Kimsuky

OrigenCoreia do Norte

Técnicas (MITRE ATT&CK)130

FuenteMITRE ATT&CK

También conocido como:Black BansheeVelvet ChollimaEmerald SleetTHALLIUMAPT43TA427SpringtailEarth KumihoPatheticSlug

Análisis Vexday

Kimsuky é um grupo de espionagem cibernética originário da Coreia do Norte (DPRK), ativo pelo menos desde 2012 e rastreado pelo MITRE ATT&CK sob o identificador G0094 — também referenciado pelos aliases Black Banshee, Velvet Chollima, Emerald Sleet, THALLIUM, APT43 e TA427. O grupo iniciou suas operações visando agências governamentais sul-coreanas, think tanks e especialistas temáticos, expandindo posteriormente seu escopo para abranger a ONU e organizações nos setores governamental, educacional, de serviços empresariais e manufatureiro nos Estados Unidos, Japão, Rússia e Europa. Suas coletas são focadas em questões de política externa e segurança nacional relacionadas à Península Coreana, política nuclear e sanções internacionais. Ao grupo são atribuídas 3 CVEs conhecidas e 130 técnicas documentadas no framework MITRE ATT&CK.

Técnicas (MITRE ATT&CK) 130

Cómo opera el grupo, mapeado por la matriz MITRE ATT&CK y organizado por las fases de un ataque.

Reconocimiento

Email Addresses Employee Names Gather Victim Org Information Social Media Search Engines Search Victim-Owned Websites Search Open Technical Databases Phishing for Information Spearphishing Link Query Public AI Services

Preparación de recursos

Acquire Infrastructure Domains Server Web Services Domains Establish Accounts Social Media Accounts Email Accounts Email Accounts Develop Capabilities Malware Tool Code Signing Certificates Exploits Upload Malware

Acceso inicial

Exploit Public-Facing Application Phishing Spearphishing Attachment Spearphishing Link

Ejecución

Scheduled Task PowerShell Windows Command Shell Visual Basic Python JavaScript Native API Malicious Link Malicious File Malicious Copy and Paste Component Object Model

Persistencia

Additional Local or Domain Groups External Remote Services Local Account Browser Extensions Web Shell Windows Service Registry Run Keys / Startup Folder

Escalada de privilegios

Change Default File Association

Acceso a credenciales

LSASS Memory Network Sniffing Multi-Factor Authentication Interception Steal Web Session Cookie Credentials In Files Private Keys Credentials from Web Browsers Adversary-in-the-Middle

Descubrimiento

System Service Discovery Query Registry System Network Configuration Discovery System Owner/User Discovery Process Discovery System Information Discovery File and Directory Discovery System Time Discovery Browser Information Discovery Security Software Discovery Local Storage Discovery

Movimiento lateral

Remote Desktop Protocol Internal Spearphishing Pass the Hash

Recolección

Data from Local System Keylogging Web Portal Capture Local Data Staging Screen Capture Remote Email Collection Email Forwarding Rule Clipboard Data Browser Session Hijacking Archive via Utility Archive via Custom Method

Comando y control

Web Protocols File Transfer Protocols Mail Protocols Dead Drop Resolver Bidirectional Communication Ingress Tool Transfer Non-Standard Encoding Remote Desktop Software Dynamic Resolution

Exfiltración

Automated Exfiltration Exfiltration Over C2 Channel Exfiltration to Cloud Storage

Impacto

Service Stop Financial Theft

defense-impairment

Modify Registry Code Signing Disable or Modify Tools Disable or Modify System Firewall

Vulnerabilidades explotadas 3

CVEs que este grupo es conocido por explotar, según MITRE ATT&CK. Ordenadas por gravedad real.

CVE-2020-0688HIGHEPSS 100%KEV CVE-2014-7169CRITICALEPSS 100%KEV CVE-2016-6662EPSS 68%

El grupo Kimsuky usa técnicas y explota fallas reales. El Pentest Autónomo con IA de TrueHacking simula esos ataques en tu infraestructura y aporta más seguridad a tu aplicación.

Conocer el Pentest Autónomo con IA →