{
	"id": "1084e76c-bf4a-48de-a3ac-e647985b3bd6",
	"created_at": "2026-04-06T00:15:29.507497Z",
	"updated_at": "2026-04-10T03:27:03.186552Z",
	"deleted_at": null,
	"sha1_hash": "aa0a42476a20300252c58e1ceebd320ca258d2e2",
	"title": "#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 177594,
	"plain_text": "#StopRansomware: Ransomware Attacks on Critical Infrastructure\r\nFund DPRK Malicious Cyber Activities | CISA\r\nPublished: 2023-02-09 · Archived: 2026-04-05 18:41:35 UTC\r\nSUMMARY\r\nNote: This Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for\r\nnetwork defenders that detail various ransomware variants and various ransomware threat actors. These\r\n#StopRansomware advisories detail historically and recently observed tactics, techniques, and procedures (TTPs) and\r\nindicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all\r\n#StopRansomware advisories and to learn about other ransomware threats and no-cost resources.\r\nThe United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S.\r\nCybersecurity and Infrastructure Security Agency (CISA), the U.S. Department of Health and Human Services (HHS),\r\nthe Republic of Korea (ROK) National Intelligence Service (NIS), and the ROK Defense Security Agency (DSA)\r\n(hereafter referred to as the “authoring agencies”) are issuing this joint Cybersecurity Advisory (CSA) to highlight\r\nongoing ransomware activity against Healthcare and Public Health Sector organizations and other critical infrastructure\r\nsector entities.\r\nThis CSA provides an overview of Democratic People’s Republic of Korea (DPRK) state-sponsored ransomware and\r\nupdates the July 6, 2022, joint CSA North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the\r\nHealthcare and Public Health Sector. 
This advisory highlights TTPs and IOCs DPRK cyber actors used to gain access to\r\nand conduct ransomware attacks against Healthcare and Public Health (HPH) Sector organizations and other critical\r\ninfrastructure sector entities, as well as DPRK cyber actors’ use of cryptocurrency to demand ransoms.\r\nThe authoring agencies assess that an unspecified amount of revenue from these cryptocurrency operations supports\r\nDPRK national-level priorities and objectives, including cyber operations targeting the United States and South Korea\r\ngovernments—specific targets include Department of Defense Information Networks and Defense Industrial Base\r\nmember networks. The IOCs in this product should be useful to sectors previously targeted by DPRK cyber operations\r\n(e.g., U.S. government, Department of Defense, and Defense Industrial Base). The authoring agencies highly discourage\r\npaying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks.\r\nFor additional information on state-sponsored DPRK malicious cyber activity, see CISA’s North Korea Cyber Threat\r\nOverview and Advisories webpage.\r\nDownload the PDF version of this report: pdf, 661 kb.\r\nFor a downloadable copy of IOCs, see\r\nTECHNICAL DETAILS\r\nNote: This advisory uses the MITRE ATT\u0026CK for Enterprise framework, version 12. See MITRE ATT\u0026CK for\r\nEnterprise for all referenced tactics and techniques.\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-040a\r\nPage 1 of 13\n\nThis CSA is supplementary to previous reports on malicious cyber actor activities involving DPRK ransomware\r\ncampaigns—namely Maui and H0lyGh0st ransomware. 
