North Korean Software Supply Chain Threat is Booming, UK and South Korea Warn


Software supply chain attacks conducted by North Korean hackers have skyrocketed over the past few years, according to UK and South Korean government agencies.

The MagicLine4NX and 3CX compromises, which both started in March 2023, are two of the most recent examples.

To raise public awareness and help prevent compromise, the UK’s National Cyber Security Centre (NCSC) and South Korea’s National Intelligence Service (NIS) issued a joint advisory on November 23 describing some of North Korean hackers’ tactics, techniques and procedures (TTPs).

According to NCSC and NIS, these threat actors have been observed exploiting zero-day vulnerabilities in third-party software commonly used by government agencies, financial institutions and defense organizations globally.

They have also been relying on newly published vulnerabilities and tools, as well as exploiting multiple vulnerabilities in series, to precisely attack a specific target.

How were the MagicLine4NX and 3CX Hacks Deployed?

The joint advisory also detailed the TTPs used in the most recent software supply chain attacks, the MagicLine4NX and 3CX compromises.

The first attack targeted the MagicLine4NX security authentication program. In March 2023, threat actors compromised the website of a media outlet, deployed malicious scripts into an article and created a watering hole.

This allowed them to gain unauthorized access to the intranet of a target organization through one of this target’s internet-connected computers using zero-day vulnerabilities in the MagicLine4NX software.

Once the malicious code was installed, it was able to exfiltrate initial beacon data and to download and execute encrypted payloads.

“The malicious code then attempted to move from the internal server of the network-linked solution to the external server to send the initial beacon to the command and control (C2) server but was blocked by the security policy of the solution. If it hadn’t been blocked, large amounts of information stored in the internal network could have been leaked,” reads the advisory.

Attack flow of the MagicLine4NX attack. Source: NCSC

That same month, two cybersecurity firms, SentinelOne and Sophos, reported that the Desktop App software distributed by 3CX had been compromised and contained malware affecting both macOS and Windows operating systems – this was later confirmed by 3CX.


The cybercriminals added malicious code to an executable file shipped within a signed installer for 3CX software.

The payload delivered with the malicious code then deployed a browser stealer, extracting and exfiltrating basic victim system data, victim 3CX account information and browser history from the Brave, Chrome, Edge and Firefox browsers.

Attack flow of the 3CX attack. Source: NCSC

How to Mitigate a Software Supply Chain Attack

The NCSC and the NIS consider that these supply chain attacks align with, and considerably assist in fulfilling, wider North Korean state priorities, including revenue generation, espionage, and the theft of advanced technologies.

The agencies provided a list of security measures organizations should take to mitigate the threat of software supply chain attacks.

Some of the management security measures include:

  • Raising your organization’s awareness of supply chain cyber security and promoting understanding of the issue.
  • Providing cybersecurity training on a regular basis to help members of your organization spot malicious tactics and attacks and report them.
  • Identifying threats to your organization’s supply chain.
  • Determining threat priorities and assessing impacts when malicious cyber activity occurs, in order to eliminate blind spots.
  • Checking the access points to critical data and identifying which members and supply entities hold access authority, in order to minimize access privileges.

Some of the technical security actions NCSC and NIS believe organizations should take include:

  • Making sure you install security updates to maintain the most recent version of software, operating systems and anti-virus, to mitigate threats from known vulnerabilities.
  • Adopting two-factor authentication (2FA) for administration and operation login policies, to prevent unauthorized logins.
  • Monitoring network infrastructure so that traffic from supply chain software applications is trusted but any anomalous traffic can be detected.
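As an added illustration of the last point (egress monitoring that leaves expected traffic from supply-chain software alone but surfaces anomalies such as the blocked MagicLine4NX beacon described above), here is example detection logic that is not from the advisory, the NCSC or the vendors; the process names, allowlisted domains, internal host names and log lines are constructed placeholders.

```python
import re
from collections import namedtuple

# Hypothetical per-application egress allowlist (process name -> destinations it is
# expected to contact). Process names and domains are placeholders, not real vendor hosts.
EGRESS_ALLOWLIST = {"3CXDesktopApp.exe": {"update.example-3cx.invalid"},
                    "magicline4nx.exe": {"auth.example-magicline.invalid"}}
NO_EGRESS_HOSTS = {"srv-intranet-01"}  # internal servers that must never reach the internet

LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+):(?P<port>\d+) bytes_out=(?P<bytes>\d+)$")
Finding = namedtuple("Finding", "ts host proc dst reason")


def parse_line(line):
    # Return the log fields as a dict, or None for lines that do not match the format.
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines, allowlist=EGRESS_ALLOWLIST, no_egress=NO_EGRESS_HOSTS):
    # Trusted traffic stays quiet; anything outside the expected pattern becomes a finding.
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        expected = allowlist.get(rec["proc"])
        if expected is None:
            continue  # only the policed supply-chain applications are checked here
        if rec["host"] in no_egress:
            findings.append(Finding(rec["ts"], rec["host"], rec["proc"], rec["dst"],
                                    "internal server attempted outbound beacon"))
        elif rec["dst"] not in expected:
            findings.append(Finding(rec["ts"], rec["host"], rec["proc"], rec["dst"],
                                    "trusted application contacted unlisted destination"))
    return findings


# Constructed sample egress log: three benign lines and two that should be flagged.
SAMPLE_LOG = [
    "2023-03-22T09:00:01Z host=ws-0042 proc=3CXDesktopApp.exe dst=update.example-3cx.invalid:443 bytes_out=1204",
    "2023-03-22T09:00:05Z host=ws-0042 proc=chrome.exe dst=www.example.invalid:443 bytes_out=8800",
    "2023-03-22T09:01:10Z host=ws-0042 proc=3CXDesktopApp.exe dst=cdn.unknown-host.invalid:443 bytes_out=512",
    "2023-03-22T09:02:00Z host=ws-0107 proc=magicline4nx.exe dst=auth.example-magicline.invalid:443 bytes_out=300",
    "2023-03-22T09:03:30Z host=srv-intranet-01 proc=magicline4nx.exe dst=203.0.113.7:8080 bytes_out=96",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.proc} -> {f.dst}: {f.reason}")
```

Unlisted processes such as the browser line are deliberately ignored, so the allowlist only has to cover the supply-chain software being policed.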

In a public statement, Paul Chichester, NCSC Director of Operations, said: “We strongly encourage organizations to follow the mitigative actions in the advisory to improve their resilience to supply chain attacks and reduce the risk of compromise.”

The publication of the joint advisory follows the announcement, on November 22, of a new Strategic Cyber Partnership between the UK and the Republic of Korea, which sees the two nations commit to working together to tackle common cyber threats.
