
Cybersecurity researchers have identified a new malicious campaign attributed to the North Korean state-sponsored threat actor known as Kimsuky, which exploits a now-patched vulnerability in Microsoft Remote Desktop Services to gain initial access.
The activity has been named Larva-24005 by the AhnLab Security Intelligence Center (ASEC).
"In some systems, initial access was achieved through exploiting the RDP vulnerability (BlueKeep, CVE-2019-0708)," the South Korean cybersecurity company said. "While an RDP vulnerability scanner was found in the compromised system, there is no evidence of its actual use."
CVE-2019-0708 (CVSS score: 9.8) is a critical bug in Remote Desktop Services that can enable remote code execution, allowing unauthenticated attackers to install arbitrary programs, access data and even create new accounts with full user rights.
To exploit the flaw, however, an adversary would need to send a specially crafted request to the target system's Remote Desktop Service over RDP. Microsoft patched it in May 2019.
Another initial access vector adopted by the threat actor is the use of phishing emails that trigger a known Equation Editor vulnerability (CVE-2017-11882, CVSS score: 7.8).
Once access is obtained, the attacker uses a dropper to install a malware strain referred to as MySpy, along with a tool that modifies system settings to enable RDP access to the host. MySpy is designed to collect system information.
The attacks culminate in the deployment of the keyloggers KimaLogger and RandomQuery to capture keystrokes.
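The two conditions described above, RDP reachable by an unauthenticated client on a BlueKeep-era host and RDP being switched on through a settings change after the dropper runs, can both be checked from the host itself. The following PowerShell audit is an added example and is not code from the article or from AhnLab; the registry paths and event ID it reads are standard Windows locations, the risk labels and the seven-day lookback are this example's own choices, and the event query assumes SACL auditing has been enabled on the Terminal Server key.

```powershell
# Added example (not from the article): audit a Windows host for the RDP
# exposure the Larva-24005 write-up describes. Run from an elevated prompt.

function Get-RdpExposure {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"

    # fDenyTSConnections = 0 means Remote Desktop is enabled.
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means Network Level Authentication is required.
    # CVE-2019-0708 is triggered before authentication, so NLA keeps an
    # unauthenticated client away from the vulnerable code path.
    $nla  = (Get-ItemProperty -Path $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $port = (Get-ItemProperty -Path $tcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }

    # Windows 7 / Server 2008 R2 and older (NT 6.1 and below) are the versions
    # affected by CVE-2019-0708; later versions were never vulnerable.
    $ver = [System.Environment]::OSVersion.Version
    $legacyOs = ($ver.Major -lt 6) -or ($ver.Major -eq 6 -and $ver.Minor -le 1)

    # Is anything actually listening on the RDP port? Get-NetTCPConnection does
    # not exist on Windows 7, so fall back to parsing netstat there.
    $listening = $false
    try {
        $listening = [bool](Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction Stop)
    } catch {
        $listening = [bool](netstat -an | Select-String ":$port\s+.*LISTENING")
    }

    # Risk labels are this example's own convention, not a vendor rating.
    if (($deny -eq 0) -and ($nla -ne 1) -and $legacyOs) {
        $risk = 'HIGH: RDP reachable without NLA on a CVE-2019-0708-era OS; confirm the May 2019 patch is installed'
    } elseif (($deny -eq 0) -and ($nla -ne 1)) {
        $risk = 'MEDIUM: RDP enabled without NLA'
    } elseif ($deny -eq 0) {
        $risk = 'LOW: RDP enabled with NLA required'
    } else {
        $risk = 'RDP disabled'
    }

    [pscustomobject]@{
        RdpEnabled    = ($deny -eq 0)
        Listening     = $listening
        Port          = $port
        NlaRequired   = ($nla -eq 1)
        BlueKeepEraOs = $legacyOs
        Risk          = $risk
    }
}

# Detection angle: the dropper turns RDP on by editing system settings.
# Security event 4657 (registry value modified) records such a change when
# object-access auditing with a SACL on the Terminal Server key is in place.
function Get-RdpEnableEvents {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'fDenyTSConnections|UserAuthentication' } |
        Select-Object TimeCreated, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0..3] -join ' ' } }
}

Get-RdpExposure
Get-RdpEnableEvents
```

Run the two functions across a fleet with your usual remoting tooling; any host reporting `RdpEnabled` true together with `NlaRequired` false deserves the same scrutiny as one where 4657 events show `fDenyTSConnections` flipping to 0 outside a change window.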
The campaign is assessed to have targeted victims in South Korea and Japan, primarily in the software, energy and financial sectors, since October 2023. Other countries targeted by the group include the United States, China, Germany, Singapore, South Africa, the Netherlands, Mexico, Vietnam, Belgium, the United Kingdom, Canada and Poland.