Not Simon 🐐

Kimsuky

January 20, 2025

Country: Democratic People's Republic of Korea (DPRK) Organization: Reconnaissance General Bureau (RGB) Objective: Espionage, Cryptocurrency Theft (Page last updated January 22, 2025)

Aliases:

APT43 (Mandiant)
APT-C-55 (Qihoo 360)
ARCHIPELAGO (Google TAG)
Black Banshee (PwC)
Emerald Sleet (Microsoft)
ITG16 (IBM)
Kimsuky (ASEC, CISA, Cisco, Cybereason, Cyfirma, ESTsecurity, ETDA, Genians, Hunt.io, JPCERT/CC, Lazarusholic, Kaspersky, Malpedia, Malwarebytes, MITRE, Rapid7, S2W, Securonix, SentinelOne, Wikipedia, Zscaler)
KTA082 (Kroll)
NICKEL KIMBALL (Secureworks)
SharpTongue (Volexity)
Sparkling Pisces (Unit 42)
Springtail (Symantec)
TA406 (Proofpoint)
TA427 (Proofpoint)
THALLIUM (formerly used by Microsoft)
Velvet Chollima (CrowdStrike, Rapid7)

Links to Other Groups

Konni (ESTsecurity)
Lazarus Group (ESTsecurity)

Vulnerabilities Exploited

CVE-2024-1709 (10.0 critical, in CISA's KEV Catalog) ConnectWise ScreenConnect Authentication Bypass Vulnerability Source: Kroll

The following seven vulnerabilities have the same source: Cyfirma

CVE-2024-21338 (7.8 high, in CISA's KEV Catalog) Microsoft Windows Kernel Exposed IOCTL with Insufficient Access Control Vulnerability
CVE-2021-44228 (10.0 critical, in CISA's KEV Catalog) Apache Log4j2 Remote Code Execution Vulnerability (aka Log4Shell).
CVE-2017-17215 (8.8 high) Huawei HG532 Remote Code Execution Vulnerability
CVE-2017-11882 (7.8 high, in CISA's KEV Catalog) Microsoft Office Memory Corruption Vulnerability
CVE-2020-0787 (7.8 high, in CISA's KEV Catalog) Microsoft Windows Background Intelligent Transfer Service (BITS) Improper Privilege Management Vulnerability
CVE-2017-0199 (7.8 high, in CISA's KEV Catalog) Microsoft Office and WordPad Remote Code Execution Vulnerability Additional source: SOCRadar
CVE-2017-0144 (8.8 high, in CISA's KEV Catalog) Microsoft SMBv1 Remote Code Execution Vulnerability

The following vulnerabilities have the same source: SOCRadar

CVE-2015-2545 (7.8 high, in CISA's KEV Catalog) Microsoft Office Malformed EPS File Vulnerability
CVE-2019-0604 (9.8 critical, in CISA's KEV Catalog) Microsoft SharePoint Remote Code Execution Vulnerability

Tactics, Techniques, and Procedures

Mapped to MITRE ATT&CK

Known Tools Used

External link: MITRE

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2025

January 22, 2025 – S2W: Kimsuky 그룹의 Babyshark 악성코드 캠페인 (Korean language, English translation: Babyshark malware campaign from Kimsuky group)
January 20, 2025 – Scarlet Shark: Analyst’s Note — Kimsuky

2021

December 21, 2021 – ASEC: APT Attack Cases of Kimsuky Group (PebbleDash)
November 19, 2021 – Qihoo 360: 疑似APT-C-55（Kimsuky）组织利用商业软件Web Browser Password Viewer进行攻击 (Chinese language, English translation: APT-C-55 (Kimsuky) organization suspected to use commercial software Web Browser Password Viewer to attack)
November 18, 2021 – Proofpoint: Triple Threat: North Korea-Aligned TA406 Scams, Spies, and Steals (Available as PDF)
November 16, 2021 – ASEC: Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)
November 10, 2021 – Cisco Talos: North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets
October 25, 2021 – Microsoft: Microsoft Digital Defense Report OCTOBER 2021 (PDF)
June 03, 2021 – Cyble: Kimsuky APT Group Distributes Fake Security App Disguised as KISA Security Program
June 01, 2021 – Malwarebyres: Kimsuky APT continues to target South Korean government using AppleSeed backdoor
May 06, 2021 – QiAnXin: 疑似Kimsuky APT组织利用韩国外交部为诱饵的攻击活动分析 (Chinese language, English translation: Analysis of the suspected Kimsuky APT group's attack activities using the South Korean Ministry of Foreign Affairs as bait)
May 05, 2021 – Qihoo 360: Kimsuky APT组织使用新型的AppleSeed Android组件伪装成安全软件对韩特定目标进行攻击 (Chinese language, English translation: Kimsuky APT uses new AppleSeed Android component disguised as security software to attack specific targets in South Korea)
March 26, 2021 – Qihoo 360: Kimsuky组织网络攻击活动追溯分析报告 (Chinese language, English translation: Kimsuky Organization Cyber Attack Activity Tracing Analysis Report)
March 04, 2021 – United Nations Security Council: Final report of the Panel of Experts (PDF) (ATTRIBUTION)

2020

November 22, 2020 – ESTsecurity: [스페셜 리포트] 탈륨(김수키)과 코니 APT 그룹의 연관관계 분석 Part3 (Korean language, English translation: [Special Report] Analysis of the relationship between Thallium (Kimsuky) and the Konni APT Group Part 3)
November 02, 2020 – Cybereason: Back to the Future: Inside the Kimsuky KGH Spyware Suite
October 27, 2020 – CISA: North Korean Advanced Persistent Threat Focus: Kimsuky (Available as a PDF)
September 30, 2020 – PwC:
- To catch a Banshee: how Kimsuky’s tradecraft betrays its complementary campaigns and mission
- To catch a Banshee (PowerPoint slides) (PDF)
July 25, 2020 ESTsecurity: [스페셜 리포트] 미국 MS가 고소한 탈륨 그룹, 대한민국 상대로 '페이크 스트라이커' APT 캠페인 위협 고조 (Korean language, English translation: [Special Report] Thallium Group, Sued by US MS, Raises Threat of ‘Fake Striker’ APT Campaign Against South Korea)
July 02, 2020 – IBM: Recent Activity from ITG16, a North Korean Threat Group
June 30, 2020 – ESTsecurity: 김수키(탈륨) 조직, 코로나19 테마와 WSF 파일 기반 공격 주의 (Korean language, English translation: Kimsuky (Thallium) Organization, Beware of COVID-19 Theme and WSF File-Based Attacks)
June 19, 2020 – ESTsecurity: 탈륨조직, 청와대 보안 이메일로 사칭한 APT 공격 수행 (Korean language, English translation: Thallium Organization Carries Out APT Attacks Impersonating Blue House Security Email)
June 11, 2020 – ESTsecurity: 김수키(Kimsuky) APT 그룹, 과거 라자루스(Lazarus) doc 공격 방식 활용 (Korean language, English translation: Kimsuky APT group uses past Lazarus doc attack methods)
June 02, 2020 – ESTsecurity: 김수키(Kimsuky) 그룹, HWP, DOC, EXE 복합적 APT 공격 작전 (Korean language, English translation: Kimsuky Group, HWP, DOC, EXE Complex APT Attack Operation)
May 29, 2020 – ESTsecurity: '북한 내 코로나19 상황 인터뷰' 문건으로 사칭한 김수키 APT 공격 주의! (Korean language, English translation: Beware of KimsukyAPT attack disguised as 'Interview on COVID-19 situation in North Korea'!)
May 27, 2020 – ESTsecurity: 핵 이슈를 다루는 학술 연구재단을 사칭한 Konni 조직의 새로운 APT 공격 (Korean language, English translation: New APT attack by Konni group impersonating academic research foundation dealing with nuclear issues)
April 10, 2020 – ESTsecurity: 김수키(Kimsuky)조직, 21대 국회의원 선거문서로 사칭한 스모크 스크린 APT 공격 수행 (Korean language, English translation: Kimsuky Organization Conducts Smoke Screen APT Attack Disguised as 21st National Assembly Election Document)
March 28, 2020 – ESTsecurity: '코로나19' 내용으로 가장한 김수키(Kimsuky) 조직의 스모크 스크린 APT 공격 주의! (Korean language, English translation: Beware of Smoke Screen APT Attacks by Kimsuky Organization Disguised as 'Corona 19' Content!)
March 23, 2020 – ESTsecurity: 국방부 출신 이력서를 위장한 김수키(Kimsuky) 조직의 '블루 에스티메이트 Part7' APT 공격 주의 (Korean language, English translation: Beware of the 'Blue Estimate Part 7' APT attack by the Kimsuky organization disguised as a Ministry of National Defense resume)
March 21, 2020 – ESTsecurity: 김수키(Kimsuky)조직, 코로나 바이러스 이슈를 악용하여 MacOS MS오피스 사용자를 타겟으로 진행중인 APT 공격 주의! (Korean language, English translation: Beware of APT attacks targeting MacOS MS Office users by the Kimsuky organization, exploiting the coronavirus issue!)
March 09, 2020 – PwC: Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 2 (Archive of dead link)
March 02, 2020 – ESTsecurity: 이력서로 위장한 김수키(Kimsuky) 조직의 '블루 에스티메이트 Part5' APT 공격 주의 (Korean language, English translation: Beware of the 'Blue Estimate Part 5' APT attack by the Kimsuky organization disguised as a resume)
February 18, 2020 – PwC: Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 1 (Archive of dead link)
February 06, 2020 – ESTsecurity: 김수키(Kimsuky) 조직, 실제 주민등록등본 파일로 둔갑한 '블루 에스티메이트 Part3' APT 공격 주의 (Korean language, English translation: Kimsuky Organization, Beware of 'Blue Estimate Part 3' APT Attack Disguised as Real Resident Registration Copy File)
January 14, 2020 – ESTsecurity: ‘통일외교안보특보 발표문건’ 사칭 APT 공격… 김수키(Kimsuky) 조직 소행 (Korean language, English translation: APT attack impersonating ‘Unification, Foreign Affairs, and Security Special Advisor Announcement Document’… Kimsuky Organization’s work)

