Alert (AA23-040A) #StopRansomware: Ransomware Activities Related to DPRK
UPDATE 02/27/2023: Added protection for CVE-2022-24990.
FortiGuard Labs is aware of a joint advisory on ransomware activities against organizations in healthcare and critical infrastructure performed by threat actors related to the Democratic People's Republic of Korea (DPRK). The advisory was issued by multiple agencies in the United States and the Republic of Korea (ROK) and contains information that helps organizations fortify their cyber defenses against the known tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs).
Why is this Significant?
This is significant because the advisory is part of the #StopRansomware effort and provides tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) that belong to ransomware activities related to threat actors associated with DPRK. The information in the advisory helps organizations review and strengthen cyber defenses.
The advisory was issued by the United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Department of Health and Human Services (HHS), the Republic of Korea (ROK) National Intelligence Service (NIS), and the ROK Defense Security Agency (DSA).
What are the TTPs Covered in the Advisory?
Threat actors were observed to have leveraged the following vulnerabilities to gain access to the victims' networks:
CVE-2021-44228 (Apache Log4j remote code execution vulnerability)
CVE-2021-20038 (SonicWall SMA100 buffer overflow vulnerability)
CVE-2022-24990 (TerraMaster OS unauthenticated remote command execution vulnerability)
Threat actors also hide malware in the X-Popup instant messenger app as an initial infection vector.
Ransomware used by DPRK threat actors includes Maui, H0lyGh0st, BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom.
What is the Mitigation?
The advisory provides mitigation methods. For details, see the Appendix for a link to "Alert (AA23-040A): #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities".
What is the Status of Protection?
FortiGuard Labs has the following AV signatures in place for the available samples referenced in the IOC section of the advisory:
Java/Webshell.V!tr
PHP/Webshell.NIJ!tr
PHP/Webshell.NOK!tr
VBA/Agent.BSL!tr
W32/Agent.C5C2!tr
W32/Agent.FD!tr
W32/Agent.GT!tr
W32/Agent.QCD!tr.spy
W32/Agent.SRR!tr
W32/DTrack!tr.bdr
W32/Filecoder.AX!tr
W32/Filecoder.OLY!tr
W32/KeyLogger.RKT!tr
W32/MagicRAT.B!tr
W32/MagicRAT.C!tr
W32/MagicRAT.D!tr
W32/MagicRAT.E!tr
W32/MAUICRYPT.YACC5!tr.ransom
W32/MulDrop19.28718!tr
W32/NukeSped.HD!tr
W32/NukeSped.JF!tr
W32/PossibleThreat
W32/Scar.JEV!tr
W64/Agent.ACBX!tr
W64/Filecoder.788A!tr.ransom
W64/GenKryptik.FTAR!tr
W64/NukeSped.HA!tr
W64/NukeSped.HD!tr
W64/NukeSped.IF!tr
W64/NukeSped.LC!tr
W64/NukeSped.LE!tr
W64/NukeSped.LT!tr
Riskware/Xpopup
Malicious_Behavior.SB
W32/Malicious_Behavior.VEX
PossibleThreat.PALLASH
FortiGuard Labs has the following IPS signatures in place for the exploited vulnerabilities in the advisory:
Apache.Log4j.Error.Log.Remote.Code.Execution (CVE-2021-44228)
SonicWall.SMA100.mod_cgi.Buffer.Overflow (CVE-2021-20038)
TerraMaster.TOS.Api.PHP.Information.Disclosure (CVE-2022-24990) - the default action for this signature is set to "pass", so matching traffic is not blocked unless the action is changed in the IPS sensor