macOS Targeted with Atomic Stealer Malware in ClearFake Campaign
Threat Actor Activity
UK and South Korea Release Joint Advisory Following Surge in North Korean-linked Attacks
The United Kingdom and South Korea recently released a joint advisory warning of a surge in software supply chain attacks by North Korean (DPRK) state-linked threat actors. The increased frequency and sophistication of these attacks prompted the advisory, with Korea's National Intelligence Service (NIS) and Britain's National Cyber Security Centre (NCSC) announcing a new strategic partnership between the two governments aimed at strengthening security measures that disrupt and deter DPRK malicious cyber capabilities and the associated activities that contribute to its nuclear missile program. The advisory comes just as the North Korean-linked hackers tracked as Diamond Sleet were associated with another supply chain attack that targeted downstream customers via a trojanized version of a legitimate software application produced by the Taiwanese software developer CyberLink. As outlined in the joint advisory, and consistent with this latest DPRK-associated attack, the threat actors behind the surge have been observed leveraging zero-day vulnerabilities and exploits in third-party software to gain access to specific targets, or to an entire organization, via its supply chain. The agencies noted that the attacks align with known North Korean state priorities such as "revenue generation and espionage, with the theft of advanced technologies across a range of sectors, including but not limited to defense." Along with CyberLink, other recent noteworthy attacks include those on 3CX, MagicLine4NX, and JumpCloud.
- National Cyber Security Centre: Joint Advisory
- The Record: North Korea Article
- Bleeping Computer: MagicLine4NX Article
- The Hacker News: CyberLink Article
North Korean Hackers Exploit Critical Vulnerability in Apache ActiveMQ to Take Control of Vulnerable Instance
UPDATE: A threat actor known as Andariel, believed to be a member or partner of the North Korean state-sponsored threat group Lazarus, has been identified in a cyberattack campaign targeting South Korean entities to spread the NukeSped and TigerRat backdoors. Andariel is known for targeting "national defense, political groups, shipbuilding, energy, telecommunications, ICT firms, universities, and logistics firms." The threat actors installed the backdoors by exploiting a critical remote code execution (RCE) vulnerability in Apache ActiveMQ, tracked as CVE-2023-46604. ActiveMQ is an open-source message broker that implements message-oriented middleware (MOM), allowing different applications to exchange messages. Specifically, the flaw exists in the Java OpenWire protocol marshaller and allows remote attackers with network access to Java-based OpenWire brokers or clients to run arbitrary shell commands by manipulating class types. Once installed, the backdoors communicate with Andariel command-and-control (C2) servers, giving the threat actors complete administrative control of compromised systems. The vulnerability has been patched; however, threat actors, knowing that many organizations are slow to patch, are actively scanning for and attacking vulnerable versions of ActiveMQ. CTIX analysts recommend that administrators responsible for potentially affected infrastructure ensure that their instances of Apache ActiveMQ are running the most recent software version.
- GBHackers On Security: Apache ActiveMQ Vulnerability Article
- Apache: ActiveMQ Vulnerability Notification
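The recommendation above is easy to get wrong in practice, because the CVE-2023-46604 fix was shipped on several ActiveMQ maintenance branches, so an instance on an older branch can be fully patched without being on the newest release line. The following triage helper is an added example written for this update, not code from Ankura or the Apache project; the per-branch fixed versions in FIXED_VERSIONS are an assumption from the Apache advisory linked above and must be confirmed against it, and the broker inventory is constructed sample data.

```python
"""Per-branch patch check for CVE-2023-46604 in Apache ActiveMQ."""
import re

# ASSUMED per-branch fixed versions (not stated in the newsletter text).
# Verify against the Apache ActiveMQ advisory before relying on this table.
FIXED_VERSIONS = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}

# Leading "major.minor.patch"; a trailing qualifier like "-SNAPSHOT" is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn '5.17.3' into (5, 17, 3); raise ValueError on anything else."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(version_text):
    """Classify one broker as 'patched', 'vulnerable' or 'unknown-branch'.

    Comparison is against the fix on the broker's OWN branch, so 5.17.6 is
    patched even though 5.18.x releases are newer. Branches absent from the
    table are reported for manual review rather than guessed at.
    """
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "unknown-branch"
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory):
    """Map host -> status for a {host: version_string} inventory."""
    result = {}
    for host, version_text in inventory.items():
        try:
            result[host] = assess(version_text)
        except ValueError:
            result[host] = "unparseable"
    return result


# Constructed sample inventory, as an asset scan might report it.
SAMPLE_BROKERS = {
    "mq-prod-01": "5.15.15",   # one release short of the 5.15 fix
    "mq-prod-02": "5.17.6",    # patched on its branch, not the newest line
    "mq-dev": "5.18.2",
    "mq-old": "5.14.5",        # branch not covered by the table
    "mq-odd": "unknown",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_BROKERS).items():
        print(f"{host}: {status}")
```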
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (email@example.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.