Lazarus APT updates its toolset in watering hole attacks
We have been tracking the latest attack campaign by the Lazarus group since last November, as it targeted organizations in South Korea with a sophisticated combination of a watering hole strategy and exploitation of vulnerabilities in South Korean software. The campaign, dubbed “Operation SyncHole”, has impacted at least six organizations in South Korea’s software, IT, financial, semiconductor manufacturing, and telecommunications industries, and we are confident that many more companies have actually been compromised. We immediately took action by passing actionable information to the Korea Internet & Security Agency (KrCERT/CC) so that it could respond quickly upon detection, and we have now confirmed that all of the software exploited in this campaign has been updated to patched versions.
Our findings in a nutshell:
- At least six South Korean organizations were compromised by a watering hole attack combined with exploitation of vulnerabilities by the Lazarus group.
- A one-day vulnerability in Innorix Agent was also used for lateral movement.
- …
IoC