Lazarus Hackers’ Linux Malware Linked to 3CX Supply-Chain Attack

New cyber research connects the infamous North Korea-aligned Lazarus Group, which is behind the Linux malware campaign known as Operation DreamJob, to the 3CX supply-chain attack.

In the company’s April 20 WeLiveSecurity report, ESET researchers announced a connection between the Lazarus Group and expanded attacks that now target the Linux OS. The attacks are part of a persistent and long-running activity tracked under the name Operation DreamJob, which has impacted supply chains, according to the ESET cybersecurity team.

Lazarus Group uses social engineering to compromise targets, with fake job offers as the lure. In this case, ESET researchers reconstructed the entire chain, from the zip file that delivers a fake HSBC job offer as a decoy to the final payload. Researchers identified the final payload as the SimplexTea Linux backdoor, distributed through an OpenDrive cloud storage account.

This is the first public mention of this major North Korea-aligned threat actor using Linux malware as part of this operation, according to ESET. This discovery helped the team confirm “with a high level of confidence” that the Lazarus Group conducted the recent 3CX supply-chain attack.

Researchers had suspected for some time that North Korean state-sponsored attackers were involved in the ongoing DreamJob cyberattacks. This latest report corroborates that connection, according to the blog post.

“This attack shows, in full color, how threat actors continue to expand their arsenal, targets, tactics, and reach to get around security controls and practices,” John Anthony Smith, CEO of infrastructure and cybersecurity services firm Conversant Group, told LinuxInsider.

Unfortunate Cyber Milestone

Smith added that attackers targeting a supply chain are neither new nor surprising. Supply chains are an Achilles’ heel for organizations, and such attacks were inevitable.

Eventually, the compromise of one supply chain may cascade into another, producing a “threaded supply chain attack.” This is a significant and unfortunate milestone in security, he observed.

“We will probably see more of these. We are seeing threat actors expanding their variants to affect more systems, such as BlackCat using the Rust language so that their ransomware can infect Linux systems and be more undetectable,” he said, referencing this case of employing Linux malware.

He described the DreamJob cyberattacks as a new twist on the old fake job offer scenario. Threat actors will continue to find new twists, variants, schemes, and vectors.

“So organizations must always be agile in evaluating their controls regularly along with these changing and expanding tactics,” Smith counseled.

Attack Details Revealed

3CX is a VoIP software developer and distributor that provides phone system services to many organizations. The company has more than 600,000 customers and 12,000,000 users in various sectors, including aerospace, health care, and hospitality. It delivers client software via a web browser, mobile app, or desktop application.

In late March, security researchers found that the 3CX desktop application for both Windows and macOS had been compromised with malicious code. The rogue code enabled attackers to download and run arbitrary code on every machine where the trojanized software was installed.

Experts further established that the compromised 3CX software was being used in a supply-chain attack: the Lazarus Group used the trojanized application as a foothold to deliver additional malware to specific 3CX customers.

CrowdStrike reported on March 29 that Labyrinth Chollima, the company’s codename for Lazarus, was behind the attack, but it did not publish evidence backing up the claim, according to the ESET blog. Because of the seriousness of the incident, multiple security companies began releasing their own summaries of the events.

Operation DreamJob attackers approach targets through LinkedIn and tempt them with job offers from high-tech industrial firms. With the addition of Linux malware, the group is now able to target all major desktop operating systems.
