Lazarus Group Exploits Zero-Day in MagicLine4NX

By | 2023-11-27

The National Cyber Security Centre (NCSC) and Korea’s National Intelligence Service (NIS) jointly warned about the North Korea-linked Lazarus hacking group exploiting a zero-day vulnerability in the MagicLine4NX software, developed by South Korean company Dream Security. This joint certificate program, facilitating logins and digital transactions, has become a target for supply-chain attacks.

The attackers utilized the zero-day vulnerability to compromise security authentication and network-linked systems, gaining unauthorized access to the intranet of a target organization. The report reveals a sophisticated attack chain initiated with a watering hole attack, compromising a media outlet’s website. Malicious scripts deployed in a specific article targeted users employing the MagicLine4NX authentication software, granting complete control to the threat actors.

The state-sponsored hackers, primarily targeting South Korean entities, then accessed an internet-side server, spreading malicious code through the network-linked system. The attack aimed to infiltrate business-side servers for data theft. Although the security policy of the solution blocked further data leakage, the potential impact could have been severe.

The report underscores the Lazarus group’s focus on supply-chain attacks, citing a previous incident in March 2023 involving the Labyrinth Chollima APT targeting VoIP software maker 3CX. Additionally, recent observations by SentinelOne revealed behavioral detections of 3CXDesktopApp, indicating a supply chain attack impacting multiple cybersecurity vendors’ products.

Microsoft Threat Intelligence researchers also disclosed a supply chain attack by the North Korea-linked APT Diamond Sleet (ZINC), involving a trojanized variant of a CyberLink software. The attackers signed the malicious code with a valid certificate issued to CyberLink Corp., impacting over 100 devices across multiple countries.

Recommendations

  1. Regularly update and patch software to address known vulnerabilities.
  2. Monitor for behavioral anomalies and suspicious activity on networks and systems.
  3. Educate users on the risks of visiting compromised websites and the importance of updating software.
  4. Implement network segmentation to limit lateral movement in case of a breach.
  5. Conduct thorough security audits and assessments to identify and address vulnerabilities.
  6. Employ advanced threat detection and response solutions to identify and mitigate supply chain attacks.
  7. Collaborate with cybersecurity vendors and organizations to share threat intelligence and enhance collective defense.
Author: dwirch

Derek Wirch is a seasoned IT professional with an impressive career dating back to 1986. He brings a wealth of knowledge and hands-on experience that is invaluable to those embarking on their journey in the tech industry.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.