Article Details
Scrape Timestamp (UTC): 2025-04-21 16:45:39.731
Source: https://thehackernews.com/2025/04/kimsuky-exploits-bluekeep-rdp.html
Original Article Text
Click to Toggle View
Kimsuky Exploits BlueKeep RDP Vulnerability to Breach Systems in South Korea and Japan. Cybersecurity researchers have flagged a new malicious campaign related to the North Korean state-sponsored threat actor known as Kimsuky that exploits a now-patched vulnerability impacting Microsoft Remote Desktop Services to gain initial access. The activity has been named Larva-24005 by the AhnLab Security Intelligence Center (ASEC). "In some systems, initial access was gained through exploiting the RDP vulnerability (BlueKeep, CVE-2019-0708)," the South Korean cybersecurity company said. "While an RDP vulnerability scanner was found in the compromised system, there is no evidence of its actual use." CVE-2019-0708 (CVSS score: 9.8) is a critical wormable bug in Remote Desktop Services that could enable remote code execution, allowing unauthenticated attackers to install arbitrary programs, access data, and even create new accounts with full user rights. However, in order for an adversary to exploit the flaw, they would need to send a specially crafted request to the target system Remote Desktop Service via RDP. It was patched by Microsoft in May 2019. Another initial access vector adopted by the threat actor is the use of phishing mails embedding files that trigger another known Equation Editor vulnerability (CVE-2017-11882, CVSS score: 7.8). Once access is gained, the attackers proceed to leverage a dropper to install a malware strain dubbed MySpy and a RDPWrap tool referred to as RDPWrap, in addition to changing system settings to allow RDP access. MySpy is designed to collect system information. The attack culminates in the deployment of keyloggers like KimaLogger and RandomQuery to capture keystrokes. The campaign is assessed to have been sent to victims in South Korea and Japan, mainly software, energy, and financial sectors in the former since October 2023. Some of the other countries targeted by the group include the United States, China, Germany, Singapore, South Africa, the Netherlands, Mexico, Vietnam, Belgium, the United Kingdom, Canada, Thailand, and Poland.
Daily Brief Summary
North Korean state-sponsored group Kimsuky employed the BlueKeep RDP vulnerability (CVE-2019-0708) to infiltrate systems in South Korea and Japan.
The campaign, named Larva-24005, utilized phishing attacks and malware such as MySpy and RDPWrap to maintain access and escalate privileges.
Security patches for the exploited vulnerabilities, including the critical BlueKeep flaw, had been released by Microsoft as early as May 2019.
Attackers installed keyloggers, including KimaLogger and RandomQuery, to monitor and capture victim keystrokes.
Victims primarily included entities within the software, energy, and financial sectors, indicating a strategic selection of targets.
The operation signals ongoing cybersecurity risks posed by state-sponsored actors in the geopolitical landscape of East Asia.
This incident underscores the importance of timely system updates and comprehensive cybersecurity defenses against complex threat vectors.