The authoring agencies are issuing this advisory to highlight\r\nadditional observed TTPs DPRK cyber actors are using to conduct ransomware attacks targeting South Korean and U.S.\r\nhealthcare systems.\r\nObservable TTPs\r\nThe TTPs associated with DPRK ransomware attacks include those traditionally observed in ransomware operations.\r\nAdditionally, these TTPs span phases from acquiring and purchasing infrastructure to concealing DPRK affiliation:\r\nAcquire Infrastructure [T1583]. DPRK actors generate domains, personas, and accounts; and identify\r\ncryptocurrency services to conduct their ransomware operations. Actors procure infrastructure, IP addresses, and\r\ndomains with cryptocurrency generated through illicit cybercrime, such as ransomware and cryptocurrency theft.\r\nObfuscate Identity. DPRK actors purposely obfuscate their involvement by operating with or under third-party\r\nforeign affiliate identities and use third-party foreign intermediaries to receive ransom payments.\r\nPurchase VPNs and VPSs [T1583.003]. DPRK cyber actors will also use virtual private networks (VPNs) and\r\nvirtual private servers (VPSs) or third-country IP addresses to appear to be from innocuous locations instead of\r\nfrom DPRK.\r\nGain Access [TA0001]. Actors use various exploits of common vulnerabilities and exposures (CVE) to gain\r\naccess and escalate privileges on networks. Recently observed CVEs that actors used to gain access include\r\nremote code execution in the Apache Log4j software library (known as Log4Shell) and remote code execution in\r\nunpatched SonicWall SMA 100 appliances [T1190 and T1133]. Observed CVEs used include:\r\nCVE-2021-44228\r\nCVE-2021-20038\r\nCVE-2022-24990\r\nActors also likely spread malicious code through Trojanized files for “X-Popup,” an open source messenger commonly\r\nused by employees of small and medium hospitals in South Korea [T1195].\r\nThe actors spread malware by leveraging two domains: xpopup.pe[.]kr and xpopup[.]com. 
xpopup.pe[.]kr is\r\nregistered to IP address 115.68.95[.]128 and xpopup[.]com is registered to IP address 119.205.197[.]111. Related\r\nfile names and hashes are listed in Table 1.\r\nTable 1: Malicious file names and hashes spread by xpopup domains\r\nFile Name MD5 Hash\r\nxpopup.rar 1f239db751ce9a374eb9f908c74a31c9\r\nX-PopUp.exe 6fb13b1b4b42bac05a2ba629f04e3d03\r\nX-PopUp.exe cf8ba073db7f4023af2b13dd75565f3d\r\nxpopup.exe 4e71d52fc39f89204a734b19db1330d3\r\nx-PopUp.exe 43d4994635f72852f719abb604c4a8a1\r\nxpopup.exe 5ae71e8440bf33b46554ce7a7f3de666\r\nMove Laterally and Discovery [TA0007, TA0008]. After initial access, DPRK cyber actors use staged\r\npayloads with customized malware to perform reconnaissance activities, upload and download additional files and\r\nexecutables, and execute shell commands [T1083, T1021]. The staged malware is also responsible for\r\ncollecting victim information and sending it to the remote host controlled by the actors [TA0010].\r\nEmploy Various Ransomware Tools [TA0040]. Actors have used privately developed ransomware, such as\r\nMaui and H0lyGh0st [T1486]. Actors have also been observed using or possessing publicly available tools for\r\nencryption, such as BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little\r\nRansomware, NxRansomware, Ryuk, and YourRansom [T1486]. In some cases, DPRK actors have portrayed\r\nthemselves as other ransomware groups, such as the REvil ransomware group. For IOCs associated with Maui and\r\nH0lyGh0st ransomware usage, please see Appendix B.\r\nDemand Ransom in Cryptocurrency. DPRK cyber actors have been observed setting ransoms in bitcoin [T1486].\r\nActors are known to communicate with victims via Proton Mail email accounts. 
For private companies in the\r\nhealthcare sector, actors may threaten to expose a company’s proprietary data to competitors if ransoms are not\r\npaid. Bitcoin wallet addresses possibly used by DPRK cyber actors are listed in the advisory.\r\nMITIGATIONS\r\nNote: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and\r\nthe U.S. National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and\r\nprotections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing\r\ncybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques,\r\nand procedures. 
