Shields Up: North Korean State-Sponsored Lazarus Group Targets North American Energy Firms
As tensions continue to escalate between nation-states, so do state-sponsored cyberattacks against critical infrastructure. The United States Cybersecurity & Infrastructure Security Agency (CISA) warned earlier this year that cyberattacks could target American infrastructure, and we are seeing this now with the recent discovery of a new cyber espionage campaign targeting American, Canadian, and Japanese energy companies.
Evidence suggests that the North Korean state-sponsored hacking group Lazarus targeted unnamed energy providers between February and July 2022. According to published research, Lazarus leveraged a Log4j vulnerability known as Log4Shell to compromise internet-exposed VMware Horizon servers. They used this vulnerability to establish a presence on the victims’ networks and deploy malware to facilitate persistent access.
Lazarus Group Attack History
Lazarus Group is a threat actor allegedly authorized by the Democratic People's Republic of Korea’s (DPRK) Reconnaissance General Bureau (RGB).
Lazarus is classified as an Advanced Persistent Threat (APT) because of the nature and objectives of its operations and the wide range of tactics, techniques, and procedures (TTPs) it frequently employs.
BlackBerry threat researchers have analyzed recent attacks such as H0lyGh0st and linked them to Lazarus subgroup PLUTONIUM. Lazarus is also believed responsible for threats such as the WannaCry ransomware attack that caused hundreds of millions of dollars worth of damage worldwide.
Many Lazarus intrusions target critical infrastructure with the intent to gain long-term access to explore victims' networks, exfiltrate data, and harvest credentials.
Recent Lazarus Group Attacks
The main goal of these most recent Lazarus attacks appears to involve conducting espionage against energy providers' activities, in alignment with North Korean government objectives.
The group exploits the Log4Shell flaw to execute shellcode that establishes a reverse shell, which lets it run a variety of commands on the compromised endpoint at any time without being detected.
After exploitation, Lazarus Group deploys custom malware families such as VSingle and YamaBot, along with a remote access trojan (RAT) known as MagicRAT, which is used to identify and retrieve data from the infected device.
Since VMware Horizon runs with significant user account permissions, Lazarus Group can disable Windows Defender and then deploy custom malware, making the attack extremely difficult to detect. Attacks like these are also part of the reason behind CISA’s warning to take a “shields up” approach to security.
What is Log4J/Log4Shell?
BlackBerry threat researchers have published in-depth information regarding Log4j/Log4Shell.
Put simply, Log4j is a piece of software which is used globally, across public and private environments.
Exploiting the Log4j flaw is a simple matter of the attacker sending specially crafted text to a vulnerable application (such as an internet-exposed VMware server). That text contains a particular sequence of characters which instructs the Log4j library to fetch Java code from a remote server, throwing the (back)door to the targeted system wide open for attackers.
Vulnerable software components are not malware, so the presence of the Log4j vulnerability is invisible to legacy security products that focus on detecting known malicious files using virus signatures.
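Because a vulnerable log4j-core jar is not a malicious file, the practical defensive check is an inventory of the Java archives actually deployed: which copies of log4j-core are present (including jars nested inside .war and .ear bundles), which version they are, and whether the JndiLookup class that Log4Shell abuses is still on the classpath. The scanner below is an added example written for this article, not BlackBerry's tooling; it assumes the standard Maven pom.properties layout inside the jar and builds its own constructed sample archives for testing.

```python
import io, re, zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # class Log4Shell abuses
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 15, 0)  # log4j-core 2.15.0 was the first release to fix Log4Shell

def parse_version(pom_properties):
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", pom_properties, re.M)
    return tuple(int(x) for x in m.groups()) if m else None

def inspect_archive(data, name):
    """Report log4j-core copies in a jar/war/ear, recursing into nested archives."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = parse_version(zf.read(POM_PROPS).decode()) if POM_PROPS in names else None
        has_jndi = JNDI_CLASS in names
        if version or has_jndi:
            findings.append({
                "archive": name, "version": version, "jndi_lookup_present": has_jndi,
                # Unknown version plus the lookup class present is treated as vulnerable.
                "vulnerable": has_jndi and (version is None or version < FIXED),
            })
        for member in names:  # e.g. WEB-INF/lib/log4j-core-2.14.1.jar bundled in a .war
            if member.endswith((".jar", ".war", ".ear")):
                findings.extend(inspect_archive(zf.read(member), f"{name}!/{member}"))
    return findings

def scan_tree(root):
    findings = []
    for path in Path(root).rglob("*"):  # walk a deployment directory, e.g. a Horizon install
        if path.suffix in (".jar", ".war", ".ear"):
            findings.extend(inspect_archive(path.read_bytes(), str(path)))
    return findings

def build_sample_jar(version, include_jndi=True):
    """Constructed fixture: a minimal log4j-core-like jar, not a real Apache artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()

def wrap_in_war(jar_bytes, member="WEB-INF/lib/log4j-core.jar"):  # constructed .war fixture
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, jar_bytes)
    return buf.getvalue()
```

A jar that reports the lookup class as absent but an old version reflects the documented workaround of deleting JndiLookup.class from the archive; upgrading to a fixed release is still the preferred remediation.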
Sophisticated security solutions offered by BlackBerry, such as CylancePROTECT® and CylanceOPTICS®, rely on highly trained Cylance® artificial intelligence (AI) models instead of signatures, to detect known or unknown attack techniques and block them from executing.
Regardless of your existing relationship with BlackBerry, the BlackBerry Incident Response team can work with organizations of any size and across any vertical, to evaluate and enhance their endpoint security posture and proactively maintain the security, integrity, and resilience of their network infrastructure.
For emergency assistance, please email us at DLIR@blackberry.com, or use our handraiser contact form.