Email Senders Must Do This 1 Thing

The Federal Bureau of Investigation, National Security Agency and the U.S. Department of State have issued a joint cybersecurity advisory warning of state-sponsored email hack attacks that evade authentication security measures.

The attackers have been identified as APT43, a hacking group linked to the North Korean military intelligence agency. APT43, also known as Kimsuky, has been using email authentication bypass as a means to impersonate journalists, researchers and other academics as part of coordinated spear-phishing campaigns designed to “provide stolen data and valuable geopolitical insight to the North Korean regime by compromising policy analysts and other experts.” The joint security advisory recommends that all those responsible for their email domain, where an email is served from in other words, be that in a personal or organizational capacity, do one thing immediately: update their Domain-based Message Authentication, Reporting and Conformance security policy.

05/08 update below. This article was originally published on May 6.

Joint Cybersecurity Advisory Reveals Details Of North Korea Hacking Campaign

In Joint Cybersecurity Advisory JCSA-20240502-001, national security and intelligence agencies warn not only anyone who might be a potential target but all email users of the dangers of the state-sponsored North Korean Kimsuky malicious hacking group. Kimsuky, as part of North Korea’s military intelligence cyber program, is tasked with helping to maintain “consistent access to current intelligence about the United States, South Korea, and other countries of interest to impede any perceived political, military, or economic threat to the regime’s security and stability,” according to the JCSA authors.

ForbesMicrosoft Warns Windows Users Of Ongoing Russian Hack AttackBy Davey Winder

Specifically, the APT43/Kimsuky group is line-managed, so to speak, by North Korea’s military intelligence 63rd Research Center, which has been known to U.S. intelligence agencies since 2012. The primary mission of Kimsuky would appear to be to compromise expert targets such as policy analysts in order to attain data offering valuable geopolitical insight. In which case, you might be thinking, why should this FBI warning worry anyone else? Simply put, every successful attack, even the most basic of phishing campaigns, can help build better attacks yet to come. In particular, the crafting of the most credible emails in spearphishing attacks that focus on high-value targets holding the most sensitive of data. Why it should bother you, apart from the obvious national security reasons, is the method being employed by the attackers which can leverage your misconfigured email authentication settings.

Misconfigured DMARC Records Allow Malicious Email Spoofers Free Reign

Domain-based Message Authentication, Reporting and Conformance is one of those things most email users have never heard of, but everyone with their own email server really needs to have done. There’s a reason that Google has recently implemented new email authentication rules that will see non-authenticated messages from bulk senders to Gmail addresses returned unopened. That reason is to reduce the amount of spam and, in turn, reduce the potential for that spam to be carrying malicious content to Gmail users. Although spearphishing campaigns would not trigger the Gmail sender limits, the same authentication technology is what is being bypassed by the Kimsuky attackers. So how are they doing it?

What Is DMARC?

First, you need to understand that DMARC is a security protocol that enables a receiving email server to know if the email originated from where it claims. In other words, DMARC authenticates that a message has not been spoofed but does come from the person, or at least the organizational email domain, it claims. It’s actually very good at doing this, apart from when it isn’t. The DMARC policy will instruct the receiving email server what to do with that message after first checking that the associated Sender Policy Framework and DomainKeys Identified Mail authentication records are a match. The DMARC policy itself can be configured so as to send the email on to the recipient’s inbox, mark it as spam or reject it totally.

Exploiting DMARC Security Policy Apathy

This is where Kimsuky comes in. They exploit the fact that many DMARC policies have been left blank or marked as no action to be taken if an email fails the tests, as there’s a p=none modifier to show no policy exists. The JSAC itself includes a number of real-world examples of emails sent by Kimsuky. After warning that Kimsuky campaigns will start with a broad reconnaissance phase, the advisory states that “content from emails of previously compromised email accounts” are also used to enhance the authenticity of the communication. Kimsuky will create fake usernames but use legitimate domain names in order to spoof individuals from organizations such as think tanks and higher education institutions. These emails don’t come from the actual organization’s domain but the hacker-controlled email address and domain instead. And all because DMARC policy was found to be lacking.

