North Korean hacking ops continue to exploit Log4Shell

Two years after the Log4j vulnerability was revealed, North Korean hackers are continuing to use the flaw in a ubiquitous piece of open source software to carry out attacks as part of a hacking campaign targeting manufacturing, agricultural and physical security entities, according to research released Monday.

Carried out over the course of 2023 and described in a report released by Cisco’s Talos Intelligence Group on Monday, the campaign employed at least three new malware families and relied, in part, on the Log4Shell exploit, highlighting the long tail of the Log4j vulnerability and how failure to patch the flaw is providing a ready tool to malicious hackers.

The campaign was the work of one of a plethora of North Korean hacking units operating under the broad Lazarus umbrella, a term industry and government researchers use to refer to the array of North Korean government hacking operations that engage in everything from cyberespionage to cryptocurrency thefts, ransomware and supply chain attacks.

The Log4j vulnerability has “been extensively exploited by the Lazarus umbrella of [advanced persistent threat] groups to deploy a multitude of malware, dual-use tools and conduct extensive hands-on-keyboard activity,” the researchers wrote.

The research is another reminder of the prolific nature of North Korean-linked cyber operations that have targeted South Korea, the U.S. and entities around the world for years. On Dec. 1, the U.S. government announced sanctions on Kimsuky, a premiere North Korean cyberespionage unit that also carries out financially motivated cybercrime to both fund itself and generate money for the government.

The campaign, dubbed “Operation Blacksmith,” employed at least three new malware families written in DLang, a less common programming language. Its use continues a shift among North Korean hacking campaigns toward the use of more obscure programming languages over the past year and a half, the researchers said.

Observed between March and September of 2023, the campaign consisted of “continued opportunistic targeting of enterprises around the world that publicly host and expose their vulnerable infrastructure to n-day vulnerability exploitation such as [Log4j],” the researchers wrote.

The operation involved a pair of remote access trojans, one of which used Telegram bots and channels for command and control, the researchers said.

The researchers found some overlap between Operation Blacksmith and attacks that Microsoft disclosed in October involving a North Korean hacking operation known as Onyx Sleet, or Andariel, that exploited a vulnerability in the JetBrains TeamCity server software first disclosed in September 2023.

A July 2022 Cybersecurity and Infrastructure Security Agency advisory flagged Andariel activity that included ransomware attacks on hospitals and health care facilities in the U.S., the Talos researchers noted.