For more information on the CPGs, including additional recommended baseline protections, see\r\ncisa.gov/cpg.\r\nThe authoring agencies urge HPH organizations to:\r\nLimit access to data by authenticating and encrypting connections (e.g., using public key infrastructure certificates\r\nin virtual private network (VPN) and transport layer security (TLS) connections) with network services, Internet\r\nof Things (IoT) medical devices, and the electronic health record system [CPG 3.3].\r\nImplement the principle of least privilege by using standard user accounts on internal systems instead of\r\nadministrative accounts [CPG 1.5], which grant excessive system administration privileges.\r\nTurn off weak or unnecessary network device management interfaces, such as Telnet, SSH, Winbox, and HTTP\r\nfor wide area networks (WANs) and secure with strong passwords and encryption when enabled.\r\nProtect stored data by masking the permanent account number (PAN) when displayed and rendering it unreadable\r\nwhen stored—through cryptography, for example.\r\nSecure the collection, storage, and processing practices for personally identifiable information (PII)/protected\r\nhealth information (PHI), per regulations such as the Health Insurance Portability and Accountability Act of 1996\r\n(HIPAA). Implementing HIPAA security measures could prevent the introduction of malware to the system [CPG\r\n3.4].\r\nSecure PII/PHI at collection points and encrypt the data at rest and in transit using technologies, such as\r\nTLS. 
Only store personal patient data on internal systems that are protected by firewalls, and ensure\r\nextensive backups are available.\r\nCreate and regularly review internal policies that regulate the collection, storage, access, and monitoring of\r\nPII/PHI.\r\nImplement and enforce multi-layer network segmentation with the most critical communications and data resting\r\non the most secure and reliable layer [CPG 8.1].\r\nUse monitoring tools to observe whether IoT devices are behaving erratically due to a compromise [CPG 3.1].\r\nIn addition, the authoring agencies urge all organizations, including HPH Sector organizations, to apply the following\r\nrecommendations to prepare for and mitigate ransomware incidents:\r\nMaintain isolated backups of data, and regularly test backup and restoration [CPG 7.3]. These practices\r\nsafeguard an organization’s continuity of operations or at least minimize potential downtime from a ransomware\r\nincident and protect against data losses.\r\nEnsure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire\r\norganization’s data infrastructure.\r\nCreate, maintain, and exercise a basic cyber incident response plan and associated communications plan\r\nthat includes response procedures for a ransomware incident [CPG 7.1, 7.2].\r\nOrganizations should also ensure their incident response and communications plans include data breach\r\nincident response and notification procedures. 
Ensure the notification procedures adhere to applicable\r\nlaws.\r\nSee the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide\r\nand CISA Fact Sheet Protecting Sensitive and Personal Information from Ransomware-Caused Data\r\nBreaches for information on creating a ransomware response checklist and planning and responding to\r\nransomware-caused data breaches.\r\nInstall updates for operating systems, software, and firmware as soon as they are released [CPG 5.1]. Timely\r\npatching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to\r\ncybersecurity threats. Regularly check for software updates and end-of-life notifications and prioritize patching\r\nknown exploited vulnerabilities. Consider leveraging a centralized patch management system to automate and\r\nexpedite the process.\r\nIf you use Remote Desktop Protocol (RDP), or other potentially risky services, secure and monitor them\r\nclosely [CPG 5.4].\r\nLimit access to resources over internal networks, especially by restricting RDP and using virtual desktop\r\ninfrastructure. After assessing risks, if RDP is deemed operationally necessary, restrict the originating\r\nsources, and require phishing-resistant multifactor authentication (MFA) to mitigate credential theft and\r\nreuse [CPG 1.3]. If RDP must be available externally, use a VPN, virtual desktop infrastructure, or other\r\nmeans to authenticate and secure the connection before allowing RDP to connect to internal devices.\r\nMonitor remote access/RDP logs, enforce account lockouts after a specified number of attempts to block\r\nbrute force campaigns, log RDP login attempts, and disable unused remote access/RDP ports [CPG 1.1,\r\n3.1].\r\nEnsure devices are properly configured and that security features are enabled. 