Do This 1 Thing Now To Mitigate Kimsuky Attack Threat, FBI Urges

The FBI and NSA advisory urges all email users to act on one piece of mitigation advice that could help prevent such attacks from succeeding. That advice follows on from recent moves by Google to protect users of the Gmail service from spammers by demanding bulk emails use domain authentication protections.

ForbesGmail Celebrates 20th Birthday And Enforces New Security Rules 1 AprilBy Davey Winder

The new Gmail rules are to be applauded, but all email users have been advised by the FBI and NSA to take one action immediately: update your or your organization’s DMARC security policy.

To do this, you should ensure that your DMARC policy, which can be edited within your email domain’s DNS settings, is one of two configurations: “v=DMARC1; p=quarantine,” which instructs the email server to quarantine emails that fail DMARC testing as spam or “v=DMARC1; p=reject,” which tells the server to reject or block the email. If you only use a web service such as Gmail, and don’t administer an organisation’s custom domain, then you need not be concerned. Everyone else, though, should check with their IT team or web hosting company and ensure that the DMARC policy is properly configured.

“Spearphishing continues to be a mainstay of the DPRK cyber program,” NSA cybersecurity director Dave Luber said, “and this CSA provides new insights and mitigations to counter their tradecraft.”

05/07 update:

Proofpoint Security Researchers Analyze Recent Kimsuky Group Activity

Researchers working at Proofpoint have taken a deep dive into what the cybersecurity company labels threat actor TA427, better known as APT43 or Kimsuky. Describing the North Korea-aligned group working in support of the Reconnaissance General Bureau as “one of the most active state-aligned threat actors currently tracked” by Proofpoint, the researchers have noted new attack tactics being employed by Kimsuky. This uptick in various techniques being employed by the threat actor follows on from the group “impersonating key DPRK subject matter experts in academia, journalism, and independent research,” as part of a long-term strategic intelligence gathering campaign, Proofpoint said. The problem is that, thanks to what the researchers referred to as a clear degree of success, there are no indications that Kimsuky is either slowing down or becoming less agile as far as such tactic-switching is concerned. Hence the joint advisory from the FBI and NSA.

Kimsuky Employs Web Beacons As Part Of The Initial Attack Reconnaissance

One of the new tactics to be employed by Kimsuky is the use of web beacons. Only spotted by the Proofpoint team as being actively used by the threat actors in February 2024, web beacons embed a hyperlinked but non-visible object, often a single same color as the background pixel, to help validate and track targets. This works by linking that invisible pixel to an image server which attempts to load it in the content that is being rendered. The image itself is benign, but its value as part of the initial reconnaissance is as malicious as it is priceless. Not only do these beacons show that “emails are active,” but also gather “fundamental information about the recipients’ network environments, including externally visible IP addresses, User-Agent of the host, and time the user opened the email,” the report explained. The tactic itself is far from new, of course, being a favorite of advanced persistent threat groups, but coupled with exploiting poorly implemented, if implemented at all, DMARC policies to spoof legitimate-looking personas is a profitable current one for Kimsuky.

Look For Kimsuky Campaign Indicators Of Compromise

When it comes to indicators of compromise, the Proofpoint researchers have noted that the following message subjects have been used during the latest spike of activity from Kimsuky:

• Invitation: August DPRK meeting
• Draft Taiwan Issue
• Emergence of Indigenous Nuclear Weapons Debate
• Request for Meeting (Korean Embassy)
• Invitation to Korea Global Forum 2024 (Seoul, February 20-21)
• Event with the Korea Society “Rumbles of Thunder and Endangered Peace on the Korean Peninsula”
• Invitation: US Policy Toward North Korea – Pocantico Center February 6-8
• RISG 2024 Winter Meeting Invitation
• Invitation to speak at the East Asia Strategy Forum
• Discussion about DPRK sanctions
• Invitation: 3/5 Conference – An Allied Approach to North Korea
• Essay Series: Peaceful Co-existence with North Korea

How To Check Your DMARC Record Using This Free Tool

Proofpoint has a free DMARC record-checking tool that allows users to check up to 100 domains. This tool pokes the domain records of the organization being researched and will validate that a permissive DMARC policy of the type often exploited by APT actors, such as APT43, is not present.

