A North Korean threat actor has been tied to a software supply chain attack on JumpCloud, which impacted several downstream customers including a U.S.-based software solutions company. A new Monday analysis reveals that the threat actor is leveraging the supply-chain attack to target MacOS keychains and reconnaissance data associated with executives and internal security teams at the unnamed software customer.
Researchers with Mandiant on Monday said that while working with the victim software company in July, they identified a malicious Ruby script (init.rb) that was executed through the JumpCloud agent on multiple systems. JumpCloud, an identity and access management company, first learned of the breach on June 27 after discovering anomalous activity on a system that they tracked back to a spear-phishing campaign on June 22. According to JumpCloud CISO Bob Phan, fewer than five JumpCloud customers and 10 devices total were impacted (overall, JumpCloud has 200,000 customers).
Like JumpCloud’s incident response partner Crowdstrike, as well as SentinelLabs researchers, Mandiant researchers attributed the attack to a North Korean actor. The attack is part of an increasing wave of financially motivated operations by North Korean actors in the past year focused specifically on cryptocurrency, they said.
“Mandiant is tracking this activity as UNC4899, a suspected North Korean actor,” said researchers with Mandiant on Monday. “We assess with high confidence that UNC4899 is a cryptocurrency-focused group that falls under the [DPRK's Reconnaissance General Bureau]. UNC4899's targeting is selective, and they have been observed gaining access to victim networks through JumpCloud.”
Researchers first discovered the attack on the downstream victim through the malicious Ruby script, and also through a JumpCloud agent log that showed a directive triggering execution on the victim system.
The Ruby script included instructions for executing a second-stage payload, which within 24 hours of initial access deployed additional backdoors. Researchers identified a number of different backdoors as part of the attack. These included a version of FULLHOUSE.DOORED, a known malware with shell command execution, file transfer and process injection capabilities. Also identified was STRATOFEAR, a modular backdoor that primarily retrieves and executes additional module; and TIEDYE, which can retrieve and execute additional payloads, collect basic system information and execute shell commands.
“Mandiant assesses DPRK cryptocurrency units will continue development of MacOS malware and capabilities to target high-value individuals within the cryptocurrency industry, and the software solutions they use.”
The threat actor appeared to target four Apple OSX Ventura systems during the intrusion. Mandiant researchers were able to identify specific signing identifiers correlating to attacker payloads through a forensic artifact that is related to the XProtect Behavioral Service of Apple’s XProtect services, which is intended to automatically block known malware.
“There are currently five behavioral-based rules defined by Apple," according to Mandiant researchers. "Information about executed programs that violate one or more of these rules is recorded in the XProtect Database (XPdb), which is stored in SQLite 3 format and located at /var/protected/xprotect/XPdb. At this time, it does not appear that the XProtect Behavioral Service is configured to block execution.”
Multiple operational security errors by the threat actor also allowed researchers to further understand the attacker’s infrastructure; for instance, attackers used Operational Relay Boxes and leveraged VPN providers as the final hop to obscure their source address, but sometimes they mistakenly did not employ this last hop, exposing pieces of the network infrastructure.
“Mandiant observed the DPRK threat actor UNC4899 connecting directly to an attacker-controlled ORB from their 175.45.178[.]0/24 subnet (Ryugyong Dong, Pyongyang)," said researchers. "Additionally we observed the DPRK threat actor log directly into a Pyongyang IP, from one of their jump boxes. Our evidence supports that this was an OPSEC slip up since the connection to the North Korean netblock was short-lived."
The fact that this compromise stems from a supply chain attack is notable given that North Korean threat actors have previously leveraged supply-chain attacks in order to carry out a number of malicious activities, including ones targeting cryptocurrency. Earlier this year, threat actors launched a supply chain attack against Trading Technologies that resulted in that company’s X_TRADER app being compromised and ultimately led to the downstream compromise of 3CX. Researchers with Mandiant said that overall North Korean operators have streamlined these types of supply-chain compromises, making them harder to track, attribute and stop.
“The level of shared targeting and tooling leads Mandiant to believe that shifts are continuing to occur even outside of the heavily RGB dominated cyber landscape,” according to researchers. “Mandiant assesses DPRK cryptocurrency units will continue development of MacOS malware and capabilities to target high-value individuals within the cryptocurrency industry, and the software solutions they use.”