The UK's National Cyber Security Centre (NCSC) and Korea's National Intelligence Service (NIS) released a joint cybersecurity advisory warning of a supply chain attack orchestrated by the North Korea-linked Lazarus threat group involving a zero-day vulnerability in Dream Security's MagicLine4NX security authentication platform.
Tracked as CVE-2023-45797, the zero-day vulnerability is a buffer overflow that a remote attacker can exploit for code execution. The bug affects MagicLine4NX versions 1.0.0.1 through 1.0.0.26; later releases are outside the affected range.
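For defenders with a software inventory, the practical first step is to find every endpoint running an affected build. The following is an added example and is not code from the advisory or from Dream Security: it assumes the MagicLine4NX version string has already been collected from each host (how it is collected is not described on this page) and checks it against the affected range 1.0.0.1 to 1.0.0.26. The inventory below is constructed sample data.

```python
"""Triage a host inventory for MagicLine4NX builds affected by CVE-2023-45797.

Added example, not part of the NCSC/NIS advisory. The version strings are
assumed to have been gathered by some other means (e.g. an endpoint agent);
the inventory here is constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

# Affected range stated in the advisory: 1.0.0.1 through 1.0.0.26 inclusive.
AFFECTED_MIN: Tuple[int, ...] = (1, 0, 0, 1)
AFFECTED_MAX: Tuple[int, ...] = (1, 0, 0, 26)

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "fin-ws-01", "version": "1.0.0.26"},   # last affected build
    {"host": "fin-ws-02", "version": "1.0.0.27"},   # first build outside the range
    {"host": "hr-ws-07",  "version": "1.0.0.1"},    # first affected build
    {"host": "dev-ws-11", "version": "1.0.0.0"},    # below the affected range
    {"host": "ops-ws-03", "version": "unknown"},    # collection failed
]


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Parse a dotted four-part version such as '1.0.0.26' into a tuple.

    Returns None for anything that is not exactly four numeric components,
    so malformed input is surfaced rather than silently treated as safe.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_affected(text: str) -> Optional[bool]:
    """True if the version is in the affected range, False if not,
    None if the version string could not be parsed."""
    version = parse_version(text)
    if version is None:
        return None
    # Tuple comparison is element-wise, so 1.0.0.26 < 1.0.0.27 as intended
    # (a plain string comparison would get multi-digit components wrong).
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def triage(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Split hosts into those needing a patch, those outside the affected
    range, and those whose version is unknown and need manual follow-up."""
    result: Dict[str, List[str]] = {"patch": [], "ok": [], "unknown": []}
    for entry in inventory:
        verdict = is_affected(entry["version"])
        if verdict is None:
            result["unknown"].append(entry["host"])
        elif verdict:
            result["patch"].append(entry["host"])
        else:
            result["ok"].append(entry["host"])
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket are deliberately kept separate from "ok": a host whose version could not be read should be treated as unverified, not as patched.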
According to the advisory, the attacks started in March 2023, with the threat actors using the zero-day flaw to gain initial access to corporate networks. The hackers targeted organizations across the world, primarily South Korean entities.
The attack chain began with a watering hole attack in which the threat actor planted malicious scripts on the compromised website of a media outlet. When visitors from specific targeted IP ranges loaded the hacked site, the scripts ran code that exploited the MagicLine4NX zero-day and gave the threat actors control of the victim's computer.
“Malicious code installed on the business PC had two C2 servers, the first of which was the business side server of the network-linked system, which acts as a gateway in the middle, while the second C2 is located on the external internet,” the two agencies said. “This malicious code was able to exfiltrate initial beacon data and download and execute encrypted payloads. The malicious code then attempted to move from the internal server of the network-linked solution to the external server to send the initial beacon to the C2 server, but was blocked by the security policy of the solution.”
In a separate supply chain attack that came to light in March 2023, a subgroup of Lazarus known as Labyrinth Chollima was observed using a trojanized version of the popular 3CX communication software to deploy a malicious payload.