North Korean hacking ops continue to exploit Log4Shell - CyberScoop

By AJ Vicens

December 11, 2023

Two years after the Log4j vulnerability was revealed, North Korean hackers are continuing to use the flaw in a ubiquitous piece of open source software to carry out attacks as part of a hacking campaign targeting manufacturing, agricultural and physical security entities, according to research released Monday.

Carried out over the course of 2023 and described in a report released by Cisco's Talos Intelligence Group on Monday, the campaign employed at least three new malware families and relied in part on the Log4Shell exploit, highlighting the long tail of the Log4j vulnerability and how failure to patch the flaw is providing a ready tool to malicious hackers.

The campaign was the work of one of a plethora of North Korean hacking units operating under the broad Lazarus umbrella, a term industry and government researchers use to refer to the array of North Korean government hacking operations that engage in everything from cyberespionage to cryptocurrency thefts, ransomware and supply chain attacks.

"The Log4j vulnerability has been extensively exploited by the Lazarus umbrella of advanced persistent threat groups to deploy a multitude of malware, dual-use tools, and conduct extensive hands-on-keyboard activity," the researchers wrote.

The research is another reminder of the prolific nature of North Korean-linked cyber operations that have targeted South Korea, the U.S. and entities around the world for years. On Dec. 1, the U.S. government announced sanctions on Kimsuky, a premier North Korean cyberespionage unit that also carries out financially motivated cybercrime to both fund itself and generate money for the government.

The campaign, dubbed Operation Blacksmith, employed at least three new malware families written in DLang, a less common programming language. Its use continues a shift among North Korean hacking campaigns toward the use of more obscure programming languages over the past year and a half, the researchers said.

Observed between March and September of 2023, the campaign "consisted of continued opportunistic targeting of enterprises around the world that publicly host and expose their vulnerable infrastructure to n-day vulnerability exploitation, such as Log4j," the researchers wrote.

The operation involved a pair of remote access trojans, one of which used Telegram bots and channels for command and control, the researchers said.

The researchers found some overlap between Operation Blacksmith and attacks that Microsoft disclosed in October involving a North Korean hacking operation known as Onyx Sleet, or Andariel, that exploited a vulnerability in the JetBrains TeamCity server software first disclosed in September 2023.

A July 2022 Cybersecurity and Infrastructure Security Agency advisory flagged Andariel activity that included ransomware attacks on hospitals and health care facilities in the U.S., the Talos researchers noted.