From APT43 To APT42, North Korea To Iran

05/08 update: Threat intelligence researchers working for Mandiant, a subsidiary of Google, have published a thorough analysis of another state-sponsored advanced persistent threat group. APT42 is, the researchers said, operating not under the control of North Korea though, but rather Iran. To be more precise, the group is thought to be exploiting intelligence-gathering campaigns on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization. It would appear that there are enough clear operational overlaps when it comes to these hacking attacks for APT42 to also be known as Charming Kitten, Mint Sandstorm and TA453. Whatever the name, there are some similarities with how APT43, or Kimsuky, works. Notably, APT42 is known to be targeting academia, legal services, media organizations and activists by impersonating journalists and event organizers.

The Mandiant intelligence report, Uncharmed: Untangling Iran’s APT42 Operations, warns that APT42 is using “enhanced social engineering schemes to gain access to victim networks, including cloud environments.” Although it isn’t clear whether APT42 has employed DMARC policy weaknesses in order to garner initial trust from targets, that trust is certainly the focus of the initial phase of any hacking attack by the Iranian group.

Building Trust With Real Credentials And Fake News

The Mandiant threat intelligence research team of Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock and Jonathan Leathery, say that APT42 was observed using social engineering schemes to harvest real credentials which were then used in order to gain basic access to cloud environments from where it “covertly exfiltrated data of strategic interest to Iran, while relying on built-in features and open-source tools to avoid detection.”

Spear-phishing, which can be thought of as highly-targeted and thoroughly researched phishing, is central to the way that APT42 operates. Indeed, the researchers said that the group uses precisely this method to deliver two custom backdoor malware programs called NICECURL and TAMECAT. These deployments are then used as a “command execution interface or as a jumping point to deploy additional malware.”

The credential-harvesting part of any operation usually comprises three stages according to the Mandate analysis.

1. Emails that contain malicious links using lures such as documents related to foreign affairs topics, especially those with an Iranian connection.
2. These then direct the target to fake websites that are using address shorteners or copycat domains which often include yet another decoy document.
3. Finally, the by-now-invested user is redirected to a fake Google or Microsoft account login page where the credential harvesting occurs.

Mandiant said it identified three distinct clusters of infrastructure used by the group, all employing similar tactics, techniques and procedures while varying in terms of the domains, decoys, themes and masquerading patterns used.

APT42 Attack Cluster A: News Outlets and NGOs

Active from 2021 through to today, this cluster targets the credentials of “journalists, researchers, and geopolitical entities in regions of interest to Iran.” It does this by posing as well-known publications including The Washington Post, The Economist and The Jerusalem Post. Most often, this would involve the attackers using typosquatted domains where an address looks convincing at first glance but uses different character-swapping techniques, such as a q instead of a g, for example, or another domain identifier altogether, such as .press instead of .com or similar.

APT42 Attack Cluster B: Generic Legitimate Services

Also active today, but observed since 2019, this cluster targets those perceived as a threat to Iran and has included journalists and human rights activists. This cluster involves posing as login pages, file hosting services and even YouTube. Using realistic-sounding invitations to conferences, as well as legitimate documents that are hosted on a cloud-based file service, the target is prompted for their credentials if they use the original links and their credentials harvested. Mandiant has observed examples where fake Google Meet invitations were used to garner Google credentials, while others directed the target to cloned Gmail login pages.

APT42 Attack Cluster C: Mailer Daemons And URL Shortening Services

The most recently initiated APT42 cluster started in 2022 and remains active to this day. It targets those affiliated with defense and foreign affairs in both the U.S. and Israel. “Specifically, in November 2023, Mandiant observed this cluster targeting a nuclear physics professor in a major Israeli university,” the researchers said. Again, spear-phishing campaigns using invitations to conferences and legitimate documents on cloud services were the attack route. URL shortening services were used to obfuscate real addresses, with credentials harvested upon login.