
Cybersecurity researchers are flagging new malicious campaigns attributed to a North Korean state-sponsored threat actor known as Kimsuky, which leverages now-patched vulnerabilities affecting Microsoft Remote Desktop Services to gain initial access.
The activity has been named Larva-24005 by the AhnLab Security Intelligence Center (ASEC).
“Some systems have gained initial access by leveraging RDP vulnerabilities (BlueKeep, CVE-2019-0708),” says the Korean cybersecurity company. “The RDP vulnerability scanner was found on a compromised system, but there is no evidence of its actual use.”

CVE-2019-0708 (CVSS score: 9.8) is a critical bug in Remote Desktop Services that allows remote code execution, letting unauthenticated attackers install programs, view data, and create new accounts with full user rights.
To exploit the flaw, an attacker must send a specially crafted request to the target system's Remote Desktop Services over RDP. Microsoft patched it in May 2019.

Another initial access vector employed by the threat actor is phishing emails carrying attached files that trigger a known Equation Editor vulnerability (CVE-2017-11882, CVSS score: 7.8).
Once access is gained, the attacker uses a dropper to change system settings so that RDP access is permitted and installs an RDP wrapper tool called RDPWrap, along with a piece of malware called MySpy that is designed to collect system information.
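To check a Windows host for the changes described above (RDP enabled through system settings and RDPWrap installed), here is an added audit script; it is not from the article or from ASEC. The RDP Wrapper install path and the TermService ServiceDll redirection it looks for are assumptions based on how that tool is documented to work.

```powershell
# Added example (not from the article or ASEC): audit a Windows host for the
# RDP-enablement and RDPWrap artifacts mentioned in the campaign description.
# Assumptions: default RDP Wrapper install path and the TermService ServiceDll
# redirection the wrapper is known to perform. Run in an elevated session.

$findings = @()

# 1. Has RDP been enabled? fDenyTSConnections = 0 means connections are allowed.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    $findings += 'RDP connections are enabled (fDenyTSConnections = 0)'
}

# 2. Does the Remote Desktop service load a non-Microsoft DLL? RDP Wrapper works by
#    pointing TermService's ServiceDll at its own rdpwrap.dll instead of termsrv.dll.
$svc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters' -ErrorAction SilentlyContinue
if ($svc -and $svc.ServiceDll -notmatch 'termsrv\.dll$') {
    $findings += "TermService ServiceDll is redirected to: $($svc.ServiceDll)"
}

# 3. Look for the wrapper's files in its default install directory (assumed path).
$wrapDir = Join-Path $env:ProgramFiles 'RDP Wrapper'
if (Test-Path (Join-Path $wrapDir 'rdpwrap.dll')) {
    $findings += "rdpwrap.dll present in $wrapDir"
}

# 4. Is TCP 3389 listening? A newly exposed listener on a workstation deserves a look.
$listener = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    $findings += 'A listener is bound to TCP 3389'
}

# 5. Recent successful RDP logons (event 4624, Logon Type 10) from the Security log.
$rdpLogons = Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4624} -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    Select-Object -First 5 TimeCreated,
        @{ n = 'Account';  e = { $_.Properties[5].Value } },
        @{ n = 'SourceIP'; e = { $_.Properties[18].Value } }

if ($findings.Count -eq 0) { 'No RDP / RDPWrap indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
if ($rdpLogons) { 'Recent RDP logons:'; $rdpLogons | Format-Table -AutoSize }
```

RDP being enabled is legitimate on many servers, so treat the first finding as context and the ServiceDll redirection or rdpwrap.dll presence as the stronger signals.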

The attack culminates in the deployment of keyloggers such as KimaLogger and RandomQuery to capture keystrokes.
The campaign has been ongoing since October 2023 and has primarily targeted victims in the software, energy and financial sectors in South Korea and Japan. Other countries targeted by the group include China, Germany, Singapore, South Africa, the Netherlands, Mexico, Vietnam, Belgium, the UK, Canada, Thailand and Poland.