
Cybersecurity researchers have recently identified a malicious campaign linked to the North Korean state-sponsored group, Kimsuky, which exploits a vulnerability in Microsoft Remote Desktop Services known as BlueKeep (CVE-2019-0708). This vulnerability, now patched, allowed attackers to gain initial access to systems through remote code execution.

The South Korean cybersecurity firm AhnLab Security Intelligence Center (ASEC) has named this activity Larva-24005. ASEC reported that initial access was sometimes achieved via the RDP vulnerability. Although a scanner for this vulnerability was found on the compromised systems, there was no evidence it had been actively used.

BlueKeep has a critical CVSS score of 9.8 and was recognized as a wormable bug allowing unauthenticated attackers to compromise systems. To exploit it, attackers must send a specially crafted request to the target system's Remote Desktop Service. Microsoft issued a patch for this flaw in May 2019.

In addition to exploiting the RDP vulnerability, Kimsuky has used phishing emails that include files leveraging another vulnerability in Equation Editor (CVE-2017-11882), which has a CVSS score of 7.8. Once the attackers gain access, they deploy a dropper to install malware referred to as MySpy and a tool called RDPWrap, which modifies system settings to permit RDP access. MySpy is designed to gather system information, while keyloggers like KimaLogger and RandomQuery are deployed to capture keystrokes.

The campaign is primarily aimed at sectors within South Korea, including software, energy, and finance, and has been operational since October 2023. Kimsuky has also targeted countries beyond South Korea, such as the United States, China, Germany, Singapore, and several others, showcasing their global attack strategy.

