Lazarus hackers deploy new RATs via Log4j vulnerability

SISA Weekly Threat Watch, Dec 18, 2023

This week’s cybersecurity landscape witnessed an array of critical vulnerabilities and exploitations across multiple domains including WordPress vulnerabilities leading to remote code execution, Log4j exploits by the Lazarus hacking group, identification of a critical flaw in Apache Struts 2, Microsoft addressing a zero-day AMD vulnerability, and the Russian APT28 targeting numerous nations in a widespread cyber espionage campaign. These incidents highlight the diverse and evolving nature of cyber threats, emphasizing the urgency of robust security measures and prompt updates to safeguard against sophisticated attacks.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. WordPress patches critical POP chain flaw exposing websites to RCE attacks

WordPress has rolled out version 6.4.2, addressing a critical remote code execution (RCE) flaw that, when paired with another vulnerability, allows attackers to execute arbitrary PHP code on targeted websites. The flaw lies in the WP_HTML_Token class within WordPress core version 6.4; the class enhances HTML parsing in the block editor but creates a Property Oriented Programming (POP) chain vulnerability.

Exploiting this flaw demands control over all properties of a deserialized object through PHP’s unserialize() function, potentially influencing the application’s flow by manipulating values sent to magic methods like ‘__wakeup()’. While RCE is not directly exploitable in the core, its combination with certain plugins, especially in multisite setups, poses a significant risk, prompting caution among users. Users are advised to update WordPress to the latest version 6.4.2 to mitigate the vulnerabilities.
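The mechanism described above, shown as an added example with a constructed toy class (not WordPress code and not taken from the advisory): `TempExport`, `load_weak` and `load_hardened` are hypothetical names. It contrasts a plain `unserialize()` call with one that sets `allowed_classes` to `false`, assuming PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Constructed toy class (hypothetical, not WordPress code). Its magic method
// acts on a property, which is what makes a class usable as a POP gadget.
final class TempExport
{
    /** @var string[] paths the cleanup step was asked to handle */
    public static array $cleanupLog = [];
    public string $path = '/tmp/export.csv';

    public function __wakeup(): void
    {
        // Invoked by unserialize() itself; $path comes straight from the input.
        self::$cleanupLog[] = $this->path;
    }
}

// Weak: any loaded class may be instantiated from the input.
function load_weak(string $blob)
{
    return unserialize($blob);
}

// Hardened: no objects are created, so no magic method of TempExport runs.
// Objects in the input decode to __PHP_Incomplete_Class and are rejected here.
function load_hardened(string $blob): ?array
{
    $value = unserialize($blob, ['allowed_classes' => false]);
    return is_array($value) ? $value : null;
}

// Constructed sample input: a serialized object whose property the sender chose.
$forged = new TempExport();
$forged->path = '/var/www/html/index.php';
$blob = serialize($forged);

load_weak($blob);
echo 'weak path, __wakeup() ran on: ', json_encode(TempExport::$cleanupLog), PHP_EOL;

TempExport::$cleanupLog = [];
$result = load_hardened($blob);
echo 'hardened path, __wakeup() ran on: ', json_encode(TempExport::$cleanupLog), PHP_EOL;
echo 'hardened result: ', var_export($result, true), PHP_EOL;
```

Where stored data only needs scalars and arrays, `json_decode()` avoids object instantiation altogether.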

2. Log4j exploits: Lazarus group deploys DLang based RATs

The Lazarus hacking group’s persistent exploitation of CVE-2021-44228, also known as “Log4Shell,” has led to the introduction of three new malware families written in the DLang programming language. Although this RCE flaw in Log4j was patched previously, it remains a significant security risk, particularly affecting publicly exposed VMware Horizon servers. Cisco Talos’ investigation, dubbed “Operation Blacksmith,” revealed Lazarus’ deployment of NineRAT, DLRAT, and BottomLoader, utilizing Telegram API for command and control, system information collection, and PowerShell-based payload execution, respectively.

The use of DLang represents a shift in Lazarus’ tactics, possibly aimed at evading detection. Cisco also suggests Lazarus might share NineRAT-collected data with other threat groups, highlighting the need for immediate Log4j updates, network segmentation, access control reinforcement, and adherence to the principle of least privilege to mitigate risks.

3. CVE-2023-50164: New critical RCE vulnerability identified in Apache Struts 2 

A critical security flaw in the Struts 2 open-source web application framework has been identified, prompting Apache to issue a security advisory. This vulnerability poses a risk of RCE. Struts, a Java framework employing the Model-View-Controller (MVC) architecture for enterprise-oriented web applications, is susceptible to a vulnerability arising from flawed ‘file upload logic’.

This flaw could potentially allow unauthorized path traversal, enabling a scenario in which a malicious file could be uploaded, leading to the execution of arbitrary code. Despite the absence of evidence demonstrating malicious exploitation of the vulnerability in real-world attacks, it is crucial to underscore that threat actors were successful in weaponizing a previous security flaw, namely CVE-2017-5638 with a CVSS score of 10.0. Updating Struts to version 2.5.33 or greater can help mitigate the risks.

4. Microsoft’s Patch Tuesday addresses 34 vulnerabilities including an AMD zero-day  

In December’s Patch Tuesday, Microsoft released security updates addressing 34 vulnerabilities, including eight critical RCE bugs. This patch resolves a disclosed zero-day flaw, CVE-2023-20588, affecting certain AMD processors and posing a risk of speculative leaks. Despite AMD suggesting mitigation measures earlier, Microsoft’s update now offers a fix for this division-by-zero vulnerability, emphasizing the importance of following best practices for securing sensitive data on affected AMD processors.

The patch also covers various vulnerability categories like elevation of privilege, information disclosure, denial of service, and spoofing. Recommendations for users include regular software updates, strong password usage, enabling two-factor authentication, and backing up critical data for added security measures.

5. Russian APT28 hackers targeting 13 nations in ongoing cyber espionage campaign 

The Russian APT28 threat actor, also known as ITG05, has deployed a tailored backdoor named HeadLace, leveraging bait associated with ongoing Israel-Hamas conflicts to distribute malware globally. Researchers have uncovered this campaign targeting at least 13 countries, including Hungary, Türkiye, Australia, and Ukraine.

By employing authentic documents from academic, financial, and diplomatic institutions as bait, the operation specifically targets European entities involved in humanitarian aid allocation, utilizing the WinRAR vulnerability (CVE-2023-38831) to propagate the HeadLace backdoor. The campaign, characterized by its adaptability and exploitation of public vulnerabilities, underscores the ongoing and dynamic nature of the cyber threat landscape. Vigilance and proactive security measures are crucial in mitigating the risks posed by ITG05’s sophisticated and evolving tactics.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
