Threat Actor Higaisa


Overview

Threat actor Higaisa is suspected to have South Korean origins. It has repeatedly targeted government, public, and trade organizations in North Korea, as well as in China, Russia, Poland, and other nations. Although it was discovered in 2019, it has been active since at least 2009.

How does Higaisa work?

Initial access is achieved via spear phishing. The group sends emails containing malicious links to its targets. These links lead to files disguised either as documents of interest or as opinion forms allegedly sent by another organization. The victim ends up downloading a malicious link file or an executable, which in turn leads to a Cobalt Strike loader.

Protection

  • Owners of the network edge devices should ensure that management interfaces are not exposed to the public internet to reduce their attack surface.

  • Enforce strong multi-factor authentication (MFA) policies using hardware security keys or Microsoft Authenticator.

  • Reduce the attack surface by turning on the attack surface reduction rules to block or audit some observed activity associated with this threat.

  • Turn on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker tools, techniques, and behaviors.

  • Run Endpoint Detection and Response (EDR) in block mode, so that Microsoft Defender for Endpoint can block malicious artifacts detected post-compromise.

Takeaway!

Higaisa is a highly skilled and dangerous threat actor motivated by financial gain and cyberespionage. However, it still relies on tried-and-true techniques to entrap a target. Hence, security best practices can minimize or even stop the impact of a Higaisa attack.
