Chapter 7: Supply Chain Attacks: A Comprehensive Look From NuGet to Lazarus


In this chapter, we delve into the intricate landscape of supply chain attacks, a formidable threat vector that continues to evolve in sophistication and impact. As digital ecosystems intertwine, attackers adeptly exploit vulnerabilities in the software supply chain, jeopardizing the integrity and security of widely used applications.

From stealthy exploits in popular package managers to deceptive trojanized installers and state-sponsored breaches, the diverse tactics employed underscore the critical importance of robust security measures in the software development lifecycle.


NuGet Typosquatting: Unmasking a Stealthy Supply Chain Threat

A new supply-chain attack campaign was discovered targeting the NuGet package manager via typosquatting, widely used in .NET projects. The attackers deployed malicious packages that exploit Visual Studio’s MSBuild integration for stealthy code execution and malware installation.

These packages used typosquatting to mimic legitimate libraries, exploiting MSBuild’s features to run scripts automatically during package installation. This campaign represents a significant threat due to its stealth and the widespread use of NuGet in software development.


Cryptocurrency Wallet Impersonation: The NuGet Supply-Chain Deception

Another supply-chain attack targeting developers using the NuGet package manager was identified, involving malicious packages impersonating popular cryptocurrency wallets and exchanges.

These packages contained XML files that download and execute an obfuscated batch file, leading to the installation of the SeroXen malware. The trojan, marketed as a legitimate program, is known for its low detection rates and robust capabilities, making this attack particularly deceptive and dangerous.


Lazarus Group’s Intrusion: CyberLink Breach and Supply Chain Subversion

The Lazarus hacking group, linked to North Korea, breached Taiwanese multimedia software company CyberLink and abused their access for a supply chain attack. They trojanized a CyberLink installer, hosted on the company’s legitimate update infrastructure, to distribute malware globally.

This incident demonstrates the group’s sophisticated methods, including the use of a legitimate code signing certificate to sign the malicious executable and targeting systems without specific security software. The malware, tracked as LambLoad, selectively executes payloads and establishes persistent access, underscoring the serious threat posed by state-sponsored actors in cyber espionage.


Ledger dApp Connect Kit: A Cryptocurrency Heist through Supply Chain Tactics

In a sophisticated supply chain attack, hackers targeted the Ledger dApp Connect Kit library, injecting malicious code that led to the theft of $600,000 in cryptocurrencies and NFTs from wallets connected to compromised decentralized applications (dApps).

This attack showcases the increasing trend of targeting cryptocurrency assets through software supply chains, highlighting the need for enhanced security measures in the development and maintenance of blockchain-related applications.