ESET researchers have discovered attempts to deploy Lazarus malware via a supply-chain attack (on less secure parts of the supply network) in South Korea. In order to deliver its malware, the attackers used an unusual supply-chain mechanism, abusing legitimate South Korean security software and digital certificates stolen from two different companies. The attack was made easier for Lazarus as South Korean internet users are often asked to install additional security software when visiting government or internet banking websites.
“To understand this novel supply-chain attack, you should be aware that Wizvera VeraPort, referred to as an integration installation program, is a South Korean application that helps manage such additional security software. When Wizvera VeraPort is installed, users receive and install all necessary software required by a specific website. Minimal user interaction is required to start such software installation,” explained Anton Cherepanov, ESET researcher who led the investigation into the attack. “Usually this software is used by government and banking websites in South Korea. For some of these websites it’s mandatory to have Wizvera VeraPort installed.”
“While the Wizvera software does exhibit security maturity and offers a safeguard to cyber threats, it only does what the configuration file instructs,” observed Boris Cipot, senior security engineer at Synopsys. “In other words, the file informs Wizvera on which software it should install. All that hackers had to do was find the websites that were easiest to breach. Once breached, the attacker could then replace legitimate binaries with malicious ones. This enables Wizvera to install malicious software on visitors’ devices.”
Additionally, the attackers used illegally obtained code-signing certificates in order to sign the malware samples. One of these certificates was issued to the US branch of a South Korean security company. “The attackers camouflaged the Lazarus malware samples as legitimate software. These samples have similar file names, icons and resources as legitimate South Korean software,” says Peter Kálnai, ESET researcher who analysed the Lazarus attack with Cherepanov. “It’s the combination of compromised websites with Wizvera VeraPort support and specific VeraPort configuration options that allows attackers to perform this attack.”
“What has transpired here highlights how cybersecurity does not operate within a vacuum,” added Stuart Sharp, VP of Technical Services at OneLogin. “Maintaining good cybersecurity requires keeping an eye on the basics, and ensuring that the organisations you partner with in the supply chain do as well – as the saying goes, your security is only as strong as your weakest link. In this instance, the South Korean government should ensure that the software manager verifies the owner of the certificate, and that all organisations within their supply chain are adhering to a standard set of cyber hygiene rules as well as performing regular security audits. This is particularly true if they are requiring users to download software to access certain services.”
“This attack by Lazarus group is yet another example of how cybercriminals will try to compromise the supply chain at any weak spot to gain access,” agreed Javvad Malik, Security Awareness Advocate at KnowBe4. “It’s therefore essential that all organisations have effective and robust security controls in place to maintain the integrity of their supply chains and the security of transactions which take place across them. We saw Petya ransomware spread through most of Ukraine due to a compromised tax filing software. Government departments in particular need to keep a close eye on mandatory software or portals which, if compromised, can quickly have large impacts.”
“This is yet another case of cybercriminals finding loopholes in security procedures,” concluded Cipot. “Based on feedback from ESET researchers, the easiest prevention of such an attack would be to provide hashes on the binaries in the configuration files. That way, the binary cannot be installed if the hashes do not match. Unfortunately, skipping this extra security step has allowed attackers to abuse the otherwise robust system. We see this often, where misconfiguration can lead to significant consequences. While typically we hear about instances of misconfigured S3 buckets, in this case, it was a misconfigured instruction file.”
