CyberWire Daily - Who is that stealing my credentials? [Research Saturday]

Episode Date: August 5, 2023

Aleksandar Milenkoski from SentinelOne joins to discuss their work on "Kimsuky Strikes Again | New Social Engineering Campaign Aims to Steal Credentials and Gather Strategic Intelligence." Researchers... have been tracking the North Korean APT group Kimsuky and their attempt at a social engineering campaign targeting experts in North Korean affairs. The research states "The campaign has the objective of stealing Google and subscription credentials of a reputable news and analysis service focusing on North Korea, as well as delivering reconnaissance malware." Kimsuky has been tracked engaging in extensive email correspondence using spoofed URLs, along with Office documents weaponized with the ReconShark malware. The research can be found here: Kimsuky Strikes Again | New Social Engineering Campaign Aims to Steal Credentials and Gather Strategic Intelligence

Transcript
[00:00:00] You're listening to the CyberWire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems,
[00:01:43] and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. So through our collaboration with NK News, we got the opportunity to take a look at the emails, analyze the malicious activities and basically scope the overall campaign that was going on at the time. That's Aleksandar Milenkoski, senior threat researcher at SentinelLabs. The research we're discussing today is titled "Kimsuky Strikes Again | New Social Engineering Campaign Aims to Steal Credentials and Gather Strategic Intelligence."
[00:02:33] We collaborate with NK News and NK Pro. So just a little bit of context for the listeners. NK News and NK Pro is a prominent news and analysis outlet on North Korean affairs, which collaborates with experts in North Korean affairs and publishes detailed reports on North Korea to its subscription base. So the campaign that we talked about in our research is basically a social engineering campaign done via email correspondence that was targeting experts in North Korean affairs and members of NK Pro. It is a subscription service of NK News.
[00:03:07] So through our collaboration with NK News, we got the opportunity to take a look at the emails, analyze the malicious activities, and basically scope the overall campaign that was going on at the time. Well, before we dig into the specific campaign here, can you share with us what do we know about Kimsuky? Sure. So Kimsuky is a North Korea-nexus threat actor that's been active since at least 2012.
[00:03:37] The group in overall, in general, is known for a lot of badness, like primarily conducting targeted social engineering and spear phishing campaigns by impersonating relevant individuals. In general, the group's goal is to collect strategic intelligence, for example, on geopolitical affairs, foreign policy developments, and so on, primarily done through credential theft and delivery of malware. One prominent characteristic of the group is that it's consistently active and it's very persistent as well.
[00:04:09] And it dedicates a lot of time and effort in conducting its campaigns. How would you rate their sophistication? Kimsuky is very active and very persistent. So it's very thorough in conducting social engineering campaigns. This means also planning who is sending the mail, the tone of the emails, and one of their characteristics is really first establishing trust and rapport with the victims. And the initial communication
[00:04:38] usually does not contain any malicious artifacts. At least that was the case in the campaign that we discussed in our latest research. However, they use every available opportunity during the correspondence to deliver either weaponized documents or malicious links and whatnot. So from that perspective, from the social engineering perspective, I would say that they are very, very persistent and very active and very dedicated on that front. Well, let's walk through this particular campaign. How does it begin? What's the initial contact like? Right. So what we observed in general is primarily a social engineering campaign
[00:05:17] done via email correspondence. Again, that was targeting experts in North Korean affairs and members of NK Pro, the subscription service of NK News. So the overall campaign was done via email. The social engineering attacks involved mainly two types of activities. So they were contacting experts in North Korean affairs, sending draft Google documents for the experts to review. And the other vector was they were sending requests or resetting accounts to NK Pro membership,
[00:05:49] basically leading or luring members to malicious websites that capture entered credentials. When focusing on the correspondence with the targeted experts in North Korean affairs, as I mentioned before, the hallmark of this activity is that the attackers focused on first establishing trust or rapport with the victims, and the initial communication did not contain any malicious activity. The email that you all share in your research here is quite interesting. They're reaching out to people and asking for them to share their expertise on the NK nuclear threat.
[00:06:28] So really, I guess, touching a bit of the victim's ego to start with. Well, the individuals that were targeted were experts in those affairs. So maybe some further context for the listeners. NK Pro, that is the subscription service of NK News, collaborates with such experts in North Korean affairs and publishes detailed reports on North Korea to its subscription base. As I mentioned before, Kimsuky is very dedicated to social engineering campaigns. So the way that they targeted the individuals was consistent with the usual things or activities that the targeted individuals are usually involved in. And now, a message from our sponsor, Zscaler,
[00:07:23] the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface
