Threat actors from the suspected North Korean APT group Kimsuky breached a South Korean atomic research institute via a VPN vulnerability.
According to The Record, the Korea Atomic Energy Research Institute (KAERI) said the breach occurred on May 14, 2021, via a vulnerability in a virtual private network (VPN) server. The organization subsequently blocked the attackers’ IP address and upgraded the affected system after it discovered the attack, on May 31.
Investigations revealed the source IP addresses of the attackers were allegedly traced back to the suspected APT group Kimsuky, known for cyberattacks against South Korean COVID-19 vaccine developers last year.
Although the exact VPN vulnerability was not disclosed in the KAERI press release, Pieter Arntz of Malwarebytes wrote it may have been one of the common and publicly known vulnerabilities, such as those previously exploited by the Russian Foreign Intelligence Service (SVR).
On April 2, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert after observing Advanced Persistent Threat (APT) actors exploiting FortiOS vulnerabilities CVE-2018-13379, CVE-2019-5591 and CVE-2020-12812.
Last October, CISA had also observed attackers exploiting multiple VPN-related vulnerabilities exposed on internet-facing devices, such as:
- Citrix NetScaler (CVE-2019-19781)
- Pulse Secure (CVE-2019-11510)
- Palo Alto Networks (CVE-2020-2021)
- F5 BIG-IP (CVE-2020-5902)
- FortiGuard FortiOS SSL VPN (CVE-2018-13379)
- MobileIron (CVE-2020-15505).
What is so surprising is that many of these vulnerabilities are older and should have been patched many months ago.
Mitigations
It is worth repeating some of the solid mitigations previously provided by the FBI and CISA for addressing VPN-related threats, such as:
- Patch all affected VPN and external-facing devices according to vendor advisories.
- Regularly back up and protect data (air gap, password protection, etc.).
- Implement network segmentation.
- Require administrator credentials to install software.
- Implement a recovery plan to restore sensitive data.
- Use multifactor authentication where possible.
- Regularly change passwords.
- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
- Audit user accounts with administrative privileges and configure access controls with least privilege.
- Install and regularly update anti-malware software on all hosts.
- Ensure phishing protections (such as “external” banners for external emails) and security awareness training.