North Korean Lazarus Hackers Targeting Energy Providers Around the World

guest · Sep 8, 2022

The North Korean APT group 'Lazarus' (APT38) is exploiting VMWare Horizon servers to access the corporate networks of energy providers
By Ravie Lakshmanan - September 8, 2022

A malicious campaign mounted by the North Korea-linked Lazarus Group is targeting energy providers around the world, including those based in the United States, Canada, and Japan.

"The campaign is meant to infiltrate organizations around the world for establishing long-term access and subsequently exfiltrating data of interest to the adversary's nation-state," Cisco Talos said in a report shared with The Hacker News.
[...] the latest attack wave is notable for employing two other pieces of malware: VSingle, an HTTP bot which executes arbitrary code from a remote network, and a Golang backdoor called YamaBot.
Click to expand...

Also put to use in the campaign is a new remote access trojan called MagicRAT that comes with capabilities to evade detection and launch additional payloads on the infected systems.

"Although the same tactics have been applied in both attacks, the resulting malware implants deployed have been distinct from one another, indicating the wide variety of implants available at the disposal of Lazarus," researchers Jung soo An, Asheer Malhotra, and Vitor Ventura said.
Click to expand...

Initial access into enterprise networks is facilitated by means of exploitation of vulnerabilities in VMware products (e.g., Log4Shell), with the ultimate goal of establishing persistent access to perform activities in support of North Korean government objectives.

Other tactics embraced by the group besides the use of bespoke malware include credential harvesting via tools like Mimikatz and Procdump, disabling antivirus components, and reconnaissance of the Active Directory services, and even taking steps to cleanup their traces after activating the backdoors on the endpoint.
Click to expand...

Cisco Talos: Lazarus and the tale of three RATs

By Jung soo An @Jungsoo_An, Asheer Malhotra @asheermalhotra and Vitor Ventura @_vventura - September 8, 2022

Cisco Talos has been tracking a new campaign operated by the Lazarus APT group, attributed to North Korea by the United States government.

This campaign involved the exploitation of vulnerabilities in VMWare Horizon to gain an initial foothold into targeted organizations.

Targeted organizations include energy providers from around the world, including those headquartered in the United States, Canada and Japan.

The campaign is meant to infiltrate organizations around the world for establishing long term access and subsequently exfiltrating data of interest to the adversary's nation-state.

Talos has discovered the use of two known families of malware in these intrusions — VSingle and YamaBot.

Talos has also discovered the use of a recently disclosed implant we're calling "MagicRAT" in this campaign.

Click to expand...

xxJackxx · Sep 8, 2022

Shouldn't such servers only be accessible by whitelist? I feel like they are making this too easy for hackers.

Log in or Sign up

North Korean Lazarus Hackers Targeting Energy Providers Around the World

guest Guest

xxJackxx Registered Member

Log in or Sign up

North Korean Lazarus Hackers Targeting Energy Providers Around the World

guest Guest

xxJackxx Registered Member

Useful Searches