Supply Chain Attacks: Hackers Target Zero-Days in Widely Used Software, Alert Warns
North Korean state-affiliated hackers are continuing to exploit zero-days in popular software applications as part of global supply chain attack campaigns for espionage and financial theft purposes, British and South Korean cyber agencies warned in an alert on Thursday.
In a joint alert, Britain’s National Cyber Security Centre and South Korea’s National Intelligence Service warned Pyongyang-affiliated hackers are targeting victims by exploiting vulnerabilities in their third-party software applications and supply chains.
These campaigns further the North Korean regime’s priorities of “revenue generation, espionage and the theft of advanced technologies,” officials said.
“In an increasingly digital and interconnected world, software supply chain attacks can have profound, far-reaching consequences for impacted organizations,” said Paul Chichester, NCSC’s director of operations.
The report did not name any specific advanced persistent threat groups tied to these campaigns, although it does cite the recent attack against financial trading software developer 3CX as an example of these large-scale supply chain attacks. The Cyprus-based software vendor, whose customers include Toyota, Coca-Cola and Air France, in late March reported that hackers infiltrated its Windows and macOS source code.
In a subsequent report analyzing the campaign, security firm SentinelOne said attackers conducted a year-long reconnaissance of 3CX’s network before deploying information-stealing malware called SmoothOperator (see: 3CX Desktop Client Under Supply Chain Attack).
Incident response group Mandiant, part of Google Cloud, attributed the 3CX campaign to a North Korean group it tracks as UNC4736, while threat intelligence firm CrowdStrike tracks the group using the codename “Labyrinth Chollima,” and says it’s more generally known as Lazarus Group.
Lazarus is one of the most prolific North Korean state-sponsored hacking teams and is regularly tied to attacks designed to finance the country’s nuclear weapons and missile programs. In 2022 alone, experts said Pyongyang-aligned hackers stole at least $1.7 billion worth of digital assets via various hacking campaigns (see: Banner Year for North Korean Cryptocurrency Hacking).
Target: MagicLine4NX Flaw
Another example of a North Korean supply chain attack cited in the joint report involved an unidentified South Korean media organization. According to the alert, in March, hackers infiltrated the media outlet’s website and deployed a malicious script disguised as a news article. When users viewed the article, the script exploited a vulnerability in the MagicLine4NX security authentication program, if it was installed on the system, to compromise the computer and remotely control it through a botnet command-and-control network.
Attackers used their access to install additional malware and exfiltrate data. According to the alert, the attack was detected and blunted in part because a victim organization noticed internal endpoints communicating with the external command-and-control server. The report doesn’t attribute that attack to any specific North Korean hacking team.
Experts say the country’s APT groups regularly refine their tactics and techniques, which, when combined with supply chain attacks, makes them especially formidable. “It can be hard to detect these attacks as the actors are using legitimate software and hardware,” the joint alert warns. “With the level of the threat likely to increase, organizations should establish and put in place relevant security measures to safely manage the security of the products and to build resilience to attacks.”
Among the defenses the agencies recommend: running supply chain cybersecurity awareness and training programs, identifying and designing mitigations for top risks, rapidly installing the latest security updates, monitoring network traffic for suspicious activity, and using two-factor authentication to block logins from unauthorized users, even if they possess valid access credentials.