North Korea-backed threat actors [2] [3] [5] [8], known as Diamond Sleet or ZINC [5] [7], have been increasingly conducting software supply chain attacks [2], targeting organizations globally [2] [4] [8]. These attacks have caught the attention of cybersecurity agencies such as the UK’s National Cyber Security Centre (NCSC) and the South Korean National Intelligence Service (NIS). In a joint advisory [1] [2] [4] [6], the NCSC and NIS warn organizations about the rising threat posed by these attacks and urge them to enhance their security measures to prevent breaches.
Description
The attackers, Diamond Sleet or ZINC [5], specialize in espionage [5], data theft [5], financial gain [5], and network disruption [5]. They have been leveraging unknown vulnerabilities and exploits in third-party software supply chains to gain access to systems [6]. One example of their sophisticated attack involves tampering with a legitimate application developed by CyberLink, a Taiwanese multimedia software developer [7] [8]. They distribute a trojanized version of the application that contains a concealed second-stage payload. This trojanized file, signed with a valid CyberLink certificate [3] [5], has infiltrated over 100 devices worldwide [5], affecting countries such as Japan [5], Taiwan [5] [7] [8], Canada [5], and the United States [5]. The attackers strategically position the trojanized file within CyberLink’s update infrastructure to evade detection.
In response to the compromise [5], Microsoft swiftly notified CyberLink, alerted affected customers [5], reported the attack to GitHub [5], blocked the certificate [5], and categorized the threat as Diamond Sleet within Microsoft Defender for Endpoint [5]. To protect organizations against this threat [5], Microsoft recommends employing Microsoft Defender Antivirus with cloud-delivered protection [5], activating network protection [5], enabling automated investigation and remediation [5], swiftly addressing malicious activity [5], and implementing attack surface reduction rules [5]. They also offer a decryption script for independent analysis of Diamond Sleet’s malware [5]. Microsoft Defender Antivirus and Microsoft Defender for Endpoint continuously monitor and detect threat components associated with Diamond Sleet’s arsenal to ensure organizations remain protected [5].
The joint advisory specifically mentions incidents involving Lazarus hackers, such as the exploitation of vulnerabilities in the MagicLine4NX authentication app and a double supply chain attack on customers of 3CX [2]. It also provides a list of mitigations for end-user security teams to implement [2]. The advisory predicts that these attacks will continue to rise [6], emphasizing the need for organizations to take steps to protect themselves [6]. This advisory is significant as it is the first of its kind issued solely by the NCSC, without partnership from other Five Eyes agencies [1] [6]. It coincides with the state visit to the UK by South Korean President Yoon Suk Yeol [1].
Researchers at Microsoft Threat Intelligence have also uncovered a supply chain attack by the North Korean threat actor known as Lazarus [3]. The attack uses a modified installer for a CyberLink application [3] [7] to distribute malware [3]. The compromised installer appears legitimate and is signed with a valid CyberLink certificate [3], but it contains malicious code that downloads and executes a secondary payload [3]. The malware, called LambLoad [3], acts as both a downloader and a loader [3]. It targets corporate environments that do not run security software from vendors such as FireEye [3], CrowdStrike [3], and Tanium [3]. The attack has affected over 100 devices in multiple countries [3]. While no direct activity has been observed after compromise [3], the potential for data exfiltration and further attacks remains a concern [3]. Microsoft has taken steps to protect its customers [3], including notifying affected users and removing the second-stage payload [3]. The Lazarus Group [3], responsible for the WannaCry ransomware in 2017 [3], has a long history of attacks and has also been linked to cryptocurrency theft [3].
Conclusion
These software supply chain attacks conducted by North Korea-backed threat actors pose a significant threat to organizations globally. The increasing sophistication and volume of these attacks have prompted cybersecurity agencies to issue warnings and urge organizations to enhance their security measures. Microsoft has taken swift action to protect its customers and offers recommendations for organizations to defend against these attacks. The joint advisory also highlights the growing activity of Lazarus hackers and provides mitigations for end-user security teams. As these attacks continue to evolve, organizations must remain vigilant and take proactive steps to protect themselves from potential breaches and data exfiltration.
References
[1] https://guernseypress.com/news/uk-news/2023/11/23/uk-and-south-korea-issue-warning-over-north-korea-linked-cyber-attacks/
[2] https://www.computerweekly.com/news/366560832/North-Korean-APTs-go-all-in-on-supply-chain-attacks-warns-NCSC
[3] https://siliconangle.com/2023/11/22/cyberlink-targeted-supply-chain-attack-infamous-lazarus-hacking-group/
[4] https://www.infosecurity-magazine.com/news/north-korean-supply-chain-booming/
[5] https://cybersecuritynews.com/north-korean-hackers-cyberlink/
[6] https://www.standard.co.uk/news/tech/south-korea-north-korea-eyes-gchq-canada-b1122291.html
[7] https://cyber.vumetric.com/security-news/2023/11/23/n-korean-hackers-distribute-trojanized-cyberlink-software-in-supply-chain-attack/
[8] https://thehackernews.com/2023/11/north-korean-hackers-distribute.html