November 24, 2023 at 01:20PM
The National Cyber Security Centre (NCSC) and Korea’s National Intelligence Service (NIS) have warned that the North Korean Lazarus hacking group has been breaching companies using a zero-day vulnerability in the MagicLine4NX software. The group primarily targets South Korean institutions and is known for using supply-chain attacks and zero-day vulnerabilities to conduct cyber espionage, financial fraud, and cryptocurrency theft. The revenue generated from these operations is believed to support North Korean national-level priorities and objectives, including cyber operations against the United States and South Korean governments.
Summary:
In a joint cybersecurity advisory, the National Cyber Security Centre (NCSC) and Korea’s National Intelligence Service (NIS) have warned about the North Korean Lazarus hacking group conducting supply-chain attacks using a zero-day vulnerability in the MagicLine4NX software. MagicLine4NX is a security authentication software developed by South Korean company Dream Security and used for secure logins in organizations.
The advisory states that the Lazarus threat actors exploited a zero-day vulnerability in MagicLine4NX to breach primarily South Korean institutions. The attack began with compromising a media outlet’s website, where malicious scripts were embedded in an article, resulting in a ‘watering hole’ attack. When targeted IP ranges visited the compromised site, the scripts triggered the vulnerability in MagicLine4NX software. The attackers gained unauthorized access to the intranet of the target organization by exploiting a network-linked system’s vulnerability.
The compromised victim’s computer connected to the attackers’ command and control (C2) server, allowing access to an internet-side server. Information-stealing code was then spread to the business-side server through the data synchronization function, compromising PCs within the organization. The malicious code connected to two C2 servers, enabling reconnaissance, data exfiltration, payload execution, and lateral network movement.
This attack, codenamed ‘Dream Magic,’ has been attributed to Lazarus. The group is known for supply chain attacks and zero-day vulnerability exploitation. In another recent incident, the Lazarus group used a supply chain attack against VoIP software maker 3CX. Microsoft also disclosed a supply chain attack on CyberLink, involving the distribution of trojanized, digitally-signed installers infected with the ‘LambLoad’ malware.
The North Korean hackers employ these attacks for cyber espionage, financial fraud, and cryptocurrency theft. It has been assessed that the revenue generated from cryptocurrency operations helps fund the country’s operations, including cyber operations targeting the United States and South Korean governments.