{"id":2866,"date":"2025-04-22T11:56:41","date_gmt":"2025-04-22T11:56:41","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2866"},"modified":"2025-04-22T11:56:41","modified_gmt":"2025-04-22T11:56:41","slug":"north-korea-backed-kimsuky-targets-unpatched-bluekeep-systems-in-new-campaign","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2866","title":{"rendered":"North Korea-backed Kimsuky targets unpatched BlueKeep systems in new campaign"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The infamous BlueKeep flaw from 2019, tracked as CVE-2019-0708, has come back to haunt security professionals as reports of fresh, in-the-wild abuse surface.<\/p>\n<p>The dangerous, \u201c<a href=\"https:\/\/www.csoonline.com\/article\/567245\/microsoft-urges-windows-customers-to-patch-wormable-rdp-flaw.html\">wormable<\/a>\u201d RCE flaw affecting Microsoft\u2019s remote desktop protocol (RDP) was exploited in a new campaign by North Korea-backed Kimsuky APT,\u00a0 targeting vulnerable South Korean and Japanese systems.<\/p>\n<p>South Korean cybersecurity company AhnLab detected the campaign during a breach investigation. \u201cThe AhnLab Security Intelligence Center (ASEC) discovered a new operation related to the Kimsuky group and named it Larva-24005,\u201d researchers said in a <a href=\"https:\/\/asec.ahnlab.com\/en\/87554\/\">blog post<\/a>. \u201cThe threat actors exploited the RDP vulnerability to infiltrate the (breach-affected) system.\u201d<\/p>\n<p>Kimsuky (aka APT43, Velvet Chollima, Black Banshee, and THALLIUM) is a threat group primarily known for espionage activities aligned with North Korea\u2019s state interests. 
Common vectors used by this group for initial access include spear-phishing, software flaws, and social engineering.<\/p>\n<h2 class=\"wp-block-heading\">BlueKeep was abused for initial access<\/h2>\n<p>During their investigation, researchers found BlueKeep vulnerability scanners on the compromised system, indicating the use of the flaw for initial access. The detected scanner tools include RDPScanner CLI Type and RDPScanner GUI Type.<\/p>\n<p>However, the investigation did not reveal any evidence of BlueKeep\u2019s actual use by the threat actors. Other methods, such as attaching malware files to emails and planting them through the Microsoft Office Equation Editor vulnerability (CVE-2017-11882), were observed, the blog noted.<\/p>\n<p>\u201cAfter gaining access to the system, the threat actor used a dropper to install MySpy malware and RDPWrap, and modified the system settings to allow RDP access,\u201d researchers said.<\/p>\n<p>Both MySpy and RDPWrap are legitimate Windows-based tools used for pen-testing and running concurrent remote sessions, respectively, but are popularly weaponized by threat actors for unauthorized surveillance and persistent remote access.<\/p>\n<p>Beyond establishing persistence, the Larva-24005 campaign was seen dropping keyloggers such as KimaLogger and RandomQuery as its final payloads.<\/p>\n<h2 class=\"wp-block-heading\">The campaign targeted South Korea and Japan<\/h2>\n<p>Based on analysis of the campaign infrastructure, the threat actors have been attacking South Korea, the US, China, Japan, Germany, Singapore, South Africa, the Netherlands, Mexico, Vietnam, Belgium, the UK, Canada, Thailand, and Poland.<\/p>\n<p>However, AhnLab researchers were only able to retrieve samples of phishing emails sent to South Korea and Japan. 
\u201cThese threat actors have been attacking South Korea\u2019s software, energy, and financial industries since October 2023,\u201d the researchers said.<\/p>\n<p>As indicators of compromise (IOCs), the researchers shared a list of file hashes (MD5), URLs, and domain names (FQDN) on which security teams can set detection alerts.<\/p>\n<p>Although notorious for its high exploitability and impact, with a CVSS score of 9.8 out of 10, the BlueKeep flaw has almost no exploitation history, with <a href=\"https:\/\/doublepulsar.com\/bluekeep-exploitation-activity-seen-in-the-wild-bd6ee6e599a6\">only one reported<\/a> abuse in November 2019, months after the flaw was fixed in May, for crypto-mining. The bigger concern, however, is that the flaw has drawn the attention of Kimsuky, an APT group infamous for its creative <a href=\"https:\/\/www.csoonline.com\/article\/2066558\/north-korean-kimsuky-groups-attack-chain-blends-with-legitimate-traffic.html\">obfuscation techniques<\/a>, <a href=\"https:\/\/www.csoonline.com\/article\/575543\/north-korean-apt-group-targets-email-credentials-in-social-engineering-campaign.html\">convincing social engineering campaigns<\/a>, and <a href=\"https:\/\/www.csoonline.com\/article\/3850346\/new-windows-zero-day-feared-abused-in-widespread-espionage-for-years.html\">widespread espionage<\/a> attacks.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The infamous BlueKeep flaw from 2019, tracked as CVE-2019-0708, has come back to haunt security professionals as reports of fresh, in-the-wild abuse surface. The dangerous, \u201cwormable\u201d RCE flaw affecting Microsoft\u2019s remote desktop protocol (RDP) was exploited in a new campaign by North Korea-backed Kimsuky APT,\u00a0 targeting vulnerable South Korean and Japanese systems. 
South Korean cybersecurity [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2867,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2866","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2866"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2866"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2866\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2867"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2866"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2866"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2866"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}