North Korean APT Hackers Exploiting DMARC Misconfigs For Phishing Attacks


DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that helps domain owners protect their domains against unauthorized use such as email spoofing and phishing.

Building on the existing SPF and DKIM protocols, DMARC lets domain owners publish a policy in a DNS TXT record that tells receiving servers how to handle messages that fail authentication checks: monitor only (none), quarantine, or reject.


Barracuda researchers recently identified that North Korean APT hackers have been actively exploiting DMARC misconfigurations in phishing attacks.

Hackers Exploiting DMARC Misconfigs

The North Korean hacking group Kimsuky has been exploiting weaknesses in email authentication, specifically misconfigured DMARC policies, in its phishing campaigns.

Operating under North Korea’s Reconnaissance General Bureau, the group runs targeted spear-phishing campaigns that take advantage of weak email authentication setups, including unenforced SPF and DKIM checks.


Their attacks primarily target think tanks, media organizations, and academic institutions, using domain spoofing to craft emails that appear to come from legitimate senders.

Kimsuky email attack (Source – Barracuda)

These emails evaded standard defenses because many of the spoofed organizations had inadequate DMARC policies, either set to p=none (monitor only) or otherwise misconfigured, rather than an enforcing quarantine or reject policy.

That oversight let Kimsuky deliver its messages directly to users’ inboxes, since a monitor-only policy reports authentication failures but does not block them.

The group is particularly interested in sensitive information related to foreign policy and nuclear matters.

The campaign shows how a misconfigured email authentication policy can open a significant hole even in otherwise well-protected environments.

Kimsuky runs its phishing attacks as a two-phase email exchange.

First, it sends benign-looking emails posing as trusted institutions to build rapport with the target.

Once trust is established, it follows up with emails that carry the malicious payload, either as an infected attachment or a malicious hyperlink.

The attacks are most effective when the group gains access to a legitimate email system: mail sent from a compromised legitimate server passes SPF and DKIM, so DMARC has nothing to block.

In one instance, a spear-phishing email inviting targets to a North Korea policy conference passed SPF and DKIM verification because it was sent through a hacked legitimate email system.

Many organizations deploy DMARC incorrectly, leaving it at the monitor-only policy (p=none), which only reports failing messages without blocking them.

This creates a dangerous false sense of security around operational mailboxes: the domain appears protected, yet spoofed mail is still delivered.
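To make the policy difference above concrete, here is an added Python example (not code from the Barracuda report or from this article) that parses a DMARC TXT record, flags the weaknesses described in the two preceding passages (p=none, partial pct, weaker subdomain policy, no reporting address), and evaluates how a receiver would dispose of three constructed messages: a plain spoof, a message that passes SPF only on an unrelated domain, and one sent through a compromised legitimate system as in the conference-invite case. The domain names and records are made up, and the organizational-domain logic is simplified (it does not consult the Public Suffix List).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed DMARC TXT records for a fictitious domain (not from the report).
WEAK_RECORD = "v=DMARC1; p=none; pct=50; rua=mailto:dmarc@thinktank.example"
STRICT_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                 "rua=mailto:dmarc@thinktank.example")

_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record (RFC 7489 'tag=value;' list) into a dict."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record does not start with v=DMARC1")
    if tags.get("p", "").lower() not in _RANK:
        raise ValueError("missing or invalid p= tag")
    return tags


def audit_record(tags: Dict[str, str]) -> List[str]:
    """Flag the misconfigurations the article describes: monitor-only policy,
    partial enforcement, weaker subdomain policy, and no reporting address."""
    issues: List[str] = []
    p = tags["p"].lower()
    if p == "none":
        issues.append("p=none: failing mail is reported but still delivered")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    sp = tags.get("sp", p).lower()
    if _RANK.get(sp, 0) < _RANK[p]:
        issues.append(f"sp={sp}: subdomains enforced more weakly than the parent")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports are never received")
    return issues


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels. Real receivers
    consult the Public Suffix List; the shortcut is an assumption of this example."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str                    # domain in the RFC5322.From header
    spf_pass_domain: Optional[str]      # MAIL FROM domain if SPF passed, else None
    dkim_pass_domains: Tuple[str, ...]  # d= of every DKIM signature that verified


def dmarc_disposition(tags: Dict[str, str], r: AuthResults) -> Tuple[str, str]:
    """Return (dmarc_result, disposition) as a receiver applying the record would.
    pct sampling is ignored so the result is deterministic."""
    dkim_ok = any(aligned(d, r.from_domain, tags.get("adkim", "r"))
                  for d in r.dkim_pass_domains)
    spf_ok = aligned(r.spf_pass_domain, r.from_domain, tags.get("aspf", "r"))
    if dkim_ok or spf_ok:
        return "pass", "deliver"
    p = tags["p"].lower()
    return "fail", ("deliver" if p == "none" else p)  # p=none never blocks


# Constructed scenarios against the fictitious domain thinktank.example.
# Plain spoof from attacker infrastructure: no aligned SPF or DKIM.
SPOOFED = AuthResults("thinktank.example", None, ())
# SPF passes, but for the attacker's own bounce domain, so it does not align.
UNALIGNED = AuthResults("thinktank.example", "bulk-mailer.example", ())
# Sent through a hacked legitimate mail system: SPF and DKIM pass and align,
# so DMARC passes whatever the policy says.
COMPROMISED = AuthResults("thinktank.example", "thinktank.example",
                          ("thinktank.example",))

if __name__ == "__main__":
    for name, record in (("weak", WEAK_RECORD), ("strict", STRICT_RECORD)):
        tags = parse_dmarc(record)
        print(f"[{name}] issues: {audit_record(tags) or ['none found']}")
        for label, msg in (("spoofed", SPOOFED), ("unaligned SPF", UNALIGNED),
                           ("compromised", COMPROMISED)):
            print(f"  {label:14s} -> {dmarc_disposition(tags, msg)}")
```

Two things worth noticing in the output: the spoofed and unaligned messages are delivered under the weak record and rejected under the strict one, which is the whole difference between a monitoring deployment and an enforcing one; and the message from the compromised system passes under both records, which is why the article's point about hacked legitimate mail systems matters and why DMARC alone is not a complete defense.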

Recommendations

Recommended mitigations:

  • Set the DMARC policy to quarantine or reject so that failing emails are actually blocked rather than only reported.
  • Use AI-driven email protection to detect sophisticated threats that DMARC may miss, such as mail sent from compromised legitimate accounts.
  • Conduct regular phishing simulations.



