national PKI

1999 – The dawn of internet banking
• Real-time transfers via web browsers
• US crypto-export restrictions led to the adoption of ActiveX controls
• Three mandatory plugins became widely adopted
  - SSL-like layer (with National PKI support)
  - Anti-Virus
  - Anti-Keylogger

2002 – e-Government services launch; Korean Financial ISAC established
• Real-time issuance of public documents via web browsers
• Based on ActiveX controls
• IT Asset Management
• Anti-Virus
• Patch Management
• Data Loss Protection
• Network Access Control

2009 – First Contact
2010 – Network separation regulations introduced for public sector
2011 – NH Bank system destruction (First Destructive Attack)
2013 – 3.20 cyber terror (Dark Seoul) (Largest and Most Damaging Attack)
• Initial Access via ActiveX vulnerability
• Mass Infection using on-premises central management systems
• Network separation mandated for financial sector
2015 – Financial Security Institute established; discussions begin for standards-based internet banking
• Introduction of non-ActiveX plugins (executables)
2016 – Initech (ActiveX supplier) breach
2017 – Bithumb exchange heist
2018 – Operation GoldenAxe
• Targeted watering-hole attacks exploiting ActiveX controls

Milestones marked on this timeline: First Ransomware; First Major Financial Theft; Global Debut; First Major Cryptocurrency Theft; First Supply-chain Attack
• We trusted our (on-premises) central management systems
• We trusted our suppliers
• We believed that more security meant more safety
• But that trust became the perfect entry point for attackers

[Diagram of contributing factors: Shortage of cybersecurity professionals; Excessive security footprints; Insecure suppliers; Complex regulations; Vulnerable ActiveX; Vulnerable central management systems (on-prem)]
• Support modern browsers
  - Work on Windows, macOS, Linux
• Typically install a local web server to communicate with the browser
• A loose form of cloud-based central management system
  - Often lack automatic update controls

[Screenshot of a legacy-style plugin download page listing: Plugin manager; Anti-Virus; PC telemetry agent; PKI support module (three separate modules); Reporting tool]
“C-Clean” service pilot starts
• Coordinated removal of vulnerable plugins with AV vendors

Academic research published
• “Too Much of a Good Thing: (In-)Security of Mandatory Security Software for Financial Services in South Korea”
  - Highlighted plugin security issues
  - Discovered 19 critical vulnerabilities
  - Advocated transition to standards-based security
  https://www.usenix.org/conference/usenixsecurity25/presentation/yun

BitoPro, SBI Crypto – Largest Cryptocurrency Theft
https://www.krcert.or.kr/kr/bbs/view.do?bbsId=B0000133&menuNo=205020&nttId=71796

Phrack article published
• “APT Down: The North Korea Files”

“C-Clean” service starts
https://krcert.or.kr/kr/bbs/view.do?bbsId=B0000133&pageIndex=1&nttId=71901&menuNo=205020
• We still trust our (on-premises & cloud-based) central management systems
• We still trust our suppliers
• We still believe that more security means more safety
• And once again, trusted software has become a trojan horse

[Diagram of contributing factors: Vulnerable non-ActiveX; Vulnerable central management systems (cloud-based); Shortage of cybersecurity professionals; Excessive security footprints; Insecure suppliers; Complex regulations]
• Can be on-premises or cloud-based (SaaS)
• Compliance often requires multiple agents per endpoint
  - Too many agents can degrade PC performance
  - EPP (AV), DRM, DLP, NAC - all running on my intranet PC
App, JumpCloud, NPM, PyPI
• Suspected behind multiple virtual asset thefts
• Recruitment-focused adversary operations
  - Contagious Interview, IT worker
  - Emergence of a new “Famous Chollima” cluster
• Heavy use of AI for persona creation, malware development, and realistic lures
https://lazarus.day/actors/
in financial services
  - Non-ActiveX plugins
  - Central management systems
  - Internet & mobile banking, HTS, etc.
• Rewards up to $7,500 USD per vulnerability
  - Open to South Korean citizens only
• Assign CVEs and operate as a CNA
https://www.fsec.or.kr/bbs/1013

[Bar chart: Bug Bounty Submissions per year, 2022 to 2025; plotted values 341, 292, 120, 61]
DPRK-preferred TTPs
• Discovered dozens of zero-days in trusted central management systems
  - Addressed through bug bounty and coordinated disclosure
  - Some published as CVEs
https://www.cve.org/CVERecord?id=CVE-2024-11071
to remove plugins are gaining traction — Finally!
• Central management systems are essential but must be rigorously verified
  - Minimize the number of agents to reduce the trusted attack surface
  - Enforce realistic vendor security standards and supply-chain assurance
  - Use bug bounties and red teaming to proactively discover and patch flaws