
All right. Hello. Sorry, I'll try not to talk too loud into the mic, but welcome back from lunch. I hope not everybody falls asleep during this. I know the afternoon slots are a little tough sometimes, so I'll try to keep this engaging, keep everybody awake. I'm Gary Freeze. I work at Mandiant. I'm a senior cyber threat intelligence analyst on the Advanced Intelligence Access program, and I work in our DPRK-focused, North Korea-focused threat cell. Today I'm going to talk to you a little bit about how APT43 is exploiting and leveraging some improper email configuration to conduct some of their phishing operations.

Sorry, a little background on who we are. You see the logo here; that's our de facto coin, de facto sticker. In fact, I'm going to set some stickers up here. If you want to grab some after the presentation, feel free. If you want to leave some of your stickers, I will certainly accept them. They'll go on the laptop that's already flooded. But we're a team made of about half a dozen to a dozen folks that kind of cycle in and out, working on special projects focused on North Korean cyber operations. We got started about six, seven years ago. A couple of the folks that are on the cell now, I worked with at a previous client, Michael Barnhart. Maybe you've heard of him. He's kind of our de facto cat herder, but he's also the face of our team. He's usually the one out on the speaking tours. I'm from the Rochester area originally, so I kind of stole this opportunity to come back home and do a little presentation.

But what we were observing back then, when we got started, is we were seeing a lot of activity that we thought was related to DPRK, ran it down, and kind of showed, hey, here's our empirical evidence. Here's why we think this is North Korea. Who else cares about this? And we talked to FireEye, the predecessor; well, it merged with Mandiant, then Mandiant split back off, and now we're part of Google. But we talked to some of the FireEye folks and some of the other professionals out there, and it didn't seem like anybody really had a grasp on what North Korea cyber looked like, and they didn't really seem to care too much either. I think the prevailing thought at the time was like, they don't really have internet access, so nobody should care about it, right? But we were able to show that they were doing stuff from kind of all over the world, but also they're very crafty. So they have limited internet access, but they're able to kind of leverage it with some partnerships and places that they go abroad. If you've ever heard of IT workers related to DPRK, they're deployed abroad, working; some of the militia cyber actors as well, they're working outside the country. So they get crafty to try to find that internet access that they need to go after people. So we've been kind of preaching the gospel. We think we're making some headway. It seems like some of the partners that we've developed with seem to have a lot of telemetry that helps us. So this has been a labor of love for us, or hate, I don't know, whatever it is.

A little background on North Korea. If you don't know, it's a very totalitarian, oppressive regime. The main focus of the Kim dynasty is to stay in power. They use coercion, they use propaganda, they use indoctrination, you know, violence, solitude and confinement and imprisonment and work camps and stuff to keep the population from uprising against the regime, to stay in power. Their second national priority is to establish legitimacy on a geopolitical scale, and a big part of that is the nuclearization of their military. So we see them all the time talking to folks with these phishing operations, trying to gather information and intel on how the West views the regime, how it would respond to a nuclear weapon in North Korea, how it would respond to some of the activities that the Kim regime partakes in. Violation of human rights and stuff like that is a big deal on the geopolitical scale. They've embraced cyber as a major tool in their arsenal to build out their military capabilities, steal proprietary information, steal research, enhance their abilities to nuclearize, but also get into space, right? They want an ICBM that can reach from Pyongyang to anywhere in the world. They view that as, and it's no secret, right? Nuclearized countries are typically the ones that are taken a little more seriously, right? A nuke in the hands of this guy, you know, we don't want that. But they think it's going to be something that will make them a player on the grand scale. So they want to be part of the international picture.

So, who is APT43? Well, this is one of our most recent graduated APTs. If you've ever heard the term Lazarus Group, that's kind of the catchall term for North Korea cyber. We track several entities that fall under that bigger umbrella. Kimsuky is another term that's used for some of the activity; some of the activity of Kimsuky is what we track as APT43. Some of that additional activity we track as different actors or subsets of actors, but APT43 aligns fairly closely with the actor that a lot of public entities track as Kimsuky. We like to call them their kind of CIC function, right? Because the operations that they conduct, they're going out gathering intel, whether it's OSINT or phishing people to get information. They're constantly searching for intelligence that they can send back to the regime and inform their decision-making, inform how they'll proceed on things, gather, you know, how the West feels about Korean Peninsula affairs. Room 35 is a term that was used previously, under the previous way that DPRK was organized. A lot of their units were like "room" or "lab" or something along those lines. We assess this is pretty close to a one-to-one with what Room 35 used to be, and that was their OSINT, their CIC basically, back then.

They're very prolific in social engineering. I say prolific because they're successful. I don't say prolific because they're really good at, you know, really sophisticated, right? They're not very sophisticated, but they don't have to be, because it works. They don't care about OPSEC too much, which is great for us, but also, you know, brings them down on the sophistication scale. But they make up for that lack of sophistication with volume. We see millions and millions of phishing emails and campaigns, you know, tons of infrastructure. We can't keep up, right, with how quick they turn and burn off of infrastructure and tactics. They're really agile, really flexible. We're constantly finding new infrastructure, new ways that they're doing things. And the DMARC stuff that I'm going to talk about in just a moment is just one of those new tactics they've incorporated.

Okay, so here's some examples of questions journalists might ask, right, about North Korea, some of the human rights stuff. Is the United States ever going to have a friendly or cordial relationship with Pyongyang? Are they ever going to come to terms on, you know, sanctions, and get North Korea some money to feed their people, but also get them to cede some of this stuff about human rights? Nuclear weapons against low Earth orbit satellites: how might the United States and its allies respond? Except these are false flags, right? So these are questions that they actually ask other journalists, academics, people in think tanks, NGOs, with spoofed personas, right? They pretend to be somebody and they send it out. And we've seen them really create a lot of spoofed domains in some of the previous operations, but the DMARC stuff has really kind of changed the game for them. The kind of funny part about the low Earth orbit satellite piece was that that was a question asked to a journalist about how they thought the US would respond to the North Korean regime using a nuclear weapon against Starlink satellites. Contextually, it was around the same time as the kickoff of the latest Russian-Ukrainian conflict, and Elon at the time had talked about opening up Starlink for the Ukrainian populace to kind of maintain connection with the outside world, maintain communications. So we see that they keep their finger on the pulse, right? They understand what's going on in the world, and they're going to use those concepts, those conversations, those ideas in their operations and send it out. And it was, you know, almost immediately, right, in the grand scheme, it was almost immediately after Elon made the announcement. So they moved pretty quickly.

So, here's an example of a phishing email we see. I know it's kind of hard to see on the screen, but in the from line, I've obfuscated it to protect the innocent, but that's a legitimate person, their legitimate username at their legitimate domain, sent to another legitimate person at a legitimate domain. Right? They're asking about presenting at a private workshop, attending one at the Pocantico Center in Tarrytown. That's a real thing, real place, real event. The dates even align and all that. So they've done their homework, gone and done their research and got the information for it. They're sending this off to establish rapport. We see oftentimes this stuff will happen because they're trying to make friends, right? Establish that cordial relationship and then follow on with things. We don't often see them employ malware, although they do have a couple of custom sets of malware and some commodity malware that they will lean on, but they're often just doing collection, right? They're just trying to gather intel. So this might be an opening email, and then maybe afterwards you'll get five, six questions about how the West feels about North Korea, things about nuclear proliferation, that sort of stuff.

And on that note, here's another example of an email. Again, obfuscated to protect the innocent, but the from line: legitimate person, legitimate username at a legitimate domain. Okay, and this did hit the inbox; both of these hit the inbox of the sender. Okay, that's an important piece. So, this is the follow-on email they might get with the questions: can you share, you know, an assessment of North Korea, some trending stuff, what are North Korean policies and what's the US allied approach? Okay, so the question begs, how are they doing what they're doing then? As I said, it's a legitimate person at the legitimate domain and it reaches the sender's, or the recipient's, inbox, right?

Well, a little background on why that shouldn't happen: SPF, DKIM, and DMARC were introduced to really combat this, right? So, what that is, is SPF and DKIM address authentication, and DMARC is kind of how you handle it. If somebody tries to send something on behalf of your domain and they're not an authorized sender, what are you telling the people that are receiving it to do? Right? So we're relying a little bit on trust, and that's kind of where the fault lies in this. But ultimately, it's to protect organizations and end users, right? We say all the time as security professionals, the weakest part of our security plan is the human factor, right? Whether it's a mistake an administrator makes or if it's the end user, right? They're not often savvy, or they may not know what to expect. But if we're failing them by not handling SPF and DKIM and DMARC properly, then we can't really blame them, right?

When SPF and/or DKIM fail, right? So if your DNS record doesn't match, you're not an authorized sender, it gets marked as fail for either SPF or DKIM, then DMARC gets failed as a total, right? And then there's a DMARC text property that will tell the recipient what to do, right? How do you handle this email if it's failed? There's really three options. p=reject. That's the good one, right? Just get rid of it. They're not allowed to send on my behalf. Just get rid of it, right? p=quarantine: mark it as junk, mark it as spam. Tell your end user that it might be bad, right? Or send it to your email appliance, right? Send it to your deeper inspection if you've got something that sits behind the border. Okay? You may end up discarding it with that extra analysis, or the user might just say, "Ah, it's junk. I'm getting rid of it." Right? That's the optimal outcome, but it still might not be, right? If it does hit their junk folder, how many users do you think are clicking stuff in junk, right? They might still. And then the bad one is p=none. And this is where the problem lies. p=none is basically like, don't do anything with it, right? I don't know why anybody would ever want to, other than testing early, and maybe it's a situation where they're testing to get things sent and then they forget to come back again. That human factor, right? But all of these organizations that we've seen these spoofed emails get through have this p=none set in their email configuration.

Okay. So basically what's happening is it's getting to a user's inbox, because if you're an organization with 100,000 users and 100 million people that you interact with, do you have the bandwidth to analyze everyone and make a different decision based on the header information? Maybe. Right? Maybe. But not all. Right? If you're a small organization that doesn't have the resources for that sort of thing, you know, you're probably not going to do that extra analysis either.

Okay, so this is an example of how they are figuring out who's got this setting, because they're not just guessing and getting it right. They can go to, this is MX Toolbox. It's not the only one, but they can go here and they can see there's no DMARC policy set. Okay, so whoever this organization was, right? I can just go in here. I want to target XYZ organization, and I'm going to use ABC organization to spoof and then target them. I come here, I look at ABC organization, I see that they've got no policy set. I now can spoof them and optimally, or reasonably, expect that it's going to hit the user's inbox. And then I can establish that rapport. I can deliver malicious content and I look exactly like the person who sent it. Right? What do we always tell users? Make sure you check that from line. Make sure you know who it's from, right? Legitimate person, legitimate username, legitimate domain, because they're able to spoof it based on this misconfiguration.

Okay. Looking a little deeper into the email headers, we see that they're using a proxy email sender. So you can see the initial pass up there with SPF, but then you see down below the DMARC fail. That's because it then went and checked the organization that they spoofed, right after it went through the proxy sender, and it said you're not authorized to send on behalf of this domain, and it fails. But as you can see in the parentheses there, p=none, right? So the recipient was told to do nothing with it, likely did nothing with it, and it ended up in their inbox.

Okay. So what can we do about this? Right. Well, SPF, DMARC, and DKIM, it's a fairly easy part of the configuration, but it's also fairly easy to overlook. As I mentioned, a lot of admins that we've had conversations with, they've said like, we were testing to make sure that our emails were getting where we want them to get to, that we could send through this. Or we've also talked to them where they have mailers that they've worked with that have said, like, set your DMARC to p=none so that I can send on your behalf, right? Instead of going through and marking them as an authorized sender in SPF, right, and making sure that it passes properly and that they're an authorized sender, just set it to p=none because it's easier, right? So, let's stop that to begin with. If you work at one of those mailer companies, right? We'll forgive you, but let's stop doing that. But we need to have the conversations, right, with a smaller shop, right? If you have friends that work at a smaller shop that doesn't have the personnel and they're overworked, right? How many people are overworked and under-resourced? Let's have that conversation with them, because this is a pretty easy thing to fix, right? It's basically a toggle switch if you've got, you know, an application that you manage your mail exchanger from. So let's have the conversation, make sure people understand this, because in addition to the ones that have been reported to us with DPRK doing it, I went and did a little research in VirusTotal and found dozens, just on a very cursory search, dozens of organizations that have had either automated uploads from, like, antivirus, or, you know, their mail system is set to analyze them and leverage the tools, but also others that were manually uploaded. And it's not just think tanks, NGOs, those sorts of organizations that might not care as much about security. The first one I found was a multinational finance corporation. So it's not just the little guy or the guy whose, you know, secondary concern is security. So have those conversations, spread the word. Very easy thing to fix, very easy tactic to undercut. And we're seeing it at the nation-state level. This may be more popular as well. This isn't something we can just go check for either, right? Because how many domains are out there? Can we just run MX Toolbox against them all? These have been reported to us. We don't know how many more people are doing it and getting away with it.

So, that's really it for me. I want to thank Kathy and the rest of the BSides folks for letting me present. This is actually my first presentation at a conference. So, appreciate you all sitting in as well. But I'll open the floor. Any questions?

Yeah, if you're regularly emailing with an organization and you dig into them and discover they have this misconfiguration, what is a reasonably likely-to-succeed strategy for getting it?

Yeah. So for us, right, we were able to say like, this is North Korea, you don't want this, right? That was kind of our crowbar that we were able to go at them with, right? But in a general sense, it's not always going to be North Korea. It might be some criminal operator that's trying to make money, etc. Just talk to them about things like loss of reputation, impacted users, right? Because while these folks are just going out and trying to gather intel, who knows what other people are trying to do? Are they delivering malware? Are they delivering ransomware and stuff like that? Are they harvesting creds, right? They may be delivering links to log into places, and you trust them. Then you go and you put your creds in, and then that all comes back on you, because when there's an incident and we find out patient zero is an email that came from your organization and you didn't have this properly configured, well, now everybody knows you were the cause of it, right? So things like that. I think the reputation piece was big. Like I said, for us it was easy to say this is a nation-state actor of a pretty bad nation, right? So, but yeah, that loss of reputation is a big piece.
Yeah. That's tough, right? I mean, you're basically going to have to find that malicious content that is being sent, right? If the mailer, the mail service itself, is exploited, that's a little tougher. If it's a setting like this that's easy to identify, sure. But, you know, that's more of like an IR type deal, and you're going to find that malicious content that's coming in via email, right? We've seen it. We've seen it, right? Sendmail has been a big one that's been abused a lot. APT29 loves email services because they can hit a lot of people. Good question.

As far as setting, you know, protections for senders and everything, I know, like, SPF does ten DNS lookups per query and, like, TXT 255 characters. So if you have an organization with, say, you know, a couple dozen domains that are all authorized to send mail as the parent domain, how would you recommend working around that to properly implement it?

That is a good question. I'm not really sure, because that could be kind of a blind spot. So you can do, you can flatten it, or you can do subdomains. There's also services for you. Yeah, proxies help. But again, if you're relying on a third party, right? I understand your question. I think that's just kind of a blind spot when it comes to really
Yeah, thanks. Any others?

DNS of all the majors?

Google. I work for Google. I honestly, you know, I'm not the guy to answer that question necessarily. I'm not an architect when it comes to that. So my default answer is [Laughter] Google. Any others? All right. Well, thank you all. Oh, yeah. Yeah. Go ahead.

You mentioned earlier about North Korea kind of leveraging some malware. Can you elaborate a little more on kind of tools?

I mean, from the custom side, you know, there's a wide array of things, but from the commodity side you see things like Cobalt Strike often when they're on-prem. We have seen them leverage Ryuk in the past as well, for ransomware, for rev gen. One thing that I didn't necessarily go deeply into is, like, every cyber actor that falls under the DPRK umbrella has either a primary or a secondary priority to make money, right? So we see them work with ransomware actors as well, using ransomware. A lot of times what we've seen is, like, there's a lot of cred harvesters that they like to use, and they can come back and, you know, leverage account access and stuff like that. Yeah. I know they get a bad name because, like I said, everybody kind of just thinks it's the hermit kingdom. They don't have internet access. They don't have any of that. But they're really sharp. They're really flexible. A couple of their actors: APT38, which has now evolved into, like, CryptoCore and AppleJeus, or TraderTraitor, sorry, if you've heard those terms, but really sophisticated, really good custom malware development. And Andariel, they're the ones focused on building the nuke, really sophisticated as well, really good custom malware that they put together as
Oh yeah, that's a great question. Right. So those two emails that we had up, we suspect they used generative AI. So we saw maybe 24 months ago, 18 to 24 months ago, we saw a drastic change in APT43's sophistication with regards to their emails, and we had some telemetry that they're using things like, you know, generative AI chatbots, those sorts of things. They're using them, and they are, "write me an email that says this from this person," and it spits them out. So they've got it in their toolbox. I know other threat actors from other nation states as well, but we've seen them directly using generative AI and chatbots to put phishing emails together. And it's a challenge then, right? Because a lot of our training for users is like, spot the needle in the haystack, the incorrect use of the word 'the' or something along those lines that doesn't fit with native language. Things like ChatGPT can write in dialects across different regions within just the United States, right? It doesn't have to be English versus Spanish versus Chinese. It's literally like, write me an email like I'm from Iowa, and it'll use dialect that's native to those regions and stuff. So it is very much a challenge. So, is there a time for us? Heuristic analysis is huge right now. With content, I know it's a challenge in terms of evaluating, like, the body of an email or something along those lines, but that heuristic analysis is a huge deal. And I know, like, the integration of AI is big right now with detections, which should help. But yeah, we can't rely on static signatures and stuff anymore. That's just kind of what it's gotten to. [Laughter] All right. Well, thank you all.

Appreciation for BSides, we would like to thank you. Thank you for joining us. And I'm sorry I didn't get a chance to do your intro. You got right on time. So, thank you again. Thank you. Like I said, there's some stickers up here if you want a sticker.
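As an added example (my code, not Gary Freeze's or Mandiant's, and not part of the transcript) to accompany the SPF/DKIM/DMARC part of the talk: a small Python checker that classifies a domain's DMARC p= policy the way the MX Toolbox lookup in the talk does, and flags the Authentication-Results pattern from the header walkthrough (spf=pass for a proxy mailer, dmarc=fail with p=NONE). The domains, TXT records, header and function names are constructed for this example.

```python
"""Added example (not from the talk): classify DMARC policies and flag the spf=pass / dmarc=fail (p=NONE) pattern."""
import re

# Constructed _dmarc.<domain> TXT records for made-up organizations.
SAMPLE_DMARC_TXT = {
    "abc-thinktank.example": "v=DMARC1; p=none; rua=mailto:dmarc@abc-thinktank.example",
    "finance-corp.example": "v=DMARC1; p=quarantine; adkim=s; aspf=s",
    "hardened.example": "v=DMARC1; p=reject; sp=reject",
    "no-record.example": "",  # publishes no DMARC record at all
}
# Constructed Authentication-Results header modelled on the talk's case: SPF passes for the
# proxy mailer's envelope domain, DMARC fails for the spoofed From: domain whose policy is p=NONE.
SAMPLE_AUTH_RESULTS = (
    "mx.recipient.example; "
    "spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=bulk.proxy-mailer.example; "
    "dkim=none header.d=abc-thinktank.example; "
    "dmarc=fail (p=NONE sp=NONE dis=none) header.from=abc-thinktank.example"
)

def parse_dmarc(txt):
    """Split a DMARC TXT record into lowercase tag -> value; {} if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}

def assess_domain(txt):
    """Return (policy, verdict) for one record; 'missing' means no record is published."""
    tags = parse_dmarc(txt)
    if not tags:
        return "missing", "SPOOFABLE: no DMARC record, receivers apply no policy"
    policy = tags.get("p", "").lower()
    if policy == "none":
        return "none", "SPOOFABLE: p=none asks receivers to deliver failing mail anyway"
    if policy == "quarantine":
        return "quarantine", "PARTIAL: failing mail goes to junk or a filtering appliance"
    if policy == "reject":
        return "reject", "PROTECTED: failing mail is rejected outright"
    return policy, "INVALID: unknown p= value, receivers fall back to no policy"

def spoofable_domains(records):
    """Domains whose record leaves spoofed mail deliverable (the talk's p=none case)."""
    return [d for d, txt in records.items() if assess_domain(txt)[0] in ("none", "missing")]

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)(?:\s*\(([^)]*)\))?")
def parse_auth_results(header):
    """Extract spf/dkim/dmarc verdicts, the DMARC policy note, and both sender domains."""
    result = {}
    for method, verdict, detail in AUTH_RE.findall(header):
        result[method] = verdict.lower()
        if method == "dmarc" and detail:
            policy = re.search(r"\bp=(\w+)", detail)
            if policy:
                result["dmarc_policy"] = policy.group(1).lower()
    for key, pattern in (("from_domain", r"header\.from=([\w.-]+)"),
                         ("mailfrom_domain", r"smtp\.mailfrom=([\w.-]+)")):
        found = re.search(pattern, header)
        if found:
            result[key] = found.group(1).lower()
    return result

def spoof_indicators(header):
    """Findings an analyst or mail filter would raise for the header pattern in the talk."""
    r = parse_auth_results(header)
    findings = []
    if r.get("spf") == "pass" and r.get("mailfrom_domain") != r.get("from_domain"):
        findings.append(f"SPF passed for {r.get('mailfrom_domain')}, not From: domain {r.get('from_domain')}")
    if r.get("dmarc") == "fail":
        findings.append("DMARC failed for From: domain %s" % r.get("from_domain"))
        if r.get("dmarc_policy") == "none":
            findings.append("spoofed domain publishes p=none, so the message was delivered")
    return findings
```

Feeding parse_dmarc the live TXT record at _dmarc.<your domain> turns this into the same lookup the talk shows on MX Toolbox; a "none" or "missing" result is the misconfiguration the talk says to fix.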