2019

December 30, 2019 – Microsoft: Microsoft takes court action against fourth nation-state cybercrime group
October 17, 2019 – ESTsecurity: 김수키(Kimsuky) 조직 소행 추정 ‘대북 분야 국책연구기관’ 사칭 스피어피싱 공격 발견 (Korean language, English translation: Spear phishing attack impersonating ‘national research institute in the North Korea field’ suspected to be by Kimsuky organization discovered)
October 01, 2019 – ESTsecurity: 코니(Konni) APT 조직, HWP 취약점을 이용한 'Coin Plan' 작전 감행 (Korean language, English translation: Konni APT Group Conducts 'Coin Plan' Operation Using HWP Vulnerability)
September 27, 2019 – ESTsecurity: 북한 파일명으로 보고된 Kimsuky 조직의 '스모크 스크린' PART 3 (Korean language, English translation: Kimsuky Organization's 'Smoke Screen' Reported by North Korean File Name PART 3)
August 24, 2019 – ESTsecurity: 코니(Konni) APT 조직, 안드로이드 스파이 활동과 김수키 조직 유사성 분석 (Korean language, English translation: Analysis of Similarities Between Konni APT Organization, Android Spying Activities, and Kimsuky Organization)
June 27, 2019 – ESTsecurity: 비트코인 1,500만원 돌파하면서 김수키(Kimsuky) APT 공격 중 (Korean language, English translation: Kimsuky APT Attack in Progress as Bitcoin Surpasses 15 Million Won)
June 10, 2019 – ESTsecurity: [스페셜 리포트] APT 캠페인 'Konni' & 'Thallium(Kimsuky)' 조직의 공통점 발견 (Korean language, English translation: [Special Report] Commonalities Discovered Between APT Campaigns 'Konni' & 'Thallium (Kimsuky)' Organizations)
May 28, 2019 – ESTsecurity:
- 김수키 조직, 사이버 안전국 암호화폐 민원안내로 사칭해 APT 공격 수행 (Korean language, English translation: Kimsuky's organization impersonates the Cyber Security Bureau's cryptocurrency civil affairs office to carry out APT attacks)
- 김수키 조직, 한국 암호화폐 거래소 이벤트 사칭 APT 공격 발생 (Korean language, English translation: Kimsuky Organization, APT Attack Impersonating Korean Cryptocurrency Exchange Event)
May 21, 2019 – ESTsecurity: 김수키(Kimsuky) 2차 북미정상회담 좌담회 사칭 APT 공격, '작전명 라운드 테이블' (Korean language, English translation: Kimsuky 2nd North American Summit Roundtable Discussion Impersonation APT Attack, 'Operation Name Roundtable')
May 20, 2019 – ESTsecurity: 김수키 조직, 한국을 겨냥한 '페이크 스트라이커' APT 작전 개시 (Korean language, English translation: Kim Soo-ki Organization Launches 'Fake Striker' APT Operation Targeting Korea)
May 13, 2019 – ESTsecurity: 암호화된 APT 공격, Kimsuky 조직의 '스모크 스크린' PART 2 (Korean language, English translation: Encrypted APT Attacks, Kimsuky Organization's 'Smoke Screen' PART 2)
April 26, 2019 – Unit 42: BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat
April 17, 2019 – ESTsecurity: 한ㆍ미 겨냥 APT 캠페인 '스모크 스크린' Kimsuky 실체 공개 (아웃소싱 공격) (Korean language, English translation: APT campaign targeting Korea and the US 'Smoke Screen' Kimsuky's true identity revealed (outsourcing attack))
April 03, 2019 – ESTsecurity: 김수키(Kimsuky) 조직, 스텔스 파워(Operation Stealth Power) 침묵 작전 (Korean language, English translation: Kimsuky Organization, Operation Stealth Power Silence Operation)
February 22, 2019 – Unit 42: New BabyShark Malware Targets U.S. National Security Think Tanks

2018

June 19, 2018 – ESTsecurity: 김수키(Kimsuky) APT조직, 미북 정상회담 전망 및 대비 문서로 공격 (Korean language, English translation: Kimsuky APT Organization Attacks with Documents on US-North Korea Summit Outlook and Preparation)
May 28, 2018 – ESTsecurity: 판문점 선언 관련 내용의 문서로 수행된 '작전명 원제로(Operation Onezero)' APT 공격 분석 (Korean language, English translation: Analysis of APT attack 'Operation Onezero' conducted with documents related to the Panmunjom Declaration)
April 19, 2018 – ESTsecurity: 2010년 해외 대상 APT 공격자, 오퍼레이션 베이비 코인(Operation Baby Coin)으로 한국 귀환 (Korean language, English translation: 2010 Overseas APT Attacker Returns to Korea with Operation Baby Coin)
February 12, 2018 – ESTsecurity: 오퍼레이션 김수키(Kimsuky)의 은밀한 활동, 한국 맞춤형 APT 공격은 현재 진행형 (Korean language, English translation: Operation Kimsuky's covert activities, Korea-tailored APT attacks are currently ongoing)
February 02, 2018 – McAfee: Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems

2013

September 11, 2013 – Kaspersky: The “Kimsuky” Operation: A North Korean APT?

Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat

CyberAv3ngers

January 19, 2025

Country: Islamic Republic of Iran Organization: Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC) Objective: Disruption (Page Last Updated: January 19, 2025)

Aliases:

CyberAv3ngers (CERT-FA, CISA, ETDA, Fortinet, Kaspersky, Malpedia, MITRE, SentinelOne)
Storm-0784 (Microsoft)

Links to Other Groups/Personas

Soldiers of Solomon (CISA, Microsoft)

Identified Members

Hamid Reza Lashgarian (حمیدرضا لشکریان): head of IRGC-CEC, also IRGC-Qods Force commander
Hamid Homayunfal (حمید همایون فال): IRGC-CEC senior official
Mahdi Lashgarian (مهدی لشکریان): IRGC-CEC senior official
Milad Mansuri (میلاد منصوری): IRGC-CEC senior official
Mohammad Bagher Shirinkar (محمد باقر شیرین کار): IRGC-CEC senior official
Mohammad Amin Saberian (محمد امین صابریان): IRGC-CEC senior official

General Information

Rewards for Justice

Vulnerabilities Exploited

CVE-2023-6448 (9.8 critical, in CISA's KEV Catalog) Unitronics Vision PLC and HMI Insecure Default Password Vulnerability Source: CISA
CVE-2023-28130 (7.2 high) CheckPoint Gaia Portal Privilege Escalation Vulnerability Source: SentinelOne

Tactics, Techniques, and Procedures

Mapped to MITRE ATT&CK

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2024

December 18, 2024 – CISA: IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including US Water and Wastewater Systems Facilities (UPDATE)
October 09, 2024 – OpenAI: Influence and cyber operations: an update (PDF)
February 02, 2024:
- U.S. State Department: Designating Iranian Cyber Officials
- U.S. Treasury: Treasury Sanctions Actors Responsible for Malicious Cyber Activities on Critical Infrastructure (ATTRIBUTION to IRGC-CEC)

2023

December 01, 2023 – CISA: IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including US Water and Wastewater Systems Facilities (ATTRIBUTION to IRGC)
November 30, 2023 – SentinelOne: Iran-Backed Cyber Av3ngers Escalates Campaigns Against U.S. Critical Infrastructure
November 28, 2023 – CISA: Exploitation of Unitronics PLCs used in Water and Wastewater Systems
November 26, 2023 – CBS News: Municipal Water Authority of Aliquippa hacked by Iranian-backed cyber group (news article)
October 16, 2023 – Kaspersky: A hack in hand is worth two in the bush

Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat

Silk Typhoon

January 11, 2025

Country: People's Republic of China Organization: Ministry of State Security (MSS) Objective: Espionage (Page Last Updated: January 17, 2025)

Aliases:

HAFNIUM (formerly used by Microsoft) (ETDA, Malpedia, Mitre, Rapid7, Wikipedia)
Operation Exchange Marauder (Volexity)
Red Dev 13 (PwC)
Silk Typhoon (Microsoft)
UNC2639 (FireEye/Mandiant)
UNC2640 (FireEye/Mandiant)
UNC2643 (FireEye/Mandiant)

Identified Member

Yin Kecheng

Links to Other Groups

APT40 (Hainan State Security Department (HSSD), of the MSS)

Vulnerabilities Exploited

CVE-2021-40539 (9.8 critical, in CISA's KEV Catalog) Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability Source: Implied to be CVE-2021-40539 by Microsoft
CVE-2021-44228 (10.0 critical, in CISA's KEV Catalog) Apache Log4j2 Remote Code Execution Vulnerability (aka Log4Shell). Source: Microsoft

The following four vulnerabilities have the same source: Microsoft

CVE-2021-26855 (9.1 critical; NVD 9.8, in CISA's KEV Catalog) Microsoft Exchange Server Remote Code Execution Vulnerability (aka ProxyLogon)
CVE-2021-26857 (7.8 high, in CISA's KEV Catalog) Microsoft Exchange Server Remote Code Execution Vulnerability (aka ProxyLogon)
CVE-2021-26858 (7.8 high, in CISA's KEV Catalog) Microsoft Exchange Server Remote Code Execution Vulnerability (aka ProxyLogon)
CVE-2021-27065 (7.8 high, in CISA's KEV Catalog) Microsoft Exchange Server Remote Code Execution Vulnerability (aka ProxyLogon)

Tactics, Techniques, and Procedures

Mapped to MITRE ATT&CK

Known Tools Used

External link: MITRE

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2025

January 17, 2025:
- U.S. State Department: U.S. Takes Action Against PRC-Linked Cyber Actors for Treasury Hack and Salt Typhoon
- U.S. Treasury: Treasury Sanctions Company Associated with Salt Typhoon and Hacker Associated with Treasury Compromise (ATTRIBUTION)
January 10, 2025 – CNN: Chinese hackers breached US government office that assesses foreign investments for national security risks (news article)
January 08, 2025 – Bloomberg: White House Rushes to Finish Cyber Order After China Hacks (news article)
January 06, 2025 – CISA: CISA Update on Treasury Breach (news article)
January 01, 2025 – Washington Post: Treasury’s sanctions office hacked by Chinese government, officials say (news article)

