Lazarus’ Operation Dream Magic exploits a software flaw

December 22, 2023

The NCSC and South Korea’s National Intelligence Service (NIS) have published a joint advisory that warns organisations worldwide about a supply chain attack called Operation Dream Magic orchestrated by the notorious Lazarus threat group.

According to the advisory, the campaign exploits a zero-day vulnerability in the MagicLine4NX software that affects versions before 1.0.026, posing a significant threat to organisations, especially those in South Korea.

Operation Dream Magic uses a watering hole as its primary tactic.

Operation Dream Magic begins with a watering hole: the attackers compromised a media outlet's website and embedded malicious scripts in an article.

The scripts were crafted to target only visitors from specific IP ranges. When a user running the vulnerable MagicLine4NX software opened the compromised article, the script triggered malicious code that gave the attackers control of the victim's system.

The malicious code is multi-staged: it can perform reconnaissance, exfiltrate data, download and execute encrypted payloads from the C2 servers, and facilitate lateral movement within the network.

From there, the attackers abuse the data synchronisation feature of network-linked systems to push the information-stealing code to the server on the business side, ultimately compromising PCs inside the targeted organisation.

Lazarus is notorious for supply chain attacks and zero-day exploitation. Recent incidents include a trojanized version of CyberLink software used to distribute the LambLoad malware, and a supply chain attack in March by the Labyrinth Chollima subgroup that used a malicious version of the 3CX desktop app.

Beyond supply chain attacks, Lazarus is also the alleged culprit of multiple cryptocurrency thefts, amassing over $290 million from five crypto heists in three months. Notable thefts include $100 million from Atomic Wallet users, $37 million from CoinsPaid, $60 million from Alphapo, and $41 million from Stake.com.

The joint advisory urges organisations running affected versions of MagicLine4NX to update to the latest version. It also recommends restricting access to the admin page of network-linked systems and monitoring networks for unauthorised services or communications.
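As an added example (not code from the advisory or from the NCSC/NIS), the following Python triage script checks an asset inventory for MagicLine4NX installs older than 1.0.026, comparing version components numerically so that a build such as 1.0.9 is not mistaken for a newer release; the CSV inventory layout and the hostnames are assumptions.

```python
# Added example, not code from the advisory: flag MagicLine4NX installs whose
# version predates the 1.0.026 fix. The CSV inventory format is an assumption.
from typing import Optional

FIXED_VERSION = "1.0.026"  # earliest version the advisory treats as unaffected

def parse_version(text: str) -> Optional[tuple]:
    """'1.0.026' -> (1, 0, 26). Numeric comparison matters: a plain string
    compare ranks '1.0.026' below '1.0.9'. Returns None if unparseable."""
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None

def is_affected(version: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if version < fixed, False otherwise, None if version is unparseable."""
    v, f = parse_version(version), parse_version(fixed)
    if v is None or f is None:
        return None
    width = max(len(v), len(f))  # pad so '1.0' compares as (1, 0, 0)
    return v + (0,) * (width - len(v)) < f + (0,) * (width - len(f))

def triage(inventory: str) -> dict:
    """Sort hosts from a 'host,product,version' CSV into affected/clean/review."""
    result = {"affected": [], "clean": [], "review": []}
    for line in inventory.strip().splitlines():
        host, product, version = (x.strip() for x in line.split(","))
        if product.lower() != "magicline4nx":
            continue  # only MagicLine4NX is in scope for this advisory
        verdict = is_affected(version)
        bucket = "review" if verdict is None else ("affected" if verdict else "clean")
        result[bucket].append(host)
    return result

# Constructed sample inventory, not real data.
SAMPLE_INVENTORY = """\
ws-01,MagicLine4NX,1.0.025
ws-02,MagicLine4NX,1.0.026
ws-03,MagicLine4NX,1.0.9
ws-04,MagicLine4NX,1.0.100
ws-05,MagicLine4NX,unknown
ws-06,OtherProduct,1.0.001
"""

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts landing in the "review" bucket have a version string the script cannot parse and should be checked by hand rather than assumed safe.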
