North Korean hacker group Kimsuky is not new to the cyber world. This highly sophisticated group of threat actors is active again, now targeting domains with permissive DMARC policies to launch highly targeted phishing attacks.
Kimsuky had always leveraged social engineering tactics, often using email as a medium for initiating attacks. However, in recent attacks, they have switched things up by exploiting DMARC policies that offer no protection. This highlights the need for DMARC enforcement practices, making them central to an organization’s security.
On 2nd May 2024, the Federal Bureau of Investigation (FBI), the U.S. Department of State, and the National Security Agency (NSA) issued a joint advisory warning about Kimsuky exploiting permissive DMARC policies to launch spearphishing attacks. Let’s delve deeper!
A Brief History of Kimsuky
The Kimsuky hacker group has many names – Velvet Chollima, Black Banshee, and Emerald Sleet being a few of them. Having their roots in North Korea, Kimsuky started launching cyber-espionage attacks targeting South Korean research and policy institutes, nuclear power operators, and ministerial bodies.
While this hacker group may have been active for more than a decade, they have recently broadened their horizons to target organizations in Russia, the US, and Europe.
Popular Kimsuky Attacks Reported in the Past
- “The first of its kind” Kimsuky attacks date back to 2019.
- Kimsuky allegedly stole sensitive data from South Korean nuclear power operator Korea Hydro & Nuclear Power in March 2015.
- In September 2020, Kimsuky targeted 11 officials from the United Nations Security Council, attempting to hack them.
Kimsuky Exploiting Relaxed DMARC Policies in 2024 Phishing Attacks
Your DMARC policy is a mandatory field in your DMARC record that tells receiving mail servers what to do with messages that fail DMARC. Your policy can instruct receiving servers to discard or quarantine failed messages, or, in no-action mode, to take no action at all!
North Korean hacker group Kimsuky is targeting domains with no-action DMARC policies to exploit the lack of protection they offer. This provides them with a higher chance of successfully delivering their phishing emails.
What are the different DMARC policies you can configure?
As a domain owner, you can choose one of three DMARC policies: none, quarantine, and reject. As the names suggest, none is a no-action policy, while quarantine and reject respectively quarantine and reject unauthorized emails.
To configure your policy, add the p= tag to your DMARC record when you create it.
What is a no-action/permissive DMARC policy?
The DMARC none policy is permissive. It is a policy mode that offers no protection against cyber attacks. But does that mean it serves no purpose? Not quite. DMARC none is typically used in the beginning stages of your email authentication journey, which can be called the “monitoring only” phase. This mode can be used as a control to test your configuration and monitor your email traffic. However, we do not encourage staying on this policy for long periods, since it leaves your domain vulnerable to cyber attacks. Your ultimate goal should be to safely move to an enforcement mode.
The following is an example of a DMARC record with a permissive or weak DMARC policy:
v=DMARC1; p=none;
Here, the p=none tag denotes that the policy is set to “none”, offering no protection. Furthermore, this DMARC record has no ‘rua’ tag set up, so even the monitoring purpose of the DMARC ‘none’ policy is not being utilized.
How can a weak DMARC policy harm you?
There is one prominent drawback of the DMARC none policy that may harm you under certain circumstances: on a none policy, an email is still delivered to the recipient even when it fails DMARC. This means that if a threat actor spoofs your domain to send phishing emails to your clients, those emails will be delivered despite failing DMARC authentication.
Anatomy of Kimsuky Spearphishing Attacks
There are several versions of Kimsuky attacks that federal agencies have warned about in their advisories between 2023 and 2024. Let’s explore some key takeaways to understand Kimsuky’s attack tactics:
- Kimsuky is known for impersonating government agencies, think tanks, and media outlets in spearphishing emails. They may also use spoofed websites to gain access to personal information and login credentials from victims.
- They usually target well-known organizations and impersonate real officials and employees so they can easily gain the trust of unsuspecting victims.
- The phishing attack is conducted in various phases and not in a one-and-done way. In the process, the attackers may assume the role of several different identities in consecutive emails to maintain credibility.
- After a few harmless initial attempts, once trust is established, the final email delivered by the attackers contains an encrypted malicious attachment.
- This attachment is laced with malicious code that infiltrates the user’s account, network, or device, ultimately providing Kimsuky access to these systems.
- The emails impersonating legitimate think tanks target agencies that have weak DMARC policies (p=none) configured for their domain.
- Unfortunately, due to the no-action DMARC policy configured by the think tank or organization, emails that fail DMARC authentication are still delivered to the recipient’s main inbox. This ultimately marks the success of the Kimsuky phishing attack.
Preventing Kimsuky Phishing Attacks Exploiting Weak DMARC Policies
In its IC3 report, the FBI outlines several preventive measures you can take against the recent Kimsuky attacks. Let’s explore what they are:
1. Configure Enforced DMARC Policies
To prevent Kimsuky from exploiting weak DMARC policies – shift to something stronger like an enforced policy. “Quarantine” and “reject” are two such policy modes you can configure. On these policies, impersonated phishing emails are either discarded or quarantined instead of being delivered directly to the client’s inbox.
However, if configured incorrectly, your legitimate emails may get discarded as well! This is why it is important to exercise caution when configuring an enforced policy. Here’s how you can safely implement DMARC reject:
- Sign up on PowerDMARC for free and select the DMARC record generator tool
- Create a new DMARC record with a p=reject policy
Note: If you’re setting up DMARC for the first time, use a policy of “none” to monitor all your sending sources using our dashboard and reporting views.
Once the legitimate sending sources have been correctly configured to send DMARC-compliant emails, you can enforce DMARC by updating your policy to quarantine, and then to reject. Our hosted DMARC solution allows you to easily switch between policy modes without accessing your DNS. Once you are confident in your setup, simply navigate to Hosted DMARC and update your policy mode.
- Enable DMARC reporting using the “rua” tag, and define an email address to receive your reports
- Access your DNS management console and replace your current DMARC record with the new one. Note that you must replace your current record and not publish a new record for the same domain if it already has one published.
When on p=reject, you must monitor your email traffic regularly to ensure your legitimate messages are getting delivered. Our DMARC reporting tool simplifies DMARC report management to ensure deliverability. Get started today to safely transition to an enforced policy and strengthen your defenses against Kimsuky!
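The monitoring step above (checking that legitimate mail still passes before and after moving to quarantine or reject) relies on the aggregate reports that the rua= tag requests. The following is an added example, not PowerDMARC’s reporting tool, that parses one such aggregate report (the standard XML format receivers send) and shows which sending IPs would be blocked under an enforced policy. The report embedded in it is constructed: the IP addresses are from the documentation ranges, and the domains are placeholders.

```python
"""Summarize a DMARC aggregate (rua) report before moving to enforcement.

Added example; not PowerDMARC's code. The XML below is a constructed
report in the standard aggregate format: one record per (source IP,
authentication outcome). IPs are documentation addresses; domains are
placeholders.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver-placeholder.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1714521600</begin><end>1714607999</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <!-- the organization's own mail server: SPF and DKIM both aligned -->
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- an unknown source spoofing the From: domain; p=none lets it through -->
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>unknown-sender.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- a legitimate newsletter platform not yet aligned: would break on reject -->
  <record>
    <row>
      <source_ip>203.0.113.25</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>newsletter-platform.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> dict:
    """Aggregate message counts per source IP and flag DMARC failures."""
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    summary = {
        "domain": published.findtext("domain"),
        "published_policy": published.findtext("p"),
        "total": 0,
        "failing": 0,
        "sources": {},
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        dmarc_pass = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        src = summary["sources"].setdefault(
            ip, {"count": 0, "dmarc_pass": dmarc_pass,
                 "disposition": evaluated.findtext("disposition")}
        )
        src["count"] += count
        summary["total"] += count
        if not dmarc_pass:
            summary["failing"] += count
    return summary


def failing_sources(summary: dict) -> list:
    """Sources that would be quarantined/rejected once the policy is enforced,
    largest first. Each needs a decision: align it (legitimate) or let it fail."""
    return sorted(
        ((ip, s["count"]) for ip, s in summary["sources"].items() if not s["dmarc_pass"]),
        key=lambda item: item[1],
        reverse=True,
    )


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print(f"{s['domain']} (published p={s['published_policy']}): "
          f"{s['failing']} of {s['total']} messages failed DMARC")
    for ip, n in failing_sources(s):
        print(f"  would be blocked under enforcement: {ip} ({n} messages)")
```

The output makes the rollout decision concrete: 43 of 163 messages fail, but 40 of those come from a single third-party sender that only needs SPF or DKIM alignment before the domain moves to quarantine and then reject, while the remaining 3 are exactly the spoofed mail an enforced policy is meant to stop. Real reports arrive gzip- or zip-compressed at the rua address; decompress them before passing the XML to this function.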
2. Detect Warning Signs in Emails
The FBI outlines several warning signs present in phishing emails, which can be dead giveaways. Let’s go through what these are:
- Grammatically incorrect and poorly written emails
- Initial emails that sound particularly harmless, followed by ones with malicious links or attachments
- The malicious attachments require recipients to click “Enable Macros” to view them; they are usually password-protected in an effort to evade antivirus filters
- Emails originating from spoofed domains with misspelled domain names
- Emails impersonating governments, universities, and think tanks but sent from randomized sources that do not contain the accurate domain name
All of these can be tell-tale signs of a Kimsuky phishing attack. Under these circumstances, it is best advised to not engage with the contents of the email or click on any attachments.
To Conclude
The recent resurgence of Kimsuky attacks exploiting permissive DMARC policies further proves the ever-evolving nature of cyber attacks. As we’ve seen, their adeptness at leveraging no-action DMARC policies highlights the critical need for organizations to enforce stronger measures to safeguard against phishing attacks.
The joint advisory issued by the FBI, U.S. Department of State, and NSA serves as a stark reminder of the imminent dangers posed by such threat actors. By shifting towards enforced DMARC policies and remaining vigilant for warning signs outlined by federal agencies, organizations can fortify their defenses and mitigate the risk of falling victim to Kimsuky’s sophisticated tactics.
Businesses and entities must stay proactive in adapting and updating security protocols. To get started, contact us today!