2024

December 30, 2024 – New York Times: China Hacked Treasury Dept. in ‘Major’ Breach, U.S. Says (news article)

2022

April 12, 2022 – Microsoft: Tarrask malware uses scheduled tasks for defense evasion

2021

December 11, 2021 – Microsoft: Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability
August 19, 2021 – National Counterintelligence and Security Center: HAFNIUM Compromises MS Exchange Servers (PDF)
July 19, 2021:
- U.S. White House: The United States, Joined by Allies and Partners, Attributes Malicious Cyber Activity and Irresponsible State Behavior to the People’s Republic of China
- CISA: Mitigate Microsoft Exchange Server Vulnerabilities (ATTRIBUTION)
- UK Government: UK and allies hold Chinese state responsible for a pervasive pattern of hacking
- NCSC-UK: UK and allies hold Chinese state responsible for pervasive pattern of hacking
April 13, 2021 – U.S. Department of Justice: Justice Department Announces Court-Authorized Effort to Disrupt Exploitation of Microsoft Exchange Server Vulnerabilities
March 23, 2021 – Rapid7: Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange
March 11, 2021 – ShadowServer: Shadowserver Special Reports – HAFNIUM Exchange Victims
March 10, 2021 – FBI: Compromise of Microsoft Exchange Server (PDF)
March 04, 2021 – FireEye: Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities
March 02, 2021:
- Microsoft: New nation-state cyberattacks
- Microsoft: HAFNIUM targeting Exchange Servers with 0-day exploits
- Volexity: Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities

Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat

CTI Report Template

January 10, 2025

This is a variation of Kraven Security's Cyber Threat Intelligence Report Template which contains great information already but I added my own preferences. Feel free to use this however you'd like.

Report: # Date: Priority: Low/Moderate/High/Critical Source and Reliability Information: Admiralty Scale Score [A-F][1-6] Sensitivity: Traffic Light Protocol

Executive Summary
Key Takeaways
Intelligence Assessment
Key Intelligence Gaps
Indicators of Compromise (IOCs)
MITRE ATT&CK Techniques
Detection Opportunities
Appendices
- Probability Matrix
- Priority Matrix
- Source Reliability and Information Credibility
- Confidence Levels
- Feedback Contacts
- Definitions and Acronyms

1. Executive Summary

A brief summary of the report. It should explain the report's significance, create a simple, easy-to-follow narrative of its key findings, and support a single decision. The reader should be able to make an informed decision based entirely on this summary. Aim to answer the following questions concisely:

What intelligence requirement(s) has this report fulfilled?
Why is this report relevant to the organization?
What is the biggest takeaway?
What new intelligence has been provided?
Does this report support or contradict existing assumptions, security initiatives, or objectives?

2. Key Takeaways

A bulleted list of the key findings from this report. Aim to answer the following questions:

Who is this report for?
Where was the data collected (source)?
Who was the attacker?
Who was the victim?
Why does this report matter to the target audience?
What is the main takeaway from this report?

This bulleted list is followed by a table summarizing key intelligence and a general analysis of the threat the report discusses using the Diamond Model. This allows key intelligence metrics to be easily identified and visualized.

Intelligence Requirements Addressed	Citation of the IR addressed by this report
Data Sources
Threat Actor	Primary threat actor (and aliases) or N/A or Unknown
Victim Location	Country of victim
Sectors	Industry targeted
Motivation	Cybercrime / Espionage / Hacktivism / Ransomware / ICS / Other / Unknown

Diamond Model

Capabilities	Adversary	Infrastructure	Victim
MITRE technique, malware, hacking tool	Threat Actor, alias, email address, persona	IP address, domain name, URL, C2 server	company, workstation/server name, email address

3. Intelligence Assessment

This section should include:

A call to action, recommendation, or judgment: This threat (e.g., activity, threat actor, malware, etc.) demonstrates X and could potentially impact us. Therefore, we should do Y.
Any new information: This threat has a new tool, capability, TTP, etc. Key evidence: The threat has the following characteristics that uniquely distinguish it.
Estimative language (see Probability Matrix): “I assess with a level of certainty that < judgment> will impact us .”
Background information: Any relevant background information about the threat actor, malware, TTP, etc., to give context to this new assessment.
Relations to your organization: How does this threat relate to your organization? Does it target your country or sector? Does it target vulnerabilities in the systems or technologies you use? Does it relate to any previous security incidents or detections?

This section should include a kill chain analysis technique like Lockheed Martin’s Cyber Kill Chain. List the IOCs or TTPs found at each stage of the attack to create an attack narrative for the reader. The security operations team can then use this to identify possible mitigations or gaps.

Cyber Kill Chain

S1: Reconnaissance
S2: Weaponization
S3: Delivery
S4: Exploitation
S5: Installation
S6: Command & Control
S7: Actions on Objective

4. Key Intelligence Gaps

A bulleted list that summarizes additional information the CTI team needs to complete their analysis and raise the confidence of the assessment. You should highlight gaps affecting the assessment, such as if new information is discovered or existing information is proven wrong.

These gaps should be tracked externally from the report using a project/task management system.

5. Indicators of Compromise (IOCs)

This section consists of IOCs found on endpoint devices (workstations, servers, mobile devices), in network logs, related malware, and any vulnerabilities relevant to the threat being discussed.

Endpoint Artifact: Endpoint Artifact, Type, Description, Tactic
Network Artifacts: Network Artifact, Type, Description, Kill Chain Stage (first observed, last observed)
Malware: Malware, Hash Type, File Hash, Description, Malware Analysis Report, Kill Chain Stage
Common Vulnerabilities and Exposures (CVEs): CVE ID, CVSS (include version) Score, Patch Available (Y/N), Remediation, Date Reported, Patch Applied (Y/N/ N/A)
MITRE ATT&CK Techniques: Tactic, Technique, Procedure, D3FEND, Security Control
Detection Opportunities: Rule/Query, Name, Type, Description, Reference (source)

6. Appendices

Probability Matrix

almost no chance	very unlikely	unlikely	roughly even chance	likely	very likely	almost certain(ly)
remote	highly improbable	improbable	roughly even odds	probable (probably)	highly probable	nearly certain
01-05%	05-20%	20-45%	45-55%	55-80%	80-95%	95-99%

Analysts are strongly encouraged not to mix terms from different rows. Products that do mix terms must include a disclaimer clearly noting the terms indicate the same assessment of probability.

To avoid confusion, products that express an analyst's confidence in an assessment or judgment using a “confidence level” (e.g., “high confidence”) must not combine a confidence level and a degree of likelihood, which refers to an event or development, in the same sentence.

Priority Matrix

You should assign each report a priority based on its impact on your organization. The following table describes four general priority levels you can assign to a report.

Low: The threat requires regular monitoring and should be addressed when possible.
Moderate: The threat needs to be monitored closely and addressed.
High: The threat needs to be addressed quickly and monitored.
Critical: Immediate action is required.

Source and Information Reliability

Each report should include an evaluation of source reliability. An industry standard is the Admiralty Scale, developed by NATO. This scale scores source reliability on a scale of A-F and information credibility on a scale of 1-6. Attaching an appendix that describes this to the reader provides clarity.

Source Reliability (A-F)

A (Completely reliable): The source has a history of consistently providing accurate information.
B (Usually reliable): Most of the time, the source provides accurate information.
C (Fairly reliable): The source has provided accurate information on occasion.
D (Not usually reliable): The source has provided accurate information infrequently.
E (Unreliable): The source has rarely or never provided accurate information.
F (Reliability cannot be judged): The source’s reliability is unknown or untested.

Information Credibility (1-6)

1 (Confirmed): Other independent sources have confirmed the information.
2 (Probably true): The information is likely true but has not been confirmed.
3 (Possibly true): The information might be true, but it is unconfirmed.
4 (Doubtful): The information is unlikely to be true.
5 (Improbable): The information is very unlikely to be true.
6 (Cannot be judged): The credibility of the information cannot be assessed.

Confidence Levels

High: Good quality of information, evidence from multiple collection capabilities, possible to make a clear judgment.
Moderate: Evidence is open to a number of interpretations, or is credible and plausible but lacks correlation.
Low: Fragmentary information, or from collection capabilities of dubious reliability.

Sensitivity Matrix

Each report should attach a sensitivity level as defined by your organization’s data protection policy. This ensures data is handled appropriately and only shared with appropriate personnel. Attaching an appendix that describes this to the reader provides clarity.

TLP:RED: For the eyes and ears of individual recipients only, no further disclosure. Sources may use TLP:RED when information cannot be effectively acted upon without significant risk for the privacy, reputation, or operations of the organizations involved. Recipients may therefore not share TLP:RED information with anyone else. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting
TLP:AMBER: Limited disclosure, recipients can only spread this on a need-to-know basis within their organization and its clients. Note that TLP:AMBER+STRICT restricts sharing to the organization only. Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risk to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may share TLP:AMBER information with members of their own organization and its clients, but only on a need-to-know basis to protect their organization and its clients and prevent further harm. Note: If the source wants to restrict sharing to the organization only, they must specify TLP:AMBER+STRICT.
TLP:GREEN: Limited disclosure, recipients can spread this within their community. Sources may use TLP:GREEN when information is useful to increase awareness within their wider community. Recipients may share TLP:GREEN information with peers and partner organizations within their community, but not via publicly accessible channels. TLP:GREEN information may not be shared outside of the community. Note: When “community” is not defined, assume the cybersecurity/cyber defense community.
TLP:CLEAR: Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.

Feedback Contacts

Provide a point of contact where the intelligence consumer can direct their feedback once the intelligence report has been published. This will help the CTI team improve future reports, ensure intelligence requirements are being met, and maintain communication channels.

Definitions and Acronyms

A list of key terms and acronyms used throughout the report. This lets the reader understand how the CTI team defines a particular technical term.

