North Korean state-backed hackers, known as the Lazarus Group, have resurfaced, targeting vulnerable Windows Internet Information Services (IIS) web servers to gain unauthorized access. This development, confirmed by ASEC, follows a familiar pattern: a web server running a vulnerable software version is exploited with whichever vulnerability fits that version, and the attacker then installs a web shell or executes malicious commands. In this case the target is Windows IIS. In this Threatfeed, we delve into the details of the Lazarus Group's activities and tactics, the implications for web server security, and effective countermeasures to protect against such threats.
The infamous Lazarus Group has long been associated with cyberattacks targeting various sectors, including finance, government, and critical infrastructure. This state-sponsored hacking group is known for its advanced tactics and persistent campaigns. With an extensive arsenal of malware and sophisticated techniques, they have wreaked havoc on numerous organizations worldwide.
Recent reports have revealed a shift in the Lazarus Group's tactics, with an explicit focus on vulnerable Windows IIS web servers. These servers, widely used to host websites and web applications, have become prime targets due to their prevalence and potential for exploitation.
Lazarus Group's Server Exploitation
In a previous report, Symantec revealed that hackers had been deploying malware on IIS (Internet Information Services) servers to discreetly execute commands on compromised systems through ordinary web requests, effectively bypassing detection by security tools.
By compromising these servers, the Lazarus Group gains an initial foothold from which they can launch further attacks and infiltrate organizations' networks.
The targeting of Windows IIS web servers by the Lazarus Group raises serious concerns regarding web server security. Organizations relying on these servers must be vigilant and take immediate steps to bolster their defenses. Failure to do so can result in severe consequences, including data breaches, financial losses, reputational damage, and compromised customer trust.
The Lazarus Group leverages various vulnerabilities in Windows IIS web servers to gain initial access. Some commonly exploited vulnerabilities include:
These vulnerabilities, when left unpatched, provide an entry point for the Lazarus Group to infiltrate the targeted web servers.
Once the Lazarus Group gains access to a Windows IIS web server, they can exploit it for various malicious purposes. Some potential consequences include:
To mitigate the risks associated with Lazarus Group attacks targeting Windows IIS web servers, organizations should implement robust security measures. Here are some essential steps to enhance web server security:
Maintain a proactive approach to patch management. Stay informed about the latest security updates for Windows IIS servers and promptly apply patches to address known vulnerabilities. Regularly update server software, frameworks, and applications to protect against newly discovered vulnerabilities.
Implement secure configurations for Windows IIS servers, following industry best practices and guidelines. Disable unnecessary services and features, limit user privileges and enforce strong password policies. Regularly review and update security settings based on evolving threats and recommendations.
Isolate web servers from critical internal systems through network segmentation. By compartmentalizing the network, organizations can limit the potential impact of a compromised web server and prevent lateral movement by attackers.
Deploy intrusion detection and prevention system (IDPS) solutions capable of detecting and blocking suspicious activities. These systems monitor network traffic and identify potential intrusions or malicious behaviors. Configure alerts and response mechanisms to swiftly address any detected threats.
Implement web application firewall (WAF) solutions to provide an additional layer of protection for web applications hosted on Windows IIS servers. WAFs can detect and block common web-based attacks, such as SQL injection, cross-site scripting (XSS), and remote file inclusion (RFI). A WAF filters requests; it does not replace patching the server software itself.
Educate employees about the risks associated with cyberattacks, including phishing and social engineering techniques used by the Lazarus Group. Regularly conduct security awareness training sessions to reinforce good cybersecurity practices and encourage a culture of vigilance within the organization.
The Lazarus Group has employed various attack vectors, including Log4Shell, a public certificate vulnerability, and the 3CX supply chain attack, to initiate their breaches. This group is known for its highly dangerous activities and actively launches attacks globally. Therefore, it is crucial for corporate security managers to adopt attack surface management techniques to identify vulnerable assets and to promptly apply the latest security patches whenever possible.
Specifically, as the threat group primarily relies on the DLL side-loading technique for initial infiltration, companies should proactively monitor abnormal process execution relationships. By doing so, they can detect suspicious activity and take preemptive measures to prevent the threat group from carrying out actions such as information exfiltration and lateral movement.
– Trojan/Win.LazarLoader.C5427612 (2023.05.15.02)
– Trojan/Win.LazarLoader.C5427613 (2023.05.15.03)
[DLL Side-loading File Path]
– C:\ProgramData\USOShared\Wordconv.exe
– C:\ProgramData\USOShared\msvcr100.dll
– e501bb6762c14baafadbde8b0c04bbd6: diagn.dll
– 228732b45ed1ca3cda2b2721f5f5667c: msvcr100.dll
– 47d380dd587db977bf6458ec767fee3d: ? (variant malware of msvcr100.dll)
– 4d91cd34a9aae8f2d88e0f77e812cef7: cylvc.dll (variant malware of msvcr100.dll)