
ESET Research discovers new Lazarus DreamJob campaign and links it to phone provider 3CX supply-chain attack

  • ESET researchers have discovered a new Lazarus Operation DreamJob campaign targeting Linux users.
  • Operation DreamJob is the name for a series of campaigns where the group uses social engineering techniques to compromise its targets, with fake job offers as the lure.
  • ESET reconstructed the full chain, from the ZIP file that delivers a fake HSBC job offer as a decoy up until the final backdoor payload.
  • Similarities with this latest Linux backdoor link it with high confidence to the 3CX supply-chain attack. 3CX is an international VoIP software developer and distributor that provides phone system services.
  • 3CX was compromised and its software was used in a supply-chain attack driven by external threat actors to distribute additional malware to specific 3CX customers. The attack had been planned well in advance – as early as December 2022.

BRATISLAVA, PRAGUE — April 20, 2023 — ESET researchers have discovered a new Lazarus Operation DreamJob campaign targeting Linux users. ESET Research was able to reconstruct the full chain, from the ZIP file that delivers a fake HSBC job offer as a decoy up until the final payload: the SimplexTea Linux backdoor, distributed through an OpenDrive cloud storage account. This is the first time this major North Korea–aligned threat actor has been observed using Linux malware as part of this operation. Similarities with this newly discovered Linux malware corroborate the theory that the infamous North Korea–aligned group is behind the 3CX supply-chain attack.

“This latest discovery provides corroborating evidence and reinforces our high level of confidence that the recent 3CX supply-chain attack was in fact conducted by Lazarus – a link that was suspected from the very beginning and demonstrated by several security researchers since,” says ESET researcher Peter Kálnai, who investigates Lazarus activities.

3CX is an international VoIP software developer and distributor that provides phone system services to many organizations. According to its website, 3CX has more than 600,000 customers and 12 million users in various sectors, including aerospace, healthcare, and hospitality. It provides client software to use its systems via a web browser, mobile app, or a desktop application. Late in March 2023, it was discovered that the desktop application for both Windows and macOS contained malicious code that enabled a group of attackers to download and run arbitrary code on all machines where the application was installed. 3CX itself was compromised and its software was used in a supply-chain attack driven by external threat actors to distribute additional malware to specific 3CX customers.

The perpetrators had planned the attacks long before execution – as early as December 2022. This suggests that they already had a foothold inside 3CX’s network late last year. Several days before the attack was publicly revealed, a mysterious Linux downloader was submitted to VirusTotal. It downloads a new Lazarus backdoor for Linux, SimplexTea, which connects to the same Command & Control server as payloads involved in the 3CX compromise.

“This compromised software, deployed on various IT infrastructures, allows the download and execution of any kind of payload, which can have devastating impacts. The stealthiness of a supply-chain attack makes this method of distributing malware very appealing from an attacker’s perspective, and Lazarus has already used this technique in the past,” explains Kálnai. “It is also interesting to note that Lazarus can produce and use native malware for all major desktop operating systems: Windows, macOS, and Linux,” adds Marc-Etienne M.Léveillé, ESET researcher who helped with the research.

Operation DreamJob is the name for a series of campaigns in which Lazarus uses social engineering techniques to compromise its targets, with fake job offers as the lure. On March 20, a user in Georgia submitted to VirusTotal a ZIP archive called HSBC job offer.pdf.zip. Given other DreamJob campaigns by Lazarus, this payload was probably distributed through spearphishing or direct messages on LinkedIn. The archive contains a single file: a native 64-bit Intel Linux binary written in Go and named HSBC job offer․pdf. Note that the “dot” in that file name is not an ASCII period but the Unicode character U+2024 (one dot leader), so the executable has no real extension and passes for a PDF in a file listing.
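The lure inside that ZIP is an ELF binary whose name only appears to end in .pdf. As an added example (written for this page, not ESET’s code), the Python below scans a ZIP held in memory for entries whose name contains a period look-alike such as U+2024, or that ends in a document extension only after NFKC normalization, while the entry’s leading bytes identify a native executable; for ELF it also reads the class and machine fields, which is how a “64-bit Intel” binary is recognised. The archive it inspects is constructed inline as a stand-in: the ELF header stub, the second file name and the function names are assumptions, not artefacts from the campaign.

```python
"""Flag archive entries that claim to be documents but carry native executables.

Added example for this page (not ESET's tooling). The archive built below is a
constructed stand-in for the lure: its ELF header stub and file names are assumptions.
"""
import io
import unicodedata
import zipfile

# Extensions a lure commonly borrows; compared after Unicode normalization.
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")

# Characters that render like a period but are not U+002E.
DOT_LOOKALIKES = {"\u2024", "\u2027", "\u00b7", "\u2219", "\u22c5", "\uff0e"}


def dot_lookalikes(name):
    """Return every non-ASCII character in `name` that looks like a period."""
    return [
        ch for ch in name
        if ch in DOT_LOOKALIKES
        or (ord(ch) > 127 and unicodedata.normalize("NFKC", ch) == ".")
    ]


def describe_executable(head):
    """Identify a native executable from its leading bytes, or return None."""
    if head.startswith(b"\x7fELF") and len(head) >= 20:
        bits = {1: "32-bit", 2: "64-bit"}.get(head[4], "unknown-class")
        order = "little" if head[5] == 1 else "big"
        machine = int.from_bytes(head[18:20], order)   # e_machine field
        arch = {0x03: "x86", 0x3E: "x86-64", 0x28: "ARM", 0xB7: "AArch64"}.get(
            machine, f"machine 0x{machine:x}")
        return f"ELF {bits} {arch}"
    if head.startswith(b"MZ"):
        return "PE (Windows executable)"
    if head[:4] in (b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"):
        return "Mach-O (macOS executable)"
    return None


def classify_entry(name, head):
    """Findings for one archive entry: look-alike dots and extension/content mismatch."""
    findings = []
    fakes = dot_lookalikes(name)
    if fakes:
        codepoints = ", ".join(f"U+{ord(c):04X}" for c in fakes)
        findings.append(f"filename uses dot look-alike(s): {codepoints}")
    # NFKC maps U+2024 and U+FF0E to '.', exposing the extension the name imitates.
    claims_document = unicodedata.normalize("NFKC", name).lower().endswith(DOCUMENT_EXTENSIONS)
    kind = describe_executable(head)
    if kind:
        findings.append(f"content is {kind}")
        if claims_document:
            findings.append("executable disguised as a document")
    return findings


def scan_zip(data):
    """Scan a ZIP held in memory; return {entry name: [findings]} for suspicious entries."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)   # enough to reach the ELF e_machine field
            findings = classify_entry(info.filename, head)
            if findings:
                report[info.filename] = findings
    return report


def build_sample_archive():
    """Constructed stand-in for the lure archive; not a real sample."""
    # Minimal ELF64 header: class=2 (64-bit), data=1 (little-endian),
    # e_type=ET_EXEC at offset 16, e_machine=0x3E (x86-64) at offset 18.
    elf_stub = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
                + b"\x02\x00" + b"\x3e\x00" + b"\x00" * 44)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("HSBC job offer\u2024pdf", elf_stub)   # U+2024, not a period
        zf.writestr("notes.txt", b"plain text, nothing suspicious")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, findings in scan_zip(build_sample_archive()).items():
        print(entry, "->", "; ".join(findings))
```

The check keys on content, not on the name alone: an entry whose magic bytes say ELF, PE or Mach-O is reported whatever it is called, and the Unicode look-alike test catches the name trick even when the payload is a script rather than a native binary.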

For more technical information about the latest Lazarus DreamJob campaign and links to the 3CX supply-chain attack, check out the blog post “Linux malware strengthens links between Lazarus and the 3CX supply-chain attack” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

ESET Discovers Corporate Secrets and Data on Recycled Company Routers

  • Over 56% of the core routers ESET purchased from secondary market vendors contained a treasure trove of sensitive data, including corporate credentials, VPN details, cryptographic keys, and more.
  • In the wrong hands, this data is enough to jump-start a cyberattack that could lead to a data breach, placing the company, its partners and customers at risk.
  • This research shows that companies are not following sufficient security protocols and processes for decommissioning hardware.
  • A number of impacted organizations were unresponsive to ESET’s disclosures and communications.

BRATISLAVA, SAN DIEGO — April 18, 2023 — ESET, a global leader in digital security, today unveiled new research into corporate network devices that were disposed of and sold on the secondary market. After looking at configuration data from 16 distinct network devices, ESET found that over 56% – nine routers – contained sensitive company data.

Of the nine networks that had complete configuration data available:

  • 22% contained customer data
  • 33% exposed data allowing third-party connections to the network
  • 44% had credentials for connecting to other networks as a trusted party
  • 89% itemized connection details for specific applications
  • 89% contained router-to-router authentication keys
  • 100% contained one or more of IPsec or VPN credentials, or hashed root passwords
  • 100% had sufficient data to reliably identify the former owner/operator

“The potential impact of our findings is extremely concerning and should be a wake-up call,” said Cameron Camp, the ESET security researcher who led the project. “We would expect medium-sized to enterprise companies to have a strict set of security initiatives to decommission devices, but we found the opposite. Organizations need to be much more aware of what remains on the devices they put out to pasture, since a majority of the devices we obtained from the secondary market contained a digital blueprint of the company involved, including, but not limited to, core networking information, application data, corporate credentials, and information about partners, vendors, and customers.”

Organizations often recycle aging tech through third-party companies that are charged with verifying the secure destruction or recycling of digital equipment and the disposal of the data contained therein. Whether an error by an e-waste company or the company’s own disposal processes, a range of data was found on the routers, including:

  • Third-party data: As we have seen in real-world cyberattacks, a breach of one company’s network can proliferate to their customers, partners, and other businesses with whom they may have connections.
  • Trusted parties: Trusted parties (which could be impersonated as a secondary attack vector) would accept certificates and cryptographic tokens found on these devices, allowing a very convincing adversary in the middle (AitM) attack with trusted credentials, capable of syphoning off corporate secrets, with victims unaware for extended periods.
  • Customer data: In some cases, core routers point to internal and/or external information stores with specific information about their owners’ customers, sometimes stored on premises, which can open customers up to potential security issues if an adversary is able to gain specific information about them.
  • Specific applications: Complete maps of major application platforms used by specific organizations, both locally hosted and in the cloud, were scattered liberally throughout the configurations of these devices. These applications range from corporate email to trusted client tunnels for customers, physical building security such as specific vendors and topologies for proximity access cards and specific surveillance camera networks, and vendors, sales and customer platforms, to mention a few. Additionally, ESET researchers were able to determine over which ports and from which hosts those applications communicate, which ones they trust, and which ones they do not. Due to the granularity of the applications and the specific versions used in some cases, known vulnerabilities could be exploited across the network topology that an attacker would already have mapped.
  • Extensive core routing information: From core network routes to BGP peering, OSPF, RIP and others, ESET found complete layouts of various organizations’ inner workings, which would provide extensive network topology information for subsequent exploitation, were the devices to fall into the hands of an adversary. Recovered configurations also contained nearby and international locations of many remote offices and operators, including their relationship to the corporate office – more data that would be highly valuable to potential adversaries. IPsec tunneling can be used to connect trusted routers to each other, which can be a component of WAN router peering arrangements and the like.
  • Trusted operators: The devices were loaded with potentially crackable or directly reusable corporate credentials – including administrator logins, VPN details, and cryptographic keys – that would allow bad actors to seamlessly become trusted entities and thus to gain access across the network.

“There are well-documented processes for proper decommissioning of hardware, and this research shows that many companies are not following them rigorously when preparing devices for the secondary hardware market,” said Tony Anscombe, Chief Security Evangelist at ESET. “Exploiting a vulnerability or spearphishing for credentials is potentially hard work. But our research shows that there is a much easier way to get your hands on this data, and more. We urge organizations involved in device disposal, data destruction, and reselling of devices to take a hard look at their processes and ensure they are in compliance with the latest NIST standards for media sanitization.”

The routers in this research originated at organizations ranging from medium-sized businesses to global enterprises in a variety of industries (data centers, law firms, third-party tech providers, manufacturing and tech companies, creative firms, and software developers). As part of the discovery process, ESET, where possible, disclosed the findings to each identified organization – several of them household names – collaborating to ensure they were aware of the details potentially compromised by others in the chain of custody of the devices. Some of the organizations with compromised information were shockingly unresponsive to ESET’s repeated attempts to connect, while others showed proficiency, handling the event as a full-blown security breach.

Organizations are reminded to verify that they are using a trusted, competent third party to dispose of devices, or that they are taking all the necessary precautions if handling the decommissioning themselves. That should extend past routers and hard drives to any device that’s part of the network. Many organizations in this research probably felt that they were contracting with reputable vendors, but their data still leaked. With this in mind, it’s recommended that organizations follow the manufacturer’s guidelines for removing all data from a device before it physically leaves their premises, which is a simple step that many IT staff can handle.
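A practical pre-disposal check is to audit the exported running configuration for exactly the categories this research found: hashed and obfuscated passwords, IPsec pre-shared keys, routing-protocol authentication keys and SNMP community strings. The Python below is an added example for this page, not ESET’s tooling; it assumes IOS-style configuration syntax, and the configuration it scans is constructed for the example (documentation IP ranges, a placeholder hash). It also reverses “type 7” strings to show that these are obfuscated rather than encrypted, which is why such credentials count as directly reusable rather than merely crackable.

```python
"""Audit an exported router configuration for secrets before the device is disposed of.

Added example for this page, not ESET's tooling. The configuration syntax is
IOS-style and the sample config below is constructed; nothing here comes from the
devices in the research.
"""
import re

# Each pattern is matched against one configuration line (anchored at line start).
SECRET_PATTERNS = [
    ("hashed enable secret (offline-crackable)", re.compile(r"^enable secret \d \S+")),
    ("enable password",                          re.compile(r"^enable password (?:\d )?\S+")),
    ("hashed user secret (offline-crackable)",   re.compile(r"^username \S+ secret \d \S+")),
    ("user password",                            re.compile(r"^username \S+ password (?:\d )?\S+")),
    ("IPsec/ISAKMP pre-shared key",              re.compile(r"^crypto isakmp key \S+ address \S+")),
    ("BGP neighbor password",                    re.compile(r"^\s*neighbor \S+ password (?:\d )?\S+")),
    ("OSPF MD5 authentication key",              re.compile(r"^\s*ip ospf message-digest-key \d+ md5 (?:\d )?\S+")),
    ("key-chain key string (RIP/EIGRP/OSPF)",    re.compile(r"^\s*key-string (?:\d )?\S+")),
    ("SNMP community string",                    re.compile(r"^snmp-server community \S+")),
    ("AAA server shared key",                    re.compile(r"^(?:tacacs|radius)-server .*\bkey (?:\d )?\S+")),
    ("PKI certificate or key material",          re.compile(r"^crypto pki (?:certificate chain|trustpoint) \S+")),
]

# 'type 7' strings are obfuscated, not encrypted: a 2-digit seed plus XORed hex pairs.
TYPE7_RE = re.compile(r"\b(?:password|key|key-string) 7 ([0-9A-Fa-f]{4,})\b")
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded):
    """Reverse an IOS 'password 7' string; returns None if it is malformed."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        return None
    seed = int(encoded[:2])
    try:
        body = bytes.fromhex(encoded[2:])
    except ValueError:
        return None
    return "".join(chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]) for i, b in enumerate(body))


def audit_config(text):
    """Return one finding per configuration line that still carries credential material."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS:
            if not pattern.match(line):
                continue
            finding = {"line": lineno, "kind": kind, "text": line.strip()}
            m = TYPE7_RE.search(line)
            if m:
                finding["recovered"] = decode_type7(m.group(1))
            findings.append(finding)
            break   # one classification per line
    return findings


def ready_for_disposal(text):
    """True only when the exported configuration contains no credential material."""
    return not audit_config(text)


# Constructed sample configuration (IOS-style syntax assumed); addresses are documentation ranges
# and the enable-secret hash is a placeholder, not a real digest.
SAMPLE_CONFIG = """\
hostname core-rtr-01
enable secret 5 $1$c0nf$examplehashexamplehash
username admin password 7 0822455D0A16
snmp-server community s3cretRO RO
crypto isakmp key VpnPsk2023 address 198.51.100.7
router bgp 65001
 neighbor 203.0.113.2 remote-as 65002
 neighbor 203.0.113.2 password 7 104D000A0618
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip ospf message-digest-key 1 md5 0spfK3y
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        extra = f" -> recovers '{f['recovered']}'" if "recovered" in f else ""
        print(f"line {f['line']}: {f['kind']}{extra}")
    print("ready for disposal:", ready_for_disposal(SAMPLE_CONFIG))
```

Run it against saved `show running-config` output. A device is ready to leave only when `ready_for_disposal` returns true, and even then the flash and NVRAM should be erased by the vendor’s documented procedure; a review of the exported configuration only confirms that the wipe was actually needed, it does not replace it.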

Organizations are reminded to treat disclosure notifications seriously. Doing otherwise may leave them vulnerable to a costly data breach and significant reputational damage.

At RSA 2023, Camp and Anscombe will present this research at the presentation “We (Could Have) Cracked Open the Network for Under $100” on April 24, 2023, at 9:40 a.m. PT.

To read the white paper, which includes resources on secure device disposal, visit our new blog post “Discarded, not destroyed: Old routers reveal corporate secrets” on WeLiveSecurity.


Great Minds Make Great Tech with Claude Morings Jr

It’s been an exciting month for us here at CloudM as we get set to officially launch our US subsidiary, CloudM Inc. With over 10 years of experience in the US market already, this natural evolution promises to deliver an even better customer experience for our amazing North American customers.

What better time to celebrate the staff that have supported our US market and made this next step possible. And, who better to speak to than US employee no.1 – Claude Morings Jr.

Hi Claude – Tell us a little bit about yourself?

Hey! I’m the Global Product Support Manager here at CloudM. I joined 4 years ago (this month to be exact) as CloudM’s very first US employee.

Wow! And now we have 13 US-based employees and growing, with a US subsidiary being established. You must’ve seen some changes in the past 4 years.

Absolutely. Personally, I’ve been able to grow the Support Team out from a solely UK based operation to a truly global department, with dedicated, knowledgeable staff located around the globe (including APAC), delivering true 24 / 7 support.

None of this was in place, and to have that set on my shoulders as a deliverable when accepting the role was a lot of pressure. But, it has created the amazing support team we have now, which I’m extremely proud of.

In the US, helping the business get the right people in place and seeing the business grow to generate the revenue to get here, establishing CloudM Inc., has been so rewarding. In the last year alone, the number of US based employees has skyrocketed and it’s only set to continue. That can only be good for our customers.

So, what do you enjoy about working at CloudM?

Firstly, my team. My favorite parts of the week are when someone within the team achieves a goal, receives good feedback, or puts a process in place that benefits them and their colleagues. I was given the opportunity to build the team and put people in those positions to showcase their talents so it feels like validation.

I really like how we make remote working work, even across multiple time zones and regions. It’s great to feel like one team with colleagues across APAC, Europe and North America (from sea to shining sea).

Saying that, getting the opportunity to meet up in person is amazing. I’m from a small town in North Carolina, and while I have traveled across the world during my 12 years in the Army, my family is amazed when I tell them I’m visiting the head office based in the UK or that I get to go to Spain for a company kickoff meeting.

What is your favorite CloudM value?

My favorite value is to appreciate others. I can crack on, try new things, and get involved, but showing others that they’re appreciated (and feeling appreciated) makes the other values easier to achieve.

Any advice for someone looking to join the CloudM team?

It will be challenging, but we will have fun and you will feel supported. At CloudM, you will only fail if you choose to. The team here is pretty good at circling the wagons around someone who needs extra assistance, sharing their own experiences and knowledge.

It’s a great time to get involved. The CloudM team, globally and in the US, is growing and there are so many opportunities for personal and career growth. If you are hard working, eager to learn and challenge yourself, CloudM is a great place to work.


About CloudM
CloudM is an award-winning SaaS company whose humble beginnings in Manchester have grown into a global business in just a few short years.

Our team of tech-driven innovators have designed a SaaS data management platform for you to get the most from your digital workspace. Whether it’s Microsoft 365, Google Workspace or other SaaS applications, CloudM drives your business through a simple, easy-to-use interface, helping you to work smarter, not harder.

By automating time-consuming tasks like IT admin, onboarding & offboarding, archiving and migrations, the CloudM platform takes care of the day-to-day, allowing you to focus on the big picture.

With over 35,000 customers including the likes of Spotify, Netflix and Uber, our all-in-one platform is putting office life on auto-pilot, saving you time, stress and money.

23.3.4 ‘Voyager’ released

Changes compared to 23.3.3

New Features

  • Add the ability to search for items to restore within Storage Vault snapshots via the Comet Server web interface

Bug Fixes

  • Fix an issue with opening the Comet Server web interface for some admin accounts with restricted permissions
  • Fix an issue with pre-configuring backup options when clicking “Run backup” on a Protected Item in the Comet Server web interface
  • Fix an issue adding email addresses to user profiles in the Comet Server web interface
  • Fix an issue with incorrect Backblaze B2 storage validation
  • Fix an issue with validation on the Storage Role while the Storage Role is disabled
  • Fix a cosmetic issue with widgets on the About This Server page in the Comet Server web interface
  • Fix a cosmetic issue with widgets on the Comet Server web interface homepage disappearing on page reload


About Comet
We are a team of dedicated professionals committed to developing reliable and secure backup solutions for MSPs, businesses and IT professionals. With over 10 years of experience in the industry, we understand the importance of having a reliable backup solution in place to protect your valuable data. That’s why we’ve developed a comprehensive suite of backup solutions that are easy to use, scalable and highly secure.

Safety first! 5 cybersecurity tips for bloggers

A blogger’s work requires constant use of the internet, which also means bloggers can become targets for attackers. Unfortunately, many people neglect cybersecurity, which can lead to confidential information being stolen or their systems being compromised. This article therefore offers 5 simple cybersecurity tips to keep bloggers safe.

1. Choose a secure password
A secure password should be made up of upper- and lower-case letters, numbers and symbols. Use a password longer than 12 characters where possible, and avoid using birthdays, names or common words. To stay safe, do not reuse the same password across multiple accounts; otherwise, once one account is compromised, all of them are exposed.

2. Install antivirus software
Antivirus software can keep your computer from being infected with malware, especially when you visit unsafe websites. Most antivirus products provide real-time protection that stops malicious software from running on your computer. Update your antivirus software regularly so that its protection stays current.

3. Back up your data
Most of a blogger’s work is done online, so data matters a great deal. Back up your data regularly where possible to guard against loss. You can use an external hard drive, cloud storage or another backup tool.

4. Use a VPN
A VPN (virtual private network) can protect your privacy on the internet. When you use a VPN, the traffic between your device and the VPN server is encrypted, so someone on the same network (for example, on public Wi-Fi) cannot easily monitor your activity. A VPN can also help you bypass geographic restrictions and reach websites in other countries. Choosing a reliable VPN provider is very important, because the provider itself can see your traffic, and some disreputable VPNs collect your data or violate your privacy.

5. Stay alert
Finally, staying alert is the key to staying safe online. Bloggers should keep an eye on their online activity and treat anything that looks unusual, whether activity or messages, with suspicion. Never click suspicious links or download unknown software. If you notice suspicious activity, change your password immediately and notify the website or service concerned.

Summary

For a blogger, cybersecurity is very important. Choosing secure passwords, installing antivirus software, backing up your data, using a VPN, and staying alert are all important steps toward staying safe online. Note that these tips are only a starting point: cybersecurity is a constantly evolving field, and you should keep up with new security threats regularly.


About ESET
ESET was founded in 1992 and is a global provider of computer security software for business and home users. Its award-winning product, the NOD32 antivirus system, provides real-time protection for computer systems against known and unknown viruses, spyware, rootkits and other malware. ESET NOD32 uses the fewest system resources and has the fastest detection speed, provides the most effective protection, and has won more Virus Bulletin VB100 awards than any other antivirus product. ESET has been named to Deloitte’s Technology Fast 500 for five consecutive years, has an extensive partner network that includes internationally known companies such as Canon, Dell and Microsoft, has offices in Bratislava (Slovakia), Bristol (UK), Buenos Aires (Argentina), Prague (Czech Republic) and San Diego (USA), and its distributors cover more than 100 countries worldwide.
