Lazarus Group Striking Vulnerable Windows IIS Web Servers

The infamous North Korean APT group is using Log4Shell, the 3CX supply chain attack, and other known vectors to breach Microsoft Web servers.

Dark Reading Staff, Dark Reading

May 25, 2023

1 Min Read
North Korea country shape on keyboard
Source: Per Bengston via Alamy Stock Photo

The North Korean state-backed threat actor Lazarus Group has reinvented its ongoing espionage campaign by exploiting known vulnerabilities in unpatched Windows IIS Web servers to deploy its reconnaissance malware.

Researchers with AhnLab Security Response Center (ASEC) reported that the latest round of espionage attacks used the Lazarus Group signature DLL side-loading technique during initial compromise.

"The AhnLab Smart Defense (ASD) log ... (showed) that Windows server systems are being targeted for attacks, and malicious behaviors are being carried out through w3wp.exe, an IIS Web server process," the ASEC researchers explained. "Therefore, it can be assumed that the threat actor uses poorly managed or vulnerable Web servers as their initial breach routes before executing their malicious commands later."

Initial attack vectors for the intelligence-gathering campaign include unpatched machines with known vulnerabilities like Log4Shell, public certificate vulnerabilities, and 3CX supply chain attack, the ASEC team advised.

"In particular, since the threat group primarily utilizes the DLL side-loading technique during their initial infiltrations, companies should proactively monitor abnormal process execution relationships and take preemptive measures to prevent the threat group from carrying out activities such as information exfiltration and lateral movement," the AhnLab report added.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights