Aerial view of power station showing Lazarus hackers cyber espionage using log4j vulnerability

Log4j Vulnerability Exploited by Lazarus Hackers for Cyber Espionage; Targets Are Energy Companies Running VMware Horizon Servers

Some security researchers have projected that the Log4j vulnerability will continue to be an issue for a decade or more, given how difficult it is to find and patch every instance of it nested deep within software packages. State-backed threat groups have been attempting to make use of it for cyber espionage purposes since it was first published, but North Korea’s Lazarus hackers appear to have come upon a particularly rich vein to mine: energy companies that run VMware Horizon servers.

Victims fitting this profile have turned up around the world, but the Lazarus hackers appear to have a particular focus on companies in the United States, Canada and Japan. The group uses the Log4j vulnerability as an entry point to install backdoors, and then quietly steals confidential information and credentials.

Lazarus hackers hit upon system for exploiting Log4j vulnerability, targeting energy companies

The Lazarus hackers are generally in pursuit of profit, used to fund the hermit kingdom’s government; some estimates have its recent income from hacking rivaling what it generally makes from trade. But in this case, the main interest appears to be cyber espionage. A report from Cisco Talos Intelligence Group indicates that the group is looking to install multiple backdoors, move laterally through networks and steal credentials for long-term access. Of course, it also exfiltrates any insider information of interest that it comes across.

VMware Horizon has been a major target for hackers looking to exploit the Log4j vulnerability since late 2021. It’s a pricey setup that is widely used by prominent companies throughout the world, and was also widely opened up to remote workers during the Covid-19 pandemic. Once it is compromised, the attacker generally has immediate access to a variety of virtual applications and desktops. VMware has been steadily patching and updating since the Log4j vulnerability was disclosed, but it is incumbent on organizations to keep up with these patches.

James McQuiggan, security awareness advocate at KnowBe4, further notes that energy companies are known to have particular issues with patching: “Cybercriminals know that energy facilities focus more on being available and operational and, similar to medical organizations, can lag on keeping up to date on current patches for internet-facing devices. Cybercriminals leverage older and common vulnerabilities relying on the notion that organizations utilize a risk avoidance or obfuscation methodology, hoping they’re not discovered or breached.

Unfortunately, putting one’s head in the sand doesn’t make the problem disappear. As VMware is a common platform used for external systems, it becomes an easy target to gain a foothold inside an energy infrastructure. Energy organizations strive to utilize in-depth defense systems with firewalls and strong identity access controls to restrict and limit access to critical systems. However, organizations that fail to install multiple layers take on a considerable risk of attack by cybercriminals.”

To date, most of the exploitation of VMware Horizon has been by initial access brokers who are in turn feeding ransomware groups. This string of activity by the Lazarus hackers is the first publicly recorded instance of it being leveraged for nation-state cyber espionage. The North Korean hackers were reportedly active between February and July 2022, identifiable by their use of the VSingle and YamaBot custom malware after the initial breach along with a never-before-seen piece of malware called “MagicRAT.” Subsequent downloads of toolkits were also linked to servers known to be used by the group.

The Talos researchers did not disclose which specific companies had been targeted, but walked through several example cases of the hacking group’s cyber espionage pattern. The researchers note that the Lazarus hackers built the new MagicRAT malware with recourse to the Qt Framework (widely used for developing graphical interfaces) for the purpose of making all types of detection harder; not just by humans and antivirus software, but by more advanced machine learning systems.

Lazarus hackers forego quick profits for long-term cyber espionage possibilities

The Lazarus hackers are in reality not one discrete group, but a collection of subgroups that associate and share intelligence with each other. These groups have been known to focus on specific tasks or specific nations. It is unclear which of these groups is primarily responsible for the Log4j vulnerability campaign, but MagicRAT was given its name as it appears to be an altered version of a backdoor called TigerRAT that was previously used by the Andariel subgroup. This subgroup has previously been observed focusing on cyber espionage in South Korea, but was also linked to a string of ransomware attacks on US health care organizations earlier this year.

There were some prior hints of this cyber espionage campaign; in April, security firm Symantec noted that the subgroup Stonefly was active in attempting to exploit the Log4j vulnerability to spy on a variety of “high value” targets known to possess classified information. The new Talos report clarifies exactly what the scope of the operation was and the industry that was primarily being targeted, in addition to revealing the primary tools the Lazarus hackers make use of.

Analysts believe that the cyber espionage and financial theft conducted by the Lazarus hackers is primarily aimed at supporting the reclusive country’s nuclear weapons program. Working from an initial base of Soviet-supplied nuclear reactors and equipment, North Korea demonstrated its first nuclear weapons test in 2006 and immediately threatened to fire them at the United States in a consistent pattern of empty saber-rattling that has now lasted for decades. The country recently reaffirmed that it would never give up nuclear weapons and reserved the right to conduct preemptive strikes, but also drafted a new law banning the sharing of its arms or technology with other countries.

Chris Clements, vice president of solutions architecture at Cerberus Sentinel, shared some thoughts on how advanced nation-state operations of this type can be defended against: “The good news, if there is any, is that it’s still possible to mitigate risk by investing in the fundamentals of cybersecurity, beginning with a strong cultural approach.  The essential elements of protection through segmentation, attack surface reduction, and system hardening make it more difficult for threat actors to operate and spread if they get a foothold.  Careful monitoring controls that include threat hunting and rapid alerting of suspicious behavior to an experienced team can help quickly identify and neutralize attackers that manage to bypass prevention controls.  Regular security validations such as penetration testing can help identify vulnerabilities from omissions or misconfigurations before attackers can exploit them in the first place.  The problem is that it’s easy enough to say and understand the factors that contribute to cybersecurity resiliency, but implementation is challenging, especially in organizations with competing priorities and limited resources.  To be successful, leaders must own the reality of cybersecurity threats and dedicate both the human and monetary resources to protecting their organizations.”