Disable ports and protocols\r\nnot in use for a business purpose (e.g., RDP Transmission Control Protocol port 3389).\r\nRestrict the Server Message Block (SMB) protocol within the network to only access necessary servers and\r\nremove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB to propagate\r\nmalware across organizations.\r\nReview the security posture of third-party vendors and those interconnected with your organization. Ensure\r\nall connections between third-party vendors and outside software or hardware are monitored and reviewed\r\nfor suspicious activity [CPG 5.6, 6.2].\r\nImplement application control policies that only allow systems to execute known and permitted programs\r\n[CPG 2.1].\r\nOpen document readers in protected viewing modes to help prevent active content from running.\r\nImplement a user training program and phishing exercises [CPG 4.3] to raise awareness among users about\r\nthe risks of visiting websites, clicking on links, and opening attachments. Reinforce the appropriate user response\r\nto phishing and spearphishing emails.\r\nRequire phishing-resistant MFA for as many services as possible [CPG 1.3]—particularly for webmail, VPNs,\r\naccounts that access critical systems, and privileged accounts that manage backups.\r\nUse strong passwords [CPG 1.4] and avoid reusing passwords for multiple accounts. See CISA Tip Choosing and\r\nProtecting Passwords and National Institute of Standards and Technology (NIST) Special Publication 800-63B:\r\nDigital Identity Guidelines for more information.\r\nRequire administrator credentials to install software [CPG 1.5].\r\nAudit user accounts with administrative or elevated privileges [CPG 1.5] and configure access controls with\r\nleast privilege in mind.\r\nInstall and regularly update antivirus and antimalware software on all hosts.\r\nOnly use secure networks. 
Consider installing and using a VPN.\r\nConsider adding an email banner to messages coming from outside your organization [CPG 8.3] indicating\r\nthat they are higher-risk messages.\r\nConsider participating in CISA’s no-cost Automated Indicator Sharing (AIS) program to receive real-time\r\nexchange of machine-readable cyber threat indicators and defensive measures.\r\nIf a ransomware incident occurs at your organization:\r\nFollow your organization’s ransomware response checklist.\r\nScan backups. If possible, scan backup data with an antivirus program to check that it is free of malware. This\r\nshould be performed using an isolated, trusted system to avoid exposing backups to potential compromise.\r\nU.S. organizations: Follow the notification requirements as outlined in your cyber incident response plan. Report\r\nincidents to appropriate authorities; in the U.S., this would include the FBI at a local FBI Field Office, CISA at\r\ncisa.gov/report, or the U.S. Secret Service (USSS) at a USSS Field Office.\r\nSouth Korean organizations: Please report incidents to NIS, KISA (Korea Internet \u0026 Security Agency), and\r\nKNPA (Korean National Police Agency).\r\nNIS (National Intelligence Service)\r\nTelephone: 111\r\nhttps://www.nis.go.kr\r\nKISA (Korea Internet \u0026 Security Agency)\r\nTelephone: 118 (Consult Service)\r\nhttps://www.boho.or.kr/consult/ransomware.do\r\nKNPA (Korean National Police Agency)\r\nElectronic Cybercrime Report \u0026 Management System: https://ecrm.police.go.kr/minwon/main\r\nApply incident response best practices found in the joint Cybersecurity Advisory, Technical Approaches to\r\nUncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of\r\nAustralia, Canada, New Zealand, and the United Kingdom.\r\nRESOURCES\r\nStairwell provided a YARA rule to identify Maui ransomware, and a Proof of Concept public RSA key extractor at the\r\nfollowing 
link:\r\nhttps://www.stairwell.com/news/threat-research-report-maui-ransomware/\r\nREQUEST FOR INFORMATION\r\nThe FBI is seeking any information that can be shared, to include boundary logs showing communication to and from\r\nforeign IP addresses, bitcoin wallet information, the decryptor file, and/or benign samples of encrypted files. As stated\r\nabove, the authoring agencies discourage paying ransoms. Payment does not guarantee files will be recovered and may\r\nembolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of\r\nransomware, and/or fund illicit activities. However, the agencies understand that when victims are faced with an inability\r\nto function, all options are evaluated to protect shareholders, employees, and customers.\r\nRegardless of whether you or your organization decide to pay a ransom, the authoring agencies urge you to promptly\r\nreport ransomware incidents using the contact information above.\r\nACKNOWLEDGEMENTS\r\nNSA, FBI, CISA, and HHS would like to thank ROK NIS and DSA for their contributions to this CSA.\r\nDisclaimer of endorsement\r\nThe information and opinions contained in this document are provided \"as is\" and without any warranties or guarantees.\r\nReference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or\r\notherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government,\r\nand this guidance shall not be used for advertising or product endorsement purposes.\r\nTrademark recognition\r\nMicrosoft Threat Intelligence Center is a registered trademark of Microsoft Corporation. Apache®, Sonicwall, and\r\nApache Log4j are trademarks of Apache Software Foundation. 
