Security vulnerabilities discovered in a popular authentication software application have been exploited by North Korean hacking groups despite an unusual warning issued to South Korean users four months ago, the National Intelligence Service (NIS) said on Tuesday.
In a joint operation intended to fortify Korea’s national security, the NIS has joined forces with antivirus software companies to create applications that detect vulnerable software on users’ devices and delete it automatically.
Led by the National Cyber Security Center, the “Magic Broom Operation” is a joint effort between the public and private sectors. Three major antivirus firms (AhnLab, Hauri, and ESTsecurity) will help Korean government agencies wipe out security holes in their customers’ systems by running their specialized software nationwide.
The removal process will commence on November 15 for the three antivirus software companies’ enterprise customers. Unaffiliated customers are advised to use a removal tool, following the government’s guidelines.
The NIS issued a press release on November 7 advising the public for a second time to remove software named ‘MagicLine4NX’ from their systems, as it is being used by North Korean hackers to secretly collect information from the South, a problem which, according to the agency, has been ongoing since the end of last year.
Widely used for authentication purposes throughout South Korea, MagicLine4NX self-activates on computers once it has been installed. After discovering the security holes in the software, South Korean government agencies distributed security patches to address the issue in March. The process of applying the patches, however, was too slow, which led the NIS three months later to issue its warning to the public against using the program.
On June 28, the agency warned the public of North Korean cyberattacks, disclosing that the enemy hackers had been exploiting the vulnerabilities embedded within MagicLine4NX. Nearly fifty organizations had been compromised and infected by malicious code devised by the Reconnaissance General Bureau in North Korea.
“Most institutions have complied with our security recommendations and have removed the compromised version of MagicLine4NX,” said the NIS. “However, we found that a few organizations had not taken any security measures, which has exposed them to cyberattacks.” The spy agency added that the North Korean hackers had been taking advantage of the delay of these non-responders to exploit vulnerabilities in their systems.
Moreover, the cybercriminals were discovered to have attempted to lay infrastructure for future attacks. “The hackers tried to infiltrate a news website by leveraging security holes,” said the agency. If the attack had succeeded, any reader who visited the website and whose computer was also compromised would have been affected, the NIS stressed.