News Heading - 1

Lazarus Hackers Exploit Log4Shell Security Flaw to Deploy New RAT Malware

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

Hackers connected to the North Korean threat group Lazarus were observed exploiting the Log4Shell vulnerability (CVE-2021-44228) to attack organizations worldwide.

Discovered in early 2023, the campaign, dubbed "Operation Blacksmith" by Cisco Talos researchers, is said to target manufacturing, agricultural and physical security companies worldwide.

"Operation Blacksmith involved the exploitation of CVE-2021-44228, also known as Log4Shell, and the use of a previously unknown DLang-based RAT utilizing Telegram as its C2 channel," the advisory disclosed.

Exploiting the Log4Shell flaw in publicly facing VMware Horizon servers, the actors deployed three novel malware families. Two of them are remote access trojans (RATs), named NineRAT and DLRAT, and the third is a malware downloader named BottomLoader. A definitive shift in Lazarus' techniques and tools was observed, overlapping with its alleged sub-group Onyx Sleet (aka PLUTONIUM or Andariel).

Upon initial reconnaissance, the hackers set up a proxy tool, "HazyLoad", for continued access to the infected system. It was also observed that Lazarus, instead of using unauthorized domain-level user accounts, created system-level accounts with administrative privileges.

Another noted deviation in their tactics was "downloading and using credential dumping utilities such as ProcDump and Mimikatz" for their hands-on-keyboard activity.

The second phase of the campaign involves the deployment of the novel NineRAT. First identified in March 2023, the DLang-based trojan uses a Telegram-based C2 channel for receiving preliminary commands. The malware not only has the ability to uninstall itself from the system but can also, in some instances, perform system re-fingerprinting. This allows it to collect data shared by other APT groups.

"Re-fingerprinting the infected systems indicates the data collected by Lazarus via NineRAT may be shared by other APT groups and essentially resides in a different repository from the fingerprint data collected initially by Lazarus during their initial access and implant deployment phase," Cisco concludes.

News Heading - 2

Norton Healthcare Confirms ALPHV May Ransomware Attack

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

In a public notification, Norton Healthcare disclosed that the May security incident had compromised sensitive data belonging to patients, former and current employees, and their dependants.

Based in Louisville, Kentucky (US), Norton Healthcare is a leading provider of medical care and health services across Greater Louisville, Southern Indiana, and the Commonwealth of Kentucky. It

"On May 9, 2023, Norton Healthcare discovered that it was experiencing a cybersecurity incident, later determined to be a ransomware attack," Norton revealed.

On confirming the cyberattack, the healthcare provider notified federal law enforcement and engaged a leading forensic security provider to investigate the incident.

Its investigation revealed that certain network storage devices were accessed by an unauthorized threat actor between May 7 and May 9, 2023.

Although the hackers were unable to access its medical record system or Norton MyChart, sensitive personal information, including names, contact details, Social Security numbers, dates of birth, health data, insurance information, and medical identification numbers, was accessed.

In the case of certain individuals, information such as financial account numbers, driver's license or other government ID numbers, and digital signatures was also exposed.

Norton Healthcare says that in addition to bolstering its security systems, it will also provide two years of complimentary credit monitoring and identity protection services to impacted individuals.

While the healthcare provider didn't call it a ransomware attack, the notorious ALPHV (BlackCat) gang took responsibility for the attack in late May, claiming to have stolen 4.7TB of company data. Furthermore, as proof of its claim, the gang posted dozens of files, including images of checks and bank statements, Social Security numbers, and other personal information.

In the breach filing with the US HHS' Office for Civil Rights, Norton Healthcare disclosed that 501 individuals were impacted. But the incident report filed with the Office of the Maine Attorney General suggests the number to be 2.5 million.