A recent cyber attack has revealed the sophisticated tactics used by Diamond Sleet, a state-sponsored group from North Korea, to compromise organizations through the software supply chain [2].

Description

Diamond Sleet targeted downstream customers by distributing a trojanized version of a legitimate application developed by CyberLink [1] [3], a Taiwanese multimedia software developer [1] [2] [3] [4] [5]. The group breached CyberLink’s systems and modified the installer file to include malicious code. The compromised installer [3] [4] [7], which appeared genuine and was signed with a valid CyberLink certificate [7], infected over 100 devices worldwide [4] [6], affecting countries such as Japan [5] [6], Taiwan [1] [2] [3] [4] [5] [6] [8], Canada [1] [4] [5] [6], and the United States [4] [5] [6].

The malware, known as LambLoad [1] [3] [4] [5] [7] [8], acts as a downloader and loader [4] [7], specifically targeting corporate environments without certain security software [7]. Microsoft has observed Diamond Sleet using trojanized open-source and proprietary software [1], but did not detect any hands-on-keyboard activity following the distribution of the tampered installer [1]. While no direct malicious activity has been observed [7], there is concern about the potential for data exfiltration and further attacks [7].

In response to this attack, South Korea and the UK have issued an advisory warning about the growing sophistication and frequency of software supply chain attacks conducted by North Korean threat actors [1]. Microsoft has taken steps to protect its customers [7] [8], including notifying affected users and removing the second-stage payload [7]. The attack was first detected on October 20, 2023 [5], and Microsoft has attributed it to Diamond Sleet with high confidence [4] [5]. The group used a legitimate code signing certificate issued to CyberLink to sign the malicious executable [5]. Microsoft has added this certificate to its disallowed list to protect customers [5].

The trojanized software and related payloads are tracked as LambLoad [5], a malware downloader and loader [4] [5] [7]. LambLoad targets systems without certain security software [5] [7]. If those conditions are met [5], the malware connects to command-and-control servers to retrieve a second-stage payload disguised as a PNG file [5]. This attack method is commonly used by Lazarus [5], another North Korean threat actor [1] [5] [7]. Microsoft has informed CyberLink and affected customers [4] [5], and the second-stage payload has been removed from GitHub [5]. Microsoft Defender for Endpoint is actively detecting this activity and providing updates as the investigation progresses [8].
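A second-stage payload "disguised as a PNG file" is detectable on the defender's side because a real PNG has a rigid structure: an 8-byte signature, then a sequence of chunks, each with a length, a type, data and a CRC-32, beginning with a 13-byte IHDR chunk and ending with IEND. The following is an added example, not code from the original article and not derived from Microsoft's LambLoad analysis; it assumes a blob fetched under a .png name and classifies it as a well-formed PNG, a Windows PE file wearing a PNG name, a blob with data appended after IEND, or a malformed or truncated file. The function names (inspect_png, sample_verdicts) and all sample blobs are constructed for this example.

```python
import struct
import zlib

# Added example detector (not from the original article or from Microsoft's
# analysis of LambLoad). It asks one question of a blob delivered as ".png":
# is this structurally a PNG, or something else using that name?

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def inspect_png(data: bytes) -> str:
    """Classify a blob that arrived labelled as PNG.

    Returns one of:
      'pe_disguised_as_png'      - starts with the Windows PE 'MZ' header
      'bad_signature'            - does not start with the 8-byte PNG signature
      'bad_first_chunk'          - first chunk is not a 13-byte IHDR
      'bad_chunk_crc'            - a chunk's CRC-32 does not match its content
      'truncated'                - chunk table runs past the end of the blob
      'trailing_data_after_iend' - bytes follow the IEND chunk (appended payload)
      'valid_png'                - well-formed chunk structure
    """
    if data.startswith(b"MZ"):
        return "pe_disguised_as_png"
    if not data.startswith(PNG_SIGNATURE):
        return "bad_signature"

    offset = len(PNG_SIGNATURE)
    first_chunk = True
    while offset < len(data):
        if offset + 8 > len(data):
            return "truncated"
        length, ctype = struct.unpack(">I4s", data[offset:offset + 8])
        if first_chunk and (ctype != b"IHDR" or length != 13):
            return "bad_first_chunk"
        first_chunk = False
        data_end = offset + 8 + length
        if data_end + 4 > len(data):
            return "truncated"
        (stored_crc,) = struct.unpack(">I", data[data_end:data_end + 4])
        # The CRC-32 covers the chunk type and chunk data, not the length field.
        if zlib.crc32(data[offset + 4:data_end]) != stored_crc:
            return "bad_chunk_crc"
        offset = data_end + 4
        if ctype == b"IEND":
            return "trailing_data_after_iend" if offset < len(data) else "valid_png"
    return "truncated"  # ran out of bytes without seeing IEND


def png_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = struct.pack(">I", zlib.crc32(ctype + payload))
    return struct.pack(">I", len(payload)) + ctype + payload + crc


def minimal_png() -> bytes:
    """Constructed 1x1 greyscale PNG used as the benign sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour, ...
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


def sample_verdicts() -> dict:
    """Run the detector over constructed samples (none are real malware)."""
    good = minimal_png()
    corrupted = bytearray(good)
    corrupted[20] ^= 0xFF  # flip a byte inside IHDR data so its CRC no longer matches
    samples = {
        "benign.png": good,
        "pe_with_png_name.png": b"MZ\x90\x00" + b"\x00" * 60,
        "payload_appended.png": good + b"<constructed second-stage bytes>",
        "truncated.png": good[:20],
        "corrupted_chunk.png": bytes(corrupted),
        "text.png": b"not an image at all",
    }
    return {name: inspect_png(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, verdict in sample_verdicts().items():
        print(f"{name:24} {verdict}")
```

In practice this check sits at a proxy, a sandbox or an EDR file-download hook: any "image" that fails it is worth an alert, and the 'pe_disguised_as_png' and 'trailing_data_after_iend' verdicts in particular describe the two common ways a downloader hides an executable behind an image name.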

Mitigations recommended by Microsoft include using Microsoft Defender Antivirus [8], enabling network protection [8], and conducting thorough investigations on impacted devices [8]. The use of a legitimate code signing certificate adds sophistication to the attack [4], emphasizing the need for enhanced cybersecurity measures and protection of software supply chains [4].

Conclusion

This cyber attack has had significant impacts, with over 100 devices infected worldwide. The potential for data exfiltration and further attacks raises concerns about the security of organizations. South Korea and the UK have issued advisories to warn about the growing threat of software supply chain attacks conducted by North Korean threat actors [1]. Microsoft has taken steps to protect its customers and has attributed the attack to Diamond Sleet. Mitigations [8], such as using Microsoft Defender Antivirus and enabling network protection [8], are recommended to enhance cybersecurity measures [4]. The use of a legitimate code signing certificate highlights the need for increased protection of software supply chains in the future.

References

[1] https://thehackernews.com/2023/11/north-korean-hackers-distribute.html
[2] https://gillettnews.com/news/software-supply-chain-attack-insights-into-a-sophisticated-cyber-threat/252745/
[3] https://cyber.vumetric.com/security-news/2023/11/23/n-korean-hackers-distribute-trojanized-cyberlink-software-in-supply-chain-attack/
[4] https://cybermaterial.com/diamond-sleet-cyberattack-on-cyberlink/
[5] https://www.redpacketsecurity.com/microsoft-lazarus-hackers-breach-cyberlink-in-supply-chain-attack/
[6] https://cybersecuritynews.com/north-korean-hackers-cyberlink/
[7] https://siliconangle.com/2023/11/22/cyberlink-targeted-supply-chain-attack-infamous-lazarus-hacking-group/
[8] https://www.techtimes.com/articles/299009/20231123/microsoft-north-korean-hackers-cyberlink-distribute-trojanized-installer-file.htm