Lazarus Hackers’ Linux Malware Linked to 3CX Supply-Chain Attack

New cyber research connects the infamous North Korea-aligned Lazarus Group behind the Linux malware attack called Operation DreamJob to the 3CX supply-chain attack.

In the company’s April 20 Live Security cyber report, ESET researchers announced a connection between the Lazarus Group and expanded attacks now targeting the Linux OS. The attacks are part of a persistent and long-running activity tracked under the name Operation DreamJob that impacted supply chains, according to the ESET cybersecurity team.

Lazarus Group uses social engineering techniques to compromise targets, with fake job offers as the lure. In this case, ESET researchers reconstructed the entire chain from the zip file that delivers a fake HSBC job offer as a decoy to the final payload. Researchers identified the SimplexTea Linux backdoor distributed through an OpenDrive cloud storage account.

This is the first public mention of this major North Korea-aligned threat actor using Linux malware as part of this operation, according to ESET. This discovery helped the team confirm “with a high level of confidence” that the Lazarus Group conducted the recent 3CX supply-chain attack.

Researchers suspected for some time that Korean state-sponsored attackers were involved in the ongoing DreamJob cyberattacks. This latest report corroborates that connection, according to the blog post.

“This attack shows, in full color, how threat actors continue to expand their arsenal, targets, tactics, and reach to get around security controls and practices,” John Anthony Smith, CEO of infrastructure and cybersecurity services firm Conversant Group, told LinuxInsider.

Unfortunate Cyber Milestone

Smith added that attackers targeting a supply chain are not new or surprising. Supply chains are an Achilles’ heel for organizations, and such attacks were inevitable.

Eventually, a compromise of one supply chain may cascade into another, producing what he called a “threaded supply chain attack.” This is a significant and unfortunate milestone in security, he observed.

“We will probably see more of these. We are seeing threat actors expanding their variants to affect more systems, such as BlackCat using the Rust language so that their ransomware can infect Linux systems and be more undetectable,” he said, referencing this case of employing Linux malware.

He described the DreamJob cyberattacks as a new take on the old fake job offer scenario. Threat actors will continue to find new twists, variants, schemes, and vectors.

“So organizations must always be agile in evaluating their controls regularly along with these changing and expanding tactics,” Smith counseled.

Attack Details Revealed

3CX is a VoIP software developer and distributor that provides phone system services to many organizations. The company has more than 600,000 customers and 12,000,000 users in various sectors, including aerospace, health care, and hospitality. It delivers client software via a web browser, mobile app, or desktop application.

Cybersecurity workers in late March found 3CX was compromised with malicious code in the desktop application for both Windows and macOS. The rogue code enabled attackers to download and run arbitrary code on all machines hosting the installed software.

Cyber experts further discovered that the 3CX compromised software was used in a supply-chain attack. The Lazarus Group used external threat actors to distribute additional malware to specific 3CX customers.

CrowdStrike on March 29 reported that Labyrinth Chollima, the company’s codename for Lazarus, was behind the attack but omitted any evidence backing up the claim, according to the ESET blog. Because of the seriousness of the incident, multiple security companies started to release their own summaries of the events.

Operation DreamJob attackers approach targets through LinkedIn and tempt them with job offers from high-tech industrial firms. The hacker group is now able to target all major desktop operating systems.

Tactics and Tools Uncover Purpose

Cyber adversaries launch their campaigns for a planned purpose. The tools they use can help security agents to discern the details of that purpose, offered Zane Bond, head of product at cybersecurity software company Keeper Security.

Most campaigns against the general public are wide-net, low-confidence, low-click-rate cyberattacks. The idea is that if a bad actor sends a hundred million emails and gets one out of a million recipients to click, the attacker still nets a hundred victims, he explained.

“If the payload is being sent to an unknown number of users, the operating system with the highest chance of success is Windows, by a large margin,” he told LinuxInsider.

When an adversary starts building phishing payloads for Mac and the even less common Linux, we can assume the attacker is spear phishing or sending the malicious email to pre-selected and likely high-value targets.

“When Linux systems are attacked, the targets are almost exclusively servers and the cloud. In these cases, the attacker knows who to target for access and can tailor messaging and social engineering efforts to that specific victim,” he said.

Linux Attacks Show Shifting Focus

Having Linux malware in the threat actor arsenal reflects how hackers have shifted their focus to include exploiting vulnerable IoT and operational technology (OT) devices. These devices exist at a much larger scale than IT systems and often are not managed with the same focus on cybersecurity as IT devices are, offered Bud Broomhead, CEO at automated IoT cyber hygiene firm Viakoo.

“IoT/OT devices are functionally cyber-physical systems, where there is a physical element to their operation such as adjusting valves, opening doors, or capturing video,” he told LinuxInsider.

In essence, these devices are the eyes, ears, and hands of an organization. Broomhead added that nation-state threat actors, in particular, look to infect and have a foothold in cyber-physical system infrastructure because of their potential to disrupt and confuse their victims.

Basic Cybersecurity Protections for Any OS

According to Bond, no matter what operating system potential cyber targets run, the same basic protections apply: do not make risky clicks, patch your systems, and use a password manager.

These three simple measures will shut down most cyberattacks. Zero-click malware is usually easily detected and patched.

As long as your system is up to date, you should be safe, he assured. To prevent standard malware that requires user intervention, avoid risky clicks.

“Lastly, a password manager autofill will be able to identify small but easy-to-miss details like SSL certs, cross-domain iframes, and fake websites,” he suggested.
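The last of Bond’s three measures rests on a mechanism worth seeing concretely: a password manager does not autofill on a page that merely looks like the saved site; it fills only when the page’s origin (scheme, host, and port) exactly matches the origin the credential was saved for. The following Python is an added illustration written for this article, not code from the article, from Keeper Security, or from any real password manager. The vault entries and URLs are constructed samples, and `autofill_decision` is a simplified model of the origin-matching policy: it refuses plain HTTP, refuses when the TLS certificate did not validate, refuses forms inside a frame whose origin differs from the top-level page, and otherwise requires an exact origin match, so lookalike domains, appended subdomains, and userinfo tricks in the URL get nothing filled.

```python
from urllib.parse import urlsplit

# Constructed sample vault (hypothetical): saved origin -> credential label.
# A real manager stores these when the user first saves a login.
VAULT = {
    "https://online.example-bank.com": "bank login",
    "https://mail.example.org": "webmail login",
}


def origin_of(url):
    """Return (scheme, host, port) for a URL, or None if it is not a web origin.

    Default ports are filled in so that https://a.example and
    https://a.example:443 compare equal, while :8443 does not.
    """
    parts = urlsplit(url)
    try:
        host, port = parts.hostname, parts.port
    except ValueError:  # malformed port such as ":abc"
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return (parts.scheme, host.lower(), port or (443 if parts.scheme == "https" else 80))


def autofill_decision(page_url, frame_url=None, tls_valid=True):
    """Decide whether saved credentials may be filled on this page.

    page_url  -- the top-level document's URL (what the user sees in the bar)
    frame_url -- URL of the frame containing the login form, if it is framed
    tls_valid -- whether the browser validated the site's certificate chain
    Returns (allowed, reason, credential_label_or_None).
    """
    top = origin_of(page_url)
    if top is None:
        return (False, "unsupported-url", None)
    if top[0] != "https":
        return (False, "not-https", None)          # never send secrets in the clear
    if not tls_valid:
        return (False, "tls-certificate-invalid", None)
    if frame_url is not None and origin_of(frame_url) != top:
        # A cross-origin iframe could be a third party's form embedded in a
        # trusted page, or a trusted form embedded in an attacker's page.
        return (False, "cross-origin-iframe", None)
    for saved_origin, label in VAULT.items():
        if origin_of(saved_origin) == top:
            return (True, "exact-origin-match", label)
    # Visual similarity to a saved site counts for nothing: only the exact
    # origin matches, which is what defeats lookalike domains.
    return (False, "no-saved-origin", None)


if __name__ == "__main__":
    for url in (
        "https://online.example-bank.com/login",
        "https://online.example-bank.com.evil-example.net/login",  # appended suffix
        "https://online.example-bank.com@evil-example.net/login",  # userinfo trick
        "https://0nline.example-bank.com/login",                   # homoglyph
        "http://online.example-bank.com/login",                    # downgrade
    ):
        print(url, "->", autofill_decision(url))
```

The point the example makes is that the manager never reasons about how a hostname looks to a person; it compares the parsed origin byte for byte against what was saved, which is exactly the comparison a hurried user fails to make when a lure page copies the real site’s branding.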

Jack M. Germain

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics.
