Email Senders Must Do This 1 Thing

The Federal Bureau of Investigation, National Security Agency and the U.S. Department of State have issued a joint cybersecurity advisory warning of state-sponsored email hack attacks that evade authentication security measures.

The attackers have been identified as APT43, a hacking group linked to the North Korean military intelligence agency. APT43, also known as Kimsuky, has been using email authentication bypass as a means to impersonate journalists, researchers and other academics as part of coordinated spear-phishing campaigns designed to “provide stolen data and valuable geopolitical insight to the North Korean regime by compromising policy analysts and other experts.”

05/07 update below. This article was originally published on May 7.

Joint Cybersecurity Advisory Reveals Details Of North Korea Hacking Campaign

In Joint Cybersecurity Advisory JCSA-20240502-001, national security and intelligence agencies warn not only anyone who might be a potential target but all email users of the dangers of the state-sponsored North Korean Kimsuky malicious hacking group. Kimsuky, as part of North Korea’s military intelligence cyber program, is tasked with helping to maintain “consistent access to current intelligence about the United States, South Korea, and other countries of interest to impede any perceived political, military, or economic threat to the regime’s security and stability,” according to the JCSA authors.

ForbesMicrosoft Warns Windows Users Of Ongoing Russian Hack AttackBy Davey Winder

Specifically, the APT43/Kimsuky group is line-managed, so to speak, by North Korea’s military intelligence 63rd Research Center, which has been known to U.S. intelligence agencies since 2012. The primary mission of Kimsuky would appear to be to compromise expert targets such as policy analysts in order to attain data offering valuable geopolitical insight. In which case, you might be thinking, why should this FBI warning worry anyone else? Simply put, every successful attack, even the most basic of phishing campaigns, can help build better attacks yet to come. In particular, the crafting of the most credible emails in spearphishing attacks that focus on high-value targets holding the most sensitive of data. Why it should bother you, apart from the obvious national security reasons, is the method being employed by the attackers which can leverage your misconfigured email authentication settings.

Misconfigured DMARC Records Allow Malicious Email Spoofers Free Reign

Domain-based Message Authentication, Reporting and Conformance is one of those things most email users have never heard of, but everyone with their own email server really needs to have done. There’s a reason that Google has recently implemented new email authentication rules that will see non-authenticated messages from bulk senders to Gmail addresses returned unopened. That reason is to reduce the amount of spam and, in turn, reduce the potential for that spam to be carrying malicious content to Gmail users. Although spearphishing campaigns would not trigger the Gmail sender limits, the same authentication technology is what is being bypassed by the Kimsuky attackers. So how are they doing it?

First, you need to understand that DMARC is a security protocol that enables a receiving email server to know if the email originated from where it claims. In other words, DMARC authenticates that a message has not been spoofed but does come from the person, or at least the organizational email domain, it claims. It’s actually very good at doing this, apart from when it isn’t. The DMARC policy will instruct the receiving email server what to do with that message after first checking that the associated Sender Policy Framework and DomainKeys Identified Mail authentication records are a match. The DMARC policy itself can be configured so as to send the email on to the recipient’s inbox, mark it as spam or reject it totally.

This is where Kimsuky comes in. They exploit the fact that many DMARC policies have been left blank or marked as no action to be taken if an email fails the tests, as there’s a p=none modifier to show no policy exists. The JSAC itself includes a number of real-world examples of emails sent by Kimsuky. After warning that Kimsuky campaigns will start with a broad reconnaissance phase, the advisory states that “content from emails of previously compromised email accounts” are also used to enhance the authenticity of the communication. Kimsuky will create fake usernames but use legitimate domain names in order to spoof individuals from organizations such as think tanks and higher education institutions. These emails don’t come from the actual organization’s domain but the hacker-controlled email address and domain instead. And all because DMARC policy was found to be lacking.

Do This 1 Thing Now To Mitigate Kimsuky Attack Threat, FBI Urges

The FBI and NSA advisory urges all email users to act on one piece of mitigation advice that could help prevent such attacks from succeeding. That advice follows on from recent moves by Google to protect users of the Gmail service from spammers by demanding bulk emails use domain authentication protections.

