The NCSC and Korea's National Intelligence Service (NIS) have issued a joint report to warn organizations about new supply chain attacks that exploit a zero-day flaw in MagicLine4NX software. Codenamed Operation Dream Magic, these attacks are attributed to the North Korea-based Lazarus threat group.
According to the report, threat actors are leveraging the flaw against organizations worldwide, most of them located in South Korea. The flaw affects MagicLine4NX versions prior to 1.0.026.
Attack method
The attack commences with a watering hole technique, wherein the attackers compromise the website of a media outlet and deploy malicious scripts into an article. The scripts are designed to target visitors using certain IP ranges.
When users running the vulnerable version of the software visit those articles on the compromised site, the malicious code executes on their systems, giving the attackers the ability to take them over.
The function of the malicious code includes reconnaissance, data exfiltration, downloading and executing encrypted payloads from the C2, and lateral network movement.
Subsequently, the attackers abuse the data synchronization function of the network-linked system to propagate the information-stealing code to the server on the business side, which leads to the compromise of PCs within the targeted organization.
Other notable supply chain attacks
Lazarus has consistently been relying on supply chain attacks and the exploitation of zero-day vulnerabilities as part of its cyber warfare tactics.
Last week, the attackers leveraged a trojanized version of CyberLink software to push LambLoad malware in a supply chain attack targeting potential victims worldwide.
Earlier in March, Labyrinth Chollima (a subgroup of Lazarus) launched a supply chain attack against multiple companies across the globe using a malicious version 3CX desktop app.
Other malicious activities noted
Apart from launching supply chain attacks, the hacking group has been associated with multiple cryptocurrency thefts. Lazarus was reported to have amassed over $290 million in stolen funds from five crypto heists carried out in a span of three months.
The report stresses that organizations running a vulnerable version of MagicLine4NX must update the software to the latest version. They should also restrict access to the administrator page of the network-linked system and check for any unauthorized services or communications.
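The first of those recommendations depends on knowing which hosts are still below the fixed release. The following is an added example, not code from the report or from the MagicLine4NX vendor, that flags hosts whose reported version is older than 1.0.026. It assumes the version strings come from an asset inventory export (the sample inventory below is constructed) and that the version scheme is dotted numeric components, as the advisory's "1.0.026" suggests; the point it demonstrates is that the comparison must be numeric, because a plain string compare would rank "1.0.10" as newer than "1.0.026" and silently miss a vulnerable host.

```python
import re
from typing import Iterable

# Versions of MagicLine4NX before this one are reported vulnerable (from the advisory).
PATCHED_VERSION = "1.0.026"


def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted version string into a tuple of integers.

    Numeric comparison is required: a plain string compare would rank
    "1.0.10" above "1.0.026" because "1" > "0" lexically, even though
    build 10 is older than build 26. (Assumption: components are numeric.)
    """
    parts = version.strip().split(".")
    if not parts or not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True if the installed version is strictly older than the patched one."""
    a, b = parse_version(installed), parse_version(patched)
    # Pad the shorter tuple with zeros so "1.0" compares equal to "1.0.0".
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def find_vulnerable_hosts(inventory: Iterable[tuple[str, str]]) -> list[str]:
    """Return hostnames whose MagicLine4NX version is below the patched release.

    Hosts whose version cannot be parsed are reported as well: an unknown
    version cannot be assumed safe and needs manual review.
    """
    flagged = []
    for host, version in inventory:
        try:
            if is_vulnerable(version):
                flagged.append(host)
        except ValueError:
            flagged.append(host)
    return flagged


# Constructed sample inventory (hostname, reported MagicLine4NX version); not real data.
SAMPLE_INVENTORY = [
    ("ws-finance-01", "1.0.025"),
    ("ws-finance-02", "1.0.026"),
    ("ws-hr-03", "1.0.10"),     # older than 1.0.026 although it sorts "after" it as a string
    ("ws-legal-04", "1.0.30"),
    ("ws-ops-05", "unknown"),   # unparseable: flagged for manual review
]

if __name__ == "__main__":
    for host in find_vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: update MagicLine4NX to {PATCHED_VERSION} or later")
```

Feeding a real inventory into `find_vulnerable_hosts` yields the host list to prioritize for the update; the same comparison can be reused for any other dotted-numeric product version by passing a different `patched` value.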