Microsoft recently disclosed a significant supply chain breach involving Taiwanese multimedia software firm CyberLink, orchestrated by the North Korean cyberespionage group, Diamond Sleet (aka ZINC, Labyrinth Chollima, and Lazarus).
The attack, utilizing a trojanized CyberLink installer, was identified as early as October 20, 2023, and has affected over 100 devices worldwide, including those in Japan, Taiwan, Canada, and the United States. Microsoft attributes the breach to Diamond Sleet with high confidence.
This intrusion involved the compromise of a legitimate CyberLink code signing certificate, which Microsoft has since added to its disallowed certificate list so that customers are protected against further misuse of that certificate.
Dubbed ‘LambLoad’ by Microsoft, the malware downloader only proceeds on systems that lack FireEye, CrowdStrike, or Tanium security software. When those conditions are met, it fetches a second-stage payload, concealed within a PNG file, from command-and-control servers.
Microsoft, after detecting the breach, alerted CyberLink and is notifying affected Microsoft Defender for Endpoint customers. Additionally, GitHub removed the second-stage payload in adherence to its Acceptable Use Policies.
CyberLink, a renowned multimedia software developer since 1996, has distributed 400 million copies of its applications globally. The company remains engaged in addressing the fallout from this cyber incident in collaboration with security experts.
Preventing supply chain breaches demands heightened scrutiny of software sources. Employing robust endpoint protection tools and keeping them updated helps detect and prevent trojanized software installations. Conducting thorough security audits, including monitoring code signing certificate usage and enforcing stringent access controls, mitigates risks. Regularly educating employees on phishing threats and promoting a culture of cybersecurity awareness reduces the likelihood of falling victim to supply chain attacks.
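One concrete form of the certificate monitoring recommended above is to check the Authenticode signer of every installer before it is deployed. The PowerShell script below is an added example written for this page; it is not code from Microsoft, CyberLink, or the article. It walks a folder of installers, compares each signer certificate's thumbprint against a local block list, and flags files whose signature is anything other than `Valid`. The thumbprint in the block list is a placeholder, not the real CyberLink certificate: replace it with the value published in vendor advisories. On a Windows host that has received Microsoft's updated disallowed certificate list, a file signed with the compromised certificate should already fail validation with a status such as `NotTrusted`, so the second check catches it even before the block list is populated.

```powershell
# Added example for this page (not Microsoft's or CyberLink's code).
# Scans installers under -Path and flags:
#   1. files signed by a certificate whose thumbprint is on a local block list, or
#   2. files whose Authenticode status is anything other than 'Valid'
#      (unsigned, hash mismatch, chain not trusted, etc.).
param(
    [string]$Path = "C:\Temp\Installers",                                 # assumed staging folder
    [string[]]$DisallowedThumbprints = @("0000000000000000000000000000000000000000")  # PLACEHOLDER thumbprint
)

# Normalise the block list once so comparisons are case-insensitive.
$blocklist = $DisallowedThumbprints | ForEach-Object { $_.ToUpperInvariant() }

$findings = Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.msi, *.dll | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName

    $thumb = $null
    $subject = '<unsigned>'
    if ($sig.SignerCertificate) {
        $thumb = $sig.SignerCertificate.Thumbprint.ToUpperInvariant()
        $subject = $sig.SignerCertificate.Subject
    }

    # Decide a verdict: a blocked signer is the strongest signal, then any non-Valid status.
    if ($thumb -and ($blocklist -contains $thumb)) {
        $verdict = 'BLOCKED-SIGNER'
    } elseif ($sig.Status -ne 'Valid') {
        $verdict = "UNTRUSTED ($($sig.Status))"
    } else {
        $verdict = 'OK'
    }

    [pscustomobject]@{
        File       = $_.FullName
        Signer     = $subject
        Thumbprint = $thumb
        Status     = $sig.Status
        Verdict    = $verdict
    }
}

# Show only files that need attention; an empty table means every installer passed both checks.
$findings | Where-Object { $_.Verdict -ne 'OK' } | Format-Table -AutoSize

# Return a non-zero exit code when anything was flagged, so the script can gate a deployment pipeline.
if ($findings | Where-Object { $_.Verdict -ne 'OK' }) { exit 1 }
```

Run it as `.\Check-InstallerSignatures.ps1 -Path D:\Downloads -DisallowedThumbprints 'ABCD...'` (the script name is assumed). A `BLOCKED-SIGNER` verdict means the file was signed with a certificate you have explicitly distrusted; an `UNTRUSTED (NotTrusted)` verdict on a file that was previously accepted is the signal to expect once Windows has revoked a vendor certificate, and is worth treating as a potential trojanized installer rather than a benign signing error.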