In a joint advisory, the UK's National Cyber Security Centre (NCSC) and South Korea's National Intelligence Service (NIS) have warned that the North Korea-linked Lazarus group exploited a zero-day vulnerability in the widely used MagicLine4NX software. The exploit served as the entry point for the group's supply-chain attacks, which have affected numerous organizations worldwide.
Vulnerability Exploited for Unauthorized Access
MagicLine4NX, developed by the South Korean company Dream Security, is a joint-certificate (security authentication) program used for secure logins and digital transactions. By exploiting a vulnerability in this software, the attackers bypassed the authentication system and gained unauthorized access to target organizations' intranets.
The joint advisory reported, “Cyber actors used the software vulnerabilities to gain unauthorized access to the intranet of a target organization. They exploited the MagicLine4NX security authentication program for initial intrusion and a zero-day vulnerability in network-linked systems to move laterally, accessing sensitive information.”
Intricate Attack Chain Unveiled
The attack chain began with a watering hole attack, in which attackers compromise websites their intended victims are known to visit. Here, the state-sponsored actors compromised a media outlet's website and embedded a malicious script in an article; the script activated only for visitors connecting from specific IP ranges.
When a visitor from one of those ranges who had the MagicLine4NX authentication software installed opened the compromised page, the embedded code exploited the software and gave the attackers control of the visitor's system.
From the compromised PC, the attackers then reached an internet-side server by exploiting vulnerabilities in a network-linked system, and from there spread the malicious code to a business-side server through the network-linked system's data synchronization function.
Threat Actors’ Persistent Efforts
The threat actors then attempted to reach business PCs on the internal network in order to extract sensitive information. The malware connected to two C2 servers: one acting as a gateway within the network-linked system, the other located on the internet.
The report stated, “The malicious code attempted to move data from the internal server to the external server but was thwarted by the security policy. Had it succeeded, substantial internal network information might have been compromised.”
Widespread Impact and Ongoing Attacks
To underline the severity of such attacks, the advisory pointed to earlier supply-chain intrusions carried out by North Korea-linked APT groups. Recently, Labyrinth Chollima (CrowdStrike's name for a Lazarus subgroup) targeted VoIP software maker 3CX, and security vendors began flagging the trojanized 3CX desktop client as malware.
In a separate incident, Microsoft Threat Intelligence researchers disclosed another supply-chain attack by Diamond Sleet (formerly tracked as ZINC), affecting more than 100 devices in Japan, Taiwan, Canada, and the United States. The attackers distributed a trojanized variant of a legitimate application, signed with the vendor's valid code-signing certificate, to evade security controls.
As cybersecurity agencies work to contain these threats, the growing sophistication of these attacks underlines the need for heightened vigilance and robust defenses against supply-chain vulnerabilities.