
North Korean-backed hackers target CyberLink users in global supply-chain cyberattack.
Microsoft Warns of Supply Chain Attack Involving Legitimate Application Installer
North Korean state-backed hackers are distributing a malicious version of a legitimate application developed by CyberLink, a Taiwanese software maker. According to Microsoft, the attackers compromised CyberLink and modified one of the company's own installer files, which is now being served to CyberLink customers as part of a wide-reaching supply-chain attack.
About CyberLink
CyberLink is a software company headquartered in Taiwan that develops multimedia software, such as PowerDVD, and AI facial recognition technology. According to the company’s website, CyberLink owns over 200 patented technologies and has shipped more than 400 million apps worldwide.
Malicious Installer File
The malicious installer, which Microsoft tracks as "LambLoad," was observed as early as October 20, 2023. According to Microsoft, the file is hosted on legitimate update infrastructure owned by CyberLink and is signed with a valid code-signing certificate issued to CyberLink, so a routine signature check on the file passes.
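Because the trojanized file carried a valid vendor signature, "is it signed?" is not a sufficient question. The PowerShell below is an added triage example (not code from Microsoft or CyberLink) for an installer that has already been downloaded: it records the signature status, signer, and SHA-256, checks the signer against an organization-maintained deny list, and shows where the file was downloaded from if the browser recorded that. The file path, the expected-vendor pattern, and the deny-list thumbprint are placeholders, not real indicators from this campaign.

```powershell
# Added example (not from Microsoft or CyberLink): triage a downloaded installer
# before trusting it. A valid Authenticode signature proves only that someone
# holding the vendor's signing key signed the file; in this campaign that key
# signed malware, so the script also compares the signer against a deny list
# and records the file hash for comparison with published indicators.

param(
    # Path to the installer under review (assumption: adjust to the real file).
    [string]$Path = 'C:\Users\Public\Downloads\Promeo_Setup.exe',
    # Vendor name expected in the signer certificate subject.
    [string]$ExpectedVendor = 'CyberLink',
    # Certificate thumbprints your organization has decided not to trust.
    # The value below is a placeholder, not the real CyberLink certificate.
    [string[]]$DeniedThumbprints = @('0000000000000000000000000000000000000000')
)

if (-not (Test-Path -LiteralPath $Path)) {
    throw "File not found: $Path"
}

$sig  = Get-AuthenticodeSignature -FilePath $Path
$hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

Write-Host "File:        $Path"
Write-Host "SHA-256:     $hash"
Write-Host "Signature:   $($sig.Status)"

if ($sig.SignerCertificate) {
    $cert = $sig.SignerCertificate
    Write-Host "Signer:      $($cert.Subject)"
    Write-Host "Issuer:      $($cert.Issuer)"
    Write-Host "Thumbprint:  $($cert.Thumbprint)"
    Write-Host "Valid:       $($cert.NotBefore) to $($cert.NotAfter)"
}

# Mark of the Web: browsers record the download URL in the Zone.Identifier
# alternate data stream. Useful for confirming the file came from the vendor's
# own host, which in this campaign it did, so treat it as context, not proof.
$motw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($motw) {
    Write-Host "Download origin (Zone.Identifier):"
    $motw | ForEach-Object { Write-Host "    $_" }
}

# Decision logic: a trusted chain is necessary but not sufficient.
if ($sig.Status -ne 'Valid') {
    $verdict = "BLOCK: signature status is $($sig.Status)"
}
elseif ($DeniedThumbprints -contains $sig.SignerCertificate.Thumbprint) {
    $verdict = 'BLOCK: signer certificate is on the deny list'
}
elseif ($sig.SignerCertificate.Subject -notmatch [regex]::Escape($ExpectedVendor)) {
    $verdict = 'BLOCK: signer is not the expected vendor'
}
else {
    # Signed by the expected vendor with a chain Windows trusts. Still compare
    # the SHA-256 against the vendor's published value or your IOC feed before
    # deploying; a stolen or misused key produces exactly this result.
    $verdict = 'REVIEW: signature trusted; confirm hash against known-good and IOC lists'
}
Write-Host "Verdict:     $verdict"
```

Run it as `.\Check-Installer.ps1 -Path <file>` on the host where the file was downloaded. Once a vendor certificate is known to have signed malware, adding its thumbprint to `-DeniedThumbprints` (or, better, to Windows' untrusted certificate store so every application on the host sees the decision) turns the "valid signature" result into a block.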
Microsoft’s Response
Microsoft said it has detected the trojanized installer on more than 100 devices in multiple countries, including Japan, Taiwan, Canada, and the United States. Microsoft has also added the CyberLink certificate that signed the file to its disallowed certificate list, so that Windows no longer trusts binaries signed with it.
Attribution to North Korean Nation-State Actor
Microsoft attributes this attack with "high confidence" to a group it tracks as Diamond Sleet, a North Korean nation-state actor that overlaps with the notorious Lazarus Group. Diamond Sleet has been observed targeting organizations in information technology, defense, and media, and it focuses predominantly on espionage, financial gain, and corporate network destruction.
Second-Phase Payload
A second-phase payload observed in this campaign interacts with infrastructure that Diamond Sleet had previously compromised. Microsoft said it has not yet observed hands-on-keyboard activity, but noted that Diamond Sleet commonly steals data from compromised systems, infiltrates software build environments, moves downstream to compromise further victims, and attempts to establish persistent access to victims' environments.
CyberLink’s Response
A CyberLink spokesperson told TechCrunch that the company identified a "malware issue" in the installation file for one of its apps, the video editing program Promeo, on November 11. The company said it immediately removed the affected installer and has put additional security measures in place to prevent this from happening again.
Supply Chain Attack
The attack is an example of a supply chain attack: rather than attacking end users directly, the attackers compromised the build or distribution infrastructure of a legitimate software vendor so that the vendor itself delivers the malware. Such attacks are particularly damaging because downstream customers have every reason to trust an installer that is served from the vendor's own update servers and carries the vendor's valid code-signing signature; controls that rely on signature validity or source reputation alone will not catch it.
Microsoft’s Recommendations
Microsoft recommends that users and organizations take the following steps to protect themselves from this attack:
- Keep software up-to-date: Apply the latest security patches for operating systems and applications.
- Use antivirus software: Install and regularly update antivirus software so that known malicious files, including the LambLoad installer, are detected and removed.
- Maintain a robust security posture: Use firewalls, intrusion detection systems, and access controls to limit what a compromised endpoint can reach.
- Monitor for suspicious activity: Watch for unusual network traffic, unexpected outbound connections from installer processes, or anomalous login attempts, and investigate potential incidents promptly.
Conclusion
The distribution of a malicious version of CyberLink's installer by North Korean state-backed hackers is a reminder of the ongoing threat posed by nation-state actors, and of the fact that a valid vendor signature is not by itself proof that a file is safe. The attack highlights the importance of maintaining robust cybersecurity measures, including keeping software up-to-date, using antivirus software, maintaining a strong security posture, and monitoring for suspicious activity.
References
- Microsoft Threat Intelligence team
- CyberLink website
- TechCrunch article
- Microsoft Security Blog