U.S. cybersecurity agencies have warned that the hacking wing of North Korea’s Reconnaissance General Bureau (RGB), codenamed APT43, is exploiting weak and missing Domain-based Message Authentication Reporting and Conformance (DMARC) policies to send spoofed spearphishing emails appearing as if they came from a legitimate domain’s email exchange. The spearphishing emails using this technique have been sent to think tanks, research centers, academic institutions, and media organizations in the United States, Europe, Japan, and South Korea since at least 2018.
DMARC is security protocol that validates whether an email seemingly sent from an organization’s domain was indeed sent from that domain. Securely configured DMARC policies help ensure threat actors, like APT43, are unable to spoof an organization’s legitimate email domain when sending spearphishing messages to a target.
To mitigate this threat, U.S. cybersecurity agencies recommend organizations update their DMARC security policy to use "v=DMARC1; p=quarantine;" or "v=DMARC1; p=reject;" configurations. These policies will instruct email servers to quarantine and block all emails that fail DMARC checks, as well as tag them as potential spam.
Identify, measure, and reduce your risk with a personalized attack surface report.
Our automated attack surface reports detect end-of-life software and operating systems, exposed devices and services, third-party risks & more.
Try it free
Source: Bleeping Computer
Analysis
Adding credibility to spearphishing emails by making them appear as if they are coming from a legitimate organization reduces the chances the malicious email will be flagged as spam and increases the likelihood that the recipient will read the email, and even open documents or links included within.
Thus, it’s an effective technique, and its use is expected of a sophisticated state-sponsored actor like APT43. Fortunately, the threat this technique poses can be mitigated by organizations understanding and properly configuring DMARC policies, and other security protocols, for their domains.
Mitigation
Field Effect’s elite team of Security Intelligence professionals constantly monitor the cyber threat landscape for threats emanating from actors like APT43. This research contributes to the timely deployment of signatures into Field Effect’s MDR solution to detect and mitigate these threats.
Field Effect MDR users are automatically notified if a missing, weak, or misconfigured DMARC policy is detected in association with one of their domains and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
In addition to the mitigation advice provided by U.S. cybersecurity agencies above, Field Effect recommends implementing a Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). SPF and DKIM are additional email authentication methods that provide additional layers of security on which DMARC protocols rely. To verify which security protocols are configured on a domain, users can use the free tool offered by the Global Cyber Alliance found here.
Finally, Field Effect users are encouraged to submit suspicious emails they receive to our Suspicious Email Analysis Service (SEAS) which will provide them with details regarding any potential threat the email may contain.
Related Articles