BleepingComputer reports that North Korean advanced persistent threat operations Kimsuky, also known as APT43, and Andariel, also known as APT45, were noted by South Korea's National Cyber Security Center to have exploited VPN software update vulnerabilities to facilitate network compromise and malware attacks that sought to exfiltrate South Korean trade secrets.
Such exploitation was evident in a January attack by Kimsuky against a South Korean construction trade entity's website that lured employees into installing trojanized security software with a valid digital certificate, which when executed launched malware that not only stole browser-stored data but also took screenshots. Construction firms, local governments, and public organizations across South Korea were impacted by the campaign, which was reported by the AhnLab Security Intelligence Center. On the other hand, Andariel used a VPN software communication protocol flaw to disseminate the DoraRAT malware in attacks against machinery and construction firms in April. "The Information Community attributes these hacking activities to the Kimsuky and Andariel hacking organizations under the North Korean Reconnaissance General Bureau, noting the unprecedented nature of both organizations targeting the same sector simultaneously for specific policy objectives," said the NCSC.