Quick Hits

Lazarus Group Striking Vulnerable Windows IIS Web Servers

The infamous North Korean APT group is using Log4Shell, the 3CX supply chain attack, and other known vectors to breach Microsoft Web servers.

The North Korean state-backed threat actor Lazarus Group has reinvented its ongoing espionage campaign by exploiting known vulnerabilities in unpatched Windows IIS Web servers to deploy its reconnaissance malware.

Researchers with AhnLab Security Response Center (ASEC) reported that the latest round of espionage attacks used the Lazarus Group signature DLL side-loading technique during initial compromise.

"The AhnLab Smart Defense (ASD) log ... (showed) that Windows server systems are being targeted for attacks, and malicious behaviors are being carried out through w3wp.exe, an IIS Web server process," the ASEC researchers explained. "Therefore, it can be assumed that the threat actor uses poorly managed or vulnerable Web servers as their initial breach routes before executing their malicious commands later."

Initial attack vectors for the intelligence-gathering campaign include unpatched machines with known vulnerabilities like Log4Shell, public certificate vulnerabilities, and 3CX supply chain attack, the ASEC team advised.

"In particular, since the threat group primarily utilizes the DLL side-loading technique during their initial infiltrations, companies should proactively monitor abnormal process execution relationships and take preemptive measures to prevent the threat group from carrying out activities such as information exfiltration and lateral movement," the AhnLab report added.

Editors' Choice
Jai Vijayan, Contributing Writer, Dark Reading
Kelly Jackson Higgins 2, Editor-in-Chief, Dark Reading