HKOWT news

Think straight, talk straight

NSA Warns of North Korean Hackers Spoofing Emails From Legit Domains

The Kimsuky hacking group is exploiting improper configurations of an email protection feature known as DMARC, US agencies say.

The US is warning that North Korean hackers are exploiting a security feature to spoof emails from official internet domains to make their phishing attacks look convincing. 

The warning comes from the NSA, FBI, and the State Department, which say the hackers are abusing a flaw with DMARC, an email protection system designed to stop such spoofing. 

Ideally, a properly configured DMARC policy will tell email servers to automatically block or flag as spam any messages that try to spoof the domain it’s protecting. It’s why DMARC has become a major safeguard across the industry to stop junk and malicious email messaging.   

But the NSA and the FBI alert notes that some DMARC policies have been configured with a “p=NONE” setting, “in which no email filtering action is taken on the message, despite the failed DMARC verification.”

“This ultimately allows the spearphishing email to be delivered to the victim’s inbox,” the agencies wrote in their 9-page alert. “While the sender of the email and the organization’s email domain appear to be legitimate, the North Korean cyber actor exploited the organization’s weak and overly permissive, rather than specifically defined, DMARC policy.”

The federal agencies say a North Korean state-sponsored group dubbed Kimsuky, or APT43, has been exploiting the flaws while impersonating “journalists, academics, or other experts in East Asian affairs with credible links to North Korean policy circles.” The goal has been to collect intelligence and access private documents and research from victim computers. 

The alert includes five sample emails that the North Korean hackers sent to targets from “late 2023 to early 2024,” which US investigators recovered. In one of the emails, the hackers impersonate an official at a think tank and invite the recipient to be a keynote speaker at an event.

“Notably, a speaker fee is offered to further entice the recipient,” the US agencies say. “Additionally, the North Korean actor edited the ‘Reply-To’ email to route replies back to another seemingly legitimate, but fraudulent, account controlled by the actor.”

To address the threat, the alert urges companies and organizations to set their DMARC policy to one of two configurations, “v=DMARC1; p=quarantine;” or “v=DMARC1; p=reject;”, which will cause receiving email servers to essentially flag the spoofed emails as spam.
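As an added example (not code from the article or from the agencies' alert), the following Python parses a DMARC TXT record and reports whether it carries the permissive “p=none” the alert describes or one of the enforcing settings it recommends; the sample records are constructed, and the pct= handling is an extra check beyond what the article covers.

```python
# Added example, not from the article or the alert: classify a DMARC record
# as permissive (p=none) or enforcing (p=quarantine / p=reject).
ENFORCING = ("quarantine", "reject")

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a dict keyed by lowercase tag."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> dict:
    """Return {'policy', 'enforcing', 'reason'} for a single DMARC TXT record."""
    # A DMARC record must begin with v=DMARC1; anything else is not DMARC at all.
    if not record.strip().lower().startswith("v=dmarc1"):
        return {"policy": None, "enforcing": False, "reason": "not a DMARC1 record"}
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if policy not in ("none",) + ENFORCING:
        return {"policy": policy or None, "enforcing": False,
                "reason": "missing or invalid p= tag"}
    # pct= (default 100) is the share of failing mail the policy is applied to;
    # p=reject with a low pct is nearly as permissive as p=none.
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        reason = "p=none: mail failing DMARC is still delivered (the setting in the alert)"
    elif pct < 100:
        reason = f"p={policy} but pct={pct}: only part of failing mail is acted on"
    else:
        reason = f"p={policy} applied to all failing mail"
    return {"policy": policy,
            "enforcing": policy in ENFORCING and pct == 100,
            "reason": reason}

# Constructed sample records (example.com is a reserved documentation domain).
SAMPLES = {
    "weak":       "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "quarantine": "v=DMARC1; p=quarantine;",
    "reject":     "v=DMARC1; p=reject;",
    "partial":    "v=DMARC1; p=reject; pct=10",
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(f"{name:10s} {assess_dmarc(rec)['reason']}")
```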

Source: pcmag