TerraMaster Operating System is a registered trademark\r\nof Octagon Systems.\r\nPurpose\r\nThis document was developed in furtherance of the authors’ cybersecurity missions, including their responsibilities to\r\nidentify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information\r\nmay be shared broadly to reach all appropriate stakeholders.\r\nAppendix A: CVE Details\r\nCVE-2021-44228     CVSS 3.0: 10 (Critical)\r\nVulnerability Description\r\nApache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in\r\nconfiguration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related\r\nendpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded\r\nfrom LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled\r\nby default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely\r\nremoved. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache\r\nLogging Services projects.\r\nRecommended Mitigations\r\nApply patches provided by vendor and perform required system updates.\r\nDetection Methods\r\nSee vendors’ Guidance For Preventing, Detecting, and Hunting for Exploitation of the Log4j 2 Vulnerability.\r\nVulnerable Technologies and Versions\r\nThere are numerous vulnerable technologies and versions associated with CVE-2021-44228. 
For a full list, please\r\ncheck https://nvd.nist.gov/vuln/detail/CVE-2021-44228.\r\nSee https://nvd.nist.gov/vuln/detail/CVE-2021-44228 for more information.\r\nCVE-2021-20038     CVSS 3.0: 9.8 (Critical)\r\nVulnerability Description\r\nA stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment\r\nvariables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' user in the appliance.\r\nThis vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv,\r\n10.2.1.2-24sv and earlier versions.\r\nRecommended Mitigations\r\nApply all appropriate vendor updates.\r\nUpgrade to:\r\nSMA 100 Series (SMA 200, 210, 400, 410, 500v (ESX, Hyper-V, KVM, AWS, Azure)):\r\nSonicWall SMA100 build versions 10.2.0.9-41sv or later\r\nSonicWall SMA100 build versions 10.2.1.3-27sv or later\r\nSystem administrators should refer to the SonicWall Security Advisories in the reference section to determine\r\naffected applications/systems and appropriate fix actions.\r\nSupport for 9.0.0 firmware ended on 10/31/2021. 
