norm. threat bulletin: 13th December 2023

The Lazarus Group and persistence of Log4Shell

The infamous Lazarus Group, also known as APT38, is a threat actor associated with North Korea, and is linked to a new global campaign exploiting Log4j vulnerabilities to deploy undisclosed remote access trojans (RATs) on compromised hosts.

Cisco Talos is monitoring this activity, named Operation Blacksmith, identifying three DLang-based malware families: NineRAT (using Telegram for C2), DLRAT, and the downloader BottomLoader. The adversary’s latest tactics align with Andariel, a Lazarus sub-group focused on initial access and espionage. Andariel is responsible for initial access, reconnaissance, and long-term access for espionage supporting North Korean interests.

Attack chains exploit CVE-2021-44228 (Log4Shell) against publicly accessible VMWare Horizon servers, targeting sectors like manufacturing, agriculture, and physical security.

The exploitation Log4Shell is still active as 2.8% of applications still use vulnerable versions. NineRAT, developed around May 2022, was employed in March 2023 against a South American agricultural organisation and in September 2023 on a European manufacturing entity, aiming to evade detection using a legitimate messaging service for C2.

NineRAT serves as the primary means of interaction with infected endpoints, allowing attackers to gather system information, upload/download files, and modify itself. Re-fingerprinting indicates data collected by Lazarus via NineRAT may be shared with other APT groups, residing in a separate repository.

HazyLoad, a custom proxy tool, featured in attacks after initial reconnaissance, identified by Microsoft as part of intrusions exploiting JetBrains TeamCity vulnerabilities. HazyLoad is executed through another malware, BottomLoader.

Operation Blacksmith delivers DLRAT, serving as both a downloader and a RAT for system reconnaissance, malware deployment, and C2 commands execution, providing Lazarus Group with redundant backdoor access for persistence.

Remediation

If you have an application vulnerable to Log4Shell:

• Contact your application vendor to see if a patch is already available.
• If your application is running Java 8 or later, upgrade the log4j library version to >= 2.17.0. Make sure to restart the application.
• If your application is running Java 7, upgrade the log4j library to 2.12.3. Make sure to restart the application.
• If your application is running Java 6, upgrade the log4j library to 2.3.1. Make sure to restart the application.

By utilising norm.’s Vulnerability Patch Management module in addition to the Threat Detection and Response module, customers can not only ensure they are protected against vulnerabilities disclosed via vendor bug bounty programs, but also protected against any potential compromise attempt.

References:
Lazarus Group Log4j Attacks Spread New Malware Families | Decipher (duo.com)
Lazarus Group Using Log4j Exploits to Deploy Remote Access Trojans (thehackernews.com)
Understanding Log4Shell: the Apache log4j2 Remote Code Execution Vulnerability (CVE-2021-44228, CVE-2021-45046) – Horizon3.ai | Blog

APT28 exploiting critical Outlook vulnerability, Microsoft warns

On Monday 4^th December 2023, Microsoft announced that it had detected Kremlin backed activity exploiting a known critical security flaw within Microsoft Outlook, to gain unauthorised access to target accounts within Microsoft Exchange servers. Microsoft has attributed the exploitation attempts to a threat actor called Forest Blizzard, also more commonly known as APT28.

The exploited vulnerability in question was CVE-2023-23397 (CVSS Score: 9.8), which is a privilege escalation exploit that can allow threat actors to access a user’s Net-NTLMv2 hash which can then in turn be used to perform a relay attack against another service to authenticate as the user. This was patched by Microsoft in March of 2023. The goal of the exploit according to the Polish Cyber Command (DKWOC) is to obtain unauthorised access to private and public entities’ mailboxes.

Once the threat actors have access to a user’s mailbox, they can modify folder permissions within. According to DKWOC, in most cases the modifications that occur change the default permissions of the “Default” group from None to Owner, meaning that the content of the mailboxes which have been granted this permission can be read by any authenticated user in the organisation, allowing threat actors to extract high-value information. Another point worth mentioning is that introducing modifications such as this can allow for maintenance of unauthorised access to mailbox contents even after losing direct access to it.

It has been stated in June 2023 by the cyber security firm Recorded Future, that a spear phishing campaign performed by APT28, which aimed to exploit multiple vulnerabilities in Roundcube (an open-source webmail software), featured overlapping activity to that of the Microsoft Outlook vulnerability.

The National Cyber Security Agency of France (ANSSI) also stated in late October 2023 that APT28 is to blame for several attacks targeting government entities, universities, businesses, and research institutes using various exploits including CVE-2023-23397 to deploy malicious software including CredoMap, a known info-stealer.

Further research from cyber security company ProofPoint has observed a large volume of phishing campaigns occurring in 2023 which have leveraged CVE-2023-23397 to targets within Europe and North America. By utilising norm.’s Vulnerability Patch Management module, customers can ensure they are protected against vulnerabilities disclosed via vendor bug bounty programs.

References:
Microsoft Warns of Kremlin-Backed APT28 Exploiting Critical Outlook Vulnerability (TheHackerNews)
NVD – CVE-2023-23397 (nist.gov)
Guidance for investigating attacks using CVE-2023-23397 (Microsoft Security Blog)

The surge of Phishing scams during the Holiday Season: 5 festive warning signs to stay protected

This holiday season is not only a time for joy and celebration but unfortunately, it’s also a prime season for cyber criminals to exploit unsuspecting individuals through phishing scams. As people engage in increased online activities, shopping sprees, and festive communication, the risk of falling victim to phishing attempts becomes more pronounced.

In this article, we will explore the rise of phishing scams during the festive period and highlight five key festive things to watch out for to protect yourself online.

1. Fake Charity Scams: Cybercriminals often exploit the spirit of giving by creating fake charity emails or websites, claiming to support a noble cause. Be cautious of unsolicited donation requests and verify the legitimacy of the charity before making any contributions.

• E-commerce Scams: With the surge in online shopping during the holidays, phishing scammers may send fake shipping notifications or promotions from seemingly reputable retailers. Always double-check the sender’s details and cross-verify any promotions directly on the official website.

• E-card Scams: Phishers may use e-cards as a guise to deliver malicious links or malware. Exercise caution when receiving unexpected e-cards, especially if they prompt you to download any files or click on links without proper context.

• Travel-related Scams: As many people plan holiday trips, scammers may send fake travel offers or booking confirmations to steal personal information. Verify the legitimacy of any travel-related communication by contacting the service provider directly through their official channels.

• Social Media Scams: Be wary of unsolicited friend requests, messages, or posts on social media platforms, especially if they contain suspicious links or ask for personal information. Cybercriminals may exploit the holiday season to target individuals through social engineering tactics.

Staying vigilant and adopting a sceptical mindset can significantly reduce the risk of falling victim to phishing scams during the festive season. By utilising norm.’s Cyber Safety and Phishing module and being aware of these five key warning signs, you can enjoy the holidays with confidence, knowing that you are taking proactive steps to safeguard your online security.

References:
Festive Fraud – Are You Scam Savvy (Natwest Bank)
Festive shoppers urged to be Cyber Aware as figures reveal average online losses of £1,000 (NCSC)
The 12 scams of Christmas (Swansea Council)