It has been reported that Lazarus malware has been tracked in new campaigns against South Korean supply chains, made possible through stolen security certificates.
Today, cybersecurity researchers from ESET revealed the abuse of the certificates, stolen from two separate, legitimate South Korean companies. In this supply chain attack, the threat actors are using an “unusual supply chain mechanism,” ESET says, in which Lazarus is abusing a standard requirement for South Korean internet users — the need to install additional security software when they visit government or financial services websites.
This attack by Lazarus group is yet another example of how cyber criminals will try to compromise the supply chain at any weak spot to gain access. It\’s therefore essential that all organisations have effective and robust security controls in place to maintain the integrity of its supply chain and the security of transactions which take place across it. We saw Petya ransomware spread through most of Ukraine due to a compromised tax filing software. Government departments in particular need to keep a close eye on mandatory software or portals which, if compromised, can quickly have large impacts.
What has transpired here highlights how cybersecurity does not operate within a vacuum. Maintaining good cybersecurity requires keeping an eye on the basics, and ensuring that the organisations you partner with in the supply chain do as well – as the saying goes, your security is only as strong as your weakest link. In this instance, the South Korean government should ensure that the software manager verifies the owner of the certificate, and that all organisations within their supply chain are adhering to a standard set of cyber hygiene rules as well as performing regular security audits. This is particularly true if they are requiring users to download software to access certain services.
For many services in South Korea, visitors must first download special security software in order to verify their identity, security status and enable secure downloads prior to gaining access. While the Wizvera software does exhibit security maturity and offers a safeguard to cyber threats, it only does what the configuration file instructs. In other words, the file informs Wizvera on which software it should install. All that hackers had to do was find the websites that were easiest to breach. Once breached, the attacker could then replace legitimate binaries with malicious ones. This enables Wizvera to install malicious software on visitors\’ devices.
This is yet another case of cybercriminals finding loopholes in security procedures. Based on feedback from ESET researchers, the easiest prevention of such an attack would be to provide hashes on the binaries in the configuration files. That way, the binary cannot be installed if the hashes do not match. Unfortunately, skipping this extra security step has allowed attackers to abuse the otherwise robust system. We see this often, where misconfiguration can lead to significant consequences. While typically we hear about instances of misconfigured S3 buckets, in this case, it was a misconfigured instruction file.