Andariel

December 28, 2024

Country: Democratic People's Republic of Korea (DPRK) Organization: Lab 110, 3rd Bureau of the Reconnaissance General Bureau (RGB) Objective: Espionage, Ransomware (Page last updated December 27, 2024)

Aliases:

Andariel (Cisco Talos, ESET, ETDA, Kaspersky, Lazarusholic, MITRE, Trend Micro, Wikipedia)
APT45 (Mandiant)
Clasiopa (Symantec)
DarkSeoul (McAfee)
Jumpy Pisces (Unit 42)
Nickel Hyatt (Secureworks)
Onyx Sleet (Microsoft)
PLUTONIUM (previously used by Microsoft)
Silent Chollima (CrowdStrike, Malpedia)
Stonefly (Symantec)
TA430 (Proofpoint)

Connections to other groups:

Storm-0530 (Microsoft) (previously tracked as DEV-0530)

Identified Members

Rim Jong Hyok:
- FBI Most Wanted
- Rewards for Justice

Vulnerabilities Exploited

CVE-2023-42793 (9.8 critical, in CISA's KEV Catalog) JetBrains TeamCity Authentication Bypass Vulnerability Source: Microsoft

The following five vulnerabilities have Microsoft as their source:

CVE-2023-46604 (Vendor 10.0/ NVD 9.8 critical, in CISA's KEV Catalog) Apache ActiveMQ Deserialization of Untrusted Data Vulnerability
CVE-2023-22515 (Vendor 10.0/ NVD 9.8 critical, in CISA's KEV Catalog) Atlassian Confluence Data Center and Server Broken Access Control Vulnerability
CVE-2023-46604 (Vendor 10.0/ NVD 9.8 critical, in CISA's KEV Catalog) Apache ActiveMQ Deserialization of Untrusted Data Vulnerability Other sources: ASEC
CVE-2023-27350 (9.8 critical, in CISA's KEV Catalog) PaperCut MF/NG Improper Access Control Vulnerability
CVE-2021-44228 (10.0 critical, in CISA's KEV Catalog) Apache Log4j2 Remote Code Execution Vulnerability (aka Log4Shell) Other sources: ASEC, CISA, Cisco Talos

Tactics, Techniques, and Procedures

Mapped to MITRE ATT&CK

Known Tools Used

External link: MITRE

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2024

December 23, 2024 – ASEC: Andariel 그룹의 국내 솔루션 대상 공격 사례 분석 (SmallTiger) (Korean language; English translated title: “Analysis of Attack Cases Targeting Domestic Solutions of Andariel Group (SmallTiger)”)
November 04, 2024 – Vlad Pasca: Recent Keylogger Attributed to North Korean Group Andariel Analyzed Through A Hybrid Analysis Perspective
October 30, 2024 – Unit 42: Jumpy Pisces Engages in Play Ransomware
October 16, 2024 – KrCERT/CC: TTPs #11: Operation An Octopus – 중앙 집중형 관리 솔루션을 노리는 공격전략 분석 (Korean language; English translated title: “TTPs #11: Operation An Octopus – Analysis of attack strategies targeting centralized management solutions”)
October 02, 2024 – Symantec: Stonefly: Extortion Attacks Continue Against U.S. Targets
August 05, 2024 – National Cyber Security Center of Korea (NCSC): 북한 해킹조직의 건설ㆍ기계 분야 기술절취 주의 (Korean language, PDF; English translated title: “Beware of North Korean hacking organizations stealing construction and machinery technology”)
July 25, 2024:
- U.S. State Department: Rewards for Justice – Reward Offer for Information on North Korean Malicious Cyber Actor Targeting U.S. Critical Infrastructure
- U.S. Department of Justice: North Korean Government Hacker Charged for Involvement in Ransomware Attacks Targeting U.S. Hospitals and Health Care Providers (ATTRIBUTION)
- CISA: North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs (available as PDF, links Clasiopa to Andariel)
- NCSC-UK: NCSC and partners issue warning over North Korean state-sponsored cyber campaign to steal military and nuclear secrets
- Microsoft: Onyx Sleet uses array of malware to gather intelligence for North Korea
- Mandiant: APT45: North Korea’s Digital Military Machine
June 24, 2024 – ASEC: Xctdoor Malware Used in Attacks Against Korean Companies (Andariel)
May 27, 2024 – ASEC: SmallTiger Malware Used in Attacks Against South Korean Businesses (Kimsuky and Andariel)
May 16, 2024 – ASEC: Analysis of APT Attack Cases Using Dora RAT Against Korean Companies (Andariel Group)
April 23, 2024 – Korean National Police Agency: 경찰청·방위사업청 등 관계기관 합동 특별점검을 통해 북한의 케이(K)-방산업체 해킹 공격 규명 및 보호조치 실시 (Korean language; English translated title: “Investigation of North Korea's K-Defense Industry Hacking Attacks and Implementation of Protective Measures through Joint Special Inspection by Related Agencies including the National Police Agency and Defense Acquisition Program Administration”)
March 11, 2024 – ASEC: Andariel Group Exploiting Korean Asset Management Solutions (MeshAgent)

2023

December 11, 2023 – Cisco Talos: Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang
December 05, 2023 – SecurityScorecard: North Korean State-Sponsored Cyber Attack: Unveiling the Intricacies of Threat Actor Group Andariel (PDF)
December 04, 2023 – Seoul Metropolitan Police: 北 해킹조직‘안다리엘’평양發 해킹공격으로 방산기술 탈취, 북한으로 랜섬웨어 수익금 송금 (Korean Language; English translated title: “North Korean hacking group 'Andariel' steals defense technology through hacking attacks from Pyongyang, sends ransomware profits to North Korea”)
November 17, 2023 – ASEC: Circumstances of the Andariel Group Exploiting an Apache ActiveMQ Vulnerability (CVE-2023-46604)
November 10, 2023 – ASEC: Circumstances of an Attack Exploiting an Asset Management Program (Andariel Group)
October 18, 2023 – Microsoft: Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability
September 12, 2023 – Qihoo360: APT-C-26（Lazarus）组织使用EarlyRat的攻击活动分析 (Chinese language; English translated title: “Analysis of the APT-C-26 (Lazarus) group’s attack activities using EarlyRat”)
September 01, 2023 – Ministry of Foreign Affairs of Japan: 北朝鮮の核その他の大量破壊兵器及び弾道ミサイル関連計画その他の北朝鮮に関連する国際連合安全保障理事会決議により禁止された活動等に関与する者に対する資産凍結等の措置の対象者の追加について (Japanese language; English translated title: “Addition of persons subject to asset freeze and other measures for those involved in North Korea's nuclear and other weapons of mass destruction and ballistic missile-related programs and other activities prohibited by United Nations Security Council resolutions related to North Korea”)
August 22, 2023 – ASEC: Analysis of Andariel’s New Attack Activities
June 28, 2023 – Kaspersky: Andariel’s silly mistakes and a new malware family
May 16, 2023 – Deutsche Cyber- Sicherheitsorganisation (DCSO): Andariel’s “Jupiter” malware and the case of the curious C2
May 09, 2023 – ESET Research: APT Activity Report Q4 2022—Q1 2023 LAZARUS EXTENDS TARGETING TO ALL MAJOR DESKTOP OSes (PDF)
February 23, 2023 – Symantec: Clasiopa: New Group Targets Materials Research
February 15, 2023 – ASEC: Distribution of Malware Exploiting Vulnerable Innorix: Andariel

2022

August 09, 2022 – Kaspersky: Andariel deploys DTrack and Maui ransomware
July 07, 2022 – CISA: North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector
June 03, 2022 – ASEC: 한국에서만 활동하는 안다리엘 그룹, 지난 2년간의 행적 (Korean Language; English translation: Andariel Group, active only in Korea, the past two years)
May 11, 2022 – ASEC: Lazarus Group Exploiting Log4Shell Vulnerability (NukeSped)
April 27, 2022 – Symantec: Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets
March 23, 2022 – Mandiant: Not So Lazarus: Mapping DPRK Cyber Threat Groups to Government Organizations (ATTRIBUTION)

2021

June 15, 2021 – Kaspersky: Andariel evolves to target South Korea with ransomware
April 19, 2021 – Malwarebytes: Lazarus APT conceals malicious code within BMP image to drop its RAT
March 25, 2021 – U.S. Department of Health and Human Serivces (HHS): North Korean Cyber Activity (PDF)

2020

May 12, 2020 – CISA: MAR-10288834-3.v1 – North Korean Trojan: PEBBLEDASH (Malware Analysis)
February 19, 2020 – LEXFO: The Lazarus Constellation: A study on North Korean malware (PDF)

2019

September 13, 2019 – U.S. Treasury: Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups (ATTRIBUTION)

2018

July 16, 2018 – Trend Micro: New Andariel Reconnaissance Tactics Uncovered
June 23, 2018: ASEC: Full Discloser of Andariel, A Subgroup of Lazarus Threat Group. (dead link)
May 23, 2018 – ASEC: Andariel Group 동향 보고서 (PDF, Korean language; English translated title: “Andariel Group Trend Report”)

2017

August 04, 2017 – Black Hat Europe 2017 (Chi-en (Ashley) Shen & Kyoung-ju Kwak & Min-Chang Jang): Nation-State Moneymule's Hunting Season: APT Attacks Targeting Financial Institutions (PDF)
July 26, 2017 – Financial Security Institute (FSI): Campaign Rifle – Andariel, the Maiden of Anguish (DOCX file)
- See related S2W: Campaign Rifle: Andariel, The Maiden of Anguish (July 26, 2021)
February 12, 2017 – BAE Systems: Lazarus & Watering-hole attacks

2015

November 20, 2015 – Global Information Assurance Certification (GIAC): Tracing the Lineage of DarkSeoul (PDF)
November 18, 2015 – Unit 42: TDrop2 Attacks Suggest Dark Seoul Attackers Return

2013

July 08, 2013 – McAfee: Dissecting Operation Troy: Cyberespionage in South Korea (PDF, archive of dead link)

Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat

Patch Tuesday

December 26, 2024

Here's a handy resource: A list of vendor security advisories, sorted by Patch Tuesday schedule (if they adhere to it). This is not a complete or definitive list, but it's better than nothing. I also don't worry about all of the listed vendors, and didn't include ones who don't even have a portal/landing page for security advisories. I'll try to keep the page updated when I add more vendors, or know that their link changed. (Ideally you'd be monitoring these on your own using RSS). Visit the Vendor Verbiage page to figure out what was publicly disclosed or exploited.