Customers still using that firmware are requested to upgrade to the\r\nlatest 10.2.x versions.\r\nVulnerable Technologies and Versions\r\nSonicwall Sma 200 Firmware 10.2.0.8-37Sv\r\nSonicwall Sma 200 Firmware 10.2.1.1-19Sv\r\nSonicwall Sma 200 Firmware 10.2.1.2-24Sv\r\nSonicwall Sma 210 Firmware 10.2.0.8-37Sv\r\nSonicwall Sma 210 Firmware 10.2.1.1-19Sv\r\nSonicwall Sma 210 Firmware 10.2.1.2-24Sv\r\nSonicwall Sma 410 Firmware 10.2.0.8-37Sv\r\nSonicwall Sma 410 Firmware 10.2.1.1-19Sv\r\nSonicwall Sma 410 Firmware 10.2.1.2-24Sv\r\nSonicwall Sma 400 Firmware 10.2.0.8-37Sv\r\nSonicwall Sma 400 Firmware 10.2.1.1-19Sv\r\nSonicwall Sma 400 Firmware 10.2.1.2-24Sv\r\nSonicwall Sma 500V Firmware 10.2.0.8-37Sv\r\nSonicwall Sma 500V Firmware 10.2.1.1-19Sv\r\nSonicwall Sma 500V Firmware 10.2.1.2-24Sv\r\nSee https://nvd.nist.gov/vuln/detail/CVE-2021-20038 for more information.\r\nCVE-2022-24990    CVSS 3.x: N/A\r\nVulnerability Description\r\nThe TerraMaster OS Unauthenticated Remote Command Execution via PHP Object Instantiation Vulnerability is\r\ncharacterized by scanning activity targeting a flaw in the script enabling a remote adversary to execute commands on\r\nthe target endpoint. The vulnerability is created by improper input validation of the webNasIPS component in the\r\napi.php script and resides on the TNAS device appliances' operating system where users manage storage, backup\r\ndata, and configure applications. By exploiting the script flaw a remote unauthenticated attacker can pass specially\r\ncrafted data to the application and execute arbitrary commands on the target system. This may result in complete\r\ncompromise of the target system, including the exfiltration of information. 
TNAS devices can be chained to acquire\r\nunauthenticated remote code execution with highest privileges.\r\nRecommended Mitigations\r\nInstall relevant vendor patches. This vulnerability was patched in TOS version 4.2.30\r\nVulnerable Technologies and Versions\r\nTOS v 4.2.29\r\nSee https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/ and https://forum.terra-master.com/en/viewtopic.php?t=3030 for more\r\ninformation.\r\nAppendix B: Indicators of Compromise (IOCs)\r\nThe IOC section includes hashes and IP addresses for the Maui and H0lyGh0st ransomware variants—as well as custom\r\nmalware implants assumedly developed by DPRK cyber actors, such as remote access trojans (RATs), loaders, and other\r\ntools—that enable subsequent deployment of ransomware. For additional Maui IOCs, see joint CSA North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector.\r\nTable 2 lists MD5 and SHA256 hashes associated with malware implants, RATs, and other tools used by DPRK cyber\r\nactors, including tools that drop Maui ransomware files.