Microsoft Discovers Diamond Sleet’s Supply Chain Attack
The North Koreans are up to no good again. Microsoft is reporting that it has discovered a supply chain attack by a threat actor group named Diamond Sleet, which is using a malicious variant of a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload:
Microsoft Threat Intelligence has uncovered a supply chain attack by the North Korea-based threat actor Diamond Sleet (ZINC) involving a malicious variant of an application developed by CyberLink Corp., a software company that develops multimedia software products. This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload. The file, which was signed using a valid certificate issued to CyberLink Corp., is hosted on legitimate update infrastructure owned by CyberLink and includes checks to limit the time window for execution and evade detection by security products. Thus far, the malicious activity has impacted over 100 devices in multiple countries, including Japan, Taiwan, Canada, and the United States.
Microsoft attributes this activity with high confidence to Diamond Sleet, a North Korean threat actor. The second-stage payload observed in this campaign communicates with infrastructure that has been previously compromised by Diamond Sleet. More recently, Microsoft has observed Diamond Sleet utilizing trojanized open-source and proprietary software to target organizations in information technology, defense, and media.
Ken Westin, Field CISO, Panther Labs had this to say:
North Korean APT groups continue to target the software supply chain because it has repeatedly proven to be successful. Instead of targeting individual systems, they infect software upstream, giving them potential access to a larger number of systems. They continue to increase the level of sophistication in these attacks with strong knowledge of the tooling and techniques of modern DevOps teams. Most organizations are not monitoring their DevOps processes for these types of attacks and lack mechanisms to detect when code may be compromised. I predict more threat groups will follow this approach to infect a larger number of systems downstream as well as improve methods to bypass rudimentary security measures.
I encourage you to read the full report, as it has a lot of detail on what you can do to protect yourself from this threat actor, because this group of North Koreans clearly means business.
This entry was posted on November 25, 2023 at 10:04 am and is filed under Commentary with tags Microsoft. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.