

Security researchers have linked a new cyber espionage campaign targeting U.S., Canadian and Japanese energy providers to the North Korean state-sponsored Lazarus hacking group.

Threat intelligence company Cisco Talos said Thursday that it has observed Lazarus - also known as APT38 - targeting unnamed energy providers in the United States, Canada and Japan between February and July this year. According to Cisco’s research, the hackers used a year-old vulnerability in Log4j, known as Log4Shell, to compromise internet-exposed VMware Horizon servers to establish an initial foothold onto a victim’s enterprise network, before deploying bespoke malware known as “VSingle” and “YamaBot” to establish long-term persistent access. YamaBot was recently attributed to the Lazarus APT by Japan’s national cyber emergency response team, known as CERT.

Details of this espionage campaign were first revealed by Symantec in April this year, which attributed the operation to “Stonefly,” another North Korean hacking group that has some overlaps with Lazarus.

However, Cisco Talos also observed a previously unknown remote access trojan - or RAT - named “MagicRAT,” attributed to Lazarus Group, which the hackers use for reconnaissance and stealing credentials.

“The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives,” wrote Talos researchers Jung soo An, Asheer Malhotra and Vitor Ventura. “This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.”