\r\nTable 2: File names and hashes of malicious implants, RATs, and tools\r\nMD5Hash SHA256Hash\r\n079b4588eaa99a1e802adf5e0b26d8aa f67ee77d6129bd1bcd5d856c0fc5314169b946d32b8abaa4e680bb98130b38e7\r\n0e9e256d8173854a7bc26982b1dde783 --\r\n12c15a477e1a96120c09a860c9d479b3 6263e421e397db821669420489d2d3084f408671524fd4e1e23165a16dda2225\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-040a\r\nPage 9 of 13\n\nMD5Hash SHA256Hash\r\n131fc4375971af391b459de33f81c253 --\r\n17c46ed7b80c2e4dbea6d0e88ea0827c b9af4660da00c7fa975910d0a19fda072031c15fad1eef935a609842c51b7f7d\r\n1875f6a68f70bee316c8a6eda9ebf8de 672ec8899b8ee513dbfc4590440a61023846ddc2ca94c88ae637144305c497e7\r\n1a74c8d8b74ca2411c1d3d22373a6769 ba8f9e7afe5f78494c111971c39a89111ef9262bf23e8a764c6f65c818837a44\r\n1f6d9f8fbdbbd4e6ed8cd73b9e95a928 
4f089afa51fd0c1b2a39cc11cedb3a4a326111837a5408379384be6fe846e016\r\n2d02f5499d35a8dffb4c8bc0b7fec5c2 830207029d83fd46a4a89cd623103ba2321b866428aa04360376e6a390063570\r\n2e18350194e59bc6a2a3f6d59da11bd8 655aa64860f1655081489cf85b77f72a49de846a99dd122093db4018434b83ae\r\n3bd22e0ac965ebb6a18bb71ba39e96dc 6b7f566889b80d1dba4f92d5e2fb2f5ef24f57fcfd56bb594978dffe9edbb9eb\r\n40f21743f9cb927b2c84ecdb7dfb14a6 5081f54761947bc9ce4aa2a259a0bd60b4ec03d32605f8e3635c4d4edaf48894\r\n4118d9adce7350c3eedeb056a3335346 5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e\r\n43e756d80225bdf1200bc34eef5adca8 afb2d4d88f59e528f0e388705113ae54b7b97db4f03a35ae43cc386a48f263a0\r\n47791bf9e017e3001ddc68a7351ca2d6 863b707873f7d653911e46885e261380b410bb3bf6b158daefb47562e93cb657\r\n505262547f8879249794fc31eea41fc6 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c\r\n5130888a0ad3d64ad33c65de696d3fa2 c92c1f3e77a1876086ce530e87aa9c1f9cbc5e93c5e755b29cad10a2f3991435\r\n58ad3103295afcc22bde8d81e77c282f 18b75949e03f8dcad513426f1f9f3ca209d779c24cd4e941d935633b1bec00cb\r\n5be1e382cd9730fbe386b69bd8045ee7 5ad106e333de056eac78403b033b89c58b4c4bdda12e2f774625d47ccfd3d3ae\r\n5c6f9c83426c6d33ff2d4e72c039b747 a3b7e88d998078cfd8cdf37fa5454c45f6cbd65f4595fb94b2e9c85fe767ad47\r\n640e70b0230dc026eff922fb1e44c2ea 6319102bac226dfc117c3c9e620cd99c7eafbf3874832f2ce085850aa042f19c\r\n67f4dad1a94ed8a47283c2c0c05a7594 3fe624c33790b409421f4fa2bb8abfd701df2231a959493c33187ed34bec0ae7\r\n70652edadedbacfd30d33a826853467d 196fb1b6eff4e7a049cea323459cfd6c0e3900d8d69e1d80bffbaabd24c06eba\r\n739812e2ae1327a94e441719b885bd19 6122c94cbfa11311bea7129ecd5aea6fae6c51d23228f7378b5f6b2398728f67\r\n76c3d2092737d964dfd627f1ced0af80 bffe910904efd1f69544daa9b72f2a70fb29f73c51070bde4ea563de862ce4b1\r\n802e7d6e80d7a60e17f9ffbd62fcbbeb 87bdb1de1dd6b0b75879d8b8aef80b562ec4fad365d7abbc629bcfc1d386afa6\r\n827103a6b6185191fd5618b7e82da292 --\r\n830bc975a04ab0f62bfedf27f7aca673 --\r\n85995257ac07ae5a6b4a86758a2283d7 
--\r\n85f6e3e3f0bdd0c1b3084fc86ee59d19 f1576627e8130e6d5fde0dbe3dffcc8bc9eef1203d15fcf09cd877ced1ccc72a\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-040a\r\nPage 10 of 13\n\nMD5Hash SHA256Hash\r\n87a6bda486554ab16c82bdfb12452e8b 980bb08ef3e8afcb8c0c1a879ec11c41b29fd30ac65436495e69de79c555b2be\r\n891db50188a90ddacfaf7567d2d0355d 0837dd54268c373069fc5c1628c6e3d75eb99c3b3efc94c45b73e2cf9a6f3207\r\n894de380a249e677be2acb8fbdfba2ef --\r\n8b395cc6ecdec0900facf6e93ec48fbb --\r\n92a6c017830cda80133bf97eb77d3292 d1aba3f95f11fc6e5fec7694d188919555b7ff097500e811ff4a5319f8f230be\r\n9b0e7c460a80f740d455a7521f0eada1 