Pyongyang is actively exploiting malicious open-source applications to prospect engineers and tech support personnel. And, as a bonus, there's some LinkedIn catphishing going on, too.
North Korea weaponizes open-source software.
Microsoft warns that the North Korean threat actor the company tracks as “ZINC” is targeting engineers and technical support employees working at “media, defense and aerospace, and IT services in the US, UK, India, and Russia.” The threat actor is using malicious versions of open-source applications, including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording. Microsoft believes the campaign is “motivated by traditional cyberespionage, theft of personal and corporate data, financial gain, and corporate network destruction.”
LinkedIn catphish have been observed in the campaign.
Duo Security’s Decipher notes that ZINC uses LinkedIn to contact potential victims, then moves to WhatsApp to send the malware: “One key piece of the campaigns is the use of LinkedIn personas as initial outreach vectors for victims. ZINC actors create fake persons on LinkedIn, posing as recruiters at defense, tech, or entertainment companies, and then luring the victims into moving the conversations onto WhatsApp. ZINC actors would at some point deliver the ZetaNile-compromised application to the victims. The actor has used the compromised PuTTY infection method in the past, but only recently started using KiTTY, too. KiTTY is a fork of PuTTY, and in both cases, ZINC uses DLL search order hijacking in order to load a malicious DLL onto the victim’s machine.”
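The technique Decipher describes relies on a trojanized build of a legitimate tool carrying a DLL the vendor never shipped, so that the application loads it through Windows' DLL search order. A practical defensive check is to compare an unpacked download against the vendor's published file manifest and flag any DLL sitting beside the executable that is not in it. The script below is an added example written for this page, not code from Microsoft, Decipher or the PuTTY/KiTTY projects; the file names, the `helper.dll` name and every hash in the manifest are constructed for the demonstration, and `build_demo` stands in for a real extracted installer.

```python
"""Audit an unpacked application folder against a vendor file manifest.

Added example (constructed data): flags DLLs the vendor never shipped and
manifest files whose hash no longer matches, the two things a trojanized
portable install of PuTTY/KiTTY would show.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_package(app_dir, manifest):
    """Return sorted (relative_path, reason) findings for one unpacked folder.

    manifest maps a relative file name to its expected SHA-256 (in a real
    deployment these values come from the vendor's release notes or signed
    checksum file; here they are constructed).

    Reasons:
      'unexpected-dll' : a DLL present on disk but absent from the manifest,
                         the footprint of a planted search-order hijack DLL
      'hash-mismatch'  : a manifest file whose contents differ
      'missing'        : a manifest file that is absent
    """
    app_dir = Path(app_dir)
    present = {
        p.relative_to(app_dir).as_posix(): p
        for p in app_dir.rglob("*")
        if p.is_file()
    }
    findings = []
    for rel, expected in manifest.items():
        if rel not in present:
            findings.append((rel, "missing"))
        elif sha256_of(present[rel]) != expected:
            findings.append((rel, "hash-mismatch"))
    for rel, p in present.items():
        if rel not in manifest and p.suffix.lower() == ".dll":
            findings.append((rel, "unexpected-dll"))
    return sorted(findings)


def build_demo():
    """Construct a throwaway folder modelling a tampered portable install.

    The executable is untouched, a documentation file has been altered, and a
    DLL that is not in the vendor manifest has been dropped next to the exe.
    All contents and names are constructed, not real PuTTY artifacts.
    """
    d = Path(tempfile.mkdtemp())
    (d / "putty.exe").write_bytes(b"MZ-fake-putty")
    (d / "readme.txt").write_bytes(b"docs-altered")
    (d / "helper.dll").write_bytes(b"MZ-unexpected-dll")
    manifest = {
        "putty.exe": hashlib.sha256(b"MZ-fake-putty").hexdigest(),
        "readme.txt": hashlib.sha256(b"docs-original").hexdigest(),
    }
    return d, manifest


def run_demo():
    """Build the constructed folder and audit it; returns the findings list."""
    app_dir, manifest = build_demo()
    return audit_package(app_dir, manifest)


if __name__ == "__main__":
    for rel, reason in run_demo():
        print(f"{reason:16} {rel}")
```

The audit treats the vendor manifest as the allowlist: anything with a `.dll` suffix that the manifest does not name is reported, regardless of what the DLL is called, so the check does not depend on guessing which library name an attacker chose. Pair it with an Authenticode signature check on Windows for the executable itself; the hash comparison here catches tampering only where the vendor publishes checksums for the exact release you downloaded.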
Recognizing malicious code in the software supply chain.
Jeff Williams, co-founder and CTO of Contrast Security, notes that it’s no easy task to find malicious code in the software supply chain. “Detecting malicious code in an open-source library is extremely difficult,” he wrote. “Attackers can infiltrate open-source projects easily, use pseudonyms, and hide their attacks in commits that also include valuable functionality and bug fixes. These attacks can be as small as a single line of innocuous-looking code, but surreptitiously enable full control of machines running applications trojaned in this way.” The more obvious ways of looking for malicious code are likely, in such contexts, to be less than fully successful. “Simple application security scanning, pentesting, firewalling, and SBOMing will not discover these infections or prevent their exploit. While we have known about these issues for well over a decade, not much has been done. Unfortunately, in the wake of SolarWinds, attackers have finally started to take advantage of this attack vector, and we are wholly unprepared to deal with it.”
Lazarus gets high marks as a threat actor (and that’s not a good thing).
Tom Kellermann, senior vice president of cyber strategy at Contrast Security, wrote to give the Lazarus Group grudgingly good notices: “Lazarus is the A team of North Korean hacker crews. They have been elevating their game for a while. This attack could become a perfect storm as rogue nation states and cybercrime cartels might adopt this kill chain, thus poisoning open source software globally. Organizations must deploy intelligent runtime protection and immediately test any third-party open source code moving through their supply chains.”