Operation "Dream Magic": Lazarus hackers are getting deeper into South Korean organizations

Brother

Zero-day in MagicLine4NX as a new attack vector for cybercriminals from the DPRK.

The National Cyber Security Centre of the United Kingdom (NCSC) and the National Intelligence Service of South Korea (NIS) have issued a joint advisory about the activities of the North Korean hacker group Lazarus. According to the agencies, the attackers are exploiting a recently discovered vulnerability in MagicLine4NX, software developed by the South Korean company Dream Security, to carry out supply-chain attacks.

MagicLine4NX is authentication software used to log in securely to organizations' systems. As the advisory states, the DPRK attackers used a zero-day vulnerability in MagicLine4NX to compromise their targets, primarily South Korean institutions.

The attack took place in March 2023 and began with the compromise of a South Korean media outlet's website, into which the attackers injected malicious scripts to carry out a watering-hole attack.

When a visitor from one of the targeted IP ranges opened a specific article on the compromised site, the injected script executed code that triggered the MagicLine4NX vulnerability; versions up to and including 1.0.0.26 are affected.

As a result, the victim's computer connected to the attackers' C2 server. From that foothold, the attackers exploited a vulnerability in the organization's network-linked system (the solution that connects its internet-facing and internal network segments) to gain access to a server on the internet side of that system.
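As an added hunting example (not code from the advisory, the ASEC report or the original post), the Python below correlates a visit to the compromised article from a targeted IP range with a subsequent outbound connection to a previously unseen host, and checks the installed MagicLine4NX version against the affected range. The article URL, IP ranges, log format, inventory and log lines are all constructed; the ten-minute callback window and the use of a known-destination baseline are assumptions a defender would tune to their own environment.

```python
"""Hunt for the Dream Magic watering-hole pattern in web-proxy logs.

Added example; not code from the advisory or the ASEC report. Every
host, URL, IP range and log line here is constructed for illustration.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed: the article page on the compromised media site (hypothetical URL).
WATERING_HOLE_URL = "https://news.example.kr/article/12345"
# Constructed: source ranges the injected script gated the exploit on (hypothetical).
TARGET_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# From the advisory: MagicLine4NX versions up to and including 1.0.0.26 are affected.
LAST_AFFECTED_VERSION = "1.0.0.26"
# Assumption: an outbound connection to a never-before-seen host within this
# window after the article visit is the exploit's C2 callback.
CALLBACK_WINDOW = timedelta(minutes=10)


def parse_version(version):
    """'1.0.0.26' -> (1, 0, 0, 26); tuples compare field by field."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version):
    """True if this MagicLine4NX build is in the affected range.

    Compare numerically: as strings, '1.0.0.9' > '1.0.0.26', which is wrong.
    """
    return parse_version(version) <= parse_version(LAST_AFFECTED_VERSION)


def in_target_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TARGET_RANGES)


def parse_log_line(line):
    """Constructed log format: '<ISO timestamp> <src ip> <dst host> <url>'."""
    ts, src, dst, url = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), src, dst, url


def hunt(log_lines, inventory, known_hosts):
    """Return (src, dst, timestamp) for each suspected C2 callback.

    inventory: src ip -> installed MagicLine4NX version; hosts missing from
    it are treated as possibly affected, not as safe.
    known_hosts: destinations in the baseline; anything else counts as new.
    """
    events = sorted((parse_log_line(line) for line in log_lines), key=lambda e: e[0])
    visited_at = {}   # src ip -> time it loaded the watering-hole article
    findings = []
    for ts, src, dst, url in events:
        if url == WATERING_HOLE_URL and in_target_range(src):
            visited_at[src] = ts
            continue
        t0 = visited_at.get(src)
        if t0 is None or ts - t0 > CALLBACK_WINDOW:
            continue
        if dst in known_hosts:
            continue
        version = inventory.get(src)
        if version is not None and not is_affected(version):
            continue
        findings.append((src, dst, ts))
    return findings


# Constructed sample data: .10 is vulnerable and beacons out, .11 is patched,
# 192.0.2.5 is vulnerable but outside the ranges the script targeted.
SAMPLE_LOG = """\
2023-03-14T09:00:00 203.0.113.10 news.example.kr https://news.example.kr/article/12345
2023-03-14T09:00:05 203.0.113.10 cdn.example.net https://cdn.example.net/lib.js
2023-03-14T09:00:41 203.0.113.10 198.51.100.7 https://198.51.100.7/update
2023-03-14T09:02:00 203.0.113.11 news.example.kr https://news.example.kr/article/12345
2023-03-14T09:02:20 203.0.113.11 198.51.100.7 https://198.51.100.7/update
2023-03-14T09:03:00 192.0.2.5 news.example.kr https://news.example.kr/article/12345
2023-03-14T09:03:30 192.0.2.5 198.51.100.7 https://198.51.100.7/update
""".splitlines()
SAMPLE_INVENTORY = {"203.0.113.10": "1.0.0.26", "203.0.113.11": "1.0.0.27", "192.0.2.5": "1.0.0.9"}
SAMPLE_KNOWN_HOSTS = {"news.example.kr", "cdn.example.net"}

if __name__ == "__main__":
    for src, dst, ts in hunt(SAMPLE_LOG, SAMPLE_INVENTORY, SAMPLE_KNOWN_HOSTS):
        print(f"{ts.isoformat()} {src} -> {dst}: possible MagicLine4NX C2 callback")
```

Only the host running 1.0.0.26 is reported: the patched host made the same callback-shaped request but is excluded by the version check, and the out-of-range host never received the exploit, so its article visit is not tracked. In practice the known-host set would be a baseline of destinations seen before the compromise window rather than a hand-written allowlist.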

Then, abusing that system's data-synchronization function, the North Korean attackers pushed information-stealing malware to a business-side server and from there broke into computers inside the target organization.

The malicious code communicated with two command-and-control servers: one served as an intermediate gateway, and the other was located on an external network.

The malicious code's functions included reconnaissance, data exfiltration, downloading and executing encrypted payloads from the attackers' server, and lateral movement across the network.

Detailed information about this attack, codenamed "Dream Magic" and attributed to the Lazarus group, is provided in the ASEC report, which is available only in Korean.