45d8ac1ac692d6bb0fe776620371fca02b60cac8db23c4cc7ab5df262da42b78\r\n9b9d4cb1f681f19417e541178d8c75d7 f5f6e538001803b0aa008422caf2c3c2a79b2eeee9ddc7feda710e4aba96fea4\r\na1f9e9f5061313325a275d448d4ddd59 dfdd72c9ce1212f9d9455e2bca5a327c88d2d424ea5c086725897c83afc3d42d\r\na452a5f693036320b580d28ee55ae2a3 99b0056b7cc2e305d4ccb0ac0a8a270d3fceb21ef6fc2eb13521a930cea8bd9f\r\na6e1efd70a077be032f052bb75544358 3b9fe1713f638f85f20ea56fd09d20a96cd6d288732b04b073248b56cdaef878\r\nad4eababfe125110299e5a24be84472e a557a0c67b5baa7cf64bd4d42103d3b2852f67acf96b4c5f14992c1289b55eaa\r\nb1c1d28dc7da1d58abab73fa98f60a83 38491f48d0cbaab7305b5ddca64ba41a2beb89d81d5fb920e67d0c7334c89131\r\nb6f91a965b8404d1a276e43e61319931 --\r\nbdece9758bf34fcad9cba1394519019b 9d6de05f9a3e62044ad9ae66111308ccb9ed2ee46a3ea37d85afa92e314e7127\r\nc3850f4cc12717c2b54753f8ca5d5e0e 99b448e91669b92c2cc3417a4d9711209509274dab5d7582baacfab5028a818c\r\nc50b839f2fc3ce5a385b9ae1c05def3a 458d258005f39d72ce47c111a7d17e8c52fe5fc7dd98575771640d9009385456\r\ncf236bf5b41d26967b1ce04ebbdb4041 60425a4d5ee04c8ae09bfe28ca33bf9e76a43f69548b2704956d0875a0f25145\r\nd0e203e8845bf282475a8f816340f2e8 f6375c5276d1178a2a0fe1a16c5668ce523e2f846c073bf75bb2558fdec06531\r\nddb1f970371fa32faae61fc5b8423d4b dda53eee2c5cb0abdbf5242f5e82f4de83898b6a9dd8aa935c2be29bafc9a469\r\nf2f787868a3064407d79173ac5fc0864 
Table 3 lists MD5 and SHA256 hashes associated with Maui Ransomware files.\r\nTable 3: File names and hashes of Maui ransomware files\r\nTable 4 lists MD5 and SHA256 hashes associated with H0lyGh0st Ransomware files.\r\n* from Microsoft blog post on h0lygh0st\r\nCONTACT INFORMATION\r\nNSA Client Requirements / General Cybersecurity Inquiries: CybersecurityReports@nsa.gov\r\nDefense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov\r\nTo report incidents and anomalous activity related to information found in this Joint Cybersecurity Advisory, contact CISA’s 24/7 Operations Center at contact@mail.cisa.dhs.gov or 1-844-729-2472 or your local FBI field office at www.fbi.gov/contact-us/field. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.\r\nMedia Inquiries / Press Desk:\r\nNSA Media Relations, 443-634-0721, MediaRelations@nsa.gov\r\nCISA Media Relations, 703-235-2010, CISAMedia@cisa.dhs.gov\r\nSource: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-040a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-040a"
	],
	"report_names": [
		"aa23-040a"
	],
	"threat_actors": [
		{
			"id": "40ec2da8-7156-4bff-b878-41984eb70df4",
			"created_at": "2024-02-02T02:00:04.080917Z",
			"updated_at": "2026-04-10T02:00:03.555365Z",
			"deleted_at": null,
			"main_name": "Storm-0530",
			"aliases": [
				"DEV-0530",
				"H0lyGh0st"
			],
			"source_name": "MISPGALAXY:Storm-0530",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434529,
	"ts_updated_at": 1775791623,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aa0a42476a20300252c58e1ceebd320ca258d2e2.pdf",
		"text": "https://archive.orkl.eu/aa0a42476a20300252c58e1ceebd320ca258d2e2.txt",
		"img": "https://archive.orkl.eu/aa0a42476a20300252c58e1ceebd320ca258d2e2.jpg"
	}
}