AI DevwWrld CyberDSA Chatbot Summit Cyber Revolution Summit CYSEC Global Cyber Security & Cloud Expo World Series Digital Identity & Authentication Summit Asian Integrated Resort Expo Middle East Low Code No Code Summit TimeAI Summit

CyberLink supply chain intrusion by North Korean hackers

CyberLink installer compromise: the sophisticated operation of the Lazarus group

North Korean hacker group Lazarus attacked Taiwan's CyberLink company, spreading malware through altered company software. Microsoft detected the attack and notified affected users.

This pill is also available in Italian language

North Korean cybercriminals from the Lazarus group have managed to infiltrate the Taiwanese company CyberLink, which specializes in multimedia software. This unauthorized access allowed them to alter a software installer with the goal of spreading malware through a supply chain attack. According to the Microsoft Threat Intelligence Center, the threat linked to the compromised CyberLink installer was detected as early as October 20, 2023. When analyzing this attack, an international scope was observed, with more than 100 devices infected between Japan, Taiwan, Canada and the United States United.

Identifying the Diamond Sleet group behind the attack

Microsoft has highly confidently identified the Diamond Sleet group, already known by various names including ZINC, Labyrinth Chollima and Lazarus, as the perpetrator of this insidious supply chain attack. These attackers made use of a genuine code signing certificate, originally issued to CyberLink, to validate the malicious executable. This certificate was promptly included in the list of unauthorized certificates by Microsoft to prevent further malicious use of the same.

Analysis of the LambLoad malware

Technical analysis of the Trojanized software led to the identification of LambLoad, a malware downloader and loader. This payload is programmed to activate only on systems not protected by FireEye, CrowdStrike, or Tanium security software. In the absence of these, the malicious code continues to execute without activating the included malicious code. Otherwise, the malware connects with one of three command and control servers to receive a second-level payload, disguised inside a file that looks like a PNG image, using the static User-Agent "Microsoft Internet Explorer".

The modus operandi and consequences of the Lazarus attack

The Lazarus group, known for using similar methods in attacking legitimate cryptocurrency software, has not yet been observed by Microsoft in "direct keyboard activity" following LambLoad malware infections. However, the group has a track record of malicious activity, including stealing sensitive data, infiltrating software development environments, expanding attacks to downstream victims, and establishing persistent access to victims' environments. Microsoft has notified CyberLink of the supply chain attack and is notifying customers who use Microsoft Defender for Endpoint who have been affected by the attack.

Follow us on Facebook for more pills like this

11/23/2023 12:51

Marco Verro

Last pills

Zero-day threat on Android devices: Samsung prepares a crucial updateFind out how Samsung is addressing critical Android vulnerabilities and protecting Galaxy devices from cyber threats

CrowdStrike: how a security update crippled the tech worldGlobal impact of a security update on banking, transportation and cloud services: what happened and how the crisis is being addressed

Checkmate the criminal networks: the Interpol operation that reveals the invisibleFind out how Operation Interpol exposed digital fraudsters and traffickers through extraordinary global collaboration, seizing luxury goods and false documents

Google Cloud security predictions for 2024: how AI will reshape the cybersecurity landscapeFind out how AI will transform cybersecurity and address geopolitical threats in 2024 according to Google Cloud report