North Korean Hacking Alert Sounded by UK and South Korea

North Korean state-affiliated hackers are continuing to exploit zero-days in popular software applications as part of global supply chain attack campaigns for espionage and financial theft purposes, British and South Korean cyber agencies warned in an alert on Thursday.

See Also: Live Webinar | Generative AI: Myths, Realities and Practical Use Cases

In a joint alert, Britain’s National Cyber Security Centre and South Korea’s National Intelligence Service warned Pyongyang-affiliated hackers are targeting victims by exploiting vulnerabilities in their third-party software applications and supply chains.

These campaigns further the North Korean regime’s priorities of “revenue generation, espionage and the theft of advanced technologies,” officials said.

“In an increasingly digital and interconnected world, software supply chain attacks can have profound, far-reaching consequences for impacted organizations,” said Paul Chichester, NCSC’s director of operations.

The report did not name any specific advanced persistent groups tied to these campaigns, although does cite the recent attack against financial trading software developer 3CX as example of these large-scale supply chain attacks. The Cyprus-based software vendor, whose customers include Toyota, Coca-Cola and Air France, in late March reported that hackers infiltrated its Windows and macOS source code.

In a subsequent report analyzing the campaign, security firm SentinelOne said attackers conducted a year-long reconnaissance of 3CX’s network before deploying information-stealing malware called SmoothOperator (see: 3CX Desktop Client Under Supply Chain Attack).

Incident response group Mandiant, part of Google Cloud, attributed the 3CX campaign to a North Korean group it tracks as UNC4736, while threat intelligence firm CrowdStrike tracks the group using the codename “Labyrinth Chollima,” and says it’s more generally known as Lazarus Group.

Lazarus is one of the most prolific North Korean state-sponsored hacking teams, and regularly tied to attacks designed to finance the country’s nuclear weapons and missile programs. In 2022 alone, experts said Pyongyang-aligned hackers stole at least $1.7 billion worth of digital assets via various hacking campaigns (see: Banner Year for North Korean Cryptocurrency Hacking).

Target: MagicLine4NX Flaw

Another example of a North Korean supply chain attack cited in the joint report involved an unidentified South Korean media organization. According to the alert, in March, hackers successfully infiltrated the media outlet’s website and deployed a malicious script, disguised as a news article. When users viewed the article, the script exploited a vulnerability in the MagicLine4NX security authentication program, if installed on the system, to compromise the computer and remotely control it using a botnet command-and-control network.

Attackers used their access to install additional malware and exfiltrate data. Officials said the attack was discovered and blunted in part because a victim organization discovered internal endpoints communicating with the external command-and-control server, according to the alert. The report doesn’t attribute that attack to any specific North Korean hacking team.

Experts say the country’s APT groups regularly refine their tactics and techniques, which when combined with supply chain attacks makes them especially formidable. “It can be hard to detect these attacks as the actors are using legitimate software and hardware,” the joint alert warns. “With the level of the threat likely to increase, organizations should establish and put in place relevant security measures to safely manage the security of the products and to build resilience to attacks.”

Among the defenses the agencies recommend: running supply chain cybersecurity awareness and training, identifying and designing mitigations for top risks, rapidly installing the latest security updates, monitoring network traffic for suspicious activity as well as using two-factor authentication to block logins from unauthorized users, even if they possess valid access credentials.

CyberLink Breached

The release of the joint alert followed Microsoft this week reporting that a North Korean hacking group that it codenamed Diamond Sleet, also known as Lazarus, successfully breached software developed by Taiwanese multimedia firm CyberLink and used it to attacker users of the software.

The supply chain attack Microsoft traced involved a CyberLink installer, which continued to feature a legitimate code-signing certificate issued to the company, even after attackers altered it. Researchers have dubbed the altered version of CyberLink’s installer “LambLoad,” and said if it confirmed certain conditions on the endpoint – including no FireEye, CrowdStrike or Tanium security software running – it would connect with command-and-control servers to retrieve a second-stage payload, disguised as a .png file. Researchers said that likely led to attackers accessing the endpoint to exfiltrate data and move laterally across the victim’s network.

With reporting from ISMG’s Mihir Bagwe in Mumbai.