The attack flow of the Initial Compromise stage. / Courtesy of CAS Corporation

CAS Corporation announced on the 24th that the Lazarus hacking group has carried out a sophisticated cyber-attack campaign against multiple organizations in South Korea.

The campaign exploited a zero-day vulnerability in Innorix Agent and hit at least six Korean organizations in the software, IT, finance, semiconductor and telecommunications sectors. CAS Corporation named the campaign 'Operation SyncHole' and noted that the vulnerability was patched immediately after it was reported.

The attackers abused vulnerabilities in Innorix Agent, a browser-integrated third-party secure file transfer tool, to move laterally inside the victim networks and install malware. According to the analysis, they ultimately deployed Lazarus's primary malware families, ThreatNeedle and LPEClient, and took control of the internal network.

During the investigation, CAS Corporation's Global Research and Analysis Team (GReAT) also uncovered a further zero-day, an arbitrary file download vulnerability, by analysing the malware's behaviour. That vulnerability was reported to the Korea Internet Security Agency (KrCERT) and to the vendor, and has since been patched.

A second avenue used in the attack involved CrossEX, a South Korean browser security tool: evidence showed that a variant of a backdoor was executed through SyncHost.exe, a subprocess of that tool. CrossEX has since officially acknowledged the security vulnerabilities and issued an update.
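As an added illustration, not part of the original report or of CAS Corporation's analysis, the Python below shows how a defender could hunt for the kind of SyncHost.exe abuse described above: it scans process-creation events for child processes of SyncHost.exe and raises the severity when the child, or a path in its command line, lives in a user-writable directory. The CrossEX install path, the allowlist of expected children, the list of user-writable directory markers and the sample events are all constructed for this example and are not indicators published with the report; build the allowlist from a baseline of your own hosts before using anything like this in production.

```python
"""Hunt for unexpected child processes of SyncHost.exe in process-creation telemetry."""
import json
from pathlib import PureWindowsPath

# ASSUMPTION: children SyncHost.exe may legitimately spawn. Illustrative only;
# derive the real list from a baseline of healthy hosts, not from this example.
ALLOWED_CHILDREN = {"conhost.exe"}

# ASSUMPTION: directory fragments that indicate a user-writable location where a
# legitimate helper binary or DLL should not normally live.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed sample events, loosely shaped like Sysmon Event ID 1 (process creation)
# exported as JSON. Hostnames, PIDs, install path and file names are made up.
SAMPLE_EVENTS_JSON = r"""
[
 {"host": "WS01", "ProcessId": 4120, "Image": "C:\\Windows\\System32\\conhost.exe",
  "ParentImage": "C:\\Program Files (x86)\\CrossEX\\SyncHost.exe", "CommandLine": "conhost.exe 0x4"},
 {"host": "WS01", "ProcessId": 4188, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe",
  "ParentImage": "C:\\Program Files (x86)\\CrossEX\\SyncHost.exe", "CommandLine": "svchost.exe"},
 {"host": "WS02", "ProcessId": 5301, "Image": "C:\\Windows\\System32\\rundll32.exe",
  "ParentImage": "C:\\Program Files (x86)\\CrossEX\\SyncHost.exe",
  "CommandLine": "rundll32.exe C:\\ProgramData\\upd.dll,Start"},
 {"host": "WS03", "ProcessId": 2210, "Image": "C:\\Windows\\explorer.exe",
  "ParentImage": "C:\\Windows\\System32\\userinit.exe", "CommandLine": "explorer.exe"}
]
"""


def load_sample_events():
    """Parse the constructed sample events into a list of dicts."""
    return json.loads(SAMPLE_EVENTS_JSON)


def basename(win_path: str) -> str:
    """Lower-cased file name of a Windows path (empty string if no path)."""
    return PureWindowsPath(win_path).name.lower()


def in_user_writable_dir(win_path: str) -> bool:
    """True if the path contains one of the assumed user-writable directory markers."""
    lowered = win_path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def triage_event(event: dict, allowed=ALLOWED_CHILDREN):
    """Return (severity, reason) for a SyncHost.exe child worth a look, else None."""
    if basename(event.get("ParentImage", "")) != "synchost.exe":
        return None
    child = basename(event.get("Image", ""))
    if child in allowed:
        return None
    if in_user_writable_dir(event.get("Image", "")):
        return ("high", f"SyncHost.exe spawned {child} from a user-writable directory")
    # A trusted system binary (e.g. rundll32.exe) pointed at a DLL in a
    # user-writable directory is just as suspicious as a dropped executable.
    if any(in_user_writable_dir(tok) for tok in event.get("CommandLine", "").split()):
        return ("high", f"SyncHost.exe spawned {child} with arguments referencing a user-writable path")
    return ("medium", f"SyncHost.exe spawned unexpected child {child}")


def hunt(events, allowed=ALLOWED_CHILDREN):
    """Run triage over all events and return the findings as a list of dicts."""
    findings = []
    for event in events:
        hit = triage_event(event, allowed)
        if hit is None:
            continue
        severity, reason = hit
        findings.append({"host": event["host"], "pid": event["ProcessId"],
                         "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in hunt(load_sample_events()):
        print(f"[{finding['severity']}] {finding['host']} pid={finding['pid']}: {finding['reason']}")
```

On the sample data this flags the dropped svchost.exe look-alike in a Temp folder and the rundll32.exe invocation loading a DLL from ProgramData, while the expected conhost.exe child and an unrelated explorer.exe launch pass silently. The same parent/child logic translates directly into an EDR or SIEM query once you know where SyncHost.exe is installed on your own estate.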

Igor Kuznetsov, GReAT director at CAS Corporation, said, 'Browser plugins or auxiliary tools used in region-specific software or legacy systems are a major cause of widening the attack surface,' and added, 'Such tools running with high privileges are more easily targeted by attackers than modern browsers.'

※ This article has been translated by AI.