DPRK's Kimsuky APT Abuses Weak DMARC Policies, Feds Warn

Published: 23/11/2024   Category: security

Organizations can go a long way toward preventing spoofing attacks by changing one basic parameter in their DNS settings.



North Korean hackers are taking advantage of weak DMARC configurations to impersonate organizations in phishing attacks against individuals of strategic significance to the Kim Jong Un regime.
DMARC, short for Domain-based Message Authentication, Reporting & Conformance, is a security protocol for preventing email-based attacks. Unlike most security solutions, however, which potential victims implement for themselves, DMARC policies are set by email senders. In part for this reason, it can be easily overlooked.
On Thursday, the FBI and National Security Agency released a joint cybersecurity advisory detailing how the APT Kimsuky (aka APT 43, Thallium) is taking advantage. For some time now, it has been masquerading as organizations that have weak or nonexistent DMARC policies in convincing spear phishing emails.
"This is a highly effective new tool in the arsenal of one of the more prolific social engineering threat groups that Mandiant tracks," Gary Freas, Mandiant senior analyst with Google Cloud, said in an email. "Organizations in a variety of industries around the world are at risk of leaving themselves unnecessarily exposed. Proper DMARC configuration, in conjunction with proper management of SPF/DKIM, is low-hanging fruit to deliver high-impact prevention of phishing and spoofing of an organization."
Kimsuky's primary objective is to steal valuable intelligence — regarding geopolitical events, other nations' foreign policy strategies, and more — for the Kim regime. To do that, it aims cyberattacks at journalists, think tanks, government organizations, and the like.
To add legitimacy to these attacks, it often impersonates individuals from trusted organizations like these in highly targeted emails. Such emails are extra convincing when Kimsuky gains access to its puppet's legitimate account or domain (often through a separate spear phishing attack) to send emails on their behalf.
This is what DMARC is designed to prevent. It combines two authentication mechanisms: the Sender Policy Framework (SPF), which checks that a sender's IP address is authorized to send emails from the specified domain, and DomainKeys Identified Mail (DKIM), which uses public key cryptography to detect tampering with the message. Domain owners publish a DMARC record in their domain name system (DNS) settings to determine what happens when an email en route fails these checks: either block it (p=reject), treat it with suspicion (p=quarantine), or do nothing (p=none).
The FBI-NSA joint advisory suggests organizations favor p=reject or p=quarantine to prevent threat actors like Kimsuky from sending emails from their domains.
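To make the "one basic parameter" concrete, the following added example (not code from the advisory or the article's sources) parses DMARC TXT records and flags the weak configurations the advisory warns about: no record, p=none, a pct= below 100, or a subdomain policy (sp=) weaker than the organizational domain policy. The record strings and domain names are constructed samples; in practice the input would come from a TXT lookup of `_dmarc.<domain>`, which is left to the operator.

```python
"""Added example: rate the strength of DMARC policy records.

Assumptions (not from the advisory): the record strings below are constructed
samples and the domain names are illustrative placeholders.
"""
from typing import Dict, List, Optional, Tuple

# Ordering used to compare the org-domain policy (p=) with the subdomain policy (sp=)
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject; rua=mailto:...'
    into a dictionary keyed by lowercase tag. Raises ValueError on malformed input."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("record does not start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("required p= tag is missing")
    return tags


def assess(record: Optional[str]) -> Tuple[str, List[str]]:
    """Return (verdict, findings). verdict is 'strong' when failing mail is
    quarantined or rejected for the whole domain, 'weak' when a record exists
    but still lets spoofed mail through, and 'missing' when there is no usable
    record at all (a receiver then applies no policy)."""
    findings: List[str] = []
    if record is None:
        return "missing", ["no _dmarc TXT record published"]
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return "missing", [f"invalid record: {exc}"]

    policy = tags["p"].lower()
    if policy not in POLICY_RANK:
        return "missing", [f"unknown policy value p={policy}"]

    enforcing = policy != "none"
    if not enforcing:
        findings.append("p=none: failing mail is delivered and only reported")

    # pct= limits how much failing mail the policy is applied to (default 100)
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        enforcing = False
        findings.append(f"pct={tags.get('pct')}: policy applied to only part of failing mail")

    # sp= lets subdomains fall back to a weaker policy than the org domain
    sub = tags.get("sp", policy).lower()
    if POLICY_RANK.get(sub, 0) < POLICY_RANK[policy]:
        enforcing = False
        findings.append(f"sp={sub}: subdomains are covered by a weaker policy")

    # Reporting does not change enforcement, but without it misconfiguration goes unseen
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")

    return ("strong" if enforcing else "weak"), findings


# Constructed sample records (placeholder domains, not real DNS lookups)
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "strong.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example",
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=10; sp=none",
    "no-record.example": None,
}


def audit(records: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Map each domain to its verdict; convenient for reviewing many domains at once."""
    return {domain: assess(rec)[0] for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        verdict, notes = assess(rec)
        print(f"{domain:22} {verdict:8} {'; '.join(notes) or 'ok'}")
```

Only the first sample would satisfy the advisory's recommendation; the others show the three ways a record can exist and still leave the domain spoofable, which is why the advisory and the analysts quoted here stress reviewing every domain an organization owns rather than just the primary one.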
"DMARC hygiene is critical," says Jeremy Fuchs, Harmony Email analyst at Check Point. "It's a fantastic way to ensure that when someone gets an email from your company, it's actually from your company. It can be a big project, though, to ensure p=reject state, especially when you have many domains. This is why reporting, monitoring, and consistent hygiene is key."
DMARC is not a silver bullet, as hackers have plenty of ways to spoof, but it can be a good starting point.
