Sojun Ryu, @Securelist
The Lazarus Group, a North Korea-linked advanced persistent threat (APT), is behind a new cyber espionage campaign named "Operation SyncHole." This operation has targeted at least six major South Korean organizations across software, IT, financial, semiconductor manufacturing, and telecommunications industries. The earliest signs of compromise were detected in November 2024. Kaspersky GReAT experts uncovered the campaign, revealing that Lazarus employed a sophisticated combination of watering hole attacks and exploitation of vulnerabilities in South Korean software products.

The attackers strategically leveraged vulnerabilities in widely used software such as Cross EX and Innorix Agent. Cross EX is legitimate software prevalent in South Korea that enables the use of security software on online banking and government websites, while Innorix Agent is a file transfer solution. By compromising legitimate South Korean media websites, the attackers redirected specific visitors to attacker-controlled infrastructure, where malicious scripts were executed to exploit vulnerabilities in Cross EX. A vulnerability in Innorix Agent facilitated lateral movement, enabling further deployment of malware across internal networks.

The campaign involved updated variants of Lazarus's malicious tools, including ThreatNeedle, the Agamemnon downloader, wAgent, SIGNBT, and COPPERHEDGE. The attackers exploited a "one-day" vulnerability in Innorix Agent for lateral movement. Researchers assess that the redirected site may have executed a malicious script that targeted a potential flaw in the Cross EX installation on the victim's PC and launched malware. The infection sequence was observed to proceed in two phases: ThreatNeedle and wAgent in the early stages, followed by SIGNBT and COPPERHEDGE to establish persistence.



References:
  • Securelist: Operation SyncHole: Lazarus APT goes back to the well
  • The Hacker News: Lazarus Hits 6 South Korean Firms via Cross EX, Innorix Flaws and ThreatNeedle Malware
  • cyberpress.org: A newly uncovered cyber campaign, attributed to the infamous Lazarus advanced persistent threat (APT) group, has targeted at least six major South Korean organizations through an attack chain leveraging watering hole techniques and the exploitation of recently patched ("one-day") vulnerabilities in local security and file transfer software.
  • The DefendOps Diaries: Explore Lazarus Group's Operation SyncHole, targeting South Korea's industries with advanced cyber espionage tactics.