Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Government

UK, Korea Warn of DPRK Supply Chain Attacks Involving Zero-Day Flaws

UK and Korea say DPRK state-sponsored hackers targeted governments, defense organizations via supply chain attacks.

The UK National Cyber Security Centre (NCSC) and Korea’s National Intelligence Service (NIS) have issued a fresh warning on Democratic People’s Republic of Korea (DPRK) state-sponsored hackers targeting government, financial, and defense organizations via software supply chain attacks.

As part of the observed supply chain attacks, the DPRK threat actors employed zero-day and n-day vulnerabilities, and exploited multiple flaws in series “to precisely attack a specific target”, NCSC and NIS note in the alert.

In an attack carried out in March 2023, the hackers exploited a bug in the MagicLine4NX security authentication software for initial access and a zero-day issue in a network-linked system for lateral movement.

The attack started with the compromise of a media outlet to inject a malicious script in an article, which would activate only for specific IP addresses, creating a watering hole.

When the intended victim accessed the article from a machine running the vulnerable software, the malicious code executed and the threat actors gained remote control over the system. Next, the attackers exploited a network-linked system vulnerability and infected business-side systems, to steal information.

The malicious code was blocked before it could infect an external server to connect to the command-and-control (C&C) server, which prevented data exfiltration.

“The cyber actors initially employed a watering-hole attack to secure target groups, and conducted additional attacks on specific targets. The compromise of one supply chain led to the infection of another supply chain, which was a targeted attack against a specific target,” NCSC and NIS point out.

The two government agencies note that DPRK threat actors were also involved in the 3CX supply chain attack, where malicious code was added to an executable file that shipped with the signed installer of the 3CX desktop application, which was distributed via legitimate channels.

Advertisement. Scroll to continue reading.

Following the execution of the 3CX software, the malicious code slept for seven days, after which it loaded an encrypted payload, which reached out to C&C domains to fetch the next stage, an information stealer that exfiltrated system data, 3CX account information, and browser history.

“The negative impact was limited because the malicious update was quickly detected by endpoint detection and response solutions. This advisory encourages organizations to follow the advice published by the vendor to uninstall the software if you are running an affected version,” NCSC and NIS say.

To mitigate supply chain attacks, organizations are advised to raise their awareness of supply chain cybersecurity and train their employees on the matter, identify threats to their supply chains, install security updates, employ multi-factor authentication, and monitor network traffic for abnormal behavior.

“Supply chain attacks are a highly effective means of compromising numerous well-protected, high-profile targets. Several elements of the supply chain have proved susceptible to compromise, including software vendors, managed service providers and cloud providers. From here, an actor can indiscriminately target a number of organizations and users, and their attacks can be expanded or shifted to a ransomware attack to demand money or cause a system disruption,” the alert reads.

Related: CISA Offering Free Cybersecurity Services to Non-Federal Critical Infrastructure Entities

Related: CISA Unveils Cybersecurity Strategic Plan for Next 3 Years

Related: US Gov Warns of Foreign Intelligence Cyberattacks Against US Space Industry

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to Outlook.com and Exchange Online.

Funding/M&A

Private equity giant plans to buy Forcepoint’s Global Governments and Critical Infrastructure (G2CI) business unit for $2.5 billion.

Cyberwarfare

US National Cybersecurity Strategy pushes regulation, aggressive 'hack-back' operations.

Government

Companies have announced securing billions of dollars in cybersecurity-related contracts with the United States government in 2022.

Government

The proposed UK Online Safety Bill is the enactment of two long held government desires: the removal of harmful internet content, and visibility into...

Government

CISA has described and published a set of principles for the development of security-by-design and security-by-default cybersecurity products.

Cloud Security

Redmond is accused of “negligent cybersecurity practices” that enabled a successful Chinese hack of the United States government.

Government

TSA instructs airport and aircraft operators to improve their cybersecurity resilience and prevent infrastructure disruption and degradation.