Been looking through the Rim Jong Hyok indictment and maui ransomware affidavit. A couple of interesting things that I’ve found.

Rim Jong Hyok indictment: https://www.justice.gov/d9/2024-07/hyok_filed_indictment.pdf
Maui affidavit: https://s3.documentcloud.org/documents/25002601/maui-ransomware.pdf

The email whas1985@yahoo.com has apparently been in a number of database leaks over the years including nitrocloud and 000webhost. Looks like they used the same password globalhades19930709 for everything. Interesting is that some of the leaks date back to 2017

The only other thing that I’ve come across so far is that one of the emails listed in the maui affidavit reneefletcher1988@gmail.com apparently registered the domain capitalsloan.com in 2020 and is still active today

Can’t find much other information right now. Could be compromised accounts, could be accounts that were setup years ago by Rim Jong Hyok or someone related.

From the emails in the Maui ransomware report, the following emails have accounts on other services:

asitdolui6666@gmail.com – Firefox.com
nirmhanpandiri@gmail.com – twitter account. shows up on a few lists when searching
nicolas6999999@gmail.com – freelancer.com
whas1985@yahoo.com – zoho
reneeafletcher@mail.com – freelancer.com, twitter.com

The freelancer.com accounts probably make sense.

https://mail.silibank.net is resolving to an Exchange server. It’s not silibank.net.kp but interesting to see something so close resolving.

Found some manuals from PEFIS. Two of them include documentation for software that provides an interface to the FK6xx series fingerprint time attendance terminals. The other provides instructions for the Time Man III fingerprint recognition system.

While both of the FK manuals are written for the FK6xx software, it looks like FKAttend is designed to be used to manage the data collected by fingerprint sensors, while FKRealSvr could be used as an enhancement by providing live data and real-time monitoring.

FKAttend: https://nkinternet.com/wp-content/uploads/2024/06/fkattend_manual.pdf
FKRealSvr: https://nkinternet.com/wp-content/uploads/2024/06/fkrealsvr_manual.pdf
TM3: https://nkinternet.com/wp-content/uploads/2024/06/tm3-menual.pdf

Archive.org link to PEFIS if you want to read through their website: https://web.archive.org/web/20180804072505/http://pefis.cn/

Someone shared with me a couple of files that are from the Amnokgang Technology Development Company. You can read more about Amnokgang here: https://www.nonproliferation.org/wp-content/uploads/2018/05/op36-the-shadow-sector.pdf

While the files are interesting I always love a good error message. So if you see Don’t joke on me. as an error message in your software it probably means that company is working with North Korea.

Cleaning up years of old screenshots and files and came across this screenshot for pust.kr (Pyongyang University of Science and Technology). The domain currently doesn’t resolve but back in 2016 when the site was in the middle of an upgrade it had this message:

Found a couple of resumes online from the Pyongyang Gwangmyeon Information Technology Corporation. Interesting thing is that it doesn’t have names or past employment. Seems to be mostly focused on technical skills and capabilities. Appears to be targeting Russian corporations looking for DPRK workers. Interesting skills in the resumes:

1. Reverse engineering
2. Development experience across Windows, Linux, and embedded systems
3. Programming languages including C/C++, PHP, Python, Java, and web
4. Secure communications protocols like SSL and TLS are called out
5. Database admin specifically mentioning oracle, MySQL and PostgreSQL

Contact information from the resumes:

• Company Name: Kwangmen Information Technology Corporation, Pyongyang
• Email: knic.re.dept@silibank.net.kp
• Phone Number: 0085-02-18111 Ext. 8024
• Fax: 0085-02-381-4410
• Address: Haebangsan-dong, Central District, Pyongyang, DPRK

Resumes:

https://nkinternet.com/wp-content/uploads/2024/05/kndr_rezume_1.doc

https://nkinternet.com/wp-content/uploads/2024/05/kndr_potencial.doc

Looks like at one point North Korea was helping Russia develop it’s own version of the kwangmyong: https://hanber-livejournal-com.translate.goog/2420206.html?_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=sc

Someone shared some notes with me about a Cisco router in 175.45.178.0/24 that was allowing unauthenticated telnet connections:

1. Multiple Subnets and Network Segmentation: The switch manages traffic across several IP address ranges (172.16.x.x, 172.25.x.x, 175.45.x.x, 192.168.x.x), indicating a complex network setup with multiple segments. This suggests a structured approach to organizing network resources, possibly reflecting different operational areas or security levels within the network.
2. External Connectivity and Gateway Configuration: The default gateway is set to 172.25.1.25, acting as the primary exit point for traffic intending to reach the internet or an external network. This could indicate where to focus efforts on understanding how traffic flows out of this network and potentially how it’s managed or monitored.
3. Static Routing to Specific IPs: The presence of static routes, especially those directing traffic to specific IP addresses outside the local subnets (175.45.178.163/32, 175.45.178.164/32, 175.45.178.165/32 via 192.168.10.10), could hint at designated paths for certain types of communications or connections to specific external services or networks. This might offer clues about strategic external connections or the organization of the network’s external communications.
4. ARP Table Entries: The Address Resolution Protocol (ARP) table entries reveal devices that have been communicating through the switch, providing MAC addresses and corresponding IP addresses. Notably, there’s a mix of local and potentially external IP addresses, giving a snapshot of active devices or servers. This information could be valuable for mapping the network or identifying critical devices within it.
5. Access Control Lists (ACLs): The existence of an ACL that permits UDP traffic universally might be indicative of specific applications or services that are prioritized within the network, such as streaming or VoIP services. Understanding the role of UDP in this network might reveal operational priorities or specific applications in use.
6. VLAN Configuration: The detailed VLAN setup shows the network’s logical segmentation, which could correspond to different departments, security zones, or types of traffic. This level of detail provides a clearer picture of the network’s internal organization and possibly its scale and complexity.
7. Device and Software Information: Device is a Cisco Catalyst 3560V2 running IOS version 12.2(58)SE2

Forgot to post these a while back but some screenshots of the Red Star 4.0 management interface.

Looks like as of 5:26 AM ET this morning 175.45.177.0/24 was withdrawn and no longer visible. As of yesterday this is what I was showing was in that range

kcna.kp – 175.45.177.1

3 nginx servers at 175.45.177.9, 175.45.177.10, and 175.45.177.11

2 star ftp servers 175.45.177.41 and 175.45.177.42

Putting some of these back now that the story has been published. This was some info on the exposed server

config/config.php is exposed but the files can’t be accessed.

Working backwards it appears the domain cloud.star.net.kp is pointing to the IP but at this time isn’t resolving, at least for me.