Intel Reports

Activity Summary - Week Ending on 15 June 2023:

• Red Sky Alliance identified 7,796 connections from new IP’s checking in with our Sinkholes
• SmartMediaNetwork in Ukrain attacked again and hit 334x
• 2,321 ‘new’ Botnets hits
• Kimusky Strikes Again
• Kenya, Nigeria, and South Africa
• Ireland Health System HSE
• Switzerland and NoName
• German Higher .edu
• Cyber Attacks = War Crimes, Estonia

Red Sky Alliance Compromised (C2) IP’s 

On 15 June 2023, Red Sky Alliance identified 7,796 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.

Red Sky Alliance Malware Activity   

For a full black list – contact analysts: info@redskyalliance.com

Red Sky Alliance Botnet Tracker

On 15 June 2023, analysts identified 2,321 new IP addresses participating in various botnets (call for full .csv Blacklists, below are only a small sampling of botnet trackers).  We are currently upgrading this collection.

MALICIOUS CYBER TRENDS:

Kimusky Strikes Again - In collaboration with NK News, a leading subscription-based service that provides news and analyses about North Korea, Sentinel Labs has been tracking a targeted social engineering campaign against experts in North Korean affairs from the non-government sector.  The campaign focuses on theft of email credentials, delivery of reconnaissance malware, and theft of NK News subscription credentials.  Based on the used malware, infrastructure, and tactics, researchers assess with high confidence that the campaign has been orchestrated by the Kimsuky threat actor.[1]

The social engineering tactics and some infrastructure characteristics closely relate to a Kimsuky activity privately reported by PwC and discussed in an NSA advisory published during the writing of this article.  The focus was on the specific targeting of expert analysts of North Korean affairs by impersonating NK News and stealing NK News credentials, and provide details on used TTPs to support collaborative hunting and detection efforts.

Kimsuky, a suspected North Korean advanced persistent threat (APT) group whose activities align with the interests of the North Korean government, is known for its global targeting of organizations and individuals. Operating since at least 2012, the group often employs targeted phishing and social engineering tactics to gather intelligence and access sensitive information.  A hallmark of the activity discussed in this post is Kimsuky’s focus on establishing initial contact and developing a rapport with their targets prior to initiating malicious activities.  As part of their initial contact strategy, the group impersonated Chad O’Carroll, the founder of NK News and the associated holding company Korea Risk Group, using an attacker-created domain, nknews[.]pro, which closely resembles the legitimate NK News domain nknews.org.  The initial email requests the review of a draft article analyzing the nuclear threat posed by North Korea.

If the target engages in the conversation, Kimsuky uses the opportunity to deliver a spoofed URL to a Google document, which redirects to a malicious website specifically crafted to capture Google credentials.  Kimsuky may also deliver a weaponized Office document that executes the ReconShark reconnaissance malware.  Further, Kimsuky’s objective extends to the theft of subscription credentials from NK News.  To achieve this, the group distributes emails that lure targeted individuals to log in on the malicious website nknews[.]pro, which masquerades as the authentic NK News site. The login form that is presented to the target is designed to capture entered credentials.

This current Kimsuky activity indicates the group’s growing efforts to establish early communication and foster trust with their targets prior to initiating malicious operations, including the delivery of malware.  Their approach highlights the group’s commitment to creating a sense of rapport with the individuals they target, potentially increasing the success rate of their subsequent malicious activities.  By actively targeting high-profile experts in North Korean affairs and stealing subscription credentials from prominent news and analysis outlets focusing on North Korea, Kimsuky demonstrates a heightened curiosity in understanding how the international community perceives developments concerning North Korea, such as the country’s military activities.  These actions are probably part of their broader objective to gather strategic intelligence, contributing to North Korea’s decision-making processes.

Google Credential Theft – Sentinel observed Kimsuky distributing an HTML-formatted phishing email to selected individuals, which requests the review of a draft article analyzing the nuclear threat posed by North Korea.  The email primarily aims to initiate a subsequent conversation and is intentionally designed to appear benign: It impersonates NK News leadership and lacks any malicious artifacts.

