North Korean Actors Exploit Weak DMARC Security Policies to Mask Spearphishing Efforts

So let’s do a bit of quick education before we get to the story.

DMARC: Domain-based Message Authentication, Reporting and Conformance is an email authentication protocol that gives domain owners a way to protect their domain from unauthorized use, commonly known as email spoofing. It builds on SPF and DKIM: a DMARC record published in DNS tells receiving mail servers what to do with a message that claims to be from your domain but fails those checks (p=none means do nothing and just report, p=quarantine means treat it as spam, p=reject means bounce it) and where to send reports about what they saw.

With that out of the way, this story will now make a bit more sense. The NSA, together with the FBI and the U.S. Department of State, has put out a joint Cybersecurity Advisory (CSA) about North Korean (DPRK) cyber actors who are exploiting weak DMARC policies on other organizations' domains to spoof those domains in spearphishing campaigns against targets in the US and beyond:

The DPRK leverages these spearphishing campaigns to collect intelligence on geopolitical events, adversary foreign policy strategies, and any information affecting DPRK interests by gaining illicit access to targets’ private documents, research, and communications.

“Spearphishing continues to be a mainstay of the DPRK cyber program and this CSA provides new insights and mitigations to counter their tradecraft,” said NSA Cybersecurity Director Dave Luber. 

The report contains background on the DPRK's cyber program and past information-gathering examples, an explanation of how a strong Domain-based Message Authentication, Reporting and Conformance (DMARC) policy can help block DPRK actors, red-flag indicators of malicious activity, two sample emails used by DPRK cyber actors, and mitigation measures.

Al Iverson, Industry Research and Community Engagement Lead for Valimail, had this comment:

“North Korea found a way to exploit something that security and deliverability experts have been worried about over these past few months; there’s a whole bunch of domain owners out there who are not necessarily security savvy, and perhaps focused more on email marketing efforts. Those domain owners (and there are more than a million of them out there) were quick to implement a bare minimum DMARC policy to comply with new mailbox provider sender requirements. What they didn’t realize is that this can leave the domain unprotected against phishing and spoofing.

People must protect their domain by fully implementing DMARC properly to ensure that bad guys find no phishing or spoofing success when they work their way down the list of domains… to yours.

The NSA, the FBI and the U.S. Department of State have identified this as an issue already and Valimail is fully aligned with the advisory they issued at the end of the week.”
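To make the difference between the "bare minimum" record Iverson describes and a fully implemented one concrete, here is an added example (my code, not the post's, not Valimail's and not from the advisory) that parses DMARC TXT records and says whether a domain's policy actually stops spoofed mail. My reading of "bare minimum" is a p=none, monitor-only record, which is what the DMARC definition above calls "do nothing and just report". The sample records and domain names are constructed for illustration and belong to no real domain; the tag names (v, p, sp, pct, rua, ruf, adkim, aspf) are the standard DMARC tags from RFC 7489.

```python
"""Rate DMARC TXT records: does a domain's policy actually stop spoofing?

Added example, not part of the original post or of the NSA/FBI/State advisory.
The sample records below are constructed for illustration and do not belong
to any real domain. Tag syntax follows RFC 7489 (v=, p=, sp=, pct=, rua=, ...).
"""
from dataclasses import dataclass, field

# Constructed sample records, one per fictional domain.
SAMPLE_RECORDS = {
    "bare-minimum.example": "v=DMARC1; p=none;",
    "partial.example": "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@partial.example",
    "subdomain-hole.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@subdomain-hole.example",
    "strong.example": ("v=DMARC1; p=reject; adkim=s; aspf=s; "
                       "rua=mailto:dmarc@strong.example; ruf=mailto:dmarc@strong.example"),
    "broken.example": "v=DMARC1; q=reject",
}

ENFORCING = ("quarantine", "reject")


@dataclass
class DmarcAssessment:
    policy: str            # effective p= (what receivers do with failing mail)
    subdomain_policy: str  # effective sp= (defaults to p=)
    pct: int               # share of failing mail the policy is applied to
    enforcing: bool        # True only if spoofed mail is actually quarantined/rejected
    findings: list[str] = field(default_factory=list)


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue                      # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Work out what the record makes receivers do, and list its weaknesses."""
    tags = parse_dmarc(record)
    findings: list[str] = []

    if tags.get("v") != "DMARC1":
        findings.append("missing or wrong v=DMARC1 tag: receivers treat the domain as having no DMARC")

    policy = tags.get("p", "").lower()
    if policy not in ("none", *ENFORCING):
        findings.append("missing or invalid p= tag: the record is not a valid DMARC policy")
        policy = "none"                   # an invalid record protects nothing
    elif policy == "none":
        findings.append("p=none only requests reports; spoofed mail from this domain is still delivered")

    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy not in ("none", *ENFORCING):
        findings.append(f"invalid sp={subdomain_policy!r}; falling back to p=")
        subdomain_policy = policy
    if policy in ENFORCING and subdomain_policy == "none":
        findings.append("sp=none: the organisational domain is enforced but every subdomain can be spoofed")

    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else -1
    if not 0 <= pct <= 100:
        findings.append(f"pct={pct_raw!r} is not a value from 0 to 100; treating it as unenforced")
        pct = 0
    elif pct < 100:
        findings.append(f"pct={pct}: the policy applies to only {pct}% of failing messages")

    if "rua" not in tags:
        findings.append("no rua= address: you will not see who is spoofing the domain")

    enforcing = (tags.get("v") == "DMARC1" and policy in ENFORCING
                 and subdomain_policy in ENFORCING and pct == 100)
    return DmarcAssessment(policy, subdomain_policy, pct, enforcing, findings)


def spoofable_domains(records: dict[str, str]) -> list[str]:
    """Domains whose DMARC record does not fully stop spoofing, in input order."""
    return [domain for domain, record in records.items() if not assess_dmarc(record).enforcing]


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        result = assess_dmarc(record)
        verdict = "ENFORCING" if result.enforcing else "SPOOFABLE"
        print(f"{domain}: p={result.policy} sp={result.subdomain_policy} pct={result.pct} -> {verdict}")
        for finding in result.findings:
            print(f"    - {finding}")
```

Run it as-is and only strong.example comes out as enforcing. The other four are the ways a domain ends up "on the list": the monitor-only record, a policy applied to only a slice of mail (pct below 100), an enforced organisational domain with sp=none leaving every subdomain open, and a record that is not valid DMARC at all. To check a real domain, feed assess_dmarc the TXT record published at _dmarc.yourdomain (for example the output of dig +short TXT _dmarc.yourdomain); the function only looks at the record text and does no DNS lookups itself.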

If I were the person in charge of email in an organization, I’d be reading this report and then setting about figuring out how not to be the North Koreans’ next victim. Because clearly this is a today problem, not something you can get to whenever.

2 Responses to “North Korean Actors Exploit Weak DMARC Security Policies to Mask Spearphishing Efforts”

  1. […] doesn’t relate to your field of business, remember that if you’re similarly vulnerable, other bad actors with other targets are likely to come along and look to obtain access (and cause damage) to your […]

  2. […] that I could be spoofed by a threat actor. Which was of course a bad thing. The second thing was this report from Valimail about a North Korean spoofing attack where the North Koreans were taking advantage of people in my situation. That really got me to move […]

Discover more from The IT Nerd