North Korean APTs go all in on supply chain attacks, warns NCSC

North Korea-backed threat actors are increasingly targeting software supply chains to attack organisations on a global basis, and becoming far more adept at doing so, the UK’s National Cyber Security Centre (NCSC) has warned in a joint advisory with South Korea’s National Intelligence Service (NIS).

This is the first time the NCSC has ever issued a joint advisory without the involvement of one of its partner Five Eyes cyber agencies, and reflects South Korea’s deep involvement in regional geopolitics and its unique perspective on its reclusive northern neighbour, with which it technically remains at war after 70 years.

In the bulletin, the NCSC and the NIS describe how North Korean advanced persistent threat (APT) actors – the likes of Lazarus being the most well-known – are now leveraging more zero-day vulnerabilities and exploits in third-party software to gain access to specific targets, or indiscriminate organisations, through their suppliers.

The agencies believe that by-and-large, these attacks still align – and help considerably – with North Korea’s wider priorities, that is to say, revenue generation for the perpetually cash-strapped, isolated regime, and theft of intellectual property (IP) and technology to which Pyongyang is denied access by legal means.

“In an increasingly digital and interconnected world, software supply chain attacks can have profound, far-reaching consequences for impacted organisations,” said NCSC operations director Paul Chichester.

“Today, with our partners in the Republic of Korea, we have issued a warning about the growing threat from DPRK state-linked cyber actors carrying out such attacks with increasing sophistication. We strongly encourage organisations to follow the mitigative actions in the advisory to improve their resilience to supply chain attacks and reduce the risk of compromise.”

In one incident dated to March 2023, a Lazarus hacker used vulnerabilities in the MagicLine4NX authentication app, developed by South Korea-based DreamSecurity. The gang first compromised the website of a media outlet where they created a so-called watering hole by deploying malicious scripts into a published article, which ran when someone opened and read the article online using a computer running a vulnerable version of MagicLine4NX.

The infected machines then connected to Lazarus’ command and control (C2) systems which took over the computer, after which the gang was able to access an internet-side server a network-linked system zero-day, and exploit the data synchronisation function of that system to spread malicious code to the business-side server, and exfiltrate the victims’ data.

Also in March of this year, North Korean threat actors linked to Lazarus were behind what is thought to be the world’s first double supply chain attack that affected customers of 3CX, a unified communications (UC) platform.

This compromise was found to have originated via a malware-laced installer for a discontinued futures trading platform which someone at 3CX had likely downloaded to their system without permission, 3CX having no business relationship with the platform’s developer, Trading Technologies.

It resulted in 3CX’s desktop application for both macOS and Windows systems being compromised after Lazarus gained access to 3CX’s build processes.

The observed onward stage in the Windows attack flow was the deployment of a browser stealer that exfiltrated basic system data, victim 3CX account information, and browsing histories from Brave, Chrome, Edge or Firefox if present. The macOS attack flow, which used a malware called Smooth Operator, saw 3CX account information taken from a configuration file on the compromised machine.

The NCSC and NIS are advising end-user security teams to implement a number of mitigations relating to the supply chain lifecycle, and management and technical security measures, to deter Lazarus and its ilk.

These measures include:

• Raising internal awareness of supply chain attacks and promoting employee understanding of them;
• Providing regular training to help employees spot potential issues;
• Auditing and identifying threats to the organisation’s supply chain, determining priorities, and assessing impacts when malicious activity occurs to eliminate blind spots;
• Checking access points to critical data and assessing who has the authority to access them – whether employees or suppliers – deploying principles of least privilege where appropriate;
• Keeping all software up to date and patched, including antivirus products;
• Adopting and enforcing mandatory two-factor authentication for admin and operation logins;
• Monitoring network infrastructure to determine what trusted traffic from supply chain software apps looks like, in order to detect anything anomalous.

There are also a range of further resources available from the NCSC, partner agencies including US government bodies, and standards organisations such as NIST.