The cybersecurity agencies in the UK and South Korea are warning of the growing threat of North Korea-linked threat groups using zero-day and third-party exploits to launch software supply-chain attacks.
The hackers are targeting products that are widely used by government organizations, financial institutions, and defense industry companies around the world, the UK’s National Cyber Security Centre and South Korea’s National Intelligence Service wrote in a recent advisory.
The 13-page document outlines the various tactics, techniques, and procedures (TTPs) used by the North Korea-backed groups and preventative measures organizations can take to defend against them.
“In recent years, supply chain attacks from DPRK [Democratic People’s Republic of Korea] state-linked cyber actors have steadily increased in volume and have become more sophisticated,” the agencies wrote. “The malicious actors utilise tactics including zero-day attacks and multiple exploits to attack software supply chain products, used by a number of international organisations.”
The advisory came two days after the two nations signed a strategic partnership agreement to work together to combat cyberthreats that are common between them. That includes building up capabilities to enforce sanctions against North Korea and preventing its ongoing development of illegal weapons.
The warning also came a day after Microsoft’s Threat Intelligence unit outlined a recent supply-chain attack launched by the North Korea-based Diamond Sleet group, leveraging a malicious variant of a legitimate product from CyberLink that has infected more than 100 devices in countries including the United States, Canada, Taiwan, and Japan.
North Korea is routinely listed – along with Russia, China, and Iran – as among the top hubs of state-sponsored cyberattacks, with campaigns run by gangs like the notorious Lazarus Group and BlueNoroff, a subset of Lazarus. The country’s cyberthreat efforts also include other scams, such as schemes to plant North Korean IT workers in organizations around the world to steal money and information.
Invariably, the primary goal of these efforts is to generate money and capture information to benefit the rogue country’s ballistic and nuclear weapons programs. That includes the software supply-chain campaigns, which call for injecting malicious code into products that are then distributed to users downstream.
“Several elements of the supply chain have proved susceptible to compromise, including software vendors, managed service providers and cloud providers,” the UK and South Korean agencies wrote. “From here, an actor can indiscriminately target a number of organisations and users, and their attacks can be expanded or shifted to a ransomware attack to demand money or cause a system disruption.”
The North Korean bad actors are using zero-day exploits, newly published vulnerabilities and tools, and multiple exploited vulnerabilities chained in series to attack specific targets, they wrote. The agencies noted an attack in March in which the bad actors chained vulnerabilities in a security authentication program and in network-linked systems to access the intranet of a targeted company.
They used a flaw in MagicLine4NX’s security authentication program for the initial access into the victim’s computer and then exploited a zero-day bug in the network-linked system to move laterally and get access to information.
“The compromise of one supply chain led to the infection of another supply chain, which was a targeted attack against a specific target,” the agencies wrote.
They noted another campaign in March that compromised the Desktop App software from 3CX with malware that affected macOS and Windows devices. The threat group added malicious code to an executable file that shipped in a signed installer for the software and was distributed via legitimate channels.
The group also used a GitHub repository in its campaign.
“When the 3CX software was run, the malicious code would sleep in the background for at least 7 days and the 3CX software would continue to run as normal,” the agencies wrote. “After the sleep period, the malicious code loaded an encrypted payload which is appended to a DLL also packaged within the 3CX software.”
The payload was a browser stealer that would exfiltrate such information as system data, account information, and browser history from systems using Chrome, Edge, Firefox, and Brave.
The only observed onward stage was a browser stealer, which would extract and exfiltrate basic victim system data, victim 3CX account information and browser history from the Brave, Chrome, Edge and Firefox browsers.
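The 3CX payload described above was appended to a DLL, and trailing bytes that no section or Authenticode signature accounts for are something a release-integrity check can flag before a signed installer ships. The following PE overlay check is an added example, not code from the advisory or from 3CX or Microsoft; `build_sample` constructs a minimal PE32+ in memory only so the check can run offline, and the payload and signature blobs are placeholders.

```python
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: where the Authenticode blob lives

def pe_overlay(data: bytes) -> tuple[int, int]:
    """Return (overlay_offset, overlay_size) for a PE image held in memory.

    The overlay is anything after the last section's raw data. A signature
    legitimately lives there, so the certificate table named in data directory 4
    is subtracted; what remains is trailing data nothing in the header explains.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + (112 if magic == 0x20B else 96)      # PE32+ vs PE32 layout
    cert_off, cert_size = struct.unpack_from("<II", data, dd_off + SECURITY_DIR * 8)
    sect = opt + opt_size
    end = 0
    for i in range(nsections):                          # SizeOfRawData, PointerToRawData
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    overlay = len(data) - end
    if cert_size and cert_off >= end:                   # signature sits inside the overlay
        overlay -= cert_size
    return end, max(overlay, 0)

def build_sample(payload: bytes = b"", cert: bytes = b"") -> bytes:
    """Constructed minimal PE32+ (one .text section) for testing; not a real binary."""
    pe_off, raw_ptr, raw_size = 0x40, 0x200, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    dirs = bytearray(16 * 8)                            # 16 empty data directories
    if cert:                                            # certificate table after the payload
        struct.pack_into("<II", dirs, SECURITY_DIR * 8, raw_ptr + raw_size + len(payload), len(cert))
    opt = struct.pack("<H", 0x20B) + b"\0" * 110 + bytes(dirs)
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + section).ljust(raw_ptr, b"\0")
    return headers + b"\xC3" * raw_size + payload + cert

if __name__ == "__main__":
    clean = build_sample(cert=b"<constructed-signature-blob>")
    tampered = build_sample(payload=b"<constructed-encrypted-payload>" * 8, cert=b"<sig>")
    print("clean:", pe_overlay(clean), "tampered:", pe_overlay(tampered))
```

A non-zero second value on a file that is supposed to contain only sections and a signature is worth a closer look; real binaries also carry benign overlays (installers, self-extractors), so the check is a trigger for review, not a verdict.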
In its report, Microsoft said that the advanced persistent threat (APT) group Diamond Sleet – also a subset of Lazarus – used a legitimate CyberLink application installer that the group modified to include malicious code that downloads, decrypts, and loads another payload. CyberLink is a Taiwanese company that develops multimedia software.
Microsoft first detected the campaign in October.
“The second-stage payload observed in this campaign communicates with infrastructure that has been previously compromised by Diamond Sleet,” the giant IT vendor wrote. “More recently, Microsoft has observed Diamond Sleet utilizing trojanized open-source and proprietary software to target organizations in information technology, defense, and media.”
The bad actors used a legitimate code-signing certificate issued to CyberLink to sign the malicious executable. Microsoft said the certificate was added to its list of disallowed certificates to keep other organizations from using it.
Microsoft wrote that it has yet to see “hands-on-keyboard” activity after the malware compromises a system, but noted that Diamond Sleet – which has been around since at least 2013 – typically exfiltrates sensitive information, compromises software build environments, moves downstream to exploit other victims, and establishes persistent access in its victims’ IT environments.