A North Korean state-sponsored threat actor is suspected of collaborating with the Play ransomware gang in a September cyberattack, Palo Alto Networks Unit 42 reported Wednesday.
The group tracked by Unit 42 as Jumpy Pisces, also known as Andariel, Onyx Sleet and Stonefly, gained initial access via a compromised account in May 2024 and then deployed open-source and custom tools for lateral movement and persistence.
By September, the initial access established by Jumpy Pisces was leveraged to conduct pre-ransomware activity and ultimately deploy the Play ransomware payload. Unit 42 believes with “moderate confidence” that this points to a collaboration between Jumpy Pisces and Play.
“This change marks the first observed instance of the group using existing ransomware infrastructure, potentially acting as an initial access broker (IAB) or an affiliate of the Play ransomware group,” the Unit 42 researchers wrote. “This shift in their tactics, techniques and procedures (TTPs) signals deeper involvement in the broader ransomware threat landscape.”
Jumpy Pisces, which has ties to the Reconnaissance General Bureau of the Korean People’s Army of North Korea, has used its own custom ransomware in the past; in July, the U.S. Department of Justice indicted a member of the group for his alleged role in using the custom Maui ransomware to target U.S. healthcare organizations.
While it has traditionally been associated with cyberespionage, Jumpy Pisces has recently been shifting to apparent financially motivated attacks, potentially used to fund further cyberattacks or other North Korean government and military activities.
“These North Korean actors are good at gaining access to networks. However, they’re late to joining the ransomware game, so collaboration with a group that already has the infrastructure, processes, and procedures in place is a smart move,” Erich Kron, a security awareness advocate at KnowBe4, told SC Media. “Only time will tell if this collaboration continues or if the North Korean group moves on to creating their own ransom infrastructure.”
Unit 42 noted that this apparent shift in tactics means organizations should consider the activity and indicators of nation-state actors like Jumpy Pisces to be a potential precursor to ransomware and apply heightened vigilance when defending against these types of threats.
How the North Korean attacker paved the way for Play ransomware
Unit 42 responded to the attack on one of its customers in early September and traced the threat actor’s activity back to the initial access via a compromised account in late May.
The threat actor first began spreading a customized version of the open-source red teaming tool Sliver, as well as its own custom-developed tool known as Dtrack, across multiple hosts in the victim organization over the Server Message Block (SMB) protocol. They also used a customized version of the open-source credential dumping tool Mimikatz during this early stage of the attack.
Throughout June, the threat actor continued to spread Sliver and used Sliver beacons to communicate with a command-and-control (C2) server at an IP address that has previously been linked to Jumpy Pisces. In August, the attacker began to create malicious services, gather network configuration information and launch Remote Desktop Protocol (RDP) sessions, using a dedicated tool to create privileged user accounts.
Days before the ransomware deployment, Jumpy Pisces began to extract the Windows Security Account Manager (SAM), Security and System registry hives, continued its use of Mimikatz and continued to communicate with the C2 server via Sliver beaconing. Communications with the Jumpy Pisces C2 server continued up until the day of the ransomware deployment, Sept. 5, and the C2 server has been offline ever since, Unit 42 noted.
On Sept. 5, the compromised account that was initially used for the intrusion was accessed again, and this access was leveraged to conduct pre-ransomware actions, including dumping of Local Security Authority Subsystem Service (LSASS) credentials using Task Manager, abuse of Windows access tokens, escalation to system privileges via PsExec and further lateral movement. Mass uninstallation of endpoint detection and response (EDR) sensors was also carried out just prior to the ransomware deployment.
The attack culminated in the Play ransomware encryption of multiple hosts on the victim’s network on Sept. 5. Based on the use of the same account for initial access and the timeline of Sliver C2 communications, Unit 42 concluded that Jumpy Pisces likely coordinated with Play to conduct the attack, either as an affiliate or an IAB, although Play currently claims not to run a ransomware-as-a-service (RaaS) program.
The researchers noted that in addition to Sliver, Mimikatz and its own Dtrack infostealer, Jumpy Pisces also used a trojanized binary designed to steal browser history, autofill information and credit card details from Chrome, Edge and Brave browsers during the attack. The pre-ransomware activity carried out on Sept. 5, including use of TokenPlayer for Windows access token abuse and PsExec – both stored in the public “Music” folder – was also noted to be consistent with previous Play attacks.
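The pre-ransomware chain described above (SAM/Security/System hive export, an LSASS dump written by Task Manager, a PsExec service install, tooling staged under the public Music folder, and mass EDR sensor removal) is the kind of sequence a detection engineer would want to catch before encryption starts. The following is an added example, not code from Unit 42, SC Media or the Play or Jumpy Pisces tooling: it runs a handful of simple rules over constructed endpoint events. The event schema (fields such as kind, image, cmdline, target, service_name), the msiexec /x pattern used as a stand-in for "EDR uninstall", the product-code placeholder and every path and timestamp are assumptions made for the demonstration.

```python
"""Rule sketch for the pre-ransomware tradecraft discussed in the article.
Events are a constructed, simplified Sysmon/Security-log shape (kind =
"process" ~ Sysmon 1, "service" ~ System 7045, "file" ~ Sysmon 11). Field
names are assumptions for this example, not a real product schema."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (NOT from the Unit 42 report). Hosts, paths and
# times are invented; the msiexec product code is an explicit placeholder.
SAMPLE_EVENTS = [
    {"ts": "2024-09-02T10:01:00", "host": "WS01", "kind": "process",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SAM C:\Users\Public\Music\sam.hiv"},
    {"ts": "2024-09-02T10:01:05", "host": "WS01", "kind": "process",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SYSTEM C:\Users\Public\Music\sys.hiv"},
    {"ts": "2024-09-05T08:15:00", "host": "WS01", "kind": "file",
     "image": r"C:\Windows\System32\Taskmgr.exe",
     "target": r"C:\Users\admin\AppData\Local\Temp\lsass.DMP"},
    {"ts": "2024-09-05T08:20:00", "host": "SRV01", "kind": "service",
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": "2024-09-05T08:21:00", "host": "WS01", "kind": "process",
     "image": r"C:\Users\Public\Music\TokenPlayer.exe", "cmdline": "TokenPlayer.exe"},
    {"ts": "2024-09-05T08:30:00", "host": "SRV01", "kind": "process",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /x {EDR-PRODUCT-CODE-PLACEHOLDER} /qn"},
    {"ts": "2024-09-05T08:30:10", "host": "SRV02", "kind": "process",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /x {EDR-PRODUCT-CODE-PLACEHOLDER} /qn"},
    {"ts": "2024-09-05T08:30:20", "host": "SRV03", "kind": "process",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /x {EDR-PRODUCT-CODE-PLACEHOLDER} /qn"},
    # Benign noise the rules must ignore: a registry query and a vendor service.
    {"ts": "2024-09-05T09:00:00", "host": "WS02", "kind": "process",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"},
    {"ts": "2024-09-05T09:05:00", "host": "WS02", "kind": "service",
     "service_name": "PrintSpoolerHelper", "image_path": r"C:\Program Files\Vendor\svc.exe"},
]

HIVE_RE = re.compile(r"\breg(?:\.exe)?\s+save\s+HKLM\\(SAM|SECURITY|SYSTEM)\b", re.I)
UNINSTALL_RE = re.compile(r"msiexec(?:\.exe)?\s+/x\b", re.I)  # assumed uninstall shape
PUBLIC_MUSIC = "c:\\users\\public\\music\\"


def detect_hive_export(ev):
    """reg save of the SAM/SECURITY/SYSTEM hives (offline credential material)."""
    m = ev["kind"] == "process" and HIVE_RE.search(ev["cmdline"])
    return f"registry hive export ({m.group(1).upper()})" if m else None


def detect_lsass_dump(ev):
    """Task Manager writing lsass.DMP: a GUI-driven LSASS credential dump."""
    if (ev["kind"] == "file" and ev["image"].lower().endswith("\\taskmgr.exe")
            and ev["target"].lower().endswith("\\lsass.dmp")):
        return "LSASS dump written by Task Manager"
    return None


def detect_psexec_service(ev):
    """PSEXESVC service install is the classic PsExec remote-execution footprint."""
    if ev["kind"] == "service" and ev["service_name"].upper() == "PSEXESVC":
        return "PsExec service installed"
    return None


def detect_public_music_staging(ev):
    """Executables launched from or installed under the public Music folder."""
    path = (ev.get("image") or ev.get("image_path") or "").lower()
    return "executable staged in public Music folder" if path.startswith(PUBLIC_MUSIC) else None


def detect_mass_uninstall(events, window=timedelta(minutes=10), min_hosts=3):
    """Uninstall commands on >= min_hosts distinct hosts inside one time window."""
    hits = sorted((datetime.fromisoformat(e["ts"]), e["host"]) for e in events
                  if e["kind"] == "process" and UNINSTALL_RE.search(e["cmdline"]))
    for i, (t0, _) in enumerate(hits):
        hosts = {h for t, h in hits[i:] if t - t0 <= window}
        if len(hosts) >= min_hosts:
            return f"mass uninstall across {len(hosts)} hosts within {window}"
    return None


PER_EVENT_RULES = {"hive_export": detect_hive_export, "lsass_dump": detect_lsass_dump,
                   "psexec_service": detect_psexec_service,
                   "public_music_staging": detect_public_music_staging}


def analyze(events):
    """Return (rule, ts, host, detail) tuples for every rule hit."""
    findings = [(name, ev["ts"], ev["host"], msg) for ev in events
                for name, rule in PER_EVENT_RULES.items() if (msg := rule(ev))]
    mass = detect_mass_uninstall(events)
    if mass:
        findings.append(("mass_uninstall", events[-1]["ts"], "*", mass))
    return findings


def escalate(findings, min_rules=2):
    """Hosts where two or more distinct rules fired: treat as pre-ransomware."""
    per_host = defaultdict(set)
    for rule, _, host, _ in findings:
        per_host[host].add(rule)
    return {h for h, rules in per_host.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    hits = analyze(SAMPLE_EVENTS)
    for rule, ts, host, detail in hits:
        print(f"{ts} {host:6} {rule:22} {detail}")
    print("escalate:", sorted(escalate(hits)))
```

The per-host escalation is the point that matches the article's advice: any one of these rules fires on ordinary administration from time to time, but several of them on the same host within days, after earlier C2 beaconing, is the profile that should be treated as a ransomware precursor rather than as isolated alerts.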
Nation-state threat actors have increasingly been observed deploying ransomware or working with ransomware groups, shifting from cyberespionage and sabotage to potentially financially motivated crimes. In June, suspected China-sponsored threat groups APT41 and ChamelGang were linked, along with Andariel, by SentinelOne and Recorded Future researchers to a wave of ransomware attacks between 2021 and 2023.
Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) warned in August that the Iran-backed threat actor Pioneer Kitten had worked with affiliates of NoEscape, Ransomhouse and ALPHV/BlackCat to provide initial access to victims’ networks in exchange for a cut of the ransomware payouts.