Initial email

If the target engages in the conversation, Kimsuky eventually follows up with an email that contains an URL to a Google document.

Follow-up email

If the target is not responsive, Kimsuky follows up with a reminder email to engage the target in conversation.

Reminder email

The URL’s destination is manipulated through the spoofing technique of setting the href HTML property to direct to a website created by Kimsuky.  This method, commonly employed in phishing attacks, creates a discrepancy between the perceived legitimacy of the link (a genuine Google document) and the actual website visited upon clicking the URL.  The displayed URL to a Google document points to an actual article hosted on Google Docs, delving into the topic of the North Korean nuclear threat.  The article contains visible edits to give the impression of a genuine draft article, aligning with Kimsuky’s luring tactic.

Google document

The spoofed destination of the URL redirects the target to an attacker-created website that masquerades as a legitimate Google Docs site for requesting document access, such as

https[://]drive-google[.]shanumedia[.]com/pdf/ul/ji78fghJHKtgfLKJIO/s2.php?menu=ZGFu[...]vbQ==

The Base-64 encoded segment, that is, the value of the menu URL query parameter, resolves to the target’s email address.  This serves as a means of transporting the target’s address to the fake Google Docs site, which enables the site to dynamically display the address, creating a personalized and convincing appearance of legitimacy.  The design and functionality of this site suggest its potential for reuse in targeting different individuals.

Malicious Google Docs site

Analysts were unable to analyze the functionality behind the Request access web element as the group has taken down the site. However, given the theme of the site, Sentinel suspected that it has been designed to capture entered Google credentials.  During conversations with targeted individuals, Kimsuky also seizes any available opportunity to distribute password-protected weaponized Office documents that deploy the ReconShark reconnaissance malware.  ReconShark exfiltrates information relevant for conducting subsequent precision attacks, such as deployed detection mechanisms and hardware information.  The implementation of the ReconShark variant we observed in this activity remains the same as the one covered in our previous post on Kimsuky activity, with the main distinction being the use of a different C2 server: staradvertiser[.]store.  This domain resolves to the IP address 162.0.209[.]27, which has hosted domains that have been attributed to Kimsuky in previous research, such as sesorin[.]lol and rfa[.]ink. Kimsuky’s use of ReconShark as part of this activity underscores the malware’s central role within the group’s current operational playbook.

NK News Credential Theft – Sentinel also observed Kimsuky attempting to steal credentials for the subscription service of NK News, which is known for its comprehensive expert analyses and news reports.  Gaining access to such reports would provide Kimsuky with valuable insights into how the international community assesses and interprets developments related to North Korea, contributing to their broader strategic intelligence-gathering initiatives.

To accomplish this, Kimsuky distributes an email that lure targeted individuals to log in to a spoofed NK News subscription service.  The emails prompt the recipients to confirm their NK News accounts under the pretext of recent security updates.

Phishing Email

The fake login site, hosted at https[://]www.nknews[.]pro/ip/register/, features a login form with the standard web elements, such as Sign In, Sign Up, and Forgot Password? buttons.  When clicked, the Sign In button executes the loginAct JavaScript function, whereas the rest of the buttons do not conduct any activities.

Fake NK News login site

The JavaScript code captures entered credentials by issuing an HTTP POST request to https[://]www.nknews[.]pro/ip/register/login[.]php and then redirects the user to the legitimate NK News site.

JavaScript code

The main website hosted at https[://]www.nknews[.]pro redirects to the legitimate NK News site, https://nknews.org, and uses a certificate issued by Sectigo:

Thumbprint: a1597d197e9b084a043ada5c7dac1f9b6d7f7af3

Serial number: 00f342582c9a299acf2452aaf5115c5be0

The domain nknews[.]pro, registered through Namecheap, also resolves to the Kimsuky-linked IP address 162.0.209[.]27. The URL https[://]www.nknews[.]pro/config[.]php hosts a password-protected remote management site, which is likely an implementation of the b374k tool, based on the implementation of the login site and the presence of the config.php file. The Kimsuky group is known to use this tool for remote management of its infrastructure.

b374k login site

Conclusion - SentinelLabs remains actively engaged in monitoring the activities conducted by Kimsuky. The findings presented in this post highlight the group’s persistent commitment to targeted social engineering attacks and underscore the need for increased awareness and understanding of Kimsuky’s tactics among potential targets. Maintaining vigilance and implementing effective security measures are imperative to mitigate the risks posed by this persistent threat actor.

