Recent intelligence reports indicate that the North Korean state-sponsored threat actor known as Kimsuky has orchestrated a targeted cyber campaign in which it exploits a patched vulnerability in Microsoft Remote Desktop Services to establish initial access to victim systems.
The AhnLab Security Intelligence Center (ASEC) has identified this malicious activity as Larva-24005. The researchers noted, “In certain instances, access was achieved via the exploitation of the RDP vulnerability known as BlueKeep (CVE-2019-0708).” They further clarified that while a vulnerability scanner for RDP was discovered on the affected systems, there is no substantiated evidence suggesting its deployment in the attack.
The BlueKeep vulnerability (CVE-2019-0708), which carries a critical CVSS score of 9.8, gives unauthenticated attackers remote code execution: an attacker who sends a specially crafted RDP request to the targeted Remote Desktop Service can install arbitrary software, exfiltrate data, and create user accounts with extensive privileges. Microsoft patched this vulnerability in May 2019, emphasizing the importance of timely updates to safeguard systems against potential exploitation.
In addition to exploiting this vulnerability, Kimsuky employs phishing emails containing files that leverage another known vulnerability in Microsoft Equation Editor (CVE-2017-11882), which has a significant CVSS score of 7.8. Once the attackers gain access, they utilize a dropper to deploy a malware strain identified as MySpy, alongside an RDP configuration tool known as RDPWrap. This malware is geared towards gathering system information, while the RDPWrap tool facilitates unauthorized remote access.
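The two host-level conditions that matter most for this part of the campaign are whether a machine still exposes an RDP listener without Network Level Authentication (BlueKeep is exploitable before authentication, and requiring NLA is Microsoft's documented mitigation alongside the patch) and whether the Remote Desktop service has been tampered with by a tool such as RDPWrap. The following PowerShell audit is an added example written for this article; it is not code from ASEC's report or from the campaign. It reads documented registry values for the RDP listener, and it treats a `TermService` `ServiceDll` that no longer points at `termsrv.dll` as an RDPWrap-style indicator, which is this example's own assumption rather than a published IoC; the BlueKeep hotfix ID is a placeholder because the KB number depends on the OS build.

```powershell
# Added defender-side RDP audit (example code, not from the ASEC report).
# Run in an elevated PowerShell session on the Windows host being audited.

$tsRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp  = "$tsRoot\WinStations\RDP-Tcp"
$svcPrm  = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null instead of throwing when the value is absent.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# 1. Is inbound RDP enabled? fDenyTSConnections = 1 means RDP is disabled.
$denyConnections = Get-RegValue $tsRoot 'fDenyTSConnections'
$rdpEnabled      = ($denyConnections -eq 0)

# 2. Is Network Level Authentication required on the RDP-Tcp listener?
#    UserAuthentication = 1 requires NLA; 0 allows the pre-auth path BlueKeep abuses.
$nlaRequired = (Get-RegValue $rdpTcp 'UserAuthentication') -eq 1

# 3. Which port is the listener on, and is anything actually listening there?
$rdpPort   = Get-RegValue $rdpTcp 'PortNumber'
$listening = $null -ne (Get-NetTCPConnection -LocalPort $rdpPort -State Listen -ErrorAction SilentlyContinue)

# 4. RDPWrap-style tampering indicator (assumption of this example): a stock system
#    resolves TermService's ServiceDll to %SystemRoot%\System32\termsrv.dll.
$serviceDll   = Get-RegValue $svcPrm 'ServiceDll'
$dllTampered  = ($serviceDll -notmatch '\\System32\\termsrv\.dll$')

# 5. Patch state. The KB that fixes CVE-2019-0708 differs per OS build, so the ID
#    below is a placeholder to be replaced from Microsoft's advisory for this build.
$blueKeepKb = 'KB<replace-with-KB-for-this-OS-build>'
$patchFound = $null -ne (Get-HotFix -Id $blueKeepKb -ErrorAction SilentlyContinue)
$osBuild    = (Get-CimInstance Win32_OperatingSystem).Version

$report = [pscustomobject]@{
    OSBuild            = $osBuild
    RdpEnabled         = $rdpEnabled
    RdpPort            = $rdpPort
    ListenerActive     = $listening
    NlaRequired        = $nlaRequired
    TermServiceDll     = $serviceDll
    ServiceDllTampered = $dllTampered
    BlueKeepPatchFound = $patchFound
}

# Flag the combinations a defender should act on first.
if ($rdpEnabled -and -not $nlaRequired) {
    Write-Warning 'RDP is enabled without NLA: pre-authentication RDP flaws are reachable.'
}
if ($dllTampered) {
    Write-Warning "TermService ServiceDll points at '$serviceDll', not the stock termsrv.dll."
}
if (-not $patchFound) {
    Write-Warning 'BlueKeep hotfix not found (check that the placeholder KB was replaced).'
}

$report | Format-List
```

Remediation for the first warning is to set `UserAuthentication` to 1 (or enable "Allow connections only from computers running Remote Desktop with Network Level Authentication" in System Properties) and to apply the May 2019 update; a non-stock `ServiceDll` warrants restoring the original value and investigating how it was changed, since RDPWrap is what the report says the dropper installs to keep remote access open.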
The culmination of this campaign includes the deployment of keyloggers such as KimaLogger and RandomQuery, which are specifically designed to capture keystrokes and compromise sensitive data.
This malicious campaign has primarily targeted entities in South Korea and Japan, focusing on sectors such as software, energy, and finance since October 2023. Additional targets include a range of countries such as the United States, China, Germany, Singapore, South Africa, the Netherlands, Mexico, Vietnam, Belgium, the United Kingdom, Canada, Thailand, and Poland.