Wed | Dec 13, 2023 | 4:23 AM PST

Lazarus, the notorious North Korean hacking group, has once again made headlines, this time by exploiting the Log4j vulnerability, despite it being disclosed two years ago. The Log4j vulnerability, officially known as CVE-2021-44228, continues to pose significant risks to organizations worldwide, with Lazarus demonstrating the persistence of cyber threats and the challenges associated with mitigating known vulnerabilities.

The Log4j vulnerability, initially disclosed in 2021, shook the cybersecurity community due to its critical nature. Log4j is a widely used open source Java logging library, and the vulnerability allowed threat actors to execute code remotely on affected servers, potentially leading to unauthorized access and data breaches. Despite widespread awareness and patches issued by software developers, exploitation of the vulnerability remains a persistent threat.


A new report from Cisco's Talos Intelligence Group says that a prolific North Korean hacking group operating under the broad Lazarus umbrella has been actively exploiting the Log4j vulnerability in a campaign named "Operation Blacksmith." The campaign, ongoing since March 2023, has targeted manufacturing, agricultural, and physical security entities globally.

As part of Operation Blacksmith, Lazarus has introduced three previously unseen malware families written in the DLang programming language. Among these are two remote access trojans (RATs) named NineRAT and DLRAT, and a malware downloader dubbed BottomLoader. The use of DLang, a less common programming language in cybercrime operations, highlights Lazarus' adaptability and evasion tactics.

NineRAT, Lazarus' first novel RAT in this campaign, uses the Telegram API for command and control (C2) communication. It supports various commands for information gathering, token setting, upgrading, file transfer, and more. DLRAT, on the other hand, serves as both a trojan and a downloader, collecting system information and executing commands from the C2 server to introduce additional payloads on infected systems.

BottomLoader, the malware downloader in Lazarus' arsenal, fetches and executes payloads from a hardcoded URL using PowerShell. It establishes persistence and facilitates the exfiltration of files from the infected system to the C2 server, adding operational versatility to Lazarus' cyber arsenal.

Lazarus' exploitation of the Log4j vulnerability in Operation Blacksmith emphasizes the risk associated with open source vulnerabilities. Despite widespread awareness and efforts to patch vulnerabilities promptly, organizations continue to grapple with the challenge of maintaining visibility into their software components.

Patrick Carey, Sr. Director of Market Strategy at Synopsys, offered his analysis of the situation:

"This is a good example of the long tail of risk that follows disclosure of an open source vulnerability. Even when a vulnerability is highly publicized, as is the case with Log4J CVE-2021-44228, organizations can remain vulnerable for years due to lack of visibility into which software in their organization contains the vulnerable components. This is why it is so important that they use a Software Composition Analysis (SCA) tool to scan both the software they produced, as well as the software they acquire, to give them visibility into the open source components, and associated vulnerabilities, lurking in the software they build and use."
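The visibility problem Carey describes is what an SCA scan addresses. As an added illustration (not code from the article, Cisco Talos, or Synopsys), the script below inspects JAR files the way a simple component scanner would: it reads the log4j-core version from the bundled pom.properties and checks whether the JndiLookup class is still present. It assumes 2.15.0 as the fix threshold for CVE-2021-44228 and builds its own constructed sample JARs in memory, so it runs offline.

```python
"""Offline SCA-style check for log4j-core JARs affected by CVE-2021-44228.
Added example, not code from the article, Cisco Talos or Synopsys. Assumes
2.15.0 as the fix threshold for that CVE; the JARs built below are constructed
sample input, not real artifacts."""
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_FOR_CVE_2021_44228 = (2, 15, 0)  # 2.12.2 / 2.3.1 backports not handled here

def parse_version(text: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def inspect_jar(data: bytes) -> dict:
    """Read the log4j-core version from pom.properties and look for JndiLookup."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode().splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    return {"version": version, "has_jndi_lookup": JNDI_CLASS in names}

def is_vulnerable(info: dict) -> bool:
    """Flag JARs that still ship JndiLookup and are older than 2.15.0; a JAR
    with the class stripped out (a documented mitigation) is not flagged."""
    if not info["has_jndi_lookup"]:
        return False
    if info["version"] is None:
        return True  # JNDI lookup present, version unknown: treat as suspect
    return parse_version(info["version"]) < FIXED_FOR_CVE_2021_44228

def build_sample_jar(version: str, include_jndi: bool) -> bytes:
    """Construct a minimal fake log4j-core JAR in memory (sample input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class magic, no bytecode
    return buf.getvalue()

if __name__ == "__main__":
    for ver, jndi in [("2.14.1", True), ("2.17.1", True), ("2.14.1", False)]:
        info = inspect_jar(build_sample_jar(ver, jndi))
        print(ver, "JndiLookup" if jndi else "stripped", "VULNERABLE" if is_vulnerable(info) else "ok")
```

On a real host, point `inspect_jar` at each JAR found under application and vendor directories; shaded or nested JARs need the same check applied recursively.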

Operation Blacksmith underscores the need for continued collaboration between cybersecurity professionals, organizations, and the security community to address and mitigate the ongoing challenges posed by known vulnerabilities.

