Threat actors breach South Korean atomic research institute via VPN vulnerability

Threat actors breach South Korean atomic research institute via VPN vulnerability

Threat actors from suspected North Korea APT group Kimsuky breached a South Korean atomic research institute via a VPN vulnerability.

According to The Record, the Korea Atomic Energy Research Institute (KAERI) said the breach occurred on May 14, 2021, via a vulnerability in a virtual private network (VPN) server. The organization subsequently blocked the attackers’ IP address and upgraded the affected system after it discovered the attack, on May 31.

Investigations revealed the source IP addresses of the attackers were allegedly traced backed to the suspected APT group Kimsuky, known for cyberattacks against South Korean COVID-19 vaccine developers last year.

Although the exact VPN vulnerability was not disclosed in the KAERI press release, Pieter Arntz of Malwarebytes wrote it may have been one of the common and publicly known vulnerabilities, such as those previously exploited by the Russian Foreign Intelligence Service (SVR).

On April 2, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert after observing Advanced Persistent Threat (APT) actors exploiting FortiOS vulnerabilities CVE-2018-13379, CVE-2019-5591 and CVE-2020-12812.

Last October, CISA had also previously observed attackers exploiting multiple VPN-related vulnerabilities exposed on internet facing devices, such as:

  • Citrix NetScaler (CVE-2019-19781)
  • Pulse Secure (CVE-2019-11510)
  • Palo Alto Networks (CVE-2020-2021)
  • F5 BIG-IP (CVE-2020-5902)
  • FortiGuard FortiOS SSL VPN (CVE-2018-13379)
  • MobileIron (CVE-2020-15505).

What is so surprising is that many of the vulnerabilities are older and should have patched many months ago.

Mitigations

It is worth repeating some of the solid mitigations previously provided by the FBI and CISA in addressing VPN-related threats such as:

  • Patch all affected VPN and external facing devices according to vendor advisories.
  • Regularly back up and protect data (air gap, password protection, etc.).
  • Implement network segmentation.
  • Require administrator credentials to install software.
  • Implement a recovery plan to restore sensitive data.
  • Use multifactor authentication where possible.
  • Regularly change passwords.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege.
  • Install and regularly update anti-malware software on all hosts.
  • Ensure phishing protections (such as “external” banners for external emails) and security awareness training.

Related Articles