Lazarus Hacking Group Exploiting Vulnerable Windows IIS Web Servers

Learn about the Lazarus hacking group and their exploits on vulnerable Windows IIS web servers. Discover their techniques, known attack vectors

29-May-2023
6 min read

North Korean state-backed hackers, known as the Lazarus Group, have resurfaced, targeting vulnerable Windows Internet Information Services (IIS) web servers to gain unauthorized access. This alarming development, confirmed by ASEC, shows how web servers running vulnerable versions are exploited with a vulnerability suited to that version in order to install a web shell or execute malicious commands; in this case the target is the Windows IIS server. In this Threatfeed, we delve into the details of the Lazarus Group's activities and tactics, the implications for web server security, and effective countermeasures to protect against such threats.

Lazarus Group: A State-Backed Hacker Collective

The infamous Lazarus Group has long been associated with cyberattacks targeting various sectors, including finance, government, and critical infrastructure. This state-sponsored hacking group is known for its advanced tactics and persistent campaigns. With an extensive arsenal of malware and sophisticated techniques, they have wreaked havoc on numerous organizations worldwide.

Targeting Windows IIS Web Servers: A New Focus

Recent reports have revealed a shift in the Lazarus Group's tactics, with an explicit focus on vulnerable Windows IIS web servers. These servers, widely used to host websites and web applications, have become prime targets because of their prevalence and potential for exploitation.

[Figure: Lazarus Group's Server Exploitation]

In a previous report, Symantec revealed that hackers had been utilizing malware on IIS (Internet Information Services) to discreetly execute commands on compromised systems through web requests, effectively bypassing detection by security tools.

By compromising these servers, the Lazarus Group gains an initial foothold from which they can launch further attacks and infiltrate organizations' networks.

Implications for Web Server Security

The targeting of Windows IIS web servers by the Lazarus Group raises serious concerns regarding web server security. Organizations relying on these servers must be vigilant and take immediate steps to bolster their defenses. Failure to do so can result in severe consequences, including data breaches, financial losses, reputational damage, and compromised customer trust.

Vulnerabilities Exploited by the Lazarus Group

The Lazarus Group leverages various vulnerabilities in Windows IIS web servers to gain initial access. Some commonly exploited vulnerabilities include:

  1. CVE-2021-31166: A remote code execution vulnerability in the HTTP Protocol Stack (http.sys).
  2. CVE-2021-31176: A remote code execution vulnerability in the HTTP Protocol Stack (http.sys).
  3. CVE-2021-31178: A remote code execution vulnerability in the HTTP Protocol Stack (http.sys).
  4. CVE-2021-31207: A remote code execution vulnerability in the HTTP Protocol Stack (http.sys).

These vulnerabilities, when left unpatched, provide an entry point for the Lazarus Group to infiltrate the targeted web servers.

Consequences of a Successful Attack

Once the Lazarus Group gains access to a Windows IIS web server, they can exploit it for various malicious purposes. Some potential consequences include:

  1. Data Theft: Sensitive information, such as customer data, financial records, or intellectual property, may be stolen and used for nefarious purposes.
  2. Disruption of Services: The attackers may disrupt the normal functioning of the web server, leading to downtime, loss of business, and inconvenience to users.
  3. Propagation of Malware: Compromised web servers can be used as distribution points for malware, infecting visitors to the websites hosted on those servers.
  4. Espionage and Surveillance: The Lazarus Group's activities may extend beyond mere financial gains, with the potential for targeted surveillance and espionage.

Protecting Against Lazarus Group Attacks

To mitigate the risks associated with Lazarus Group attacks targeting Windows IIS web servers, organizations should implement robust security measures. Here are some essential steps to enhance web server security:

1. Regular Patching and Updates

Maintain a proactive approach to patch management. Stay informed about the latest security updates for Windows IIS servers and promptly apply patches to address known vulnerabilities. Regularly update server software, frameworks, and applications to protect against newly discovered vulnerabilities.

2. Harden Server Configuration

Implement secure configurations for Windows IIS servers, following industry best practices and guidelines. Disable unnecessary services and features, limit user privileges and enforce strong password policies. Regularly review and update security settings based on evolving threats and recommendations.

3. Network Segmentation

Isolate web servers from critical internal systems through network segmentation. By compartmentalizing the network, organizations can limit the potential impact of a compromised web server and prevent lateral movement by attackers.

4. Intrusion Detection and Prevention Systems (IDPS)

Deploy IDPS solutions capable of detecting and blocking suspicious activities. These systems monitor network traffic and identify potential intrusions or malicious behaviors. Configure alerts and response mechanisms to swiftly address any detected threats.

5. Web Application Firewalls (WAF)

Implement WAF solutions to provide an additional layer of protection for web applications hosted on Windows IIS servers. WAFs can detect and block common web-based attacks, such as SQL injections, cross-site scripting (XSS), and remote file inclusion (RFI).

6. Security Awareness and Training

Educate employees about the risks associated with cyberattacks, including phishing and social engineering techniques used by the Lazarus Group. Regularly conduct security awareness training sessions to reinforce good cybersecurity practices and encourage a culture of vigilance within the organization.

Response

The Lazarus Group has employed various attack vectors, including Log4Shell, a public certificate vulnerability, and the 3CX supply chain attack, to initiate its breaches. This group is known for its highly dangerous activities and actively launches attacks globally. Therefore, it is crucial for corporate security managers to adopt attack surface management techniques to identify vulnerable assets and to exercise caution by promptly applying the latest security patches whenever possible.

Specifically, because the threat group relies primarily on the DLL side-loading technique for initial infiltration, companies should proactively monitor abnormal process execution relationships. By doing so, they can detect suspicious activity early and take preemptive measures to prevent the threat group from carrying out actions such as information exfiltration and lateral movement.

File Detection

– Trojan/Win.LazarLoader.C5427612 (2023.05.15.02)
– Trojan/Win.LazarLoader.C5427613 (2023.05.15.03)

IoCs

[DLL Side-loading File Path]
– C:\ProgramData\USOShared\Wordconv.exe
– C:\ProgramData\USOShared\msvcr100.dll

MD5

– e501bb6762c14baafadbde8b0c04bbd6: diagn.dll
– 228732b45ed1ca3cda2b2721f5f5667c: msvcr100.dll
– 47d380dd587db977bf6458ec767fee3d: ? (Variant malware of msvcr100.dll)
– 4d91cd34a9aae8f2d88e0f77e812cef7: cylvc.dll (Variant malware of msvcr100.dll)
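The Response section above recommends monitoring abnormal process execution relationships, and the IoC section lists the side-loading paths and hashes. The following is an added example, not code from the original post or from ASEC, that turns both into a small hunt over Sysmon-style event records. The hashes and paths are the ones listed above; everything else is an assumption for the example: that the IIS worker process is w3wp.exe and should not spawn a command interpreter (a common web-shell heuristic), that a runtime DLL such as msvcr100.dll loaded from a user-writable tree like ProgramData or Users deserves a look, and the sample events themselves, which are constructed.

```python
"""Added example (not from the original post or ASEC): hunt Sysmon-style
event records for IIS process-relationship anomalies and the post's
DLL side-loading IoCs. Sample events below are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Hashes and paths exactly as listed in the post's IoC section.
IOC_MD5 = {
    "e501bb6762c14baafadbde8b0c04bbd6": "diagn.dll",
    "228732b45ed1ca3cda2b2721f5f5667c": "msvcr100.dll",
    "47d380dd587db977bf6458ec767fee3d": "variant of msvcr100.dll",
    "4d91cd34a9aae8f2d88e0f77e812cef7": "cylvc.dll",
}
IOC_PATHS = {
    "c:\\programdata\\usoshared\\wordconv.exe",
    "c:\\programdata\\usoshared\\msvcr100.dll",
}

# Assumptions for this example (not stated by the post): the IIS worker is
# w3wp.exe and has no business spawning a shell; a runtime DLL loaded from a
# user-writable tree is a side-loading candidate worth reviewing.
IIS_WORKER = "w3wp.exe"
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}
USER_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\")


@dataclass
class Event:
    """Subset of Sysmon fields: ID 1 = process create, ID 7 = image load."""
    event_id: int
    image: str                          # process that generated the event
    parent_image: Optional[str] = None  # ID 1 only
    image_loaded: Optional[str] = None  # ID 7 only
    md5: Optional[str] = None           # hash of the image or loaded DLL


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def check_event(ev: Event) -> list[str]:
    """Return finding tags for one event; an empty list means nothing odd."""
    findings: list[str] = []
    if ev.event_id == 1 and ev.parent_image:
        if _name(ev.parent_image) == IIS_WORKER and _name(ev.image) in SHELL_CHILDREN:
            findings.append(f"iis-worker-spawned-shell: {ev.parent_image} -> {ev.image}")
    if ev.event_id == 7 and ev.image_loaded:
        loaded = ev.image_loaded.lower()
        if loaded in IOC_PATHS or ev.image.lower() in IOC_PATHS:
            findings.append(f"ioc-path: {ev.image} loaded {ev.image_loaded}")
        if _name(loaded) == "msvcr100.dll" and loaded.startswith(USER_WRITABLE_PREFIXES):
            findings.append(f"sideload-candidate: {ev.image} loaded {ev.image_loaded}")
    if ev.md5 and ev.md5.lower() in IOC_MD5:
        findings.append(f"ioc-md5: {ev.md5} ({IOC_MD5[ev.md5.lower()]})")
    return findings


def hunt(events: list[Event]) -> dict[int, list[str]]:
    """Map event index -> findings, keeping only events that have findings."""
    out: dict[int, list[str]] = {}
    for i, ev in enumerate(events):
        found = check_event(ev)
        if found:
            out[i] = found
    return out


# Constructed sample telemetry: benign noise, a web-shell style child
# process, and the side-loading chain from the post's IoC list.
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\inetsrv\w3wp.exe",
          parent_image=r"C:\Windows\System32\svchost.exe"),
    Event(1, r"C:\Windows\System32\cmd.exe",
          parent_image=r"C:\Windows\System32\inetsrv\w3wp.exe"),
    Event(7, r"C:\Program Files\SomeApp\app.exe",
          image_loaded=r"C:\Program Files\SomeApp\msvcr100.dll"),
    Event(7, r"C:\ProgramData\USOShared\Wordconv.exe",
          image_loaded=r"C:\ProgramData\USOShared\msvcr100.dll",
          md5="228732b45ed1ca3cda2b2721f5f5667c"),
]

if __name__ == "__main__":
    for idx, tags in hunt(SAMPLE_EVENTS).items():
        for tag in tags:
            print(f"event[{idx}] {tag}")
```

The third sample event, a legitimately shipped copy of msvcr100.dll under Program Files, produces no finding, which is the point of keying the side-loading heuristic on user-writable directories rather than on the DLL name alone; many applications carry their own copy of that runtime. In practice the records would come from Sysmon event IDs 1 and 7 via Windows Event Forwarding or a SIEM export, with the same three checks applied.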