
July 25, 2023

North Korean Reconnaissance General Bureau (RGB) hacker’s infrastructure exposed in recent attack


Researchers have uncovered the IP address of an operational relay box (ORB) involved in a supply chain attack against software company JumpCloud, attributed to the North Korean Reconnaissance General Bureau (RGB), known as Lazarus. Lazarus is known for its use of ORBs and commercial VPN providers to obfuscate its location. However, in this case, Lazarus actors either forgot or chose not to use this technique and instead connected directly to the victim from an ORB on the 175.45.178[.]0/24 subnet.

Lazarus’s recent hacking activity has been prolific, with reports implicating the group in campaigns against Microsoft Internet Information Services (IIS) servers, cryptocurrency companies, GitHub, and JumpCloud.

Source: The Hacker News

Analysis

There are several explanations for the exposure of Lazarus’s infrastructure during this campaign. The most likely reason is that the actor made a mistake, forgetting to use a VPN to connect to the ORB when establishing a session with the victim. Cyber actors are human, and mistakes can happen, especially when dealing with multiple victims and intrusion sets.

Another explanation is that the actor deliberately did not use a VPN to avoid connection reliability issues or slow speeds. Although each layer of VPN servers and hop points increases operational security, it also decreases the reliability and speed of the connection. It’s possible that the actor needed a reliable and fast connection for a specific task and that this outweighed the need for operational security in that particular case. Unfortunately for the actor, researchers capitalized on this decision.

IP range details showing DPRK association (Source: ipinfo.io)

The public exposure of this subnet will allow cybersecurity researchers to probe it for vulnerabilities, patterns, and other indicators of compromise (IoCs) that may help disrupt or detect future Lazarus campaigns. That is, until Lazarus switches to new infrastructure and carries on as usual.
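As an added example (not part of the report or of Field Effect’s tooling), the following Python check refangs the published subnet and flags any connection log line whose source or destination address falls inside it. The log format and the log lines are constructed here for illustration and are not from the incident:

```python
import ipaddress
import re

# The subnet named in the report, kept in its published defanged form.
DEFANGED_SUBNET = "175.45.178[.]0/24"

# Constructed sample log lines (assumed syslog-style firewall/VPN events), not real data.
SAMPLE_LOGS = [
    "2023-07-20T10:01:02Z fw01 ACCEPT src=175.45.178.45 dst=10.0.0.12 dport=443",
    "2023-07-20T10:02:17Z fw01 ACCEPT src=203.0.113.9 dst=10.0.0.12 dport=443",
    "2023-07-20T10:03:40Z vpn01 login user=jdoe src=175.45.178.200",
    "2023-07-20T10:04:05Z fw01 ACCEPT src=10.0.0.12 dst=175.45.178.7 dport=8443",
    "2023-07-20T10:05:00Z fw01 malformed line with no addresses",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(indicator: str) -> str:
    """Undo common defanging ('[.]', '(.)', 'hxxp') so the indicator can be parsed."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def find_matches(log_lines, defanged_networks):
    """Return (address, network, line) for every address in a line that sits in a watched network."""
    nets = [ipaddress.ip_network(refang(n), strict=False) for n in defanged_networks]
    hits = []
    for line in log_lines:
        for token in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                continue  # e.g. 999.1.1.1 matches the regex but is not a valid address
            for net in nets:
                if addr in net:
                    hits.append((str(addr), str(net), line))
                    break  # one hit per address even if networks overlap
    return hits


if __name__ == "__main__":
    for addr, net, line in find_matches(SAMPLE_LOGS, [DEFANGED_SUBNET]):
        print(f"{addr} in {net}: {line}")
```

Outbound matches (the fourth sample line, where the subnet is the destination) are worth treating with the same priority as inbound ones, since a host reaching out to the ORB range is the more telling sign.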

Mitigation

Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for threats emanating from nation-state actors such as Lazarus. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate any threats these groups may pose. Covalence users are automatically notified when such activity is detected in their environment and are encouraged to review these AROs as quickly as possible.
