MagicLine4NX Exploit: Lazarus Group Launches Supply Chain Attacks

The NCSC and Korea’s National Intelligence Service (NIS) have jointly published a report warning of a recent rise in supply chain attacks that exploit a zero-day vulnerability in MagicLine4NX software, a campaign referred to as Operation Dream Magic. The activity has been attributed to the North Korea-based Lazarus threat group.

According to the report, the threat actors are targeting organizations worldwide, with a particular focus on South Korea. The vulnerability affects versions of MagicLine4NX earlier than 1.0.026.


Unpacking the Attack Method:

The attack begins with a watering hole technique. The attackers compromise a media outlet’s website and inject malicious scripts into an article, targeting only visitors from certain IP ranges. When a user running the vulnerable software version views the compromised article, the malicious code executes and hands control of the machine to the attackers.

The malicious code does more than gain a foothold: it performs reconnaissance, exfiltrates data, downloads and executes encrypted payloads from the Command and Control (C2) server, and moves laterally across the network. The attackers then abuse the data synchronization function of the network-linked system so that the information-stealing code spreads to the business-side server, from which it compromises PCs within the targeted organization.

Other Notable Supply Chain Attacks:

Lazarus consistently relies on supply chain attacks and exploits zero-day vulnerabilities as part of its cyber warfare arsenal.

  • In a recent incident, the attackers opted for a trojanized version of CyberLink software, propagating LambLoad malware in a supply chain attack with global ramifications.
  • Back in March, the Lazarus subgroup, Labyrinth Chollima, orchestrated a supply chain attack against multiple global companies, deploying a malicious version of the 3CX desktop app.

Beyond the Cyber Battlefield:

The hacking group’s misdeeds extend beyond supply chain attacks, with connections to numerous cryptocurrency thefts amounting to a staggering $290 million from five crypto heists within a span of three months.

The Heists Unveiled:

  • On June 3, users of Atomic Wallet fell victim to a $100 million theft.
  • July 22 witnessed a double hit, with $37 million stolen from CoinsPaid and $60 million from Alphapo.
  • September 4 marked another breach, this time with $41 million pilfered from Stake.com.

A Call to Action:

The report stresses that organizations running a vulnerable version of MagicLine4NX should update to the latest version without delay. It also urges organizations to tighten access controls on the administrator page of the network-linked system and to monitor continuously for unauthorized services or communications. Against threats that keep evolving, staying proactive is essential.
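As an added check that is not part of the NCSC/NIS report, the following Python script flags hosts whose recorded MagicLine4NX version predates 1.0.026. It assumes that dotted version components compare numerically (so "026" is 26) and uses a constructed inventory with hypothetical hostnames.

```python
import re

# Version at which the flaw is fixed, as stated in the NCSC/NIS report.
FIXED_VERSION = "1.0.026"

def parse_version(text):
    """Split a dotted version string into integer components.

    Assumption: each component compares numerically, so "026" is 26 and
    "1.0.026" sorts after "1.0.9". A plain string comparison gets this
    wrong, because "1.0.026" < "1.0.9" lexically.
    """
    parts = text.strip().split(".")
    if not parts or not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when `version` predates the fixed release."""
    v, f = parse_version(version), parse_version(fixed)
    # Pad the shorter tuple with zeros so "1.0" compares like "1.0.0".
    width = max(len(v), len(f))
    v += (0,) * (width - len(v))
    f += (0,) * (width - len(f))
    return v < f

def triage(inventory):
    """Return (hosts on a vulnerable build, hosts whose version could not be parsed)."""
    vulnerable, unparsed = [], []
    for host, version in inventory:
        try:
            if is_vulnerable(version):
                vulnerable.append(host)
        except ValueError:
            # An unreadable version is not proof of safety; report it for manual review.
            unparsed.append(host)
    return vulnerable, unparsed

# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("pc-finance-01", "1.0.025"),
    ("pc-finance-02", "1.0.026"),
    ("pc-hr-07", "1.0.9"),
    ("pc-legal-03", "1.0.027"),
    ("pc-ops-11", "unknown"),
]

if __name__ == "__main__":
    vulnerable, unparsed = triage(SAMPLE_INVENTORY)
    print("vulnerable:", vulnerable)
    print("could not parse:", unparsed)
```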
