Cisco: Log4j vulnerability used to attack energy companies in Canada, US and Japan

Hackers continue to abuse the endemic Log4j vulnerability months after its discovery, according to a new report from Cisco researchers who discovered a campaign targeting energy companies across the U.S., Canada, Japan and other countries.

Cisco Talos security researchers Jung soo An, Asheer Malhotra and Vitor Ventura said they have been tracking a longstanding campaign between February and July that they believe is the work of North Korean state-sponsored hackers with the Lazarus Group.

The group’s initial attack vector was the exploitation of the Log4j vulnerability on exposed VMware Horizon servers — a tried and true method dozens of criminal and state-backed groups have used since the bug emerged in December. 

Once the hackers have a foothold in enterprise networks, they deploy custom malware implants called VSingle and YamaBot. The report notes that the Japanese CERT recently published reports on both malware and attributed them to Lazarus.

The researchers tied the activity they found to a June report from the Cybersecurity and Infrastructure Security Agency (CISA) about two incidents from April and May.

Check out this joint #cybersecurity advisory from @CISAgov & @USCG Cyber detailing cyber threat actors exploiting a #Log4Shell vulnerability in VMware Horizon® and Unified Access Gateway (UAG) servers to obtain access to victim networks. https://t.co/JYA5Ioz1fG pic.twitter.com/Do8qGI3YrW

— Jen Easterly (@CISAJen) June 23, 2022

“In this campaign, Lazarus was primarily targeting energy companies in Canada, the U.S. and Japan. The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives,” the researchers said. 

“This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.”

Despite being discovered in December 2021, CISA included Log4Shell on its list of the top 15 routinely exploited vulnerabilities in 2021.

In recent months, several cybersecurity firms have warned that Log4Shell is still an issue despite the global campaign to patch the vulnerability.

Symantec said an unnamed engineering company with energy and military customers was hacked by the North Korean government using the Log4j vulnerability.

Yotam Perkal, vulnerability researcher at cybersecurity firm Rezilion, released a report in April that found 55% of applications still contained an obsolete version of Log4j in their latest versions. 

The new U.S. Cyber Safety Review Board recently released a wide-ranging report on the bug’s origins, finding that despite efforts by organizations across the federal and private sectors to protect their networks, Log4j had become an “endemic vulnerability”

“Log4j is not over. This was not a historic look back and now we’re in the clear,” Silvers said. “The board found that it is likely that organizations are going to be dealing with continued Log4j exposure for years to come, maybe a decade or longer.”