
Lazarus Group escalates attack against vulnerable Windows IIS web servers


The Lazarus Group Targets Unpatched Windows IIS Web Servers

The North Korean state-backed hacking group, Lazarus Group, is known for its malicious cyber activities worldwide. This time, the group has been found exploiting unpatched Windows IIS web servers for deploying its reconnaissance malware. AhnLab Security Response Center (ASEC) researchers have discovered that the latest round of espionage attacks used the DLL side-loading technique during the initial compromise.

Details of the Attack

The recent attacks by the Lazarus Group are focused on Windows servers, and they run their malicious activity out of w3wp.exe, the IIS web server worker process. According to the ASEC researchers, poorly managed or vulnerable web servers served as the initial breach routes, with the malicious commands executed afterwards from the compromised host. Per the ASEC team, the initial attack vectors for this intelligence-gathering campaign include unpatched machines with known vulnerabilities such as Log4Shell, public certificate vulnerabilities, and the 3CX supply chain attack.

The DLL Side-Loading Technique

The ASEC report highlights that the Lazarus Group primarily relies on the DLL side-loading technique during its initial infiltrations. In this technique, a malicious DLL is placed where a legitimate program will load it, camouflaging the malware so that it executes without raising any alarms on the system. A key reason DLL side-loading is popular with threat actors is that it bypasses traditional security measures: the malware runs inside a legitimate software process, so process-level allowlisting and reputation checks see only the trusted binary.

The Importance of Proactive Monitoring

The ASEC researchers have advised companies to proactively monitor abnormal process execution relationships and take preemptive measures to prevent the Lazarus Group from carrying out activities such as information exfiltration and lateral movement. This requires companies to implement security updates and patch their systems regularly to prevent known vulnerabilities from being exploited by attackers.
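The "abnormal process execution relationships" ASEC recommends watching for can be expressed as a small detection rule set. The following is an added example written for this article, not ASEC's or the page's own tooling: it scans constructed, Sysmon-like key=value log lines (EventID 1 = process create, 7 = image load; field names, the expected-child baseline and the web-writable directory list are all assumptions) and flags the IIS worker w3wp.exe spawning interpreters or binaries from web-writable paths, plus DLLs loaded from those paths, which is the side-loading pattern.

```python
import ntpath
import re

# Constructed sample events in a simplified Sysmon-like form (not from a real incident).
SAMPLE_LOG = r"""
EventID=1 ParentImage=C:\Windows\System32\svchost.exe Image=C:\Windows\System32\inetsrv\w3wp.exe
EventID=1 ParentImage=C:\Windows\System32\inetsrv\w3wp.exe Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
EventID=1 ParentImage=C:\Windows\System32\inetsrv\w3wp.exe Image=C:\Windows\System32\cmd.exe
EventID=1 ParentImage=C:\Windows\System32\inetsrv\w3wp.exe Image=C:\inetpub\wwwroot\upload\conv.exe
EventID=7 Image=C:\inetpub\wwwroot\upload\conv.exe ImageLoaded=C:\inetpub\wwwroot\upload\helper.dll
EventID=7 Image=C:\Windows\System32\inetsrv\w3wp.exe ImageLoaded=C:\Windows\System32\kernel32.dll
EventID=1 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\notepad.exe
"""

# Children an ASP.NET worker legitimately spawns (assumed baseline; tune per host).
EXPECTED_W3WP_CHILDREN = {"csc.exe", "vbc.exe", "cvtres.exe"}
# Interpreters and LOLBins that have no business being launched by a web worker.
SHELL_LIKE = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe",
              "certutil.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Directories a web app (or an attacker who compromised it) can usually write to (assumed).
WEB_WRITABLE_DIRS = ("c:\\inetpub\\", "c:\\windows\\temp\\", "c:\\users\\public\\")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def classify(ev):
    """Return (severity, reason) for a suspicious event, or None if it looks normal."""
    image = ev.get("Image", "")
    if ev.get("EventID") == "1" and ntpath.basename(ev.get("ParentImage", "")).lower() == "w3wp.exe":
        child = ntpath.basename(image).lower()
        if child in SHELL_LIKE:
            return ("high", f"w3wp.exe spawned interpreter/LOLBin {child}")
        if child not in EXPECTED_W3WP_CHILDREN and image.lower().startswith(WEB_WRITABLE_DIRS):
            return ("medium", f"w3wp.exe spawned binary from web-writable path {image}")
    loaded = ev.get("ImageLoaded", "")
    if ev.get("EventID") == "7" and loaded.lower().startswith(WEB_WRITABLE_DIRS):
        # A DLL resolved from a web-writable directory is the side-loading pattern.
        return ("high", f"{ntpath.basename(image)} loaded DLL {loaded}")
    return None

def scan(log_text):
    """Run every line through classify() and return the list of (severity, reason) alerts."""
    return [hit for hit in (classify(parse_event(l)) for l in log_text.splitlines()) if hit]

if __name__ == "__main__":
    for severity, reason in scan(SAMPLE_LOG):
        print(f"[{severity}] {reason}")
```

On the sample above the scan raises three alerts (cmd.exe under w3wp.exe, a binary run from C:\inetpub, and a DLL loaded from C:\inetpub) and stays silent on the csc.exe compilation child and the explorer.exe-launched notepad.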

Editorial

The Lazarus Group has been active for approximately a decade. They have launched several attacks against different targets globally, including cyber espionage, financial theft, and cyber vandalism. The group’s primary focus has been South Korea and the United States, amongst others. Their recent attacks exploiting unpatched Windows IIS web servers suggest that organizations should prioritize system and software updates to stay secure against targeted attacks.

Philosophical Discussion

The most interesting philosophical discussion around the Lazarus Group is the persistent recurrence of the cyber threat it poses. The group operates with state backing, which has enabled its activities to continue for over a decade. Is it morally right for a state to support and empower such groups in the name of national interest? The Lazarus Group’s activities have caused significant losses globally, and the ethical implications of state-backed threats must be carefully considered.

Advice

Organizations must prioritize system updates and patching as a crucial aspect of cyber hygiene. Additionally, companies should regularly carry out proactive monitoring of their networks to identify and respond promptly to malicious activity. Further, it is crucial to assume that threat actors are always looking for vulnerable points of entry to infiltrate networks. Therefore, companies must maintain up-to-date cybersecurity frameworks to align with the evolving cyber threat landscape.
