Software supply chain attacks conducted by North Korean hackers have skyrocketed over the past few years, according to UK and South Korean government agencies.
The MagicLine4NX and 3CX compromises, which both started in March 2023, are two of the most recent examples.
To raise public awareness and help prevent compromise, the UK’s National Cyber Security Centre (NCSC) and South Korea’s National Intelligence Service (NIS) issued a joint advisory on November 23 describing some of North Korean hackers’ tactics, techniques and procedures (TTPs).
According to NCSC and NIS, these threat actors have been observed exploiting zero-day vulnerabilities in third-party software commonly used by government agencies, financial institutions and defense organizations globally.
They have also relied on newly published vulnerabilities and tools, and on chaining multiple vulnerabilities in sequence, to attack a specific target with precision.
How Were the MagicLine4NX and 3CX Hacks Deployed?
The joint advisory also detailed the TTPs used in the most recent software supply chain attacks, the MagicLine4NX and 3CX compromises.
The first attack refers to the MagicLine4NX security authentication program. In March 2023, threat actors compromised the website of a media outlet, deployed malicious scripts into an article and created a watering hole.
This allowed them to gain unauthorized access to the intranet of a target organization through one of this target’s internet-connected computers using zero-day vulnerabilities in the MagicLine4NX software.
Once the malicious code was installed, it was able to send initial beacon data and to download and execute encrypted payloads.
“The malicious code then attempted to move from the internal server of the network-linked solution to the external server to send the initial beacon to the command and control (C2) server but was blocked by the security policy of the solution. If it hadn’t been blocked, large amounts of information stored in the internal network could have been leaked,” reads the advisory.