North Korean hackers exploit known bug in ‘high-profile’ software vendor

Hackers connected to the North Korean government have exploited a vulnerability in a “high-profile” software vendor to target its customers, according to a recent report.

In mid-July, researchers from the cybersecurity firm Kaspersky detected a series of attacks on several victims who were targeted through unidentified security software designed to encrypt web communications using digital certificates.

What was remarkable is that the software flaws exploited by the hackers were not new, yet the targeted company had not patched them despite warnings from the vendor.

Attacks like this one are especially dangerous because exploiting vulnerabilities in high-profile software enables hackers to efficiently spread their malware after initial infections, Kaspersky said.

Researchers attributed the campaign to the infamous North Korean hacker group known as Lazarus. The group has targeted the software vendor that developed the exploited software on multiple occasions, according to the report.

This persistence indicates that the threat actor is determined to steal valuable source code or tamper with the software supply chain, the researchers said.

The report did not name any of the victims or the vulnerabilities exploited by hackers.

Earlier this year, Lazarus reportedly initiated a supply-chain attack on the phone company 3CX, with the aim of installing malware on its clients' desktops. 3CX provides office phone systems to more than 12 million daily users in over 600,000 companies, including Mercedes-Benz, Coca-Cola, and the United Kingdom's National Health Service.

In the attack analyzed by Kaspersky, Lazarus' toolset included the SIGNBT and LPEClient malware strains. The exact method by which the targeted software was exploited to deliver the malware remains unknown.

SIGNBT loader is “equipped with an extensive set of functionalities designed to exert control over the victim’s system.” For example, it can gather information about the victim’s device, such as computer name, product name, operation system details, system uptime, main processor information, time zone, network status, and malware configuration data.

Lazarus has also been observed delivering such tools as LPEClient and credential dumping utilities — tools that steal login details from a system — to the victim devices.

The North Korean threat actor previously used the LPEClient malware, for instance, in an attack against a defense contractor in 2020. The malware usually serves as the initial infection vector, helping hackers collect more information about the victim and facilitating the delivery of additional payloads.

LPEClient is designed to collect victim information and download additional payloads from a remote server.

Since it was last exploited, LPEClient has undergone significant evolution — it now employs advanced techniques to improve its stealth and avoid detection.

“This indicates a continued effort by the threat actors to increase the sophistication and effectiveness of their malware,” the researchers said.