A North Korean cyber-espionage group has exploited an ActiveX zero-day to infect South Korean targets with malware or steal data from compromised systems, local media and security researchers have reported.
The perpetrators of these attacks are known as the Andariel Group. According to a report authored by South Korean cyber-security firm AhnLab, the Andariel Group is a smaller unit of the larger and better-known Lazarus Group, North Korea's cyber-espionage apparatus, believed to be a unit of its military.
The recent wave of attacks started last month. Local media reports that Andariel hackers exploited at least nine separate ActiveX vulnerabilities in these attacks, including a new zero-day.
The group's preferred method is the watering-hole attack: compromising legitimate sites, hosting exploit code on them, and infecting every incoming visitor until a high-value target is compromised.
Andariel attackers usually deploy a backdoor trojan on infected hosts, which they use to search for and gather information.
"The zero-day vulnerability has been found in these attacks," a government official from the Korea Internet & Security Agency (KISA) told local media [translated quote].
North Korean hackers, and particularly the Andariel Group, have a history of using ActiveX vulnerabilities, according to both local media and Simon Choi, a South Korean security researcher and founder of the Cyber Warfare Intelligence Center.
Simon Choi (@issuemakerslab), May 29, 2018: "Operation GoldenAxe. North Korea's cyber attack only on South Korea (using ActiveX vuln) from 2007 to 2018." pic.twitter.com/2u6QbxkDRa
A South Korean security researcher who did not want his name revealed told Bleeping Computer the ActiveX zero-day is connected to attacks on Samsung SDS Acube installations.
Acube is a desktop-based groupware application developed by Samsung's enterprise division. The application is popular with South Korean enterprises, and also supports ActiveX controls.
ActiveX is a software framework created by Microsoft. It was developed to support a wide range of interactive features and has, over the years, been embedded in popular apps such as Internet Explorer, Office, and others. Because an ActiveX control is native code that runs with the privileges of the user who loads it, a vulnerable control can be exploited simply by getting its user to open a page that instantiates it.
Samsung has released an update to Acube to prevent exploitation of this zero-day via its application. South Korea's CERT team also issued a security alert on Monday, along with instructions on how companies can update their Acube installations.
But until more details emerge about this mysterious ActiveX zero-day, the main point to take from these reports is that cyber-attacks carried out by North Korean hackers have continued unabated in spite of the ongoing peace talks between North and South Korean officials.
Security experts expected a slowdown of North Korea's cyber-espionage activity in South Korea, similar to the slowdown of Chinese hacking ops after the US and China signed a diplomatic cybersecurity agreement in late 2015.
But it has not been so. Five cyber-security vendors (Dell SecureWorks, McAfee, Symantec, FireEye, and Recorded Future) recently shared their observations of North Korea's recent cyber-activity in a Cyberscoop report, highlighting that the North's cyber-espionage campaigns have either remained at the same level or grown in recent weeks.
Bleeping Computer has recently covered one of Lazarus Group's most recent hacking campaigns, known as Operation GhostSecret.
The US Department of Homeland Security and the Federal Bureau of Investigation released a joint statement this week linking two malware strains, Brambul and Joanap, to the Lazarus Group (referred to as Hidden Cobra by US authorities).