Kimsuky Exploits BlueKeep RDP Vulnerability to Breach Systems in South Korea and Japan
Briefly

Cybersecurity researchers have identified a new campaign linked to the North Korean threat actor Kimsuky that exploits a significant vulnerability in Microsoft Remote Desktop Services (CVE-2019-0708). The flaw allows remote code execution and has been targeted by attackers since it was patched in May 2019. The attackers also use phishing emails to exploit another vulnerability (CVE-2017-11882). Once access is achieved, they deploy MySpy malware and keyloggers to monitor keystrokes, primarily targeting sectors in South Korea and Japan, as well as multiple other countries.
Cybersecurity researchers have flagged a new malicious campaign related to the North Korean state-sponsored threat actor known as Kimsuky that exploits a now-patched vulnerability impacting Microsoft Remote Desktop Services to gain initial access.
In some systems, initial access was gained by exploiting the RDP vulnerability (BlueKeep, CVE-2019-0708), the South Korean cybersecurity company said. Although an RDP vulnerability scanner was found on the compromised system, there is no evidence that it was actually used.
To exploit the flaw, an adversary would need to send a specially crafted request to the target system's Remote Desktop Service via RDP. Microsoft patched it in May 2019.
The attack culminates in the deployment of keyloggers such as KimaLogger and RandomQuery to capture keystrokes. The campaign is assessed to have targeted victims in South Korea and Japan, mainly in the software, energy, and financial sectors.
Read at The Hacker News