Exploiting Zero-Day Vulnerabilities: Lazarus Group’s Advanced Supply-Chain Cyberattacks

The UK’s National Cyber Security Centre (NCSC) and South Korea’s National Intelligence Service (NIS) have issued a critical warning about the North Korean Lazarus hacking group. This notorious group is reportedly conducting sophisticated supply-chain attacks by exploiting a zero-day vulnerability, a buffer overflow (CVE-2023-45797) in MagicLine4NX, a widely used security authentication software developed by the South Korean firm Dream Security.

These attacks primarily target South Korean institutions and leverage the zero-day flaw to gain unauthorized access to internal networks. The advisory details that in March 2023, cyber actors successfully accessed the intranet of a target organization by exploiting vulnerabilities in both the MagicLine4NX program and a network-linked system.

The attack commenced with the compromise of a media website, embedding malicious scripts into an article, leading to a ‘watering hole’ attack. Victims from designated IP ranges, upon accessing the article, unknowingly triggered the vulnerability in MagicLine4NX, versions before 1.0.0.26.

This initiated a connection to the attacker’s command and control (C2) server, facilitating unauthorized access to an internet-connected server. The attackers then utilized a data synchronization function to disseminate information-stealing code to the internal business server, effectively breaching the organizational PCs.

The malware deployed includes capabilities for reconnaissance, data exfiltration, downloading, executing encrypted payloads, and lateral movement within the network. The attack, codenamed ‘Dream Magic’, is attributed to the Lazarus group and is thoroughly detailed in an AhnLab report (Korean).

Notably, Lazarus’s operations often involve complex supply-chain attacks and zero-day exploit utilization. In March 2023, the subgroup “Labyrinth Chollima” attacked VoIP software maker 3CX, compromising several global entities. Additionally, Microsoft recently uncovered a CyberLink supply-chain attack distributing trojanized installers by Lazarus to infect systems with ‘LambLoad’ malware.

These strategically targeted attacks, aimed at espionage, financial fraud, or cryptocurrency theft, are reportedly used to fund North Korea’s state operations. The Cybersecurity Advisory (CSA) highlights the significance of these operations in supporting DPRK’s national objectives, including cyber activities against US and South Korean government networks.

Cogeanu Marius (https://cogeanu.com)

Marius Cogeanu is a distinguished IT consultant and cybersecurity virtuoso based in Prague, Czechia. With a rich 20-year journey in the IT realm, Marius has carved a niche in network security and technological solutions, adeptly harmonizing tech with business requirements. His experience spans from Kyndryl to IBM, and as a valued independent consultant, where he's renowned for his innovative approaches in enhancing business operations with cutting-edge tech. Marius's forte lies in demystifying complex IT concepts, ensuring clarity and alignment for stakeholders at all levels. His commitment to staying at the forefront of industry trends and seeking innovative solutions cements his status as a go-to expert in cybersecurity. Driven by a fervent passion for technology and its potential to revolutionize businesses, Marius thrives on tackling challenging ventures, applying his prowess in network design, IT service management, and strategic planning. Currently, Marius is focused on leading-edge IT project management, infrastructure design, and fortifying cybersecurity, guiding clients through the intricate digital landscape with unmatched expertise and insight. Discover more on https://cogeanu.com
