This morning, ESET published their research into a unique watering hole attack that takes advantage of a Korean based security product used widely by the South Korean government and Internet banking websites to require website visitors to install certain approved security software before they can continue to use the site. WIZVERA Veraport manages security product software necessary to interact with specific sites. Lazarus group takes advantage of Veraport by the way it handles code signing. Veraport allows the download and execution of any signed executable, not just those signed by WIZVERA or other legitimate organizations. This opportunity allowed the attackers to set up watering holes by compromising websites that host server-side Veraport configs and replacing the requested files. Once on the web server, the user will be unaware of the download, because the Veraport software handles installation silently in the background.
“Watering hole” attacks aim to compromise website visitors, typically through plug-ins or browser vulnerabilities. In this case, a well known threat group associated with the government of North Korea appears to be targeting citizens in South Korea who use online banking services or online government services. The most critical portion of these attacks lies in the compromising of the webservers and the code-signing checks. While code-signing can be an essential aspect in determining a file’s integrity, it is not the end. Preventive measures to avoid things such as namespace conflicts by verifying the file hashes instead, as ESET mentioned, can be the extra step needed to prevent attacks such as this. Watering hole attacks are often used by the Lazarus group and will likely not end any time soon. Any government or business organization that requires website visitors to install plug-ins or other software should take care not to introduce additional vulnerabilities through the required software.