Lazarus hacks energy companies by exploiting the Log4j flaw

The infamous North Korean state-backed cybercriminal group, Lazarus (also called APT 38), is targeting energy companies in the US, Canada and Japan, using the Log4j vulnerability to breach VMware Horizon servers.

Threat intelligence firm Cisco Talos says the cybercriminal group targeted certain energy providers in the three countries between February and July 2022. Lazarus used the Log4j vulnerability, reported last year, to gain access to the servers and deployed the Vsingle and Yamabot malware, alongside a new entrant, dubbed MagicRat, to establish a persistent connection.

The research published by Cisco Talos on Thursday states that the MagicRat malware attributed to Lazarus is a remote access trojan used for reconnaissance and stealing credentials.

Vsingle is used to execute arbitrary code from remote networks and can also be used to download plugins. According to the researchers, Lazarus has been using it for reconnaissance, manual backdooring and exfiltration. The other one, Yamabot, is a Golang-based malware that uses HTTP requests to communicate with command-and-control servers.

“The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives. This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property,” said Cisco Talos.

In June this year, the Cybersecurity and Infrastructure Security Agency (CISA) and the United States Coast Guard Cyber Command (CGCYBER) warned users of VMware Horizon and Unified Access Gateway that these products are being actively exploited using the Log4Shell vulnerability.

The state-sponsored cybercriminal group has been active for more than a decade and is responsible for some of the largest hacks as well as some of the most damaging malware strains out there, including the WannaCry ransomware. Earlier this year, in May, researchers also found a new strain attributed to Lazarus. The group cryptojacked more than half a billion dollars in 2018 after gaining access to several crypto exchanges and followed that by looting ATMs in Asia and Africa. They are also allegedly behind the Sony hacks of 2014 and the Bangladesh bank heist of 2016. Another related cryptojacking incident fetched them north of $400 million in 2021, and the Ronin bridge breach from earlier this year also got them around the same sum.