Page last updated: December 25, 2024.

First Monday of the month

Android: https://source.android.com/docs/security/bulletin

First Weekday of the month

Qualcomm: https://docs.qualcomm.com/product/publicresources/securitybulletin

Second Tuesday of the month

Preferred on (second Tuesday) of the month (but whenever)

Arm: link shortened for length reasons
Cisco: https://sec.cloudapps.cisco.com/security/center/publicationListing.x
Google Chrome: https://chromereleases.googleblog.com/

Third Tuesday of the month

Atlassian: https://www.atlassian.com/trust/security/advisories

Quarterly

Oracle (third Tuesday of January, April, July, and October): https://www.oracle.com/security-alerts/
Splunk: https://advisory.splunk.com/

Regular Schedule? LOL

AMD: https://www.amd.com/en/resources/product-security.html
Apple: https://support.apple.com/en-us/100100
Citrix: https://support.citrix.com/s/topic/0TO4z0000001GYdGAM/security-bulletin?language=en_US
Dell: https://www.dell.com/support/security/en-us
Draytek: https://www.draytek.com/about/security-advisory/
Elastic: https://discuss.elastic.co/c/announcements/security-announcements/31?ascending=false&order=activity
GitLab: https://about.gitlab.com/releases/categories/releases/
Jenkins: https://www.jenkins.io/security/advisories/
JetBrains: https://www.jetbrains.com/privacy-security/issues-fixed/
Juniper: https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sort=relevancy&f:ctype=[Security%20Advisories]
Mozilla: https://www.mozilla.org/en-US/security/advisories/
Okta: https://trust.okta.com/security-advisories/
Palo Alto Networks: https://security.paloaltonetworks.com/
Red Hat: https://access.redhat.com/security/security-updates/security-advisories
Rockwell Automation: https://www.rockwellautomation.com/en-us/trust-center/security-advisories.html
SolarWinds: https://www.solarwinds.com/trust-center/security-advisories
SonicWall: https://psirt.global.sonicwall.com/vuln-list
VMware: https://support.broadcom.com/web/ecx/security-advisory?
Zimbra: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

Patching? LMAO

D-Link: https://supportannouncement.us.dlink.com/

Vendor Verbiage

December 23, 2024

Software vendors make it extremely difficult (by design) to understand when a vulnerability affecting their product is either publicly known (proof of concept) or exploited in the wild (possibly as a zero-day). Everyone's language is different from each other. I have compiled a list of messages (sorted by vendor name) from official security advisories that either imply or explicitly state proof of concept or evidence of exploitation. I have included a link and date for reference, in case these vendors change their verbiage in the future. Pair this with the Patch Tuesday post.

Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat

A

Adobe:

Proof of Concept: “Adobe is aware that CVE-2024-53961 has a known proof-of-concept...” Link (December 23, 2024)
Exploited in the Wild:
- “Adobe is aware that CVE-2023-29298 has been exploited in the wild in limited attacks targeting Adobe ColdFusion.” Link (July 19, 2023)
- “As of September 28, Adobe is aware of a report that CVE-2018-15961 is being actively exploited in the wild.” Link (September 28, 2018)
- “Adobe is aware that CVE-2024-34102 has been exploited in the wild in limited attacks targeting Adobe Commerce merchants.” (Link: June 26, 2024)

Apple:

Exploited in the wild:
- “Apple is aware of a report that this issue may have been exploited.” (Link: January 22, 2024)
- “Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.” (Link: November 19, 2024)

Arm:

Exploited in the Wild:
- “Arm is aware of reports of this vulnerability being exploited in the wild.” (Link: June 07, 2024)
- “There is evidence that this vulnerability may be under limited, targeted exploitation.” (Link: October 02, 2023)

Atlassian:

Exploited in the Wild:
- “Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.” “UPDATE: We have evidence to suggest that a known nation-state actor is actively exploiting CVE-2023-22515 and continue to work closely with our partners and customers to investigate.” (Link: October 05, 2023)
- “As part of Atlassian's ongoing monitoring and investigation of this CVE, we observed several active exploits and reports of threat actors using ransomware.” (Link: November 06, 2023)
- “Atlassian is aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server.” (Link: June 03, 2022)

B

Barracuda:

Exploited in the Wild:
- “Based on our investigation to date, we’ve identified that the vulnerability resulted in unauthorized access to a subset of email gateway appliances.” (Link: May 23, 2023)
- “Earliest identified evidence of exploitation of CVE-2023-2868 is currently October 2022.” (Link: May 30, 2023)
- ”...including that exploitation occurred on a subset of compromised Barracuda Email Security Gateway (ESG) appliances by an aggressive and highly skilled actor conducting targeted activity...” (Link: June 15, 2023)

C

Check Point:

Exploited in the Wild:
- “Following our security update on May 27, 2024, Check Point's dedicated task force continues investigating attempts to gain unauthorized access to VPN products used by our customers. On May 28, 2024 we discovered a vulnerability in Security Gateways with IPsec VPN in Remote Access VPN community and the Mobile Access software blade (CVE-2024-24919). Exploiting this vulnerability can result in accessing sensitive information on the Security Gateway.” (Link: May 29, 2024)
- “Yesterday (May 27, 2024) we delivered a solution that addresses attempts we saw on a small number of customers’ VPN remote access networks as referenced below. Today, we found the root cause for these and are now releasing a fix.” (Link: May 28, 2024)

Cisco:

Proof of Concept: “The Cisco PSIRT is aware that proof-of-concept exploit code is available for the vulnerability that is described in this advisory.” (Link: September 04, 2024)
Exploited in the Wild:
- “Cisco is aware of active exploitation of these vulnerabilities.” (Link: October 16, 2023)
- “The Cisco Product Security Incident Response Team (PSIRT) is aware of malicious use of the vulnerability that is described in this advisory.” (Link: October 23, 2024)
- “In November 2024, the Cisco Product Security Incident Response Team (PSIRT) became aware of additional attempted exploitation of this vulnerability in the wild.” (Link: December 02, 2024)

Citrix:

Exploited in the Wild:
- “Exploits of these CVEs on unmitigated appliances have been observed.” (Link: January 16, 2024)
- “Exploits of CVE-2023-3519 on unmitigated appliances have been observed.” (Link: July 18, 2023)
- “We are aware of a small number of targeted attacks in the wild using this vulnerability” (Link: June 07, 2023)

D

D-Link:

Proof of Concept:
- “0-day Vulnerability” (Link: September 06, 2022)
- “On May 15th, 2024, a 3rd party security researcher, publically 0-day disclosed the D-Link Router DIR-X4860 (firmware ver. 1.04b03) with potential vulnerabilities.” (Link: May 16, 2024)

E

F

F5:

Exploited in the Wild:
- “F5 has observed threat actors using this vulnerability to exploit CVE-2023-46748.” (Link: October 30, 2023)
- “This information is based on the evidence F5 has seen on compromised devices, which appear to be reliable indicators.” (Link: October 30, 2023)

Fortinet:

Exploited in the Wild:
- “Reports have shown this vulnerability to be exploited in the wild.” (Link: November 27, 2024)
- “Note: This is potentially being exploited in the wild.” (Link: February 08, 2024)
- “A third-party report is indicating this may be exploited in the wild.” (Link: October 11, 2024)

G

Google (Android):

Exploited in the Wild:
- “Note: There are indications that the following may be under limited, targeted exploitation.” (Link: November 04, 2024)
- “Note: There are indications that CVE-2024-36971 may be under limited, targeted exploitation.” (Link: August 05, 2024)

Google (Chrome):

Exploited in the Wild:
- “Google is aware of reports that an exploit for CVE-2024-0519 exists in the wild.” (Link: January 16, 2024)
- “Updated on 26 August 2024 to reflect the in the wild exploitation of CVE-2024-7965 which was reported after this release.” (Link: August 26, 2024)

H

I

Ivanti:

Proof of Concept: “However, a Proof of Concept is publicly available...” (Link: August 12, 2024)
Exploited in the Wild:
- “We are aware of a limited number of customers’ Ivanti Connect Secure appliances being exploited by CVE-2025-0282 at the time of disclosure.” (Link: January 08, 2025)
- “We are aware of a limited number of customers running CSA 4.6 patch 518 and prior who have been exploited when CVE-2024-9379 or CVE-2024-9380 are chained with CVE-2024-8963” (Link: October 08, 2024)
- ”...at time of disclosure we were aware of a limited number of customers impacted by CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893.” “We are aware of less than 20 customers impacted by the vulnerabilities prior to public disclosure.” (Link: January 10, 2024)

J

JetBrains:

Exploited in the Wild:
- “On October 17, 2023, the Microsoft Threat Intelligence Center team reached out to JetBrains to inform us they have observed multiple North Korean nation-state threat actors actively exploiting the CVE-2023-42793 vulnerability since early October 2023.” (Link: October 18, 2023)
- “On December 13, 2023 the Cybersecurity & Infrastructure Security Agency of the U.S. Department of Homeland Security (CISA) released a public advisory, in which they shared new ways in which this vulnerability (CVE-2023-42793) has been exploited by Russian nation-state threat actors as of September 2023.” (Link: December 14, 2023)
- “Customer A ... Believed they were impacted by the CVE-2024-27198 vulnerability.” “They noticed several unauthorized admin accounts created on the server.” “Their TeamCity environment had been compromised through the recent vulnerabilities.” “Several unknown user accounts had been created on their TeamCity server.” (Link: March 11, 2024)

Juniper:

Proof of Concept: “However, a proof-of-concept exploit does exist in the wild.” (Link: June 28, 2021)
Exploited in the Wild: “Juniper SIRT is aware of successful malicious exploitation of these vulnerabilities.” (Link: November 08, 2023)

K

L

M

Microsoft:

Proof of Concept: “Publicly disclosed: Yes” (Link: December 10, 2024)
Exploited in the Wild: “Exploited: Yes” ; “Exploitability assessment: Exploitation Detected” (Link: December 10, 2024)

Mozilla Foundation:

