
Kimsuky APT Attack Exposed: GPKI Certificates, Rootkits & Cobalt Strike Tools Revealed

johny899

Has something online ever made you think "Wow"? That is what happened to me when I discovered the Kimsuky APT. I love tech/hacker stories, and this one is crazy: they are using GPKI certificates, rootkits, and Cobalt Strike, everything a hacker's toolkit contains.

What is Kimsuky?

In case you have not heard of them, Kimsuky is a North Korean hacking group that targets government and corporate networks, mainly in South Korea but in other places as well. They are smart, slow and frightening. They have no intention of hacking and running; they break in, pitch a tent, sit there continuously gathering intelligence, and only then leave. That is very interesting, but also very frightening.

GPKI certificates: False Trust

Kimsuky uses GPKI certificates. GPKI is South Korea's Government Public Key Infrastructure: the digital ID certificates that government systems and officials use to prove who they are, much like the certificates behind HTTPS links on websites prove a site's identity. A system that trusts GPKI will accept anything signed with a valid GPKI certificate. When Kimsuky signs its tools with fake GPKI certificates, the target's systems believe that software is trusted government software.

Here is why this is significant:

• They can potentially bypass security checks that rely on a valid signature.
• Malware appears as trusted, legitimately signed software.
• Security teams have difficulty identifying it, because the signature check itself passes.
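The practical defence against this is not "is the signature valid?" but "is the signer someone we actually expect?". The script below is an added example written for this post, not code from the original author or from any Kimsuky report. It walks a directory, checks each executable's Authenticode signature with the built-in Get-AuthenticodeSignature cmdlet, and reports two things: files whose signature does not verify, and files whose signature verifies but whose signer is not on an allowlist. The allowlist contents, the $ExpectedPublishers variable name and the scanned path are assumptions for illustration; replace them with the publishers and locations you have baselined.

```powershell
# Added example (not from the original post): flag executables whose Authenticode
# signature verifies but whose signing certificate is not a publisher you expect.
# The allowlist below is a placeholder assumption; build it from your own baseline.
$ExpectedPublishers = @(
    'CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US',
    'CN=Example Trusted Publisher, O=Example Corp, C=KR'   # hypothetical entry
)

function Find-UnexpectedSigner {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Allowlist = $ExpectedPublishers
    )

    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll, *.sys -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate

            # Unsigned or broken signatures are a finding in their own right.
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    File    = $_.FullName
                    Finding = "Signature status: $($sig.Status)"
                    Subject = if ($cert) { $cert.Subject } else { $null }
                    Issuer  = if ($cert) { $cert.Issuer }  else { $null }
                }
                return   # move on to the next file
            }

            # The dangerous case: the signature is VALID, but the signer is nobody
            # you expect. A fake or misused government certificate passes the
            # cryptographic check; only this identity check catches it.
            if ($Allowlist -notcontains $cert.Subject) {
                [pscustomobject]@{
                    File       = $_.FullName
                    Finding    = 'Valid signature from unexpected publisher'
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                }
            }
        }
}

# Usage: scan a location where dropped tools commonly land and review the results.
Find-UnexpectedSigner -Path "$env:ProgramData" | Format-Table -AutoSize
```

Review the Issuer and Thumbprint columns rather than just the Subject: a certificate whose subject looks like a government body but whose issuer chain or thumbprint you have never seen before is exactly the case this section is about. Feeding the same output into your SIEM turns a one-off check into a recurring detection.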

Rootkits: An Obscure Presence in Your Computer

Rootkits are another piece of their puzzle. They let attackers hide inside a computer almost like ghosts, or so I have seen. I once tried malware on a dedicated test computer and the rootkits quickly turned invisible. With that cover, Kimsuky can move across networks without anyone knowing they are there.

Cobalt Strike: Hacking's Blade

They even use Cobalt Strike, a tool built for security testing that attackers picked up and use anyway. It lets Kimsuky take over and remotely control compromised computers to steal data. For a hacker it is like being handed the keys to a big building, except the building is a government network.

Summary: Kimsuky is dangerous and very hard to stop when it combines trusted-looking GPKI certificates with rootkits and Cobalt Strike.

Final thoughts

I feel a twinge of anxiety reading about Kimsuky, but also a shot in the arm to keep hardening my systems. Have you ever compared what real hackers do to what the movies show? It's not like that: there are no explosions, just real smarts.

Next time you hear about APT groups, remember that Kimsuky is no joke. And you should probably check your systems' security... just an idea.