March 5, 2024 at 12:04PM
North Korean threat actors have exploited ConnectWise ScreenConnect’s security flaws to deploy the TODDLERSHARK malware, which overlaps with the known Kimsuky malware families BabyShark and ReconShark. By exploiting the exposed setup wizard, the threat actors execute VB-based malware and gain ‘hands on keyboard’ access. TODDLERSHARK exhibits polymorphic behavior and is used for reconnaissance. Separately, the NIS accuses North Korea of compromising domestic semiconductor manufacturers’ servers.
Based on the meeting notes, the key takeaways are as follows:
– North Korean threat actors have exploited security flaws in ConnectWise ScreenConnect to deploy a new malware called TODDLERSHARK.
– TODDLERSHARK overlaps with known Kimsuky malware such as BabyShark and ReconShark, and exhibits polymorphic behavior to evade detection.
– The ConnectWise flaws in question are CVE-2024-1708 and CVE-2024-1709, which have been heavily exploited by multiple threat actors.
– South Korea’s National Intelligence Service (NIS) accused North Korea of compromising the servers of two domestic semiconductor manufacturers and pilfering valuable data.
– The threat actors targeted vulnerable servers to gain initial access and leveraged living-off-the-land (LotL) techniques to evade detection.
These takeaways summarize the malware, the actions taken by the threat actors, and the response and accusations made by South Korea’s NIS.
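On a ScreenConnect server that has already been configured, no client has any business reaching the setup wizard, so requests to it after installation are a cheap, high-signal indicator of the exposure described above. The following is an added example, not code from the original summary or from ConnectWise: it assumes a reverse proxy in front of the server writes Apache/NGINX common log format (constructed sample lines are embedded), and flags every wizard request dated after the installation finished.

```python
import re
from datetime import datetime, timezone

# Assumed: a reverse proxy in front of ScreenConnect writes Apache/NGINX "common" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SETUP_WIZARD = "setupwizard.aspx"  # page served by the ScreenConnect setup wizard

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def flag_setup_wizard_hits(lines, install_completed):
    """Return (ip, method, path, status) for each request that reached the setup wizard
    after installation finished; a 200 response is the strongest signal, a POST means
    someone submitted the wizard form."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or SETUP_WIZARD not in rec["path"].lower():
            continue
        if rec["ts"] <= install_completed:
            continue  # first-run configuration by the administrator is expected
        hits.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
    return hits

# Constructed sample log: install finished 2024-02-01; only the last two wizard hits come later.
INSTALL_COMPLETED = datetime(2024, 2, 1, tzinfo=timezone.utc)
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Jan/2024:09:12:01 +0000] "GET /SetupWizard.aspx HTTP/1.1" 200 5120',
    '10.0.0.5 - - [31/Jan/2024:09:13:40 +0000] "POST /SetupWizard.aspx HTTP/1.1" 302 0',
    '10.0.0.9 - - [20/Feb/2024:14:02:11 +0000] "GET /Host HTTP/1.1" 200 8811',
    '203.0.113.77 - - [21/Feb/2024:03:44:09 +0000] "GET /setupwizard.aspx HTTP/1.1" 200 5120',
    '203.0.113.77 - - [21/Feb/2024:03:44:12 +0000] "POST /SetupWizard.aspx HTTP/1.1" 302 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in flag_setup_wizard_hits(SAMPLE_LOG, INSTALL_COMPLETED):
        print("ALERT setup wizard reached after install:", hit)
```

Matching on the lowercased path substring rather than an exact string means capitalisation or path variants still surface; feed it the real proxy log and the real install date to use it beyond the sample.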