The US Cybersecurity and Infrastructure Security Agency (CISA), US National Security Agency (NSA), US Federal Bureau of Investigation (FBI), US Department of Health and Human Services (HHS), the Republic of Korea (ROK) National Intelligence Service (NIS), and the ROK Defense Security Agency (DSA) have issued a joint alert detailing the tactics, techniques, and procedures (TTPs) that North Korean state-sponsored ransomware groups are using to attack the public health sector and other critical infrastructure sectors.
Note
- There is a lot of useful material to leverage in this alert. Ingest the included IOCs, then work through the mitigations; even if you don't think you're a target, they are good cyber practices that help keep the bar raised.
- It's good to see nations band together to jointly develop and publish guidance on ransomware gangs. While the alert calls out the tactics and techniques employed by a state-sponsored actor, they are virtually the same as those employed by other ransomware gangs. A primary defensive focus should be ensuring that known vulnerabilities have been patched as part of your vulnerability management process. Let's deny the cybercriminal initial access and the ability to escalate privileges on the network.
- This appears to align with the DPRK's intention to continue funding its military through sources that evade sanctions. It has just made a huge show of force with a large military parade displaying the most ICBMs we have seen so far. It makes sense for the ROK and the US to focus on cutting off the funding source, which is not only cryptocurrency theft and ransomware but other illicit activities as well.
Read more in