ForbesGmail Celebrates 20th Birthday And Enforces New Security Rules 1 AprilBy Davey Winder

The new Gmail rules are to be applauded, but all email users have been advised by the FBI and NSA to take one action immediately: update your or your organization’s DMARC security policy.

To do this, you should ensure that your DMARC policy, which can be edited within your email domain’s DNS settings, is one of two configurations: “v=DMARC1; p=quarantine,” which instructs the email server to quarantine emails that fail DMARC testing as spam or “v=DMARC1; p=reject,” which tells the server to reject or block the email. If you only use a web service such as Gmail, and don’t administer an organisation’s custom domain, then you need not be concerned. Everyone else, though, should check with their IT team or web hosting company and ensure that the DMARC policy is properly configured.

“Spearphishing continues to be a mainstay of the DPRK cyber program,” NSA cybersecurity director Dave Luber said, “and this CSA provides new insights and mitigations to counter their tradecraft.”

05/07 update:

Proofpoint Security Researchers Analyze Recent Kimsuky Group Activity

Researchers working at Proofpoint have taken a deep dive into what the cybersecurity company labels threat actor TA427, better known as APT43 or Kimsuky. Describing the North Korea-aligned group working in support of the Reconnaissance General Bureau as “one of the most active state-aligned threat actors currently tracked” by Proofpoint, the researchers have noted new attack tactics being employed by Kimsuky. This uptick in various techniques being employed by the threat actor follows on from the group “impersonating key DPRK subject matter experts in academia, journalism, and independent research,” as part of a long-term strategic intelligence gathering campaign, Proofpoint said. The problem is that, thanks to what the researchers referred to as a clear degree of success, there are no indications that Kimsuky is either slowing down or becoming less agile as far as such tactic-switching is concerned. Hence the joint advisory from the FBI and NSA.

Kimsuky Employs Web Beacons As Part Of Initial Attack Reconnaissance

One of the new tactics to be employed by Kimsuky is the use of web beacons. Only spotted by the Proofpoint team as being actively used by the threat actors in February 2024, web beacons embed a hyperlinked but non-visible object, often a single same color as the background pixel, to help validate and track targets. This works by linking that invisible pixel to an image server which attempts to load it in the content that is being rendered. The image itself is benign, but its value as part of the initial reconnaissance is as malicious as it is priceless. Not only do these beacons show that “emails are active,” but also gather “fundamental information about the recipients’ network environments, including externally visible IP addresses, User-Agent of the host, and time the user opened the email,” the report explained. The tactic itself is far from new, of course, being a favorite of advanced persistent threat groups, but coupled with exploiting poorly implemented, if implemented at all, DMARC policies to spoof legitimate-looking personas is a profitable current one for Kimsuky.

Kimsuky Campaign Indicators Of Compromise

When it comes to indicators of compromise, the Proofpoint researchers have noted that the following message subjects have been used during the latest spike of activity from Kimsuky:

• Invitation: August DPRK meeting
• Draft Taiwan Issue
• Emergence of Indigenous Nuclear Weapons Debate
• Request for Meeting (Korean Embassy)
• Invitation to Korea Global Forum 2024 (Seoul, February 20-21)
• Event with the Korea Society “Rumbles of Thunder and Endangered Peace on the Korean Peninsula”
• Invitation: US Policy Toward North Korea – Pocantico Center February 6-8
• RISG 2024 Winter Meeting Invitation
• Invitation to speak at the East Asia Strategy Forum
• Discussion about DPRK sanctions
• Invitation: 3/5 Conference – An Allied Approach to North Korea
• Essay Series: Peaceful Co-existence with North Korea

Check Your DMARC Record Using This Free Tool

Proofpoint has a free DMARC record-checking tool that allows users to check up to 100 domains. This tool pokes the domain records of the organization being researched and will validate that a permissive DMARC policy of the type often exploited by APT actors, such as APT43, is not present.