Indicators of Compromise:

GLOBAL TRENDS:   

Kenya, Nigeria, and South Africa - A report has revealed that Nigeria, South Africa and Kenya are facing the highest online threats in the African continent, according to a Russian multinational cybersecurity and anti-virus provider company, Kaspersky.  The three countries featured prominently in the global top 100 for online threats, adding that Nigeria currently ranks 50th worldwide for online threats, South Africa ranks 82nd, and Kenya is 35th on the global list.

Kaspersky presented the reality of online threats in the continent at the recent inaugural GITEX Africa conference that took place in Morocco.  The Head of the Global Research and Analysis Team (GReAT) expanded on several cyber threat trends, warning business and technology leaders about two primary forms of cyber attacks,  criminal and advanced, according recent reports.  “Criminal attacks are mainly driven by the pursuit of financial profit, whereas advanced attacks indicate how cyber threat actors continually adapt their tactics and tools to breach security measures.   A significant portion of the attacks witnessed across Africa are shaped by the rapidly changing geopolitical landscape.  However, a growing concern is that cybercriminals are learning from successful advanced attacks to refine their craft,” GReAT said.[2]

In the first quarter of 2023, Kaspersky revealed that backdoor and spyware attacks were the most common threat types in South Africa, accumulating 106,000 attack attempts.  Similar attack attempts were observed in Nigeria, amassing 46,000, while the same type of attack increased to 143,000 in Kenya.  However, in Kenya, exploits emerged as the most dominant form of attack with 177,000 incidents blocked.  Kaspersky also highlighted the growing surge of zombie machines–connected device that becomes part of a botnet.  Examples include legacy, old and forgotten devices, IoT devices, network equipment, printers, cameras, and even coffee machines. In the year to date, 1.6 million zombie machines have been detected in South Africa and 300,000 in Kenya.

Also flagged in the presentation were several ransomware groups setting their sights on African targets.  “Threats to critical infrastructure, financial institutions, government entities, and service providers have predominated the cyber threat landscape over the past year. We have witnessed different threat actors target various businesses across industries,” GReAT said.  Providing solutions,GReAT informed businesses to offer rapid responses to these increasingly sophisticated cyber threats, as Kaspersky advised businesses to adopt a multi-layered defensive strategy.  “This is where extended detection and response (XDR) solutions become essential, as they analyze data from endpoints and other sources.  XDR introduces another layer of protection as attacks on infrastructure can occur through any entry point.  XDR also adds analytical and automation functions to detect and eliminate current and potential threats.  “Furthermore, continuous security awareness training for employees and real-time access to intelligence on the latest attack methods should supplement any cybersecurity strategy.  Businesses should consider leveraging advanced technologies such as threat feeds, security information and event management systems, endpoint detection and response solutions, and tools with digital forensics and incident response features.  It is vital to understand that cyber security measures are an ongoing endeavour – and that there is no universal solution to secure a corporate network or data,” GReAT added.

Ireland - The Health Service Executive (HSE) in Ireland has been impacted by a cyber-attack.  Work is ongoing to determine the impact on HSE data following the attack which has been as criminal in nature and international in scale.  Reports indicate no patient data is believed to have been accessed at this stage.[3]

The HSE said an external partner, EY, was working with it on a project to automate part of its recruitment process, when it was alerted to a cyber-attack on the MoveIT product which they were using to support the work.  In a statement, the HSE said it is likely that information relating to no more than 20 individuals involved in recruitment processes was accessed.  The data includes names, addresses, mobile number, place on the panel and more general information on the posts being recruited.  The HSE stressed: “Importantly no other personal identification data or financial data is included.”  The HSE is in contact with relevant authorities and is informing the Data Protection Commission.  Those individuals whose data was accessed will be contacted.  HSE chief executive said no patient data was involved.  “I have reviewed this incident with senior officials this morning,” he said.  Any breach is regrettable but unfortunately a feature of international criminal activity in recent years.  “A number of significant facts are important here including no patient data was involved, the attack was not in the HSE ICT environment, there is no evidence as of yet of this data appearing on the dark web which is being monitored by EY and the exposure for the HSE appears to be quite small.  “We are actively keeping the matter under review.”