Exploited in the Wild:
- “We have had reports of this vulnerability being exploited in the wild.” (Link: October 09, 2024)
- “An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows.” (Link: November 30, 2016)

N

O

Oracle:

Exploited in the Wild: “It was reported as being actively exploited “in the wild” by CrowdStrike.” (Link: November 18, 2024)

P

Palo Alto Networks:

Proof of Concept:
- “We are aware of a publicly available conference talk and blog posts discussing this issue. A proof of concept for this issue is also publicly available.” (Link: November 25, 2024)
- “However, a proof of concept for this issue is publicly available.” (Link: October 09, 2024)
- “Proof of concepts for this vulnerability have been publicly disclosed by third parties.” (Link: April 29, 2024)
Exploited in the Wild:
- “Palo Alto Networks is aware of customers experiencing this denial of service (DoS) when their firewall blocks malicious DNS packets that trigger this issue.” (Link: December 26, 2024)
- “Palo Alto Networks is aware of an increasing number of attacks that leverage the exploitation of this vulnerability.” (Link: November 18, 2024)
- “Palo Alto Networks is aware of an increasing number of attacks that leverage the exploitation of this vulnerability.” (Link: April 29, 2024)
- “Palo Alto Networks recently learned that an attempted reflected denial-of-service (RDoS) attack was identified by a service provider. This attempted attack took advantage of susceptible firewalls from multiple vendors, including Palo Alto Networks.” (Link: August 10, 2022)

PaperCut:

Exploited in the Wild: “We have evidence to suggest that unpatched servers are being exploited in the wild.” “PaperCut received our first report from a customer of suspicious activity on their PaperCut server on the 18th April at 03:30 AEST / 17th April 17:30 UTC.” (Link: April 18, 2023)

Progress Software (MOVEit):

Exploited in the Wild: “NOTE: this is exploited in the wild in May and June 2023” (Link: June 16, 2023)

Q

Qlik:

Exploited in the Wild: “Qlik has received reports that this vulnerability may be being used by malicious actors.” (Link: May 15, 2024)

QNAP:

Exploited in the Wild: “QNAP detected a new DeadBolt ransomware campaign on the morning of September 3rd, 2022 (GMT+8). The campaign appears to target QNAP NAS devices running Photo Station with internet exposure.” (Link: September 03, 2022)

Qualcomm:

Exploited in the Wild: “There are indications from Google Threat Analysis Group that CVE-2024-43047 may be under limited, targeted exploitation.” (Link: October 07, 2024)

R

S

SolarWinds:

Exploited in the Wild: “This is being exploited in the wild.” (Link: June 06, 2024)

SonicWall:

Proof of Concept: “SonicWall PSIRT is aware that a proof of concept (PoC) exploit for this vulnerabilities is publicly available” (Link: September 27, 2024)
Exploited in the Wild: “This vulnerability is potentially being exploited in the wild.” (Link: September 06, 2024)

Sophos:

Exploited in the Wild:
- “Sophos has observed this vulnerability being used in the wild.” (Link: October 20, 2022)
- “In December 2023, we delivered an updated fix after identifying new exploit attempts against this same vulnerability in older, unsupported versions of the Sophos Firewall.” (Link: December 11, 2023)

SysAid:

Exploited in the Wild: “The investigation determined that there was a zero-day vulnerability in the SysAid on-premises software.”“The vulnerability was exploited by a group known as DEV-0950 (Lace Tempest), as identified by the Microsoft Threat Intelligence team.” (Link: November 08, 2023)

T

TP-Link:

Exploited in the Wild: “TP-Link is aware of reports that the Remote Code Execution (REC) vulnerability detailed in CVE-2023-1389 in AX21 has been added to the Mirai botnet Arsenal.” (Link: April 27, 2023)

Trend Micro:

Exploited in the Wild: “ITW Alert: Trend Micro has observed at least one active attempt of potential exploitation of this vulnerability in the wild.” (Link: September 13, 2022)

U

V

Veritas:

Exploited in the Wild: “March 2023: A known exploit is available in the wild for the vulnerabilities below and could be used as part of a ransomware attack.” (Link: March ?? 2023)

Versa:

Proof of Concept: “A proof of concept exists in the lab environment.” (Link: September 20, 2024)
Exploited in the Wild: “This vulnerability has been exploited in at least one known instance by an Advanced Persistent Threat actor.” (Link: August 26, 2024)

VMware (Broadcom):

Proof of Concept: “VMware has confirmed that exploit code leveraging CVE-2021-39144 against impacted products has been published.” (Link: October 27, 2022)
Exploited in the Wild:
- “VMware by Broadcom confirmed that exploitation has occurred in the wild for CVE-2024-38812.” (Link: November 18, 2024) (Link: August 26, 2024)
- “VMware has confirmed that exploitation of CVE-2023-20887 has occurred in the wild.” (Link: June 20, 2023)

W

X

Y

Z

Zimbra:

Exploited in the Wild: “Important: This vulnerability has been actively exploited, making it imperative to take immediate action.” (Link: July 13, 2023)

Zoho (ManageEngine):

Proof of Concept: “The exploit POC for the above vulnerability is available in public.” (Link: July 19, 2022)

Zyxel:

Exploited in the Wild: “Zyxel is aware of recent attempts by threat actors to target Zyxel firewalls through previously disclosed vulnerabilities” (Link: November 27, 2024)

Gamaredon

December 8, 2024

Country: Russia Organization: Federal Security Service (FSB) Center 16 and 18 Objective: Information Theft, Espionage Page last updated: December 12, 2024

Aliases:

ACTINIUM (formerly used by Microsoft)
ARMAGEDON [sic] (Security Service of Ukraine (SSU))
Aqua Blizzard (Microsoft)
BlueAlpha (Recorded Future)
Blue Otso (PwC)
Gamaredon (Gamaredon Group) (Anomali, BlackBerry, CERT-EU, ESET, ETDA, Fortinet, Intezer, Malpedia, MITRE, Trend Micro, Wikipedia, Yoroi)
IRON TILDEN (Secureworks)
Primitive Bear (CISA, Palo Alto Networks)
Shuckworm (Symantec)
STEADY#URSA (Securonix)
Trident Ursa (Unit 42)
UAC-0010 (CERT-UA)

Links to Other Groups

InivisiMole (ESET)

Identified Members

Sources: SSU, European Union

Sklianko Oleksandr Mykolaiovych (Deputy Chief, 4th Section of the Counterintelligence Operations Service (SCO), FSB Department in occupied Crimea and Sevastopol)
Chernykh Mykola Serhiiovych (Head of the unit identified as responsible for conducting Gamaredon operations, 4th Section of the SCO, FSB Department in occupied Crimea and Sevastopol)
Starchenko Anton Oleksandrovych (Officer within the unit identified as responsible for conducting Gamaredon operations, 4th Section of the SCO, FSB Department in occupied Crimea and Sevastopol)
Miroshnychenko Oleksandr Valeriiovych (Officer within the unit identified as responsible for conducting Gamaredon operations, 4th Section of the SCO, FSB Department in occupied Crimea and Sevastopol) ▪ Sushchenko Oleh Oleksandrovych (Officer within the unit identified as responsible for conducting Gamaredon operations, 4th Section of the SCO, FSB Department in occupied Crimea and Sevastopol)

Vulnerabilities Exploited

CVE-2017-0199 (7.8 high, in CISA's KEV Catalog) Microsoft Office and WordPad Remote Code Execution Vulnerability (Source: BlackBerry)

Associated with InvisiMole activity: (Source: ESET)

CVE-2019-0708 (9.8 critical, in CISA's KEV Catalog) Microsoft Remote Desktop Services Remote Code Execution Vulnerability (aka BlueKeep)
CVE-2017-0144 (8.8 high, in CISA's KEV Catalog) Microsoft SMBv1 Remote Code Execution Vulnerability (aka EternalBlue)
CVE-2007-5633 (CVSSv2: 7.2 high) speedfan.sys local privilege escalation vulnerability (Bring Your Own Vulnerable Driver)

Tactics, Techniques, and Procedures

Mapped to MITRE ATT&CK Navigator Layers

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2024

December 11, 2024 – Lookout: Lookout Discovers Two Russian Android Spyware Families from Gamaredon APT
December 05, 2024 – Recorded Future: BlueAlpha Abuses Cloudflare Tunneling Service for GammaDrop Staging Infrastructure, 16 page PDF
September 26, 2024 – ESET Research: Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023, 52 page PDF
June 24, 2024 – European Union: COUNCIL DECISION (CFSP) 2024/1779 of 24 June 2024 amending Decision (CFSP) 2019/797 concerning restrictive measures against cyberattacks threatening the Union or its Member States (PDF) (ATTRIBUTION and sanctions)
February 01?, 2024: Securonix: Securonix Threat Research Security Advisory: Analysis and Detection of STEADY#URSA Attack Campaign Targeting Ukraine Military Dropping New Covert SUBTLE-PAWS PowerShell Backdoor

2023

November 17, 2023 – Check Point Research: Malware Spotlight – Into the Trash: Analyzing LitterDrifter
August 28, 2023 – National Security and Defense Council of Ukraine (RNBO): Gamaredon Activity Amid Ukraine's Counteroffensive (PDF)
July 13, 2023 – CERT-UA: Summary information on the activities of the UAC-0010 group as of July 2023
July 24, 2023 – NKSC-LT (Lithuania): Report on Cyber Lessons Learned During the War in Ukraine (PDF)
June 15, 2023 – Symantec: Shuckworm: Inside Russia's Relentless Cyber Campaign Against Ukraine
March 20, 2023 – ThreatMon: Cybergun: Technical Analysis of the Armageddon's Infostealer (PDF, archive of broken link)
March 17, 2023 – State Service of Special Communications and Information Protection of Ukraine (SSSCIP): Gamaredon carried out 74 cyberattacks against Ukraine in 2022
March 13, 2023 – ThreatMon: Beyond Bullets and Bombs: An Examination of Armageddon Group's Cyber Warfare Against Ukraine (PDF, archive of broken link)
January 24, 2023 – Trellix: Cyberattacks Targeting Ukraine Increase 20-fold at End of 2022 Fueled by Russia-linked Gamaredon Activity
January 23, 2023 – European Repository of Cyber Incidents: ADVANCED PERSISTENT THREAT profile Gamaredon (PDF)
January 19, 2023 – BlackBerry: Gamaredon (Ab)uses Telegram to Target Ukrainian Organizations
January 09, 2023 – State Cyber Protection Centre of Ukraine (SCPC): ANOTHER UAC-0010 STORY (PDF)

