Tuesday, November 12, 2024
HomeCyber AttackNorth Korean Hackers Exploit VPN Update Flaw To Breach Networks

North Korean Hackers Exploit VPN Update Flaw To Breach Networks

Published on

Malware protection

North Korean state-sponsored hacking groups, including Kimsuky (APT43) and Andariel (APT45), have significantly increased cyberattacks on South Korean construction and machinery sectors. 

This surge aligns with Kim Jong-un’s “Local Development 20×10 Policy,” aimed at modernizing industrial facilities across North Korea. 

In response, South Korea’s National Cyber Security Center (NCSC) and intelligence agencies have issued a comprehensive joint cybersecurity advisory, in which they urged that North Korean hackers have been exploiting VPN update flaws to breach networks.

- Advertisement - SIEM as a Service

Not only that, but they also detailed several other important things. The advisory aims to help organizations prevent and mitigate potential damage, as stolen data could be used to advance North Korea’s industrial and urban development plans.

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access

Hackers Exploit VPN Update Flaw

There were two cases were highlighted and they are:-

  • CASE 1: Mass distribution of malicious code targeting ‘construction industry professional organizations’
Kim Suki hacking organization’s malware distribution process (Source – NCSC)
  • CASE 2: Attacks in the domestic machinery sector by exploiting the ‘information security product vulnerabilities’
Exploitation of Andariel’s ‘VPN SW’ vulnerability and distribution of malware (Source – NCSC)

In January 2024, the Kimsuky group of North Korea carried out a complex supply chain attack on a South Korean construction industry website.

The hackers attacked the security authentication software and hijacked the NX_PRNMAN system.

This malware, called “TrollAgent,” which was coded in Go, infected the PCs of government employees, public institutions, and construction professionals who accessed the compromised site of security authentication software.

To work without detection, TrollAgent collected information about systems, capturing them via screenshots, and downloading all sorts of sensitive data including passwords from browsers’ memory locations, GPKI certificates, SSH keys, and even FileZilla’s client services.

The cyber attackers used a real digital certificate from “D2Innovation” which allowed them to evade some security checks.

Such occurrences are significant as the complexity and detailed nature of North Korean cyber operations against South Korea’s infrastructure sectors increases.

In April 2024, Andariel, a North Korean hacking group, perpetuated a complex attack against South Korean construction and machinery firms by exploiting the loopholes in local VPNs and server security software.

It took advantage of holes in client-server communication protocols that focused on update activities lacking enough authentication procedures.

Apart from this, Andariel’s method involved:-

  • These requests were sent disguised as HTTP packets to user PCs bypassing the verification process that is carried out by the VPN client.
  • They moved the update request to a malicious C2 server masquerading as a legitimate VPN Server.
  • The distribution of DoraRAT malware posed as an upgrade for software.

These attacks enabled Andariel to gain remote control over infected machines and indicated the changing strategies behind North Korea’s cyber campaigns and how South Korea’s industrial infrastructure must be properly strengthened.

Mitigations

Here below we have mentioned all the mitigations:-

  • Provide continuous security education for all organization members.
  • Customize training for general members and IT staff.
  • Keep OS, applications, and anti-virus software updated with real-time detection.
  • Implement strict approval policies for software deployment.
  • Require administrator authentication in the final deployment stage.
  • Follow government cybersecurity recommendations and contact manufacturers for urgent actions.
  • Refer to the ‘S/W Supply Chain Security Guidelines’ for supply chain security.
  • Use the ‘Software Development Security Guide’ from KISA for secure software development.
  • Apply to KISA for security inspections if needed.

How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide

Raga Varshini
Raga Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...