The Register: Lazarus Group cloned open source projects to plant backdoors, steal credentials

Source URL: https://www.theregister.com/2025/01/29/lazarus_groups_supply_chain_attack/
Source: The Register
Title: Lazarus Group cloned open source projects to plant backdoors, steal credentials

Feedly Summary: Stealing crypto is so 2024. Supply-chain attacks leading to data exfil pays off better?
North Korea’s Lazarus Group compromised hundreds of victims across the globe in a massive secret-stealing supply chain attack that was ongoing as of earlier this month, according to security researchers.…

AI Summary and Description: Yes

Summary: North Korea’s Lazarus Group has executed a significant supply chain attack, known as Phantom Circuit, using maliciously altered versions of legitimate software to compromise hundreds of global victims, especially within the cryptocurrency sector. The attack methodology underscores a concerning shift that allows hackers to embed malware while evading detection, raising alarms for cybersecurity professionals regarding supply chain vulnerabilities.

Detailed Description: The details provided illustrate a sophisticated attack strategy employed by the Lazarus Group, signaling a serious threat to information security, particularly in sectors that utilize open source software.

– **Attack Overview**:
  – The Phantom Circuit operation compromised software developers by injecting backdoors into legitimate software and open source tools, with the cryptocurrency industry as the primary target.
  – The attack progressed in waves, with the victim count rising from 181 in November to 1,225 in December, and victims concentrated in regions such as India and Brazil.

– **Technical Execution**:
  – The group primarily forked open source projects, modifying repositories such as Codementor and other cryptocurrency-related applications to incorporate obfuscated Node.js backdoors.
  – Once developers unwittingly downloaded these modified packages, the malware executed on their systems, giving the attackers remote access to sensitive data.

– **Infrastructure and Obfuscation**:
  – The Lazarus Group ran a command-and-control (C2) infrastructure built on React applications and Node.js APIs for centralized control over the operation.
  – Layered obfuscation techniques disguised the attack’s origins by routing traffic through various VPNs and proxies.

– **Data Exfiltration**:
  – Stolen data, including credentials and authentication tokens, was sent back to the C2 infrastructure, hidden within legitimate-looking network traffic to evade detection.
  – Investigations uncovered connections to North Korean IP addresses, confirming a link to previous attacks attributed to the Lazarus Group.

– **Security Implications**:
  – This incident highlights the critical need for vigilance in software supply chains, especially regarding the use of open source code, because attackers can easily disguise malicious intent within repositories that appear legitimate.
  – Organizations must strengthen their security protocols and monitoring capabilities to detect unauthorized changes in software dependencies, and establish tighter controls on the use of external code within development environments.

The findings emphasize the necessity for security professionals to adopt a proactive approach towards supply chain risk management and to ensure strict adherence to security practices when integrating third-party software components.