In an advisory today Germany's federal intelligence agency and South Korea's National Intelligence Service warn of an ongoing cyber-espionage operation targeting the global defense sector on behalf of the North Korean government.
The attacks aim to steal advanced military technology information and help North Korea modernize conventional arms as well as develop new military capabilities.
Today's joint cybersecurity advisory highlights two cases attributed to North Korean actors, one of them the Lazarus group, to provide the tactics, techniques, and procedures used by the attackers.
The intruder followed an attack chain that included stealing SSH credentials, abusing legitimate tools, moving laterally on the network, and trying to remain hidden on the infrastructure.
1. Breached the web server maintenance company, stole SSH credentials, and used them to access the research center's Linux web server.
2. Moved laterally: established SSH sessions to other servers, used tcpdump to capture packets, and stole employee account credentials.
3. Impersonated a security manager using the stolen account information and attempted to distribute a malicious patch file via the patch management system (PMS), but was blocked by the genuine manager.
By first compromising the IT services provider, the North Korean threat actor was able to infiltrate an organization that maintains a good security posture, taking advantage of the relationship between the two to carry out covert attacks in small, careful steps.
The bulletin suggests several security measures against these attacks, including limiting IT service providers' access to systems necessary for remote maintenance, closely monitoring access logs to detect unauthorized access events, using multi-factor authentication on all accounts, and adopting strict user authentication policies for the patch management system.
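The first two measures above, scoping a contractor's remote-maintenance access and watching the access logs for logins that fall outside that scope, can be turned into a simple check over sshd authentication lines. The following is an added illustration, not code from the advisory or from either agency; the log lines, the `vendor-maint` account, the `web01`/`db02` host names, the policy values and the log year are all constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample sshd lines (not from the advisory); the log year is assumed to be 2024.
SAMPLE_AUTH_LOG = """\
Feb 12 10:14:07 web01 sshd[4112]: Accepted publickey for vendor-maint from 198.51.100.20 port 50122 ssh2
Feb 12 23:31:55 web01 sshd[4201]: Accepted password for vendor-maint from 203.0.113.9 port 41002 ssh2
Feb 13 00:05:10 db02 sshd[2210]: Accepted password for vendor-maint from 10.0.5.11 port 53310 ssh2
Feb 13 00:06:40 db02 sshd[2231]: Accepted password for alice from 10.0.5.11 port 53322 ssh2
"""

# Assumed policy: the maintenance contractor's account may reach only the web
# servers, only from the contractor's egress range, and only in a daytime window.
VENDOR_POLICY = {
    "vendor-maint": {
        "hosts": {"web01", "web02"},
        "source_cidr": ipaddress.ip_network("198.51.100.0/24"),
        "hours": range(8, 18),  # 08:00-17:59 server local time
    }
}

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

def check_login(line, policy=VENDOR_POLICY, year=2024):
    """Return the policy violations for one sshd 'Accepted' line (empty list if clean)."""
    m = LOG_RE.match(line)
    if not m or m.group("user") not in policy:
        return []  # not a successful login, or not a vendor account: out of scope here
    user, host, src = m.group("user"), m.group("host"), m.group("src")
    rule = policy[user]
    findings = []
    if host not in rule["hosts"]:
        findings.append(f"{user} logged in to {host}, outside the maintenance scope")
    if ipaddress.ip_address(src) not in rule["source_cidr"]:
        findings.append(f"{user} logged in from unexpected source {src}")
    hour = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S").hour
    if hour not in rule["hours"]:
        findings.append(f"{user} logged in at {hour:02d}:xx, outside the agreed window")
    return findings

def audit(log_text):
    """Run check_login over every line of a log and return all findings in order."""
    findings = []
    for line in log_text.splitlines():
        findings.extend(check_login(line))
    return findings
```

The third sample line is the pattern the advisory describes: the vendor credential turning up on an internal host, from an internal source, at night, which the check reports three times over. Logins by non-vendor accounts such as `alice` are deliberately ignored here; catching a stolen employee credential needs a separate baseline per user.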
ESET highlighted a similar incident in September 2023, where Lazarus targeted an employee of an aerospace company in Spain to infect systems with the 'LightlessCan' backdoor.
The second case in the security bulletin describes Lazarus creating an account on an online job portal using fake or stolen personal data of a real person and curating it over time so that it is connected with the right people for the campaign's social engineering goals.
Next, the threat actor uses that account to approach people working for defense organizations and connects with them to start a conversation in English, slowly building a connection over multiple days, weeks, or even months.
After gaining the victim's trust, the threat actor offers them a job and suggests an external communication channel where they can share a malicious PDF file, described as a document with details about the offer.
In some cases, Lazarus sends a ZIP file that contains a malicious VPN client, which they use to access the victim's employer network.
Adopting the principle of least privilege and restricting employee access only to the systems they need should be the start for a good security posture.
Adding strong authentication mechanisms and procedures for the patch management system and maintaining audit logs that include user access should improve the security stance.
For social engineering attacks, the two agencies recommend training employees on common tactics.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 19 Feb 2024 20:30:11 +0000