North Korean nation-state actors affiliated with the Reconnaissance General Bureau (RGB) have been linked to the JumpCloud hack following an operational security (OPSEC) error that exposed their true IP addresses.
Threat intelligence firm Google Mandiant attributed the activity to a threat actor it tracks as UNC4899, which likely overlaps with the already tracked clusters Jade Sleet and TraderTraitor, groups with a notable history of targeting the blockchain and cryptocurrency sectors.
UNC4899 also overlaps with APT43, another hacking crew associated with the Democratic People’s Republic of Korea (DPRK) that was exposed earlier this March for running a series of campaigns to gather intelligence and siphon cryptocurrency from targeted companies.
The group’s modus operandi is characterized by the use of an Operational Relay Box (ORB) reached over an L2TP/IPsec tunnel and chained with a commercial VPN provider to disguise the attacker’s true point of origin, with the commercial VPN service acting as the final hop.
“There have been many instances where DPRK threat actors did not use this last step, or mistakenly did not use it when carrying out operations on the victim’s network,” the company said in an analysis published Monday, adding that it observed “UNC4899 connected directly to an attacker-controlled ORB from their 175.45.178(.)0/24 subnet.”
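The OPSEC slip above is exactly the kind of signal a defender can hunt for in connection and authentication logs: sessions whose source address falls inside a subnet already attributed to the actor. The following is an added example, not code from the article, from Mandiant, or from JumpCloud. The only range it takes from the article is 175.45.178.0/24; the `src=` log field and the sample log lines are constructed for this example, and the routine accepts any list of CIDRs so it generalizes beyond that single subnet.

```python
"""
Added example (not from the original article, Mandiant or JumpCloud): scan
connection/auth log lines and flag any whose source IP sits inside a
watchlisted subnet. 175.45.178.0/24 is the range named in the article as the
subnet UNC4899 connected from when it skipped its ORB/VPN chain. The log
format ("src=<ip>") and the sample lines below are constructed assumptions.
"""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Watchlist of attributed ranges. Only 175.45.178.0/24 comes from the
# article; callers can pass their own list for other ranges.
DEFAULT_WATCHLIST = ("175.45.178.0/24",)

# First IPv4 address following "src=". The "src=" key is an assumed log
# format, not a JumpCloud or Mandiant field name.
_SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def compile_watchlist(cidrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse CIDR strings once so each log line costs only a membership test."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def source_ip(line: str) -> Optional[ipaddress.IPv4Address]:
    """Return the src IP from a log line, or None if absent or not a valid IPv4."""
    m = _SRC_RE.search(line)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:  # e.g. an octet greater than 255; treat as no usable IP
        return None


def flag_watchlisted(lines: Iterable[str],
                     cidrs: Iterable[str] = DEFAULT_WATCHLIST
                     ) -> List[Tuple[str, str, str]]:
    """Return (src_ip, matched_cidr, line) for each line whose src is watchlisted."""
    nets = compile_watchlist(cidrs)
    hits = []
    for line in lines:
        ip = source_ip(line)
        if ip is None:
            continue
        for net in nets:
            if ip in net:
                hits.append((str(ip), str(net), line))
                break  # report the first matching range only
    return hits


# Constructed sample lines; timestamps, users, hosts and non-watchlisted IPs
# (documentation ranges) are invented for this example.
SAMPLE_LOG = [
    "2023-06-22T03:14:07Z sshd[812]: Accepted publickey for deploy src=203.0.113.45 host=build-01",
    "2023-06-22T03:15:52Z vpn-gw: tunnel up peer src=198.51.100.7 proto=l2tp-ipsec",
    "2023-06-22T03:16:30Z sshd[819]: Accepted password for admin src=175.45.178.22 host=orb-relay",
    "2023-06-22T03:17:02Z sshd[820]: Failed password for root src=999.1.1.1 host=orb-relay",
    "2023-06-22T03:18:41Z sshd[823]: session opened for jenkins src=175.45.178.101 host=orb-relay",
    "2023-06-22T03:19:00Z cron: job finished, no src field on this line",
]

if __name__ == "__main__":
    for ip, net, line in flag_watchlisted(SAMPLE_LOG):
        print(f"HIT {ip} in {net}: {line}")
```

Run against the constructed sample, the two sessions from 175.45.178.22 and 175.45.178.101 are flagged, the malformed 999.1.1.1 line is skipped rather than raising, and lines without a source field are ignored. In practice the watchlist would be fed from threat-intelligence feeds and the regex replaced by the parser for whatever log format the ORB-facing hosts actually emit.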
The intrusion at JumpCloud occurred on June 22, 2023, as part of a sophisticated spear-phishing campaign that leveraged unauthorized access to JumpCloud to breach fewer than five customers and fewer than 10 systems in what amounts to a software supply chain attack.
Mandiant’s findings are based on an incident response engagement initiated after a cyber attack against one of the affected JumpCloud customers, an unnamed software solutions entity. The starting point was a malicious Ruby script (“init.rb”) executed through the JumpCloud agent on June 27, 2023.
A notable aspect of the incident was the targeting of four Apple systems running macOS Ventura version 13.3 or 13.4.1, underscoring the North Korean actor’s continued investment in honing malware tailored specifically for the platform in recent months.
“Early access was obtained by compromising JumpCloud and injecting malicious code into their command framework,” the company explained. “In at least one instance, the malicious code was a lightweight Ruby script running through the JumpCloud agent.”
The script, for its part, is engineered to download and execute a backdoor named FULLHOUSE.DOORED, which then serves as a conduit for dropping additional malware such as STRATOFEAR and TIEDYE, after which the earlier-stage payload is removed from the system in an attempt to cover tracks:
- FULLHOUSE.DOORED – First-stage C/C++-based backdoor that communicates over HTTP and supports shell command execution, file transfer, file management, and process injection
- STRATOFEAR – Second-stage modular implant primarily designed to gather system information and to retrieve and execute additional modules from remote servers or from disk
- TIEDYE – Second-stage Mach-O executable that can communicate with remote servers to run additional payloads, harvest basic system information, and execute shell commands
TIEDYE is also said to show similarities to RABBITHUNT, a backdoor written in C++ that communicates via a custom binary protocol over TCP and is capable of spawning a reverse shell, transferring files, and creating and terminating processes.
“The campaign targeting JumpCloud, and the previously reported DPRK supply chain compromise from earlier this year affecting Trading Technologies’ X_TRADER app and 3CX Desktop Application software, exemplify the cascading effect of these operations to gain access to service providers in order to compromise downstream victims,” Mandiant said.
“Both operations are suspected to be linked to financially motivated DPRK actors, suggesting that DPRK operators implemented supply chain TTPs to target specific entities as part of their increased efforts to target cryptocurrency and fintech related assets.”
The development comes days after GitHub warned of a social engineering campaign by the TraderTraitor actor that tricks employees working at blockchain, cryptocurrency, online gambling, and cybersecurity firms into executing code hosted in GitHub repositories that depends on malicious packages hosted on npm.
The infection chains are known to leverage these malicious npm dependencies to download as-yet-unknown second-stage payloads from actor-controlled domains. The packages have since been removed and the associated accounts suspended.
“The identified packages, published in pairs, require installation in a specific order, then retrieve a token that facilitates the download of the final malicious payload from the remote server,” Phylum said in a new analysis detailing the discovery of a new npm module used in the same campaign.
“The broad attack surface presented by this ecosystem is hard to ignore. It is nearly impossible for a developer in today’s world not to rely on any open source package. This fact is commonly exploited by threat actors who aim to maximize their blast radius, spreading malware such as stealers or ransomware widely.”
Pyongyang has long used cryptocurrency theft to fuel its nuclear weapons program, as well as orchestrate cyber espionage attacks to gather strategic intelligence to support the regime’s political and national security priorities.
“North Korea’s intelligence apparatus has the flexibility and resilience to create cyber units based on the needs of the country,” Mandiant noted last year. “Additionally, the overlapping infrastructure, malware, and tactics, techniques, and procedures suggest a shared resource between their cyber operations.”
The Lazarus Group remains a prolific state-sponsored threat actor in this regard, consistently improving attacks designed to deliver everything from remote access trojans to ransomware to tailor-made backdoors and also demonstrating a readiness to change tactics and techniques to hinder analysis and make tracking them more difficult.
This is exemplified by its ability not only to compromise a vulnerable Microsoft Internet Information Services (IIS) web server, but also to repurpose it as a malware distribution point in a watering hole attack aimed at South Korea, according to AhnLab Security Emergency Response Center (ASEC).
“Threat actors continue to use vulnerability attacks for early access to unpatched systems,” ASEC said. “This is one of the most dangerous threat groups that is very active around the world.”
Another RGB-backed group, Kimsuky, which is similarly focused on gathering intelligence on geopolitical events and negotiations affecting DPRK interests, has been observed using Chrome Remote Desktop to remotely take over hosts already compromised through a backdoor such as AppleSeed.
“Kimsuky APT Group continues to launch spear-phishing attacks against Korean users,” ASEC said this month. “They usually use the malware distribution method via disguised document files attached to emails, and users who open these files may lose control of their current system.”