In 2022 thousands of patients and staff were told their personal information had been stolen and copied during a ransomware attack which resulted in the HSE having to close down its IT services, causing widespread delays and the cancellation of appointments at hospitals across the country.

Switzerland - Swiss authorities said that several government websites were targeted in a distributed denial-of-service (DDoS) attack on Monday that was claimed by pro-Russian hackers.  The attack comes as the Swiss parliament prepares for a video address by Ukrainian President Volodymyr Zelenskiy scheduled for Thursday and coincides with a national holiday in Russia.[4]

Switzerland's National Cyber Security Centre (NCSC) said that "various websites of the Federal Administration and enterprises affiliated with the Confederation were unavailable" in the wake of the attack, claimed by the NoName hacking group.  "The NCSC is analyzing the attack together with the administrative units concerned and defining appropriate measures," it said in a statement.  The NCSC, which did not link Zelenskiy's upcoming address to the attack, said the NoName group had also been behind a separate attack against the Swiss parliament's website last week.

In a post on the Telegram messenger service, the group said the attack against the parliament's website last week had been carried out to "thank Swiss Russophobes" for adopting another EU sanctions package against Moscow.  The group, which pledged to continue defending Russian interests "on the information front," added it had taken down the websites of Switzerland's justice ministry and police.

Germany - The Kaiserslautern University of Applied Sciences (HS Kaiserslautern) has become the latest German-speaking university to be hit by a ransomware attack, following incidents affecting at least half a dozen similar institutions in recent months.  The incident was confirmed late last wekk with the university using an emergency website to announce its “entire IT infrastructure” had been taken offline, including university email accounts and the telephone system.  Almost every facility and service available to the institution’s more than 6,200 students has been affected. Computer pools and even the library will “remain closed until further notice,” the university stated.[5]

Students and staff have also been warned not to switch on any of their work computers: “As this is an encryption attack, the workstations at the employees' workplaces may also be affected,” warned the HS Kaiserslautern website.  It is not clear who the perpetrators are, nor whether information was stolen from the university’s systems as part of a multifaceted extortion attempt before the hackers attempted to encrypt them.

HS Kaiserslautern is one of the largest applied science universities in the state of Rhineland-Palatinate in the west of Germany, and the latest German-speaking university with a focus on applied sciences to be targeted by cybercriminals in recent months.  In March, the Vice Society ransomware group added the Hamburg University of Applied Sciences (HAW Hamburg) to its leak site following an attack that the institution said took place late last year.  In February the University of Zurich, Switzerland’s largest university, announced it was the target of a “serious cyberattack,” which a spokesperson described to The Record as “part of a current accumulation of attacks on educational and health institutions.”  The week before, the Harz University of Applied Sciences in Saxony-Anhalt, Ruhr West University, and the EU/FH European University of Applied Sciences all announced being impacted by cyberattacks.  Back in January the Vice Society ransomware group claimed responsibility for a November attack against the University of Duisburg-Essen in Germany.

Elsewhere in Germany, ransomware attacks have impacted private industry, with the arms company Rheinmetall blaming the Black Basta ransomware group for an attack in May.  Bitmarck, one of the largest IT service providers within Germany’s statutory health insurance system, was also hit by an attack in the spring, as was the drug development giant Evotec.

[1] https://www.sentinelone.com/labs/kimsuky-new-social-engineering-campaign-aims-to-steal-credentials-and-gather-strategic-intelligence/

[2] https://www.vanguardngr.com/2023/06/nigeria-south-africa-kenya-top-african-countries-with-highest-cyber-threats-report/

[3] https://www.irishexaminer.com/news/arid-41158834.html

[4] https://www.aol.com/news/swiss-websites-hit-ddos-attack-095955022.html

[5] https://therecord.media/ransomware-attack-kaiserslautern-university-applied-sciences-germany/