauthenticated remote command execution vulnerability)

Threat actors also hide malware in the X-Popup instant messenger app and use it as an initial infection vector.


Ransomware used by DPRK threat actors includes Maui, H0lyGh0st, BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom.


What is the Mitigation?

The advisory provides mitigation methods. For details, see the Appendix for a link to "Alert (AA23-040A): #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities".


What is the Status of Protection?

FortiGuard Labs has the following AV signatures in place for the available samples referenced in the IOC section in the advisory:

  • Java/Webshell.V!tr
  • PHP/Webshell.NIJ!tr
  • PHP/Webshell.NOK!tr
  • VBA/Agent.BSL!tr
  • W32/Agent.C5C2!tr
  • W32/Agent.FD!tr
  • W32/Agent.GT!tr
  • W32/Agent.QCD!tr.spy
  • W32/Agent.SRR!tr
  • W32/DTrack!tr.bdr
  • W32/Filecoder.AX!tr
  • W32/Filecoder.OLY!tr
  • W32/KeyLogger.RKT!tr
  • W32/MagicRAT.B!tr
  • W32/MagicRAT.C!tr
  • W32/MagicRAT.D!tr
  • W32/MagicRAT.E!tr
  • W32/MAUICRYPT.YACC5!tr.ransom
  • W32/MulDrop19.28718!tr
  • W32/NukeSped.HD!tr
  • W32/NukeSped.JF!tr
  • W32/PossibleThreat
  • W32/Scar.JEV!tr
  • W64/Agent.ACBX!tr
  • W64/Filecoder.788A!tr.ransom
  • W64/GenKryptik.FTAR!tr
  • W64/NukeSped.HA!tr
  • W64/NukeSped.HD!tr
  • W64/NukeSped.IF!tr
  • W64/NukeSped.LC!tr
  • W64/NukeSped.LE!tr
  • W64/NukeSped.LT!tr
  • Riskware/Xpopup
  • Malicious_Behavior.SB
  • W32/Malicious_Behavior.VEX
  • PossibleThreat.PALLASH


FortiGuard Labs has the following IPS signatures in place for the exploited vulnerabilities in the advisory:

  • Apache.Log4j.Error.Log.Remote.Code.Execution (CVE-2021-44228)
  • SonicWall.SMA100.mod_cgi.Buffer.Overflow (CVE-2021-20038)
  • TerraMaster.TOS.Api.PHP.Information.Disclosure (CVE-2022-24990) - default action is set to "pass"