How North Korean Hackers Use VPN Update Flaws to Spread Malware


South Korea’s National Cyber Security Center (NCSC) has issued a warning about a recent wave of attacks by North Korean state-backed hackers. By abusing software update and installation channels, including a flaw in a domestic VPN product’s update mechanism, the attackers infiltrated networks, installed malware, and stole sensitive information. The advisory comes amid South Korea’s ongoing industrial modernization efforts, and it highlights the growing cyber-espionage threat from the North.

The Hackers Behind the Attack

The NCSC attributes these attacks to two well-known North Korean hacking groups, Kimsuky (tracked by Mandiant as APT43) and Andariel (APT45). Both operate under North Korea’s Reconnaissance General Bureau, the same agency behind the Lazarus Group (Andariel is commonly treated as a Lazarus subgroup), and both have a history of targeting specific sectors in support of state policy objectives.

Method of Attack: Trojanized Updates and Installers

Kimsuky Attack Overview: In January 2024, Kimsuky compromised the website of a South Korean construction trade organization. When employees tried to log in, they were prompted to install security software named “NX_PRNMAN” or “TrustPKI.” The installers were digitally signed with a valid code-signing certificate belonging to D2Innovation, a Korean defense company, so they passed antivirus and signature checks and deployed malware. The lesson is that a valid signature only proves the signer held that certificate’s private key; it says nothing about whether the signer is the publisher the victim expected, which is why an update path that accepts any valid signature rather than a pinned publisher identity is not a real control.

Once installed, the malware captured screenshots, stole data from browsers (including credentials, cookies, bookmarks, and history), and exfiltrated GPKI certificates, SSH keys, Sticky Notes, and FileZilla data. This campaign affected several South Korean construction companies, public institutions, and local governments.

Andariel Attack Overview: In April 2024, the Andariel group exploited a vulnerability in the communication protocol of a domestic VPN product to push fake software updates to its clients. The bogus updates installed DoraRAT, a remote access trojan built to steal large files, such as machinery and equipment design documents, and exfiltrate them to the attackers’ command-and-control server.

Preventive Measures and Recommendations: The NCSC advises operators of potentially targeted websites to request a security inspection from the Korea Internet & Security Agency (KISA). It also recommends strict approval policies for software distribution, with administrator authentication required at the final distribution step, so that no single compromised account or server can push an update on its own. More general advice includes timely software and OS updates, ongoing employee security training, and monitoring government cybersecurity advisories so that emerging threats can be identified and mitigated quickly.
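The common thread in the Kimsuky and Andariel campaigns above is that the installer or update path trusted the wrong thing: a signature from a certificate that was valid but belonged to a different publisher, or an update that arrived over the product’s own update channel. The Go program below is an added example, not code from the NCSC advisory or from any VPN vendor, showing what a client-side update check that resists both looks like: the manifest must verify under one pinned publisher key (so a signature from any other key, however valid its certificate, is rejected), the version must be newer than the installed one (no rollback to a buggy build), and the payload digest must match the signed manifest. The product name `ExampleVPN`, the manifest layout, the keys, and the payload bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the hypothetical signed description of one update. The
// signature covers its canonical JSON encoding, so every field below is
// protected and the client can rely on all of them.
type Manifest struct {
	Product string `json:"product"`
	Version int    `json:"version"`
	SHA256  string `json:"sha256"` // lowercase hex digest of the payload
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify under the pinned publisher key")
	ErrWrongProduct = errors.New("manifest is for a different product")
	ErrRollback     = errors.New("manifest version is not newer than the installed version")
	ErrHashMismatch = errors.New("payload digest does not match the manifest")
)

// canonical returns the bytes that are signed and verified. encoding/json
// emits struct fields in declaration order, so the encoding is deterministic.
func canonical(m Manifest) ([]byte, error) {
	return json.Marshal(m)
}

// SignManifest is the publisher side: sign the canonical manifest with the
// publisher's Ed25519 key. Only this key's public half is pinned in clients.
func SignManifest(priv ed25519.PrivateKey, m Manifest) ([]byte, error) {
	b, err := canonical(m)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, b), nil
}

// VerifyUpdate is the client side. The signature is checked first, under the
// pinned key alone, so a manifest signed with any other key never reaches the
// version or digest checks. Nothing here depends on where the manifest came
// from, so a poisoned DNS answer or a forged update-protocol reply gains the
// attacker nothing without the publisher's private key.
func VerifyUpdate(pinnedPub ed25519.PublicKey, product string, installedVersion int,
	m Manifest, sig, payload []byte) error {
	b, err := canonical(m)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pinnedPub, b, sig) {
		return ErrBadSignature
	}
	if m.Product != product {
		return ErrWrongProduct
	}
	if m.Version <= installedVersion {
		return ErrRollback
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

func main() {
	// Constructed keys: the vendor's pinned key, and a second key standing in
	// for a certificate that is valid but belongs to some other company.
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)

	payload := []byte("constructed update payload, not a real installer")
	sum := sha256.Sum256(payload)
	m := Manifest{Product: "ExampleVPN", Version: 2, SHA256: hex.EncodeToString(sum[:])}

	sig, _ := SignManifest(vendorPriv, m)
	fmt.Println("genuine update:", VerifyUpdate(vendorPub, "ExampleVPN", 1, m, sig, payload))

	otherSig, _ := SignManifest(otherPriv, m)
	fmt.Println("other signer:  ", VerifyUpdate(vendorPub, "ExampleVPN", 1, m, otherSig, payload))

	fmt.Println("rollback:      ", VerifyUpdate(vendorPub, "ExampleVPN", 2, m, sig, payload))

	tampered := append([]byte(nil), payload...)
	tampered[0] ^= 0x01
	fmt.Println("tampered:      ", VerifyUpdate(vendorPub, "ExampleVPN", 1, m, sig, tampered))
}
```

The point of pinning a raw publisher key rather than checking “is this signature valid under some trusted CA” is exactly the D2Innovation case: a stolen or abused certificate from an unrelated company is valid, but it is not the pinned key, so the check fails before any installer runs. In a real product the pinned key would ship inside the client binary and be rotated through a signed manifest of its own.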

Similar Attacks and Broader Implications: This incident is part of a broader trend of supply chain attacks. In related activity, a Chinese hacking group breached an ISP and poisoned DNS responses so that victims’ automatic software updates fetched malware in place of the genuine update. Such attacks underscore the need to secure the software supply chain, and in particular the update channel itself, rather than relying on the network path to be trustworthy.

How Technijian Can Help

At Technijian, we understand the critical importance of robust cybersecurity measures to protect your business from sophisticated cyber threats. Our comprehensive cybersecurity solutions include:

  • Advanced Threat Detection and Response: Utilizing cutting-edge technology to identify and respond to threats in real-time.
  • Regular Security Audits: Conducting thorough security audits to identify vulnerabilities and implement necessary patches.
  • Employee Training Programs: Providing ongoing training to ensure your staff is aware of the latest cyber threats and best practices.
  • 24/7 Monitoring and Support: Offering round-the-clock monitoring and support to detect and mitigate threats promptly.
  • Secure Software Development Practices: Ensuring that all software updates and installations are rigorously tested and verified.

By partnering with Technijian, you can be confident that your business is protected against today’s cyber threats. Contact us today to learn more about how we can help secure your business.

About Technijian

Technijian is a leading Managed Service Provider (MSP) offering comprehensive IT Solutions tailored to meet the diverse needs of businesses. Specializing in IT Security and Network Security, Technijian ensures your organization’s data is protected against cyber threats. Our robust IT Services include 24/7 IT Support, ensuring seamless operation and minimal downtime for your business.

As experts in Cloud Computing Services, Technijian enables businesses to harness the power of the cloud for enhanced flexibility, scalability, and efficiency. Our IT Management solutions streamline operations, allowing you to focus on core business activities while we handle the complexities of your IT infrastructure.

Our team of skilled IT Consultants provides strategic guidance and customized IT Solutions, aligning technology with your business goals. Technijian’s comprehensive range of IT Services ensures optimal performance and reliability, making us your trusted partner in Information Technology.

With a commitment to excellence, Technijian delivers proactive Managed IT Services, anticipating and addressing potential issues before they impact your business. Our dedication to providing top-notch IT Support around the clock guarantees that your IT environment remains secure, efficient, and aligned with industry best practices. Choose Technijian for unparalleled IT Solutions that drive your business forward.

Author: Ravi Jain

Technijian was founded in November of 2000 by Ravi Jain with the goal of providing technology support for small to midsize companies. As the company grew in size, it also expanded its services to address the growing needs of its loyal client base. From its humble beginnings as a one-man-IT-shop, Technijian now employs teams of support staff and engineers in domestic and international offices. Technijian’s US-based office provides the primary line of communication for customers, ensuring each customer enjoys the personalized service for which Technijian has become known.
