
NSA, FBI Alert on N. Korean Hackers Spoofing Emails from Trusted Sources


May 03, 2024 | Newsroom | Email Security / Malware

The U.S. government on Thursday published a new cybersecurity advisory warning that North Korean threat actors are sending emails crafted to appear as if they come from legitimate and trusted parties.

The joint bulletin was published by the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Department of State.

“The DPRK [Democratic People’s Republic of Korea] leverages these spear-phishing campaigns to collect intelligence on geopolitical events, adversary foreign policy strategies, and any information affecting DPRK interests by gaining illicit access to targets’ private documents, research, and communications,” NSA said.

The technique specifically concerns exploiting improperly configured Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies, which domain owners publish as DNS TXT records, to conceal social engineering attempts. Where a domain has no DMARC record, or one set to monitoring only, a receiving mail server still delivers messages that fail authentication, so the threat actors can send spoofed emails that appear to originate from the legitimate domain's email server.

The abuse of weak DMARC policies has been attributed to a North Korean activity cluster tracked by the cybersecurity community under the name Kimsuky (aka APT43, Black Banshee, Emerald Sleet, Springtail, TA427, and Velvet Chollima), which is a sister collective to the Lazarus Group and is affiliated with the Reconnaissance General Bureau (RGB).

Proofpoint, in a report published last month, said that Kimsuky began to incorporate this method in December 2023 as part of broader efforts to target foreign policy experts for their opinions on topics related to nuclear disarmament, U.S.-South Korea policies, and sanctions.

Describing the adversary as a “savvy social engineering expert,” the enterprise security firm said the hacking group is known to engage its targets for extended periods through a series of benign conversations, building trust under various aliases that impersonate DPRK subject matter experts in think tanks, academia, journalism, and independent research.

“Targets are often requested to share their thoughts on these topics via email or a formal research paper or article,” Proofpoint researchers Greg Lesnewich and Crista Giering said.

“Malware or credential harvesting are never directly sent to the targets without an exchange of multiple messages, and […] rarely utilized by the threat actor. It is possible that TA427 can fulfill its intelligence requirements by directly asking targets for their opinions or analysis rather than from an infection.”

The company also noted that many of the entities TA427 has spoofed had either not published a DMARC policy or had published one set to monitoring only (p=none), so spoofed messages that failed authentication were still delivered rather than quarantined or rejected.

Furthermore, Kimsuky has been observed using “free email addresses spoofing the same persona in the reply-to field to convince the target that they are engaging with legitimate personnel.”
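The Reply-To tactic above is visible in message headers: the From address carries the impersonated organisation's domain, while Reply-To steers the conversation to a free-mail account using the same persona name. The following is an added example of how a mail-handling pipeline could flag that pattern; it is not code from the advisory, Proofpoint, or the article, and the sample messages, names, domains and addresses in it are invented for illustration.

```python
"""Spot reply-routing tricks in a received message: a Reply-To that points
at a different mailbox than the From address, especially a free-mail one
reusing the same persona name.

Added example, not code from the advisory, Proofpoint or the article. The
sample messages, names, domains and addresses below are invented.
"""
from email import message_from_string
from email.utils import parseaddr

# Consumer providers often used for throwaway persona mailboxes; extend as needed.
FREE_MAIL_DOMAINS = {
    "gmail.com", "outlook.com", "hotmail.com", "yahoo.com",
    "proton.me", "protonmail.com",
}


def reply_path_findings(raw_message):
    """Return a list of findings describing suspicious reply routing.
    An empty list means the message's reply path looks ordinary."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    reply_name, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []
    if not reply_addr:
        return findings  # replies go back to From; nothing to flag here

    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if from_domain and reply_domain != from_domain:
        findings.append(
            f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if reply_domain in FREE_MAIL_DOMAINS:
        findings.append(f"Reply-To uses free mail provider {reply_domain}")
    if (reply_name and from_name and reply_domain != from_domain
            and reply_name.casefold() == from_name.casefold()):
        findings.append(
            "Reply-To reuses the From display name on a different mailbox")
    # If the receiving server recorded a DMARC failure yet delivered the
    # message, the From domain is running p=none or has no policy at all.
    auth = msg.get("Authentication-Results", "").lower()
    if "dmarc=fail" in auth:
        findings.append(
            "Authentication-Results shows dmarc=fail but the message was delivered")
    return findings


# Constructed lure modelled on the pattern the advisory describes.
SAMPLE_LURE = """\
Authentication-Results: mx.thinktank.example; spf=fail smtp.mailfrom=dailynews.example; dkim=none; dmarc=fail (p=NONE sp=NONE) header.from=dailynews.example
From: "Jane Reporter" <jane.reporter@dailynews.example>
Reply-To: "Jane Reporter" <jane.reporter.press@gmail.com>
To: expert@thinktank.example
Subject: Interview request on DPRK nuclear policy

Dear Dr. Expert, my work mailbox will be blocked for a few days,
so please reply to my personal address instead.
"""

# Constructed benign message: replies route back into the sender's own domain.
SAMPLE_BENIGN = """\
From: "Jane Reporter" <jane.reporter@dailynews.example>
Reply-To: newsdesk@dailynews.example
To: expert@thinktank.example
Subject: Follow-up

Thanks for your time today.
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, reply_path_findings(raw) or ["no findings"])
```

Run as a script it prints four findings for the constructed lure and none for the benign message. A Reply-To in a different domain is legitimate often enough (newsletters, ticketing systems) that these findings are better used to raise a banner for the recipient or to route the message for review than to block outright.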

In one email highlighted by the U.S. government, the threat actor posed as a legitimate journalist seeking an interview with an unnamed expert about North Korea’s nuclear armament plans, but stated openly that their email account would be blocked temporarily and urged the recipient to respond to their personal email, which was a fake account mimicking the journalist.

This suggests the initial message appeared to come from the journalist’s real account, whether spoofed or compromised, which increased the chance that the victim would reply to the alternative fake address and carry on the conversation there.

Organizations are advised to set their DMARC policy to quarantine or reject (p=quarantine or p=reject) so that receiving email servers treat messages that fail the checks as suspicious or spam, and to add a reporting address (the rua tag) to the DMARC record so they receive aggregate feedback reports showing which servers are sending mail under their domain.
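The weakness described throughout this article and the fix recommended above are both visible in a single DNS TXT record. The following added example reads DMARC records the way a receiving server does and reports why a given record leaves the domain spoofable; it is not code from the advisory, Proofpoint, or the article, and the sample records and domains in it are constructed for illustration.

```python
"""Read a domain's DMARC TXT record the way a receiving mail server does.

Added example, not code from the advisory, Proofpoint or the article. The
sample records and domains below are constructed for illustration.
"""


def parse_dmarc(record):
    """Split 'v=DMARC1; p=...; tag=value' into a dict, or return None if
    the string is not a usable DMARC record (receivers then ignore it)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def assess_dmarc(record):
    """Return (effective_policy, findings) for a record string or None.

    effective_policy is what a receiver applies to a message whose From
    domain fails both SPF and DKIM alignment. 'none' means the spoofed
    message is delivered anyway, which is the weakness the advisory
    describes.
    """
    if record is None:
        return "none", ["no DMARC record published: spoofed mail is delivered"]
    tags = parse_dmarc(record)
    if tags is None:
        return "none", ["malformed record, receivers ignore it: spoofed mail is delivered"]
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return "none", [f"unknown p={policy}, receivers treat the record as absent"]

    findings = []
    if policy == "none":
        findings.append("p=none: failing mail is only reported, still delivered")
    pct = tags.get("pct", "100")
    if policy != "none" and pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets p={policy}")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports never arrive, spoofing goes unnoticed")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains of this domain can still be spoofed")
    return policy, findings


def spoofable(record):
    """True when a receiver would hand a DMARC-failing message to the inbox
    as ordinary mail."""
    return assess_dmarc(record)[0] == "none"


# Constructed examples (hypothetical domains). The last one is the shape the
# advisory's recommendation produces: an enforcing policy plus a report address.
SAMPLE_RECORDS = {
    "thinktank.example": None,
    "news.example": "v=DMARC1; p=none; rua=mailto:dmarc@news.example",
    "university.example": "v=DMARC1; p=reject; pct=25",
    "hardened.example": ("v=DMARC1; p=reject; rua=mailto:dmarc-reports@hardened.example; "
                         "adkim=s; aspf=s"),
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        policy, findings = assess_dmarc(record)
        print(f"{domain}: p={policy}, spoofable={spoofable(record)}")
        for f in findings:
            print("   -", f)
```

To check a real domain, fetch the TXT record at `_dmarc.<domain>` (for example with `dig TXT _dmarc.example.com +short`) and pass the string to `assess_dmarc`. Note that p=none is not wrong for a domain that is still collecting reports before enforcing; the problem the advisory describes is domains that stay there indefinitely, or publish nothing at all.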
