Microsoft Threat Intelligence has exposed a sophisticated supply chain attack. Orchestrated by the North Korea-based cyber group, Diamond Sleet (formerly known as ZINC), this attack involved a deviously altered version of an application developed by CyberLink Corp., a leader in multimedia software. The attack’s distinctiveness lies in its use of a legitimate CyberLink application installer, which was tampered with to incorporate malicious code. This code, cunningly crafted, downloads and initiates a secondary, more dangerous payload.
The Insidious Nature of the Attack
What makes this attack particularly concerning is the use of a valid certificate, originally issued to CyberLink Corp., to sign the infected file. Hosted on CyberLink’s authentic update infrastructure, the malicious file demonstrates an alarming level of sophistication. It even includes specific checks designed to restrict the time frame of its execution and to slip past security product detection. The impact of this malicious endeavor has been significant, with over 100 devices compromised across various countries, including Japan, Taiwan, Canada, and the United States.
Microsoft’s Comprehensive Response
In response to this critical threat, Microsoft has taken a series of decisive steps:
- Alerting CyberLink about the compromise.
- Notifying affected Microsoft Defender for Endpoint customers.
- Reporting the attack to GitHub, leading to the removal of the second-stage payload.
- Blacklisting the CyberLink Corp. certificate involved in the attack.
- Ensuring Microsoft Defender Antivirus and Microsoft Defender for Endpoint effectively detect Diamond Sleet activities.
Diamond Sleet: A Closer Look at the Perpetrator
Diamond Sleet is a notorious North Korea-based cyber group, with a track record of targeting sectors such as media, defense, and IT. Their operations are characterized by espionage, data theft, financial motives, and the potential destruction of corporate networks. Diamond Sleet is known for its exclusive use of custom malware and its recent shift to weaponizing open-source and proprietary software.
The Technical Anatomy of the Attack
The attack was first noticed in October 2023, with the modified CyberLink installer file appearing on numerous devices globally. This file, upon execution, performs checks to evade security measures and proceeds to download a secondary payload disguised as a PNG file. This complex process involves decrypting and launching the payload entirely in memory, making detection challenging.
Key Recommendations for Mitigation
To combat this threat, Microsoft recommends:
- Utilizing Microsoft Defender Antivirus with cloud-delivered protection and automatic sample submission.
- Enabling network protection to block access to malicious domains.
- Activating full automated mode for investigation and remediation in Microsoft Defender for Endpoint.
- Taking immediate action on compromised devices, including isolation and credential reset.
- Investigating for signs of lateral movement and other attack activities.
- Implementing specific attack surface reduction rules.
In-Depth Threat Intelligence and Hunting Queries
Microsoft provides detailed threat intelligence reports and hunting queries through Microsoft Defender XDR and Microsoft Sentinel. These tools are crucial for identifying related activities and effectively responding to the threat posed by Diamond Sleet.
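As an added example that is not part of the original post or of Microsoft's report, the following Microsoft Defender XDR advanced hunting query (KQL) looks for executables carrying a CyberLink code-signing certificate that then fetch a file named like a PNG from GitHub, the second-stage delivery pattern described in the technical section above. The "CyberLink" signer match, the 30-day lookback and the GitHub host list are assumptions; replace them with the certificate and indicator details from the threat intelligence report.

```kql
// Added hunting query (not from the original post or Microsoft's report).
// Assumes the standard Defender XDR advanced hunting schema:
//   DeviceFileCertificateInfo - signer details per file hash
//   DeviceNetworkEvents       - outbound connections per initiating process
let lookback = 30d;
// Step 1: collect hashes of files signed with a CyberLink certificate.
// Signer substring is an assumption; pin to the exact serial number once known.
let cyberlink_signed =
    DeviceFileCertificateInfo
    | where Timestamp > ago(lookback)
    | where IsSigned == true
    | where Signer has "CyberLink"
    | distinct SHA1, Signer, CertificateSerialNumber;
// Step 2: find network events where one of those signed binaries is the
// initiating process and it retrieves a ".png" from a GitHub host.
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where isnotempty(RemoteUrl)
| where RemoteUrl has_any ("github.com", "githubusercontent.com")
| where RemoteUrl endswith ".png"
| join kind=inner cyberlink_signed on $left.InitiatingProcessSHA1 == $right.SHA1
| project Timestamp, DeviceName, InitiatingProcessFileName,
          InitiatingProcessFolderPath, InitiatingProcessSHA1,
          Signer, CertificateSerialNumber, RemoteUrl, RemoteIP
| order by Timestamp desc
```

A legitimate CyberLink updater is unlikely to pull image files from GitHub, so any hit deserves a look at the initiating process path and hash before isolating the device as recommended above.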
In conclusion, the Diamond Sleet supply chain attack serves as a stark reminder of the evolving nature of cyber threats. Organizations must remain vigilant and employ comprehensive cybersecurity measures to protect against such sophisticated attacks. Microsoft’s response and recommendations provide a blueprint for effective defense strategies in this ongoing battle against cyber adversaries.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among other credentials, he holds the CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.