Research has identified malicious software packages associated with the North Korean hacking group Lazarus Group. The actors pose as recruiters and use the names of financial firms to draw in developers.
Understanding Lazarus Group’s tactics
Callie Guenther, Senior Manager, Cyber Threat Research at Critical Start shares, “The Lazarus Group’s use of fake coding assessments to target developers highlights an evolution in their tactics. This builds on previous incidents like Operation Dream Job and In(ter)ception, where the group used fake job offers and interviews to infect targets. Now, they exploit trusted platforms like GitHub, PyPI, and npm to deliver malicious code hidden in legitimate libraries, such as pyperclip and pyrebase.”
Eric Schwake, Director of Cybersecurity Strategy at Salt Security, explains key reasons why this tactic is risky:
- “Exploits developer trust: The attack takes advantage of developers’ natural desire to demonstrate their skills. It uses the legitimate process of code reviews and assessments, making it difficult to detect.
- Blends in with regular activity: Downloading and running code is a fundamental part of a developer’s workflow, making it harder to identify malicious activity among regular operations.
- Targets a critical asset: Developers often have privileged access to source code, sensitive data, and production environments. Compromising a developer can lead to severe downstream consequences.”
How security leaders can mitigate risks from Lazarus Group
Guenther offers the following recommendations for security professionals:
- “Awareness: Train developers to verify coding tests and offers, especially those with time constraints or unfamiliar software.
- Supply chain security: Use tools like software composition analysis to check open-source packages for integrity.
- Code auditing: Regularly review third-party code and libraries for malicious elements.
- Endpoint protection: Implement EDR to catch abnormal behavior tied to malware.
- Zero trust: Apply a zero-trust model to limit access if a developer's system is compromised.”
Schwake suggests:
- “Zero trust for all code: Regard all code, even from seemingly trusted sources, as potentially malicious until proven otherwise. Implement rigorous code review and scanning processes.
- Secure your CI/CD pipelines: Strengthen your development infrastructure with robust access controls, code signing, and artifact verification.
- API security: APIs are crucial for modern applications. Use a dedicated API security solution to identify, protect, and monitor your entire API landscape.
- Security awareness training: Educate developers about the latest social engineering techniques and the risks associated with downloading and running code from unknown sources.”
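The "check open-source packages for integrity" and "code auditing" recommendations above can be enforced mechanically before anything from an unsolicited assessment repository is installed. The script below is an added example, not code from the article or from either quoted expert; it assumes pip-style `--hash=sha256:` pins in a requirements file and conventional sdist/wheel archive names, and every archive, version and hash in it is constructed sample data.

```python
"""Verify downloaded package archives against sha256 hashes pinned in a requirements
file (pip's "--hash=sha256:<hex>" syntax). Added example, not code from the article
or its quoted experts; the archives, versions and hashes below are constructed."""
import hashlib
import re

_REQ = re.compile(r"^([A-Za-z0-9_.\-]+)==(\S+)\s+(.*)$")
_HASH = re.compile(r"--hash=sha256:([0-9a-f]{64})")
# Assumed archive layouts: "name-1.2.3.tar.gz" (sdist), "name-1.2.3-py3-none-any.whl"
_ARCHIVE = re.compile(r"^(?P<name>[A-Za-z0-9_.]+)-(?P<ver>\d[^-]*?)(?:-[^-]+.*)?\.(?:tar\.gz|zip|whl)$")

def _norm(name):  # PEP 503 project-name normalisation
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_pins(requirements_text):
    """Normalised name -> (version, {sha256 hex}); lines without a hash are rejected."""
    pins = {}
    for raw in requirements_text.replace("\\\n", " ").splitlines():  # join continuations
        line = raw.split("#", 1)[0].strip()
        m = _REQ.match(line) if line else None
        hashes = set(_HASH.findall(m.group(3))) if m else set()
        if line and not hashes:  # mirrors pip --require-hashes: unpinned lines abort
            raise ValueError(f"requirement not pinned with a hash: {line!r}")
        if m:
            pins[_norm(m.group(1))] = (m.group(2), hashes)
    return pins

def _status(pins, fname, data):
    m = _ARCHIVE.match(fname)
    pin = pins.get(_norm(m["name"])) if m else None
    if not m:
        return "unrecognised-filename"
    if pin is None:
        return "not-pinned"
    if m["ver"] != pin[0]:
        return "unexpected-version"
    return "ok" if hashlib.sha256(data).hexdigest() in pin[1] else "hash-mismatch"

def verify_archives(pins, archives):
    """archives: {filename: bytes} -> {filename: status}; anything not 'ok' blocks install."""
    return {fname: _status(pins, fname, data) for fname, data in archives.items()}
# Constructed sample: one archive matches its pin, one was altered after pinning,
# one (the kind an unsolicited "coding assessment" repo pulls in) was never pinned.
GOOD_SDIST = b"constructed pyperclip sdist contents"
SAMPLE_REQUIREMENTS = (
    f"pyperclip==1.8.2 --hash=sha256:{hashlib.sha256(GOOD_SDIST).hexdigest()}\n"
    "pyrebase==4.0.0 \\\n    --hash=sha256:" + "a" * 64 + "  # constructed pin\n")
SAMPLE_ARCHIVES = {"pyperclip-1.8.2.tar.gz": GOOD_SDIST,
                   "pyrebase-4.0.0-py3-none-any.whl": b"constructed wheel, extra payload",
                   "leftpad-0.1.tar.gz": b"constructed archive nobody pinned"}
```

Run `verify_archives(parse_pins(SAMPLE_REQUIREMENTS), SAMPLE_ARCHIVES)` to see the three outcomes; in a real pipeline the input would be the pinned requirements file and the contents of the download directory.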