The UK National Cyber Security Centre (NCSC) and Korea’s National Intelligence Service (NIS) have issued a fresh warning on Democratic People’s Republic of Korea (DPRK) state-sponsored hackers targeting government, financial, and defense organizations via software supply chain attacks.
As part of the observed supply chain attacks, the DPRK threat actors employed zero-day and n-day vulnerabilities, and exploited multiple flaws in series “to precisely attack a specific target”, NCSC and NIS note in the alert.
In an attack carried out in March 2023, the hackers exploited a bug in the MagicLine4NX security authentication software for initial access and a zero-day issue in a network-linked system for lateral movement.
The attack started with the compromise of a media outlet to inject a malicious script in an article, which would activate only for specific IP addresses, creating a watering hole.
When the intended victim accessed the article from a machine running the vulnerable software, the malicious code executed and the threat actors gained remote control over the system. Next, the attackers exploited a network-linked system vulnerability and infected business-side systems, to steal information.
The malicious code was blocked before it could infect an external server to connect to the command-and-control (C&C) server, which prevented data exfiltration.
“The cyber actors initially employed a watering-hole attack to secure target groups, and conducted additional attacks on specific targets. The compromise of one supply chain led to the infection of another supply chain, which was a targeted attack against a specific target,” NCSC and NIS point out.
The two government agencies note that DPRK threat actors were also involved in the 3CX supply chain attack, where malicious code was added to an executable file that shipped with the signed installer of the 3CX desktop application, which was distributed via legitimate channels.
Following the execution of the 3CX software, the malicious code slept for seven days, after which it loaded an encrypted payload, which reached out to C&C domains to fetch the next stage, an information stealer that exfiltrated system data, 3CX account information, and browser history.
“The negative impact was limited because the malicious update was quickly detected by endpoint detection and response solutions. This advisory encourages organizations to follow the advice published by the vendor to uninstall the software if you are running an affected version,” NCSC and NIS say.
To mitigate supply chain attacks, organizations are advised to raise their awareness of supply chain cybersecurity and train their employees on the matter, identify threats to their supply chains, install security updates, employ multi-factor authentication, and monitor network traffic for abnormal behavior.
“Supply chain attacks are a highly effective means of compromising numerous well-protected, high-profile targets. Several elements of the supply chain have proved susceptible to compromise, including software vendors, managed service providers and cloud providers. From here, an actor can indiscriminately target a number of organizations and users, and their attacks can be expanded or shifted to a ransomware attack to demand money or cause a system disruption,” the alert reads.
Related: CISA Offering Free Cybersecurity Services to Non-Federal Critical Infrastructure Entities
Related: CISA Unveils Cybersecurity Strategic Plan for Next 3 Years
Related: US Gov Warns of Foreign Intelligence Cyberattacks Against US Space Industry