Home » Linux » Lazarus Linux Malware Linked to 3CX Supply-Chain Attack

Lazarus Linux Malware Linked to 3CX Supply-Chain Attack

According to new cyber research, the Lazarus Group (a North Korea-aligned organization) is behind Operation DreamJob – the Linux malware that was used in the attack on the 3CX supply chains.

Live Security Cyber Report, April 20, 2014 ESET Researchers have announced that the Lazarus Group is now involved in attacks targeting Linux OS. According to ESET’s cybersecurity team, the attacks were part of an ongoing and persistent activity known as Operation DreamJob which affected supply chains.

Lazarus Group employs social engineering techniques, using fake job offers to lure targets. ESET researchers reconstructed in this case the entire chain starting from the zip that delivered a false HSBC job as a decoy, to the final payload. Researchers have identified the SimplexTea Linux Backdoor that is distributed via an OpenDrive cloud account.

According to ESET, this is the first time that this North Korea-aligned major threat actor has used Linux malware in this operation. This discovery allowed the team to confirm, “with high confidence”, that the Lazarus Group was responsible for the recent 3CX Supply-Chain attack.

Researchers have suspected for a long time that state-sponsored Korean attackers are involved in the DreamJob cyberattacks. The blog post claims that this new report confirms the connection.

John Anthony Smith CEO of Infrastructure and Cybersecurity Services firm said: “This attack shows in full color how threat actors are continuing to expand their arsenals, targets, tactics and reach to bypass security controls and practices.” Conversant GroupLinuxInsider quotes.

Unfortunate Cyber Milestone

Smith said that supply chain attacks are neither new nor surprising. These are the Achilles’ Heel of organizations and this was inevitable.

In the end, one supply line may influence another to become a “threaded chain attack.” He said that this is an unfortunate and significant milestone in the security field.

“We’ll probably see more.” “We are seeing threat actors expand their variants so they can affect more systems. For example, BlackCat uses the Rust programming language to infect Linux systems more undetectable and more undetectable,” said he, referring to this instance of Linux malware.

He said that the DreamJob cyberattacks were a fresh take on the old scenario of a fake job offer. The threat actors will continue to come up with new variants, schemes and vectors.

Smith advised that organizations should always be flexible in their evaluation of controls and tactics, as they change.


Attack Details Revealed

3CX, a VoIP developer and distributor, provides telephone system services to a wide range of organizations. This company has over 600,000 clients and 12,000,000 users across various industries, such as aerospace, health care and hospitality. Client software is delivered via web browsers, mobile apps, and desktop applications.

In late March, cybersecurity workers discovered that 3CX desktop applications for Windows and macOS were compromised by malicious code. The malicious code in the desktop application for Windows and macOS allowed attackers download and run any code they wanted on all machines that were running the installed software.

Cyber experts also discovered that 3CX software compromised was used as part of a supply-chain hack. The Lazarus Group employed external threat actors to spread additional malware to 3CX customers.

CrowdStrike According to the ESET Blog, on March 29, the report claimed that Labyrinth Chollima was the codename of Lazarus. However, it did not provide any evidence supporting the claim. Due to the seriousness, several security companies released their own summaries.

Attackers of Operation DreamJob approach their targets via LinkedIn and lure them with offers of employment from high-tech, industrial firms. The hacker group has now been able to target major desktop operating system.

Discover the purpose of Tactics and Tools

Cyber attackers launch their campaign for a specific purpose. Zane Bond of cybersecurity software company, Bond Software, explained that the tools used by cyber adversaries can be used to determine their purpose. Keeper Security.

Most cyberattacks on the general public have a wide net, low confidence, and low click-rate. He explained that if an attacker sends 100 million emails, and one recipient out of every million clicks on them, they still get 100 victims.

Windows is the most likely operating system to be successful if the payload is sent to an undetermined number of users.

If an attacker starts creating phishing emails for Mac or the less common Linux operating system, it is likely that they are spear phishing. This means sending malicious emails to selected and high-value targets.

When Linux systems are targeted, they are almost always servers and cloud. The attacker can target specific victims and tailor messages and social engineering techniques to them.


Linux Attacks Show Shifting of Focus

Linux malware reveals how hackers have expanded their scope to exploit vulnerable IoT, operational technology (OT), and IoT-connected devices. Bud Broomhead is the CEO of automated IoT Cyber hygiene, which said that these attacks are on a larger scale and do not receive the same attention to cybersecurity as IT systems. Viakoo.

He told LinuxInsider: “IoT/OT are functionally physical systems. They have a physical component to them, like adjusting valves or opening doors.

These devices are the hands, eyes and ears of an organisation. Broomhead explained that, due to their ability to confuse and disrupt their victims, nation-state threat agents, in particular look to infect cyber-physical system architecture and gain a foothold.

Basic Cybersecurity for any OS

Bond said that the same protections should be used no matter what operating systems potential cyber-targets use: avoid risky clicking, patch your system, and make sure to use a secure password manager.

Three simple steps will stop most cyberattacks. Zero-click malware can be easily detected and fixed.

He said that you are safe as long your system is updated. Avoid risky clicks to avoid standard malware which requires user interaction.

He said that an auto-fill password manager will be able “to identify small, easy-to miss details such as SSL certs. cross-domain iframes and fake websites.”