2022

December 20, 2022 – Unit 42: Russia's Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine
November 21, 2022 – BlackBerry: Gamaredon Leverages Microsoft Office Docs to Target Ukraine Government and Military
November 08, 2022 – CERT-UA: Cyberattack by the UAC-0010 group: sending emails supposedly on behalf of the State Service for Special Communications (CERT-UA#5570) (Ukrainian language)
September 15, 2022 – Cisco Talos: Gamaredon APT targets Ukrainian government agencies in new campaign
August 15, 2022 – Symantec: Shuckworm: Russia-Linked Group Maintains Ukraine Focus
August 10, 2022 – CERT-UA: Cyberattacks by the UAC-0010 (Armageddon) group: GammaLoad, GammaSteel malware (CERT-UA#5134) (Ukrainian language)
July 26, 2022 – CERT-UA: Cyberattacks by the UAC-0010 (Armageddon) group using the GammaLoad.PS1_v2 malware (CERT-UA#5003,5013,5069,5071) (Ukrainian language)
June 20, 2022 – Elastic: Playing defense against Gamaredon Group
May 12, 2022 – CERT-UA: Cyberattacks by the UAC-0010 (Armageddon) group using the GammaLoad.PS1_v2 malware (CERT-UA#4634,4648) (Ukrainian language)
May 12, 2022 – Cisco: Network Footprints of Gamaredon Group
April 20, 2022 – Symantec: Shuckworm: Espionage Group Continues Intense Campaign Against Ukraine
April 07, 2022 – CERT-UA: Cyberattack by the UAC-0010 (Armageddon) group on Ukrainian state organizations (CERT-UA#4434) (Ukrainian language)
April 04, 2022 – CERT-UA:
- Cyberattack by the UAC-0010 (Armageddon) group on Ukrainian state organizations (CERT-UA#4378) (Ukrainian language)
- Cyberattack by the UAC-0010 (Armageddon) group on state institutions of the European Union countries (CERT-UA#4334) (Ukrainian language)
February 04, 2022 – Microsoft: ACTINIUM targets Ukrainian organizations
February 03, 2022 – Unit 42: Russia's Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine
February 01, 2022 – CERT-UA: Cyberattack by the UAC-0010 (Armageddon) group on Ukrainian state organizations (CERT-UA#3787) (Ukrainian language)
January 31, 2022 – Symantec: Shuckworm Continues Cyber-Espionage Attacks Against Ukraine

2021

November 04, 2021 Security Service of Ukraine (SSU):
- SSU identifies FSB hackers responsible for over 5,000 cyber attacks against Ukraine (video) (ATTRIBUTION)
- Gamaredon/Armageddon Group: FSB RF cyber attacks against Ukraine (PDF)
August 21, 2019 – Fortinet: The Gamaredon Group: A TTP Profile Analysis
March 03, 2021 – CERT-UA: Renewed cyberattacks using the Pterodo missile defense system of the Armageddon/Gamaredon hacker group (Ukrainian language)
February 23, 2021 – Cisco Talos: Gamaredon – When nation states don't pay all the bills
January 27, 2021 – CERT-EE (Estonia): Gamaredon Infection: From Dropper to Entry

2020

June 18, 2020 – ESET: Digging up InvisiMole's hidden arsenal, InvisiMole: The Hidden Part of the Story. Unearthing InvisiMole's Espionage Toolset and Strategic Cooperations (Whitepaper PDF, links InvisiMole to Gamaredon)
June 11, 2020 – ESET: Gamaredon group grows its game
April 17, 2020 – Trend Micro: Gamaredon APT Group Use Covid-19 Lure in Campaigns
February 17, 2020 – Yoroi: Cyberwarfare: A deep dive into the latest Gamaredon Espionage Campaign
February 05, 2020 – SentinelOne: Pro-Russian CyberSpy Gamaredon Intensifies Ukrainian Security Targeting

2019

December 12, 2019 – Recorded Future: Operation Gamework: Infrastructure Overlaps Found Between BlueAlpha and Iranian APTs, archive of missing PDF report
December 05, 2019 – Anomali: Malicious Activity Aligning with Gamaredon TTPs Targets Ukraine
July 17, 2019 – Intezer: EvilGnome: Rare Malware Spying on Linux Desktop Users
June 04, 2019 – Yoroi: The Russian Shadow in Eastern Europe: A Month Later
April 30, 2019 – Threatbook: [Weibu Online Report] Gamaredon gang launches targeted attack on Ukrainian election (Chinese language)
April 24, 2019 – Yoroi: The Russian Shadow in Eastern Europe: Ukraininan MOD Campaign
January 07, 2019 – Vitali Kremez: Let's Learn: Deeper Dive into Gamaredon Group Pteranodon Implant Version '_512' (achieve of dead link)
February 27, 2017 – Unit 42: The Gamaredon Group Toolset Evolution

2015

April 28, 2015 – Lookingglass: Operation Armageddon: Cyber Espionage as a Strategic Component of Russian Modern Warfare (PDF, archive of a dead link)

Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat

North Korean IT Workers

November 23, 2024

Country: Democratic People's Republic of Korea (DPRK) Objective: Corporate Espionage, Financial Gain (Page Last Updated: January 23, 2025) Organizations:

313 General Bureau of the Munitions Industry Department (MID)
The Ministry of Atomic Energy Industry
Ministry of Defense
Korea People's Army
DPRK Education Commission's Foreign Trade Office
Pyongyang Information Technology Bureau of the Central Committee's Science and Education Department
Pyongyang University of Automation (training)
Technical Reconnaissance Bureau
- subordinate cyber unit: 110th Research Center
Chinyong Information Technology Cooperation Company (Chinyong)
Department 53 of The Ministry of The People’s Armed Forces
Department 53 front company Korea Osong Shipping Co (Osong)
Department 53 front company Chonsurim Trading Corporation (Chonsurim)
Liaoning China Trade Industry Co., Ltd (Liaoning China Trade)

Companies employing DPRK IT workers:

Yanbian Silverstar Network Technology Co. Ltd.
Volasys Silver Star

North Korean money laundering for DPRK IT workers:

Green Alpine Trading, LLC

Identified North Korean IT workers:

Jong Song Hwa (정성화), CEO of both Yanbian Silverstar Network Technology Co. Ltd. and Volasys Silver Star
Kim Ryu Song (김류성), president of Yanbian Silverstar
Ri Kyong Sik (리경식), president of Volasys Silver Star
Rim Un Chol (림은철), senior manager
Kim Mu Rim (김무림), senior manager
Cho Chung Pom (조충범), mid-level manager
Hyon Chol Song (현철성), mid-level manager
Son Un Chol (손은철), mid-level manager
Sok Kwang Hyok (석광혁), mid-level manager
Choe Jong Yong (최정용), IT worker
Ko Chung Sok (고충석), IT worker
Kim Ye Won (김예원), IT worker
Jong Kyong Chol (정경철), IT worker
Jang Chol Myong (장철명), IT worker

Identified individuals assisting DPRK IT workers:

Minh Phuong Vong
Matthew Isaac Knoot
Christina Marie Chapman
Oleksandr Didenko
Sim Hyon Sop (Sim)
Lu Huaying
Zhang Jian
Jong In Chol
Son Kyong Sik

Groups or Aliases:

CL-STA-0237 (Unit 42)
Nickel Tapestry (Secureworks)
UNC5267 (Mandiant)

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

Unknown Date

UK Office of Financial Sanctions Implementation HM Treasury: Advisory on North Korean IT Workers (PDF)
Republic of Korea Ministry of Foreign Affairs: Advisory on the Democratic People's Republic of Korea Information Technology Workers
Australian Government Department of Foreign Affairs and Trade: Advisory on Democratic People's Republic of Korea (DPRK) information technology (IT) workers

2025

January 23, 2025:
- U.S. Department of Justice: Two North Korean Nationals and Three Facilitators Indicted for Multi-Year Fraudulent Remote Information Technology Worker Scheme that Generated Revenue for the Democratic People’s Republic of Korea
- FBI: North Korean IT Workers Conducting Data Extortion
January 16, 2025 – U.S. Treasury: Treasury Targets IT Worker Network Generating Revenue for DPRK Weapons Programs
January 15, 2025 – Secureworks: NICKEL TAPESTRY Infrastructure Associated with Crowdfunding Scheme
January 08, 2025 – Microsoft Security: Threat Landscape Update: North Korean IT Workers, OSINT, and Remote Monitoring and Management Abuse

