Hackers continue to abuse the rampant Log4j vulnerability months after its discovery, according to a new report from Cisco researchers who uncovered a campaign targeting energy companies in the United States, Canada, Japan and other countries.
Cisco Talos security researchers Jung Soo An, Asheer Malhotra and Vitor Ventura said they were tracking a long-running campaign between February and July that they believe is the work of North Korean state-sponsored hackers associated with the Lazarus group.
The group’s initial attack vector was exploiting the Log4j vulnerability on exposed VMware Horizon servers – a proven method that dozens of criminal and state-backed groups have used since the bug first emerged in December.
Once the hackers gain a foothold in corporate networks, they deploy custom malware implants called VSingle and YamaBot. The report notes that the Japanese CERT recently released reports on both malware families and attributed them to Lazarus.
The researchers linked the activity they found to a June report from the Cybersecurity and Infrastructure Security Agency (CISA) on two incidents from April and May.
“In this campaign, Lazarus primarily targeted energy companies in Canada, the United States and Japan. The primary purpose of these attacks was likely to establish long-term access to victim networks to conduct espionage operations in support of North Korean government objectives,” the researchers said.
“This activity aligns with historic Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.”
Although it was only discovered in December 2021, Log4Shell made CISA’s list of the top 15 vulnerabilities routinely exploited in 2021.
In recent months, several cybersecurity companies have warned that Log4Shell is still a problem despite the global campaign to fix the vulnerability.
Symantec said an unnamed engineering company with energy and military customers was hacked by the North Korean government using the Log4j vulnerability.
Yotam Perkal, a vulnerability researcher at cybersecurity firm Rezilion, published a report in April finding that 55% of applications still contained an outdated version of Log4j in their latest versions.
The new US Cyber Safety Review Board recently published a high-profile report on the bug’s origins, finding that despite efforts by federal and private sector organizations to protect their networks, Log4j had become an “endemic vulnerability”.
“Log4j is not complete. It wasn’t a historic comeback and now we’re in the clear,” Silvers said. “The board found that organizations are likely to face continued exposure from Log4j for years, possibly a decade or more.”