“Most general cybercrime is opportunistic in nature, using simple and cheap means such as mass phishing campaigns and automated password guessing bots to cast a wide net to potential victims. Chris Clements, vice president of solutions architecture at Cerberus Sentinel, told Spiceworks, “The targeted nature of their campaigns also means they can take target specific approaches by analyzing the individual behaviors and operations at their objective organization.“ The Lazarus attack campaign against American, Japanese, and Canadian energy companies involves regular and custom-made malware for specific operations. Lazarus Group Attack Chain Against Energy Companies Through Log4Shell Using MagicRAT | Source: Cisco Talos Opens a new window “The discovery of MagicRAT in the wild is an indication of Lazarus’ motivations to rapidly build new, bespoke malware to use along with their previously known malware such as TigerRAT to target organizations worldwide,” Talos added Opens a new window. Since the Qt framework is a library for developing graphical user interfaces, something that serves no purpose in the attack, Talos said its purpose in MagicRAT is “making human analysis harder, and automated detection through machine learning and heuristics less likely.” MagicRAT is a simple remote access trojan that uses the Qt framework Opens a new window, performs system environment reconnaissance and can download additional payloads, such as custom-built port scanners and malware, such as TigerRAT Opens a new window. See More: Lessons Learned from Cyberattacks on Critical Infrastructure Opens a new windowįinally, MagicRAT is deployed after being downloaded from a remote location. Meanwhile, YamaBot is set up to establish communication between the target system and the command-and-control (C2) servers. It also prepares for the next step: the theft of credentials. VSingle serves as a reconnaissance, backdoor and exfiltration tool to execute arbitrary code, download plugins, and create the possibility of lateral movement. Lazarus first establishes a reverse shell and manually sets up a backdoor into the compromised systems through VSingle, which then allows it to establish another reverse shell. The company clarified that Symantec Opens a new window and South Korea’s AhnLab Opens a new window previously detailed the campaign but Lazarus has updated its M.O., evident from the use of MagicRAT. Once in, Lazarus deployed VSingle and YamaBot, two malware strains exclusive to its operations, and a third “relatively simple” remote access trojan dubbed MagicRAT by Cisco Talos. CSRB assessed that it could take up to a decade, maybe more, for organizations worldwide to patch Log4Shell flaws. In July 2022, the Department of Homeland Security’s Cyber Safety Review Board (CSRB) described Log4Shell vulnerabilities as endemic given the ubiquity of Log4j across a multitude of computer and industrial control systems, servers, and networks. This poses a huge threat to some of the most critical systems within the critical infrastructure space.” However, it seems there are still systems that have not been patched yet. “In June of 2022, CISA issued an alert (AA22-174A) specifically addressing this threat. However, our adversaries are still able to find and exploit unpatched sites that are directly connected to the internet,” Erich Kron, security awareness advocate at KnowBe4, told Spiceworks. “The Log4j exploit used in these attacks has been known, and called critical, for over a year. Lazarus’ established its initial entry point into internet-facing VMware Horizon installations by exploiting the highly prevalent Log4Shell vulnerabilities in the Java-based logging framework Log4j. According to threat research firm Cisco Talos, APT38’s campaign was active Opens a new window until July this year. The nation-state group kicked off its latest campaign against energy companies in February 2022, a couple of months before the Ronin Network crypto heist. It was also behind the WannaCry ransomware attack in 2017 and other data exfiltration and cyber espionage activities. According to Cisco Talos, APT 38 targets VMWare Horizon instances by exploiting the widely prevalent Log4j vulnerabilities.ĪPT38, commonly known as Lazarus and Hidden Cobra, is a North Korean state-sponsored cybercrime group that earned infamy by orchestrating the $620 million Ronin Network crypto heist Opens a new window, the biggest cryptocurrency theft in history, in April 2022. North Korean Advanced Persistent Threat (APT) group APT38, also known as the Lazarus group, is targeting energy companies in the U.S., Japan, and Canada.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |