Kimsuky Exploits BlueKeep RDP Vulnerability to Launch Cyberattacks in South Korea and Japan

By jinia

Cybersecurity researchers have uncovered a campaign by the North Korean state-sponsored group Kimsuky that exploits the BlueKeep vulnerability in Microsoft's Remote Desktop Protocol (RDP) implementation to breach systems in South Korea and Japan.


Tracked as Larva-24005 by the AhnLab Security Intelligence Center (ASEC), the campaign exploits a critical remote code execution (RCE) vulnerability in Microsoft's Remote Desktop Services, CVE-2019-0708, which carries a CVSS score of 9.8.

 

“In certain systems, initial access was gained by exploiting the BlueKeep RDP vulnerability,” ASEC reported. “Although an RDP vulnerability scanner was found on the compromised systems, there's no conclusive evidence confirming its active use.”


What is BlueKeep (CVE-2019-0708)?

BlueKeep is a pre-authentication use-after-free in Remote Desktop Services (the termdd.sys kernel driver that handles RDP virtual channels). A remote attacker who can reach the RDP listener on TCP/3389 can trigger it without credentials or user interaction and run code in kernel context, which is why it is classed as wormable and why successful exploitation means full control of the host: installing malware, reading data, or creating accounts with administrative rights. It affects Windows 7, Windows Server 2008 and 2008 R2, and the out-of-support Windows XP and Server 2003; Windows 8 and later are not affected. Microsoft shipped fixes for all of these in May 2019, including the out-of-support versions, so any system that is still vulnerable has gone unpatched for years.



Exploitation requires only that the attacker send specially crafted RDP connection-setup packets to the target's Remote Desktop Service. No valid login credentials are needed because the vulnerable code runs during the MCS connection and virtual-channel setup, before the server has authenticated anyone. That ordering is also the basis of Microsoft's documented mitigation for systems that cannot be patched immediately: with Network Level Authentication (NLA) enabled, the client must authenticate over CredSSP before the vulnerable stage is reached, so an attacker needs valid credentials first. TLS on its own does not help, because the vulnerable exchange still happens after the TLS handshake but before any credential is checked. Not exposing RDP to the internet, or blocking TCP/3389 at the perimeter, removes the attack surface entirely.
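The negotiation described above can be checked from the network. The script below is an added example, not ASEC's tooling and not code from the article: it offers a server only legacy standard RDP security and classifies how the server answers, using the X.224 Connection Request and Connection Confirm structures defined in Microsoft's public MS-RDPBCGR specification. The sample server replies embedded at the bottom are hand-assembled from the spec for offline use, and the verdict labels (EXPOSED, TLS_ONLY, NLA_REQUIRED, NLA_NEGOTIATED) are this example's own naming. It tells you whether NLA is enforced, not whether the host is patched.

```python
"""Does an RDP listener enforce Network Level Authentication (NLA)?

BlueKeep fires during connection setup, before any credential is checked, so
the question for an exposed host is whether the server proceeds with a client
that offers only legacy "standard RDP security". Sample replies at the bottom
are constructed from the MS-RDPBCGR spec, not captured from a real host.
"""
import socket
import struct

# rdpNegData type codes (MS-RDPBCGR 2.2.1.1.1, 2.2.1.2.1, 2.2.1.2.2)
TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

# requestedProtocols / selectedProtocol flags
PROTOCOL_RDP = 0x00000000        # standard RDP security: no TLS, no NLA
PROTOCOL_SSL = 0x00000001        # TLS, but authentication still happens later
PROTOCOL_HYBRID = 0x00000002     # CredSSP, i.e. NLA: authenticate first
PROTOCOL_HYBRID_EX = 0x00000008  # CredSSP with Early User Authorization Result

FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT header + X.224 Connection Request carrying an RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR TPDU: code 0xE0, DST-REF, SRC-REF, class option, then rdpNegReq
    x224 = b"\xe0" + b"\x00\x00" + b"\x00\x00" + b"\x00" + neg_req
    x224 = bytes([len(x224)]) + x224                        # length indicator (LI)
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224  # TPKT: version 3, reserved, length


def parse_connection_confirm(data: bytes) -> dict:
    """Decode TPKT + X.224 Connection Confirm, with or without rdpNegData."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 PDU")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match the data received")
    li = data[4]
    if data[5] >> 4 != 0xD:
        raise ValueError("not an X.224 Connection Confirm")
    neg = data[11:5 + li]  # whatever follows the six fixed X.224 CC fields
    if not neg:
        return {"kind": "legacy"}  # pre-negotiation server: standard RDP security only
    if len(neg) < 8:
        raise ValueError("truncated rdpNegData")
    typ, flags, length, value = struct.unpack("<BBHI", neg[:8])
    if length != 8:
        raise ValueError("rdpNegData length field must be 8")
    if typ == TYPE_RDP_NEG_RSP:
        return {"kind": "response", "flags": flags, "selected_protocol": value}
    if typ == TYPE_RDP_NEG_FAILURE:
        return {"kind": "failure", "failure_code": value}
    raise ValueError(f"unexpected rdpNegData type 0x{typ:02x}")


def assess(confirm: bytes) -> tuple:
    """Classify a Connection Confirm received after offering PROTOCOL_RDP only."""
    r = parse_connection_confirm(confirm)
    if r["kind"] == "legacy":
        return ("EXPOSED", "server does not negotiate security: standard RDP only, no NLA")
    if r["kind"] == "response":
        sel = r["selected_protocol"]
        if sel & (PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX):
            return ("NLA_NEGOTIATED", "server moved to CredSSP; authentication comes first")
        if sel == PROTOCOL_RDP:
            return ("EXPOSED", "server accepted standard RDP security; pre-auth stage reachable")
        return ("TLS_ONLY", "TLS selected without NLA; pre-auth stage reachable over TLS")
    code = r["failure_code"]
    name = FAILURE_CODES.get(code, f"code {code}")
    if code in (5, 6):
        return ("NLA_REQUIRED", f"{name}: clients must authenticate before anything else")
    if code == 1:
        return ("TLS_ONLY", f"{name}: TLS required but NLA not enforced; pre-auth stage reachable over TLS")
    return ("FAILURE", name)


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> tuple:
    """Live check against a host you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(PROTOCOL_RDP))
        return assess(s.recv(4096))


# Constructed sample replies, hand-assembled from the spec (not real captures)
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed000000000000300080005000000")   # failure code 5
SAMPLE_TLS_REQUIRED = bytes.fromhex("030000130ed000000000000300080001000000")   # failure code 1
SAMPLE_ACCEPTS_LEGACY = bytes.fromhex("030000130ed000000000000200080000000000") # response, PROTOCOL_RDP
SAMPLE_NO_NEGOTIATION = bytes.fromhex("0300000b06d00000000000")                 # CC without rdpNegData

if __name__ == "__main__":
    for sample in (SAMPLE_NLA_REQUIRED, SAMPLE_TLS_REQUIRED, SAMPLE_ACCEPTS_LEGACY, SAMPLE_NO_NEGOTIATION):
        print(assess(sample))
```

Run with no arguments to see the four constructed replies classified, or call probe(host) against a host you are authorised to test. An EXPOSED or TLS_ONLY verdict means the connection-setup stage where BlueKeep lives is reachable without credentials, so the host's patch level is all that stands between it and exploitation; NLA_REQUIRED means an attacker needs valid credentials before reaching that stage.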


Multi-Stage Intrusion Tactics by Kimsuky

Apart from BlueKeep, Kimsuky uses a second initial-access vector: phishing emails carrying Office documents that exploit CVE-2017-11882 (CVSS 7.8), a stack buffer overflow in the Microsoft Office Equation Editor component (EQNEDT32.EXE) that Microsoft patched in November 2017. Opening the attachment is enough for the embedded code to run; there is no macro prompt for the user to decline.


Upon successful compromise, the attackers:

1. Deploy a dropper that installs a surveillance tool named MySpy
2. Use RDPWrap, an open-source library that enables Remote Desktop on Windows editions that do not offer it and allows concurrent sessions, to open and keep RDP access to the host
3. Modify system settings to maintain persistence
4. Run keyloggers such as KimaLogger and RandomQuery to harvest keystrokes and user credentials
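Steps 2 and 3 leave traces in the registry that a responder can check on a suspect host. The script below is an added example, not ASEC's tooling and not code from the article: it reads the Terminal Services values that RDP Wrapper and RDP enablement touch and flags the combinations that matter. RDP Wrapper works by changing the TermService service's ServiceDll from the built-in termsrv.dll to its own rdpwrap.dll, so that value is the first thing to look at. The key paths and their default values are Microsoft's and RDP Wrapper's documented ones; the severity labels and the snapshots are constructed for illustration, and the rdpwrap.dll path shown is the tool's default install location used as sample data.

```python
"""Host-side triage for RDP changes left by an intruder (Windows registry).

RDP Wrapper (RDPWrap) points the TermService service at its own DLL via the
ServiceDll value. fDenyTSConnections says whether RDP is enabled at all,
UserAuthentication whether NLA is required, SecurityLayer which transport
security is accepted. Snapshots below are constructed, not collected.
"""
import sys

KEY_TERMSERVICE = r"SYSTEM\CurrentControlSet\Services\TermService\Parameters"
KEY_TERMINAL_SERVER = r"SYSTEM\CurrentControlSet\Control\Terminal Server"
KEY_RDP_TCP = KEY_TERMINAL_SERVER + r"\WinStations\RDP-Tcp"

VALUES = (
    (KEY_TERMSERVICE, "ServiceDll"),              # default: %SystemRoot%\System32\termsrv.dll
    (KEY_TERMINAL_SERVER, "fDenyTSConnections"),  # 1 = RDP disabled, 0 = enabled
    (KEY_RDP_TCP, "UserAuthentication"),          # 1 = NLA required, 0 = not required
    (KEY_RDP_TCP, "SecurityLayer"),               # 0 = RDP security, 1 = negotiate, 2 = TLS
)


def collect_live() -> dict:
    """Read the values from the local registry (Windows only)."""
    import winreg  # imported here so triage() also runs on non-Windows analysis hosts
    snapshot = {}
    for subkey, name in VALUES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                snapshot[(subkey, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            snapshot[(subkey, name)] = None  # key or value absent
    return snapshot


def triage(snapshot: dict) -> list:
    """Return (severity, finding) tuples; an empty list means nothing stood out."""
    findings = []
    dll = snapshot.get((KEY_TERMSERVICE, "ServiceDll"))
    if dll is None:
        findings.append(("INFO", "TermService ServiceDll not present; cannot tell what the service loads"))
    elif not str(dll).lower().endswith("\\system32\\termsrv.dll"):
        # A DLL dropped over System32\termsrv.dll itself would pass this name check;
        # that case needs a signature or hash check of the file, which is out of scope here.
        findings.append(("HIGH", f"TermService loads a non-default DLL: {dll} (RDPWrap installs this way)"))
    deny = snapshot.get((KEY_TERMINAL_SERVER, "fDenyTSConnections"))
    nla = snapshot.get((KEY_RDP_TCP, "UserAuthentication"))
    layer = snapshot.get((KEY_RDP_TCP, "SecurityLayer"))
    rdp_enabled = deny == 0
    if rdp_enabled and nla == 0:
        findings.append(("HIGH", "RDP enabled without NLA: connection setup runs before authentication"))
    if rdp_enabled and layer == 0:
        findings.append(("MEDIUM", "SecurityLayer=0: standard RDP security accepted, no TLS"))
    if rdp_enabled and nla is None:
        findings.append(("MEDIUM", "RDP enabled and UserAuthentication unset; confirm NLA with a network probe"))
    return findings


# Constructed snapshots for the offline demonstration
SNAPSHOT_DEFAULT = {
    (KEY_TERMSERVICE, "ServiceDll"): r"%SystemRoot%\System32\termsrv.dll",
    (KEY_TERMINAL_SERVER, "fDenyTSConnections"): 1,
    (KEY_RDP_TCP, "UserAuthentication"): 1,
    (KEY_RDP_TCP, "SecurityLayer"): 2,
}
SNAPSHOT_RDPWRAP = {
    (KEY_TERMSERVICE, "ServiceDll"): r"C:\Program Files\RDP Wrapper\rdpwrap.dll",
    (KEY_TERMINAL_SERVER, "fDenyTSConnections"): 0,
    (KEY_RDP_TCP, "UserAuthentication"): 0,
    (KEY_RDP_TCP, "SecurityLayer"): 0,
}
SNAPSHOT_PARTIAL = {
    (KEY_TERMSERVICE, "ServiceDll"): r"%SystemRoot%\System32\termsrv.dll",
    (KEY_TERMINAL_SERVER, "fDenyTSConnections"): 0,
    (KEY_RDP_TCP, "UserAuthentication"): None,
    (KEY_RDP_TCP, "SecurityLayer"): None,
}

if __name__ == "__main__":
    snap = collect_live() if sys.platform == "win32" else SNAPSHOT_RDPWRAP
    for severity, finding in triage(snap) or [("OK", "no RDP anomalies in this snapshot")]:
        print(f"[{severity}] {finding}")
```

On a Windows host the script reads the live registry; elsewhere it triages the constructed RDPWrap snapshot so the logic can be exercised offline. Treat a non-default ServiceDll on a machine nobody deliberately installed RDP Wrapper on as a strong signal, and pair the registry view with the network-side NLA check, since the two can disagree when Group Policy overrides local settings.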


Who Is Being Targeted?

This ongoing cyber espionage campaign has primarily focused on victims in South Korea’s software, energy, and financial sectors since October 2023. In addition to Japan, Kimsuky has reportedly targeted organizations in:

United States
China
Germany
Singapore
South Africa
Netherlands
Mexico
Vietnam
Belgium
United Kingdom
Canada
Thailand
Poland


Final Thoughts

This campaign underscores the need to patch legacy systems, restrict and monitor RDP exposure, run endpoint protection that can catch droppers and keyloggers, and stay vigilant against state-backed threats. Neither vulnerability is new: the Equation Editor fix dates from November 2017 and the BlueKeep fix from May 2019. Their continued use by a nation-state actor shows that well-known, long-patched bugs remain productive against organizations that still run unpatched systems or expose RDP directly to the internet.