[00:07:41] with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation,
[00:08:13] and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security. So they're using some custom domains here to make it appear as though their correspondence is coming from NK Pro? Sure. So they basically used email domains that were mimicking legitimate domains. And also when it comes to capturing credentials or stealing credentials, they also used
[00:08:58] websites that they constructed and that mimic legitimate domains, specifically of the NK Pro subscription service. So you mentioned that they're very deliberate about establishing rapport with their victims here and that there could be several emails that go back and forth before they actually send a malicious file. Can you walk us through that? I mean, at what point do they actually drop that malicious file?
[00:09:23] So that depends on how the conversation goes. So as I mentioned, they first try to establish rapport. For example, to the expert, they send draft Google documents for them to review. If they notice that the target engages in the conversation, after some time, they attempt to deliver payload. One interesting thing to note about Kimsuky is that if they notice that the email correspondence slowed down or has died out,
[00:09:53] they tend to send also reminders. So that aligns with the persistency that I mentioned a few moments ago. Yeah. What is the payload that they ultimately send? So from a technical perspective, they have two goals, right? The first goal is theft of Google email and NK Pro subscription credentials through impersonation of legitimate login sites. So these malicious sites, in the context of the emails, they were in the form of links on which the victim should click.
[00:10:22] These malicious sites were constructed to capture entered credentials, basically, and transport them back to the threat actors. The second goal from a technical perspective was delivery of known Kimsuky reconnaissance malware. Now, the thing about this reconnaissance malware is that it enables further precision attacks, whether that would be through custom-tailored malware or some exploits that the threat group has in its possession and whatnot down the line.
[00:10:49] So what are your recommendations then for organizations to best protect themselves here? Right. So all the measures for protecting against social engineering attacks, I would say they apply here as well. One thing is verifying the legitimacy of emails, of course. This involves usually examining the sender's email origin by investigating email headers, but even going beyond that, like evaluating the language use, the overall style and tone of the email correspondence. For example, if the sender is insisting on downloading a document or clicking on a given link,
[00:11:23] this should be enough to raise suspicion. Note that Kimsuky is known for reminding victims, as I mentioned earlier, to do this if they see that their correspondence has slowed down. Going further, proper email or account security, of course. So MFA or multi-factor authentication is definitely a must. We at SentinelLabs recommend adopting what we call attack-resilient MFA techniques,
[00:11:49] such as the use of hardware tokens in favor of some less secure MFA, such as SMS messages or push notifications. Threat actors these days are known to evade SMS messages or push-based notification MFA authentication. And finally, I mean, for the specifically targeted individuals, it is also important to report suspicious activities to the authorities. The NSA report, which was discussing this activity on a broader scale,
[00:12:19] provides instructions how to do this regarding Kimsuky activity specifically. It seems to me like this really is a reminder of how your email account, which in this case flows through these folks' Google accounts, I mean, it really is the key to everything. So much goes through there. If someone gains access to your email account, there's just so much they can do.
[00:12:43] Exactly. So we covered before the technical goals of the campaign, right? But the technical goals always translate to rather strategic or non-technical goals, right? So in a way, by gaining access to the email inboxes of the targeted experts on North Korea, the attackers can access their email correspondence, which provides intelligence to Kimsuky on its own, I would say.
[00:13:08] For example, Kimsuky is known to deploy kind of auto-forwarders of incoming emails to their own email addresses. So in a way that gives them real-time insight into email correspondence. But also important not to forget is that access to victims' email inboxes also enables Kimsuky to possibly impersonate the affected victims in further attacks. So
[00:13:31] this thing can propagate as well. We also mentioned that they targeted credentials to the subscription content of NK Pro. So by gaining access to the subscription content of NK Pro, Kimsuky, in a way, has a direct insight into how the Western world perceives the ongoing developments in North Korea. So all of this, in a way, I would say, builds up the North Korean strategic intelligence, which ultimately guides North Korean authorities in the process of fine-tuning or further developing, if you wish, their overall strategy on a long-term basis. Well, mid-term, short-term basis as well. Our thanks to Aleksandar Milenkoski from SentinelOne for joining us. The research is titled "Kimsuky Strikes Again | New Social Engineering Campaign Aims to Steal Credentials and Gather Strategic Intelligence." We'll have a link in the show notes.
[00:14:44] And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. Learn more at blackcloak.io. The CyberWire Research Saturday podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe,
[00:15:45] where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Elliott Peltzman. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