2024

December 17, 2024 – U.S. Treasury: Treasury Disrupts North Korean Digital Assets Money Laundering Network
December 12, 2024:
- U.S. Department of Justice: Fourteen North Korean Nationals Indicted for Carrying Out Multi-Year Fraudulent Information Technology Worker Scheme and Related Extortions
- U.S. Department of State: Rewards for Justice – Reward Offer for Information on DPRK IT Companies, IT Workers, and Related Money Laundering
- Rewards for Justice Program: Yanbian Silverstar and Volasys Silverstar
November 22, 2024 – Microsoft Threat Intelligence: Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON
November 21, 2024 – SentinelOne: DPRK IT Workers | A Network of Active Front Companies and Their Links to China
November 14, 2024 – Unit 42: Fake North Korean IT Worker Linked to BeaverTail Video Conference App Phishing Attack
November 13, 2024 – Unit 42: Global Companies Are Unknowingly Paying North Koreans: Here's How to Catch Them
November 01, 2024 – New York State Department of Financial Services: Re: Cybersecurity Advisory – Threats Posed by Remote Technology Workers with Ties to Democratic People's Republic of Korea
October 24, 2024 – HYPR: HYPR Unmasks a Fake IT Worker: North Korea Isn't the Only Threat
October 19, 2024 – KnowB34: North Korean IT Worker Threat: 10 Critical Updates to Your Hiring Process
October 02, 2024 – CoinDesk: How North Korea Infiltrated the Crypto Industry
October 01, 2024 – Bundesamt für Verfassungsschutz (Germany): Private Sector Security Advisory | 02/2024 | 1 October 2024 | Subject: North Korean IT Workers
September 23, 2024 – Mandiant: Staying a Step Ahead: Mitigating the DPRK IT Worker Threat
August 19, 2024 – UK Government: Democratic People's Republic of Korea sanctions: guidance
August 14, 2024 – Cinder: We found North Korean engineers in our application pile. Here's what our ex-CIA co founders did about it.
August 08, 2024 – U.S. Department of Justice: Justice Department Disrupts North Korean Remote IT Worker Fraud Schemes Through Charges and Arrest of Nashville Facilitator
July 23, 2024 – KnowBe4: How a North Korean Fake IT Worker Tried to Infiltrate Us
May 16, 2024 – U.S. Department of Justice:
- Justice Department Announces Arrest, Premises Search, and Seizures of Multiple Website Domains to Disrupt Illicit Revenue Generation Efforts of Democratic People's Republic of Korea
- Charges and Seizures Brought in Fraud Scheme Aimed at Denying Revenue for Workers Associated with North Korea
- Criminal Complaint Charges Two Men With Conspiracy To Commit Wire Fraud
May 16, 2024 – U.S. Department of State:
- Rewards for Justice – Reward Offer for Information on North Korean IT Workers
- Rewards for Justice Program: North Korean Information Technology (IT) Workers
May 16, 2024 – FBI: Democratic People's Republic of Korea Leverages U.S.-Based Individuals to Defraud U.S. Businesses and Generate Revenue
April 22, 2024 – 38North: What We Learned Inside a North Korean Internet Server: How Well Do You Know Your Partners?
February 21, 2024 – Mandiant: The North Korean IT Workers (podcast on Spotify)

2023

December 11, 2023 – Nisos: Investigation: Probable DPRK Online Personas Used To Fraudulently Obtain Remote Employment at U.S. Companies
October 18, 2023 – FBI: Additional Guidance on the Democratic People's Republic of Korea Information Technology Workers
October 18, 2023 – U.S. Department of Justice: Justice Department Announces Court-Authorized Action to Disrupt Illicit Revenue Generation Efforts of Democratic People's Republic of Korea Information Technology Workers
July 2023 – FBI: North Korean Tactics, Techniques, and Procedures for Revenue Generation (PDF)
May 23, 2023 – U.S. Treasury: Treasury Targets DPRK Malicious Cyber and Illicit IT Worker Activities
May 23, 2023 – U.S. Department of State: Joint U.S.-ROK Symposium on Countering DPRK Sanctions Evasion Involving DPRK IT Workers
April 24, 2023 – U.S. Department of Justice: North Korean Foreign Trade Bank Representative Charged in Crypto Laundering Conspiracies

2022

May 16, 2022 – U.S. Treasury:
- Guidance on the Democratic People's Republic of Korea Information Technology Workers (PDF)
- Fact Sheet: Guidance on the Democratic People's Republic of Korea Information Technology Workers (PDF)

Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat

Salt Typhoon

September 29, 2024

Country: People's Republic of China Organization(s): Sichuan Juxinhe Network Technology Co., LTD. (Sichuan Juxinhe) Objective: Espionage (Page Last Updated: January 17, 2025)

Aliases:

Earth Estries (Trend Micro)
FamousSparrow (ESET, Fortinet)
GhostEmperor (Kaspersky, Malpedia, Rapid7)
Liminal Panda (CrowdStrike)
Salt Typhoon Microsoft)
UNC2286 (Mandiant)

Links to other groups

DRBControl (PDF, Source: ESET)
SparklingGoblin (subset of “Winnti” Source: ESET)
Tropic Trooper (Source: Kaspersky)
- Tropic Trooper (ETDA, Kaspersky, MITRE, Unit 42)
- KeyBoy (Citizen Lab, Rapid7, formerly used by PwC)
- Pirate Panda (Anomali, CrowdStrike)
UNC4841 (Mandiant)

Vulnerabilities Exploited

ProxyLogon (Sources: ESET, Kaspersky, Sygnia, Trend Micro):
- CVE-2021-26855 (9.8 critical, in CISA's KEV Catalog) Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-26857 (7.8 high, in CISA's KEV Catalog) Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-26858 (7.8 high, in CISA's KEV Catalog) Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-27065 (7.8 high, in CISA's KEV Catalog)
Source: Trend Micro
- CVE-2023-46805 (8.2 high, in CISA's KEV Catalog) Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability
- CVE-2024-21887 (9.1 critical, in CISA's KEV Catalog) Ivanti Connect Secure and Policy Secure Command Injection Vulnerability
- CVE-2023-48788 (9.8 critical, in CISA's KEV Catalog) Fortinet FortiClient EMS SQL Injection Vulnerability
- CVE-2022-3236 (9.8 critical, in CISA's KEV Catalog) Sophos Firewall Code Injection Vulnerability
unidentified Microsoft SharePoint and Oracle Opera business software vulnerabilities (Source: ESET)
CVE-2017-11882 (7.8 high, in CISA's KEV Catalog. Note: associated with alias Tropic Trooper) Microsoft Office Memory Corruption Vulnerability Source: Trend Micro
CVE-2012-0158 (8.8 high, in CISA's KEV Catalog. Note: associated with alias Tropic Trooper, KeyBoy) Microsoft MSCOMCTL.OCX Remote Code Execution Vulnerability Sources: Unit 42, Citizen Lab
CVE-2017-0199 (7.8 high, in CISA's KEV Catalog. Note: associated with alias Tropic Trooper) Microsoft Office and WordPad Remote Code Execution Vulnerability Source: Citizen Lab
CVE-2015-1641 (7.8 high, in CISA's KEV Catalog. Note: associated with alias KeyBoy) Microsoft Office Memory Corruption Vulnerability Source: Citizen Lab

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2025

January 17, 2025:
- U.S. State Department: U.S. Takes Action Against PRC-Linked Cyber Actors for Treasury Hack and Salt Typhoon
- U.S. Treasury: Treasury Sanctions Company Associated with Salt Typhoon and Hacker Associated with Treasury Compromise (ATTRIBUTION)
January 13, 2025 – Washington Post: Biden administration looks to penalize Salt Typhoon telecom hackers (news article)
January 05, 2025 – Wall Street Journal: How Chinese Hackers Graduated From Clumsy Corporate Thieves to Military Weapons (news article)

2024

December 29, 2024 – Reuters: AT&T, Verizon targeted by Salt Typhoon cyberespionage operation, but networks secure (news article)
December 04, 2024 – Wall Street Journal: Dozens of Countries Hit in Chinese Telecom Hacking Campaign, Top U.S. Official Says (news article)
December 03, 2024 – CISA: CISA and Partners Release Joint Guidance on PRC-Affiliated Threat Actor Compromising Networks of Global Telecommunications Providers
November 27, 2024 – Bloomberg: T-Mobile Engineers Spotted Hackers Running Commands on Routers (news article, archive of paywalled article)
November 25, 2024 – Trend Micro: Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions
November 20, 2024 – Natto Thoughts: Salt Typhoon: Churning Up a Storm of Consternation
November 19, 2024 – CrowdStrike: Unveiling LIMINAL PANDA: A Closer Look at China's Cyber Threats to the Telecom Sector
November 15, 2024 – Wall Street Journal: T-Mobile Hacked in Massive Chinese Breach of Telecom Networks (news article)
November 07, 2024 – Trend Micro: Breaking Down Earth Estries' Persistent TTPs in Prolonged Cyber Operations
October 25, 2024 – Wall Street Journal: Chinese Hackers Targeted Phones of Trump, Vance, and Harris Campaign (news article)
October 25, 2024 – CISA: Joint Statement by FBI and CISA on PRC Activity Targeting Telecommunications (not explicitly mentioned)
October 11, 2024 – Washington Post: White House forms emergency team to deal with China espionage hack (news article)
October 04, 2024 – Wall Street Journal: U.S. Wiretap Systems Targeted in China-Linked Hack (news article)
September 25, 2024 – Wall Street Journal: China-Linked Hackers Breach U.S. Internet Providers in New 'Salt Typhoon' Cyberattack (news article)
September 05, 2024 – Kaspersky: Tropic Trooper spies on government entities in the Middle East
July 17, 2024 – Sygnia: The Return of Ghost Emperor's Demodex

2023

August 30, 2023 – Trend Micro: Earth Estries Targets Government, Tech for Cyberespionage

2022

February 28, 2022 – NCSC-UK: Malware Analysis Report: SparrowDoor (PDF)

2021

December 14, 2021 – Trend Micro: Collecting In the Dark: Tropic Trooper Targets Transportation and Government (archive of dead link)
October 19, 2021 – CrowdStrike: LIMINAL PANDA: A Roaming Threat to Telecommunications Companies
September 30, 2021 – Kaspersky: GhostEmperor: From ProxyLogon to kernel mode
September 23, 2021 – ESET: FamousSparrow: A suspicious hotel guest

2020

May 12, 2020 – Trend Micro: Tropic Trooper's Back: USBferry Attack Targets Air-gapped Environments (archive of dead link)
April 30, 2020 – Anomali: Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center

2018

August 08, 2018 – Citizen Lab: Familiar Feeling: A Malware Campaign Targeting the Tibetan Diaspora Resurfaces
March 14, 2018 – Trend Micro: Tropic Trooper’s New Strategy

2017

November 16, 2017 – Lookout: Tropic Trooper Goes Mobile With Titan Surveillanceware
February 11, 2017 – PwC: The KeyBoys are back in town (archive of dead link)

2016

November 22, 2016 – Unit 42: Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy
November 17, 2016 – Citizen Lab: It’s Parliamentary: KeyBoy and the targeting of the Tibetan Community

2015

May 14, 2015 – Trend Micro: Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers (PDF)

2013

June 13, 2013 – Cisco: Scope of 'KeyBoy' Targeted Malware Attacks
June 07, 2013 – Rapid7: KeyBoy, Targeted Attacks against Vietnam and India (archive of dead link)

Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat