Kimsuky Takes Advantage of BlueKeep RDP Flaw to Infiltrate Systems in South Korea and Japan

BlueKeep RDP vulnerability exploitation,” ASEC stated.

A Sophisticated Method of Attack

The Kimsuky group, also known as Thallium, Velvet Chollima, and Black Banshee, has traditionally targeted South Korea, with occasional campaigns against Japan and the United States.

The typical profile for targets includes key think tanks, government entities, and defense companies.

With the exploitation of the BlueKeep Remote Desktop Protocol (RDP) vulnerability, Kimsuky showcased an elevated level of sophistication, stepping up its game from classic spear-phishing tactics to more advanced means of incursion.

The BlueKeep vulnerability, officially designated as CVE-2019-0708, impacts Windows 7, Windows XP, Server 2003, Server 2008, and Server 2008 R2.

The flaw allows arbitrary code to be executed remotely without any user interaction – a capability the Kimsuky group relied on heavily in this attack.

The Infiltrator: Larva-24005 Malware

ASEC observed a strong correlation between the Larva-24005 variant and the Kimsuky group, with evidence pointing to the latter using the variant in its cyber espionage campaigns.

Larva-24005 has been observed exploiting the BlueKeep vulnerability to gain initial access before downloading additional malware modules to take full control of the victim’s machine.

The multiple layers of the attack further indicate a strategic, coordinated, and calculated effort to breach desired systems.

Preventive Measures and Recommendations

Organizations need to consider immediate measures to counter this threat.

ASEC urges businesses to apply the patches Microsoft released for the BlueKeep vulnerability.

Despite the patch having been released more than two years ago, there are evidently still systems around the globe that remain exposed and vulnerable.

Furthermore, companies should engage in continuous monitoring and regular security assessments.

Approaches such as security awareness training, regular software updates, and threat hunting will play a crucial role in minimizing the risk created by these sophisticated cyber-attacks.
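As a concrete starting point for the patching and monitoring advice above, the following PowerShell script audits a single Windows host for BlueKeep exposure. It is an added example written for this page, not code from ASEC, AhnLab or the article; the function name `Test-BlueKeepExposure` is this author's, and the `$FixKbs` list is a placeholder that must be filled in from Microsoft's advisory for CVE-2019-0708 before the patch check means anything. The script checks three things: whether the host runs one of the OS versions the article names, whether one of the supplied fix KBs is installed, and whether RDP is enabled with Network Level Authentication (NLA) required, since the flaw is reachable before authentication and NLA limits that exposure.

```powershell
# Added example (not from the article or ASEC): audit this host for CVE-2019-0708 exposure.
# Run in an elevated PowerShell session on the host being checked.
function Test-BlueKeepExposure {
    param(
        # PLACEHOLDER: replace with the KB numbers for this OS from Microsoft's
        # CVE-2019-0708 advisory. Left blank here so the check cannot pass by accident.
        [string[]]$FixKbs = @('KB-PLACEHOLDER-FROM-MS-ADVISORY')
    )

    # Kernel versions of the OS families the article lists as affected.
    $affected = @{
        '5.1' = 'Windows XP'
        '5.2' = 'Windows Server 2003'
        '6.0' = 'Windows Server 2008'
        '6.1' = 'Windows 7 / Windows Server 2008 R2'
    }

    $os  = [System.Environment]::OSVersion.Version
    $key = "$($os.Major).$($os.Minor)"
    $result = @{ Host = $env:COMPUTERNAME; OSVersion = $os.ToString() }

    if (-not $affected.ContainsKey($key)) {
        $result.Status = 'Not in an affected OS family'
        return New-Object -TypeName PSObject -Property $result
    }
    $result.OSFamily = $affected[$key]

    # 1. Patch check: is any of the supplied fix KBs present in the installed hotfix list?
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $result.PatchInstalled = [bool]($FixKbs | Where-Object { $installed -contains $_ })

    # 2. Exposure check: RDP enabled (fDenyTSConnections = 0) and NLA required
    #    (UserAuthentication = 1 on the RDP-Tcp listener).
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdp = Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $nla = Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue
    $result.RDPEnabled  = ($rdp -ne $null) -and ($rdp.fDenyTSConnections -eq 0)
    $result.NLARequired = ($nla -ne $null) -and ($nla.UserAuthentication -eq 1)

    # 3. Verdict. NLA reduces but does not remove the risk; only the patch does.
    if ($result.PatchInstalled) {
        $result.Status = 'Patched'
    } elseif ($result.RDPEnabled -and -not $result.NLARequired) {
        $result.Status = 'EXPOSED: unpatched, RDP enabled, NLA not required - patch immediately'
    } elseif ($result.RDPEnabled) {
        $result.Status = 'Unpatched, RDP enabled, NLA required - still patch'
    } else {
        $result.Status = 'Unpatched, RDP disabled - patch before enabling RDP'
    }
    New-Object -TypeName PSObject -Property $result
}

Test-BlueKeepExposure | Format-List
```

Run it per host, or wrap the call in `Invoke-Command` across a fleet, and treat any `EXPOSED` verdict as a patch-now item. NLA is only a stopgap: it stops unauthenticated connections from reaching the vulnerable code path, but an attacker with valid credentials can still trigger the flaw, so the `PatchInstalled` field is the one that has to end up `True`.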

Follow-Up Reading

1. BlueKeep (CVE-2019-0708) Exploitation Spotted in the Wild – Microsoft Security

2. Detailed analysis of Larva-24005 – AhnLab Security Intelligence Center

3. Deep-Dive into Kimsuky APT – Symantec Threat Intelligence
