EXECUTIVE SUMMARY:

The notorious North Korea-linked hacking group known as Lazarus is believed to be the mastermind behind a new global hacking campaign.

The campaign involves opportunistic exploitation of Log4Shell, a security vulnerability disclosed several years ago that still poses severe risk to organizations.

Cyber security researchers have discovered that this latest campaign deploys previously undocumented remote access trojans (RATs) on compromised hosts.

The latest: Log4Shell

Tracked under the name ‘Operation Blacksmith,’ the campaign began in March of this year and continues to date. It relies on at least three new malware families, and through the RATs among them, attackers can gain remote control of infected systems.

The malware was written in D (DLang), a less common programming language. Its use reflects a shift among North Korean hacking campaigns towards more obscure programming languages. But that’s not why this campaign captured researchers’ attention…

This campaign stood out to researchers on account of the hackers’ use of Telegram as a channel for command-and-control communications. Some of the campaign’s malware used Telegram as its primary channel for accepting commands, returning output, and transferring files – both inbound and outbound.

Affected organizations

After successfully infiltrating an organization, the attackers conduct reconnaissance, running an array of commands to collect system information, query logs, and dump OS credentials. Thus far, no ransomware attacks have been reported, although that could change without warning.

These attacks appear opportunistic in nature. Known victims operate in the manufacturing, agricultural and physical security sectors. Tailored malware implants have been found on compromised systems.

Today’s Log4Shell statistics

If you believed that the Log4Shell threat had been gradually and quietly neutralized, the following statistics describe a different reality:

  • Over 20% of Log4j downloads continue to be for vulnerable versions, according to supply chain management company Sonatype
  • 8% of tested apps still have Log4Shell vulnerabilities, while 3.8% use a Log4j 2.x version susceptible to CVE-2021-44832
  • One-third of Log4j-inclusive apps rely on the outdated, unsupported Log4j 1.x series of the library, which has seven high and critical vulnerabilities within it that remain unresolved

Systems still vulnerable

In July of last year, the Cybersecurity and Infrastructure Security Agency (CISA) warned of hacker operations that are connected to this one. Worryingly, the activities resulted in ransomware attacks on hospitals and healthcare facilities.

The Log4Shell vulnerability was originally reported on December 9th of 2021 and exists in the popular Java library called Log4j. As you’ll recall, due to the code library’s widespread use, the vulnerability inherently affected millions of Java applications.

Although patches were released in a timely fashion, months passed before the vast majority of organizations updated their code and applications.

The vulnerability received extensive attention at the time of disclosure, including on CyberTalk.org. However, two years later, a number of systems remain vulnerable.

Log4Shell threat prevention

The persistent reliance on outdated library versions remains a significant issue – one that’s often fueled by developers who want to avoid unnecessary complexity.

Log4Shell hasn’t served as the wake-up call anticipated by the security industry.

Organizations are strongly advised to proactively scan their environments, pinpoint the open-source library versions in use, and swiftly create emergency upgrade plans.

For further insights into Log4Shell and vulnerability fixes: