The North Korean APT hacking group known as Kimsuky has been identified as exploiting vulnerabilities in ScreenConnect, specifically targeting CVE-2024-1708 and CVE-2024-1709. These exploits have been utilized to deploy a new strain of malware named ToddleShark.
What is the Kimsuky Hacking Group?
A new malware variant called Toddleshark surfaced recently after Kimsuky, a group of North Korean hackers exploit ScreenConnect flaws.
Kimsuky, also recognized as Thallium and Velvet Chollima, is a state-sponsored hacking entity from North Korea notorious for its cyber espionage activities targeting various organizations and governments worldwide.
ScreenConnect Vulnerabilities
On February 20, 2024, ConnectWise warned its ScreenConnect customers about authentication bypass and remote code execution vulnerabilities. The urgent recommendation was to upgrade servers to version 23.9.8 or higher to mitigate risks associated with these flaws.
Related Article: Linux Backdoor GTPDOOR Can Secretly Attack Mobile Carrier Networks, Exposing IP Addresses
Exploitation and Attack
Public exploits for the identified vulnerabilities were swiftly made available, leading to immediate exploitation by threat actors, including ransomware groups.
Kimsuky capitalized on these exploits to orchestrate cyber attacks, furthering its agenda of espionage.
Characteristics of ToddleShark Malware
ToddleShark, the latest malware variant attributed to Kimsuky, demonstrates polymorphic attributes, indicating its sophisticated design for prolonged intelligence gathering.
To evade detection, ToddleShark employs various techniques, including leveraging legitimate Microsoft binaries and altering system registries, Bleeping Computer reports.
Operation Mechanism
Initially, Kimsuky infiltrates vulnerable ScreenConnect endpoints, leveraging the exploits to bypass authentication and execute malicious code. The malware then utilizes legitimate Microsoft binaries to execute obfuscated scripts, blending malicious activities with legitimate processes.
Persistent Access and Data Theft
ToddleShark ensures persistent access by creating scheduled tasks to execute malicious code routinely. It collects a plethora of system information from infected devices, including network configurations, user accounts, and installed software, which is subsequently encoded and exfiltrated to the attackers' command and control infrastructure.
Polymorphic Traits
One of ToddleShark's unique features is its polymorphic nature, which enables it to mutate and evade detection. Through randomized functions, variable names, and dynamic URL generation, the malware poses a significant challenge to traditional detection methods.
Upcoming Information
Kroll, a leading cybersecurity firm, is set to release detailed insights and indicators of compromise (IoCs) related to ToddleShark, offering valuable information to cybersecurity professionals and organizations combating such threats.
Kimsuky's exploitation of ScreenConnect vulnerabilities pinpoints the persistent threat state-sponsored hacking groups pose. Organizations are urged to remain vigilant, promptly patch vulnerabilities, and deploy effective cybersecurity measures to mitigate attacks that might infect their systems.
In other news, we reported another malware in the form of SSH-Snake. This threat specializes in stealing keys, and it can evade detection systems.
According to security experts, it is identified as a "self-modifying worm" that can easily access networks without any trace.
