
Update: North Korean Actors Exploit Weak DMARC Security

May 7, 2024
DMARC Protocol
Security

Introduction

In light of the May 2, 2024 Cybersecurity Advisory (CSA) JCSA-20240502-001 from the FBI, the State Department, and the NSA, we are revisiting our previous blog post on the exploitation of DMARC policies by threat actors such as TA427. The joint advisory warns about North Korean cyber actors, specifically Kimsuky (aka Emerald Sleet, APT43, Velvet Chollima, and Black Banshee), who exploit improperly configured DMARC policies to mask their social engineering attacks.

“Spearphishing continues to be a mainstay of the DPRK cyber program and this CSA provides new insights and mitigations to counter their tradecraft,” said NSA Cybersecurity Director Dave Luber.

The Threat: Exploitation of DMARC by Kimsuky

The advisory underscores the critical importance of properly configuring DMARC policies to mitigate email spoofing and phishing risks. Kimsuky and other North Korean-aligned threat groups exploit weaknesses in DMARC configurations to send spoofed emails that appear legitimate, facilitating their spearphishing campaigns.

Actionable Steps

It is imperative that organisations take proactive measures to secure their domains against such threats. Here are some actionable steps:

  1. Update DMARC Policies: Ensure that your organisation's DMARC policies are properly configured and enforce actions against emails failing DMARC checks. Transitioning from permissive policies like `p=none` to more secure policies like `p=quarantine` or `p=reject` is crucial in mitigating the risk of email spoofing.
  2. Protect Subdomains: Ensure your DMARC policies do not use the `sp=none` tag. VerifyDMARC detects subdomain activity automatically, ensuring nothing is overlooked. See our post on subdomains.
  3. Ensure Complete Coverage: Apply enforcement DMARC policies to all domains, even those not actively in use. See our posts on parked domains and onmicrosoft.com domains for more information.
  4. Enhance Monitoring: Regularly monitor DMARC policies and reports, investigating any suspicious activity. Prompt detection and response can prevent security breaches. Sign up for a VerifyDMARC trial today to get immediate insights.
  5. Employee Training: Educate employees about the dangers of phishing attacks and how to identify suspicious emails. Implementing robust security awareness training programs can significantly reduce the likelihood of successful phishing attempts.
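The first three steps can be turned into a repeatable check. The following is an added example written for this post, not code from the advisory or from VerifyDMARC: it parses a DMARC TXT record and flags the weak settings discussed above (`p=none`, an explicit `sp=none` beneath an enforced `p=`, a `pct` below 100, and a missing `rua` address). It assumes the record has already been fetched from DNS; the records here are constructed sample inputs, and the domain names are placeholders under the `.test` TLD. Per RFC 7489, `sp` defaults to the value of `p` when absent, so only an explicit weaker `sp` is reported as a gap.

```python
"""Audit DMARC TXT records for the permissive settings the advisory warns about.

Added example for this post; not code from the advisory or from VerifyDMARC.
All records and domain names below are constructed, not real lookups.
"""

# Constructed sample records keyed by a placeholder domain (None = nothing published)
SAMPLE_RECORDS = {
    "permissive.test": "v=DMARC1; p=none; rua=mailto:dmarc@permissive.test",
    "subdomain-gap.test": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@subdomain-gap.test",
    "partial.test": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.test",
    "enforced.test": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.test; ruf=mailto:dmarc@enforced.test",
    "missing.test": None,
}


def parse_dmarc(record):
    """Split a DMARC record ("tag=value; tag=value") into a lower-cased tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue  # skip empty trailing segments and malformed pieces
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record):
    """Return a list of findings for one record; an empty list means no weakness found."""
    findings = []
    if record is None:
        findings.append("no DMARC record: publish one with p=quarantine or p=reject")
        return findings

    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        findings.append("record does not start with v=DMARC1; receivers will ignore it")
        return findings

    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag; the record is not valid DMARC")
    elif policy == "none":
        findings.append("p=none: mail failing DMARC is still delivered; move to quarantine or reject")

    # sp= inherits p= when absent, so only an explicit weaker sp= widens the gap
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains are unprotected although the organisational domain is enforced")

    # pct= below 100 applies the policy to only a sample of failing mail
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100 and policy != "none":
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")

    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected, so spoofing goes unseen")
    return findings


def audit_all(records):
    """Audit every domain in a {domain: record} mapping; returns {domain: [findings]}."""
    return {domain: audit_dmarc(record) for domain, record in records.items()}


if __name__ == "__main__":
    for domain, findings in audit_all(SAMPLE_RECORDS).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{domain}: {status}")
```

Run it over the records of every domain you own, including parked domains, and treat any non-empty list of findings as work to do. Wiring in a real DNS lookup of `_dmarc.<domain>` is left to the reader; the logic above only needs the record text.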

Conclusion

As the tactics of threat actors continue to evolve, organisations must remain vigilant and proactive in safeguarding their email infrastructure. By prioritising the implementation of robust DMARC policies and investing in comprehensive email security solutions, organisations can effectively mitigate the risk of falling victim to sophisticated phishing campaigns orchestrated by groups like Kimsuky.

Don’t wait for a breach to occur before taking action. Secure all your domains today with a risk-free 30-day trial of VerifyDMARC and fortify your defences against cyber attacks.
