AdvisoriesCISAAA23-040AFebruary 9, 2023
February 9, 2023
This joint Cybersecurity Advisory (CSA) by multiple U.S. and South Korean agencies aims to raise awareness about ongoing ransomware attacks against Healthcare and Public Health Sector organizations and critical infrastructure entities. It provides an overview of the state-sponsored ransomware activities carried out by the Democratic People's Republic of Korea (DPRK). The CSA highlights the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) used by DPRK cyber actors to infiltrate and target these organizations, along with their use of cryptocurrency for ransom demands. The advisory cautions against paying the attackers, instead providing a recovery script to reverse the effects of the malware.
February 9, 2023
There are three CVE’s noted in the advisory: CVE-2021-44228, CVE-2021-20038 and CVE-2022-24990. For the most part, these are standard vulnerability reports that should prompt you to perform the recommended upgrades. Exploiting these vulnerabilities allowed the ransomware to enter the environment. When it did, it was often embedded in a South Korean instant messenger application, called X-Popup. This should be where your ears perk up: endpoint defenses should be context aware and understand what software is normal versus not on your devices. Unusual software, even if benign by signature, should be analyzed more deeply than the programs you expect to see.
Be immediately notified of new advisories and associated security tests
AdvisoryCISAAA24-207AJuly 25, 2024
