The national cybersecurity organizations of the UK and the Republic of Korea have issued a joint advisory warning of an increased volume and sophistication of North Korean software supply chain attacks.

"In an increasingly digital and interconnected world, software supply chain attacks can have profound, far-reaching consequences for impacted organizations," said Paul Chichester, director of operations at the NCSC. "Today, with our partners in the Republic of Korea, we have issued a warning about the growing threat from DPRK state-linked cyber actors carrying out such attacks with increasing sophistication."

"We strongly encourage organizations to follow the mitigative actions in the advisory to improve their resilience to supply chain attacks and reduce the risk of compromise."

The NCSC (the UK's National Cyber Security Centre) and NIS (South Korea's National Intelligence Service) listed examples of zero-days and high-profile organizations exploited in attacks attributed to Lazarus, the group widely believed to be North Korea's state-sponsored offensive cyber unit.

MagicLine4NX

In March 2023, Lazarus attackers launched a watering hole attack targeting specific groups that had vulnerable versions of the MagicLine4NX security authentication software installed. They first compromised a media organization and poisoned one of its web pages with malicious scripts; when a user with a vulnerable MagicLine4NX installation visited the page, the scripts executed and gave the attackers remote control of the victim's machine via their C2 infrastructure.

"The malicious actors used highly sophisticated modus operandi by exploiting an undisclosed vulnerability of the network-linked system and a legitimate function for intrusion into the intranet," the advisory read.

[Figure: Diagram of the MagicLine4NX attack chain, courtesy of the NCSC and NIS]

Ultimately, security policies blocked key activity attempted by the attackers, preventing a large-scale data theft incident.
The attack built on an earlier watering hole campaign by Lazarus that targeted the INISAFE web client; the methods used remained unchanged in the follow-on MagicLine4NX attacks. Although it did not achieve the success North Korea would have wanted, the incident still provides evidence of Kim Jong Un's ambition to target software supply chains with sophisticated methods.

3CX

The more widely publicized supply chain attack coming out of North Korea this year was that on 3CX's desktop app, which was gradually attributed to Lazarus as more evidence was gathered in the weeks following its March disclosure. Adding to the theme of sophistication, the attack impacted both the Windows and macOS versions of the 3CX application.

[Figure: Diagram of the 3CX attack chains on Windows and macOS, courtesy of the NCSC and NIS]

The infection chain was similar on both platforms. The tampered applications installed exactly as the untampered versions would, and once installed they entered a sleep phase - seven days on Windows and between seven and 20 days on macOS - before transmitting data to the attackers. On Windows the chain led to a browser stealer being installed, with basic system data, 3CX account information, and browser histories from Brave, Chrome, Edge, and Firefox sent back to Lazarus.

The warning comes a day after Microsoft published its own report on yet another North Korean supply chain attack, this time on CyberLink's multimedia software. In a similar style to the attack on 3CX, Lazarus breached the Taiwanese tech company and tampered with its installer as recently as October 20. While running, the tampered software scans the victim's system for evidence of the CrowdStrike Falcon, FireEye, or Tanium EDR security solutions.
Microsoft said it hasn't observed hands-on-keyboard activity as a result of this supply chain attack, but it pointed to the same typical motivations of the Lazarus group that the NCSC and NIS did, indicating the group's potential end goals.
This Cyber News was published on www.theregister.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000