
Lazarus Group Targeting Weaknesses in Windows IIS Web Servers


The Lazarus Group, a North Korean state-backed cyber espionage group, has continued its ongoing campaign to steal sensitive information from organizations by exploiting vulnerabilities in unpatched Windows IIS Web servers. According to researchers with AhnLab Security Response Center (ASEC), the latest round of attacks utilizes the Lazarus Group’s signature DLL side-loading technique during initial compromise.

Initially, the group targets unpatched machines with known vulnerabilities, such as Log4Shell and flaws in public certificate software, and has also used the 3CX supply chain attack for initial access. The ASEC team advises companies to monitor abnormal process execution relationships and take preemptive measures to prevent the group from carrying out activities such as information exfiltration and lateral movement.

The AhnLab Smart Defense (ASD) log revealed that the campaign was targeting Windows server systems, with malicious behaviors carried out through w3wp.exe, the IIS Web server worker process. The researchers assess that the threat actor uses poorly managed or vulnerable Web servers as the initial breach route and executes malicious commands from there.

The Lazarus Group has been active for over a decade and has been involved in several high-profile cyber attacks. The group is known for stealing money from banks, conducting cyber espionage campaigns, and attacking critical infrastructure and government systems. The group has previously been linked to attacks on Sony Pictures in 2014 and the WannaCry ransomware outbreak in 2017.

The Lazarus Group’s recent shift to exploiting known vulnerabilities in unpatched Windows IIS Web servers is consistent with its modus operandi. The group has historically exploited vulnerabilities in operating systems and software to gain access to targeted systems. The group is also highly skilled in social engineering techniques, such as spear-phishing emails and watering hole attacks, which it uses to deliver malicious payloads.

Companies can protect themselves against attacks from the Lazarus Group by identifying and patching vulnerabilities in their systems and conducting regular security training for their employees. They can also deploy endpoint detection and response solutions and network monitoring tools to detect and block suspicious activities. Companies should also regularly update their security protocols to stay ahead of evolving threat actors.

In particular, companies should be vigilant when monitoring their Web servers, as poorly managed or vulnerable servers could be used as initial breach routes by the Lazarus Group. By proactively monitoring abnormal process execution relationships and taking preemptive measures, companies can prevent the group from carrying out activities such as information exfiltration and lateral movement.
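The "abnormal process execution relationships" that ASEC recommends monitoring come down to one question on an IIS host: what is w3wp.exe spawning? The following is an added detection example, not code from the article or from AhnLab, that scans constructed Sysmon-style process-creation records and flags every child of w3wp.exe that is not on a baseline allowlist. The allowlist (ASP.NET compiler helpers) and the sample records are assumptions for illustration and should be tuned against your own servers' normal behaviour.

```python
"""Flag unexpected child processes of the IIS worker process (w3wp.exe)."""
import ntpath

# Baseline of children IIS legitimately spawns (ASP.NET dynamic compilation).
# Assumed for illustration; build the real baseline from your own telemetry.
EXPECTED_CHILDREN = {"csc.exe", "vbc.exe", "cvtres.exe", "conhost.exe"}

# Constructed Sysmon Event ID 1 (process creation) records, reduced to the
# fields this check needs. These are sample values, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig /t:library (constructed)"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo constructed-sample"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\inetpub\\temp\\sample.dll,Start (constructed)"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "w3wp.exe -ap DefaultAppPool"},
]


def is_w3wp_child(event):
    """True when the record is a process creation whose parent is w3wp.exe."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    return event.get("EventID") == 1 and parent == "w3wp.exe"


def suspicious_w3wp_children(events):
    """Return (child_name, command_line) for each w3wp.exe child outside the baseline.

    Anything the worker process launches that is not a known compiler helper
    is treated as an abnormal execution relationship worth triage.
    """
    findings = []
    for ev in events:
        if not is_w3wp_child(ev):
            continue  # w3wp.exe itself being launched by svchost.exe is normal
        child = ntpath.basename(ev.get("Image", "")).lower()
        if child not in EXPECTED_CHILDREN:
            findings.append((child, ev.get("CommandLine", "")))
    return findings


if __name__ == "__main__":
    for child, cmdline in suspicious_w3wp_children(SAMPLE_EVENTS):
        print(f"ALERT: w3wp.exe spawned {child}: {cmdline}")
```

The same logic maps directly onto a SIEM rule keyed on Sysmon's ParentImage and Image fields; the csc.exe allowlist entry exists only because ASP.NET compiles pages on demand, so any other child of w3wp.exe should be rare enough to alert on.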

The Lazarus Group’s continued cyber espionage campaign highlights the need for organizations to remain vigilant and proactive in their cyber defense strategies. With threat actors constantly evolving their tactics and techniques, companies must stay ahead of the curve by anticipating and mitigating potential vulnerabilities.
