North Korean nation-state actors affiliated with the Reconnaissance General Bureau (RGB) have been attributed to the JumpCloud hack following an operational security (OPSEC) blunder that exposed their actual IP address.
Google-owned threat intelligence firm Mandiant attributed the activity to a threat actor it tracks under the name UNC4899, which likely shares overlaps with clusters already being monitored as Jade Sleet and TraderTraitor, a group with a history of striking blockchain and cryptocurrency sectors.
UNC4899 also overlaps with APT43, another hacking crew associated with the Democratic People’s Republic of Korea (DPRK) that was unmasked earlier this March as conducting a series of campaigns to gather intelligence and siphon cryptocurrency from targeted companies.
The adversarial collective’s modus operandi is characterized by the use of Operational Relay Boxes (ORBs) using L2TP IPsec tunnels along with commercial VPN providers to disguise the attacker’s true point of origin, with commercial VPN services acting as the final hop.
“There have been many occasions in which DPRK threat actors did not employ this last hop, or mistakenly did not utilize this while conducting actions on operations on the victim’s network,” the company said in an analysis published Monday, adding it observed “UNC4899 connecting directly to an attacker-controlled ORB from their 175.45.178[.]0/24 subnet.”
The intrusion directed against JumpCloud took place on June 22, 2023, as part of a sophisticated spear-phishing campaign that leveraged the unauthorized access to breach fewer than five customers and less than 10 systems in what’s called a software supply chain attack.
Mandiant’s findings are based on an incident response initiated in the aftermath of a cyber attack against one of JumpCloud’s impacted customers, an unnamed software solutions entity, the starting point being a malicious Ruby script (“init.rb”) executed via the JumpCloud agent on June 27, 2023.
A notable aspect of the incident is its targeting of four Apple systems running macOS Ventura versions 13.3 or 13.4.1, underscoring North Korean actors’ continued investment in honing malware specially tailored for the platform in recent months.
“Initial access was gained by compromising JumpCloud and inserting malicious code into their commands framework,” the company explained. “In at least one instance, the malicious code was a lightweight Ruby script that was executed via the JumpCloud agent.”
The script, for its part, is engineered to download and execute a second-stage payload named FULLHOUSE.DOORED, using it as a conduit to deploy additional malware such as STRATOFEAR and TIEDYE, after which the prior payloads were removed from the system in an attempt to cover up the tracks –
- FULLHOUSE.DOORED – A C/C++-based first-stage backdoor that communicates using HTTP and comes with support for shell command execution, file transfer, file management, and process injection
- STRATOFEAR – A second-stage modular implant that’s chiefly designed to gather system information as well as retrieve and execute more modules from a remote server or loaded from disk
- TIEDYE – A second-stage Mach-O executable that can communicate with a remote server to run additional payloads, harvest basic system information, and execute shell commands
TIEDYE is also said to exhibit similarities to RABBITHUNT, a backdoor written in C++ that communicates via a custom binary protocol over TCP and which is capable of reverse shell, file transfer, process creation, and process termination.
“The campaign targeting JumpCloud, and the previously reported DPRK supply chain compromise from earlier this year which affected the Trading Technologies X_TRADER application and 3CX Desktop App software, exemplifies the cascading effects of these operations to gain access to service providers in order to compromise downstream victims,” Mandiant said.
“Both operations have suspected ties to financially motivated DPRK actors, suggesting that DPRK operators are implementing supply chain TTPs to target select entities as part of increased efforts to target cryptocurrency and fintech-related assets.”
The development comes days after GitHub warned of a social engineering attack mounted by the TraderTraitor actor to trick employees working at blockchain, cryptocurrency, online gambling, and cybersecurity companies into executing code hosted in a GitHub repository that relied on malicious packages hosted on npm.
The infection chain has been found to leverage the malicious npm dependencies to download an unknown second-stage payload from an actor-controlled domain. The packages have since been taken down and the accounts suspended.
“The identified packages, published in pairs, required installation in a specific sequence, subsequently retrieving a token that facilitated the download of a final malicious payload from a remote server,” Phylum said in a new analysis detailing the discovery of new npm modules used in the same campaign.
“The vast attack surface presented by these ecosystems is hard to ignore. It’s virtually impossible for a developer in today’s world not to rely on any open-source packages. This reality is typically exploited by threat actors aiming to maximize their blast radius for widespread distribution of malware, such as stealers or ransomware.”
Shield Against Insider Threats: Master SaaS Security Posture Management
Worried about insider threats? We’ve got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.
Pyongyang has long used cryptocurrency heists to fuel its sanctioned nuclear weapons program, while simultaneously orchestrating cyber espionage attacks to collect strategic intelligence in support of the regime’s political and national security priorities.
“North Korea’s intelligence apparatus possesses the flexibility and resilience to create cyber units based on the needs of the country,” Mandiant noted last year. “Additionally overlaps in infrastructure, malware, and tactics, techniques and procedures indicate there are shared resources amongst their cyber operations.”
The Lazarus Group remains a prolific state-sponsored threat actor in this regard, consistently mounting attacks that are designed to deliver everything from remote access trojans to ransomware to purpose-built backdoors and also demonstrating a readiness to shift tactics and techniques to hinder analysis and make their tracking much harder.
This is exemplified by its ability to not only compromise vulnerable Microsoft Internet Information Service (IIS) web servers, but also use them as malware distribution centers in watering hole attacks aimed at South Korea, according to the AhnLab Security Emergency Response Center (ASEC).
“The threat actor is continuously using vulnerability attacks for initial access to unpatched systems,” ASEC said. “It is one of the most dangerous threat groups highly active worldwide.”
A second RGB-backed group that’s equally focused on amassing information on geopolitical events and negotiations affecting the DPRK’s interests is Kimsuky, which has been detected using Chrome Remote Desktop to remotely commandeer hosts already compromised through backdoors such as AppleSeed.
“The Kimsuky APT group is continuously launching spear-phishing attacks against Korean users,” ASEC pointed out this month. “They usually employ methods of malware distribution through disguised document files attached to emails, and users who open these files may lose control over their current system.”