Security News > 2022 > September > North Korean Lazarus hackers take aim at U.S. energy providers
The North Korean APT group 'Lazarus' is exploiting VMWare Horizon servers to access the corporate networks of energy providers in the United States, Canada, and Japan.
Lazarus is a state-backed threat actor known for conducting espionage, data theft, and cryptocurrency stealing campaigns over the past decade.
According to researchers at Cisco Talos, who uncovered the latest operation, Lazarus targeted the energy organizations between February and July 2022, leveraging public VMWare Horizon exploits for initial access.
Since VMWare Horizon runs with high privileges, Lazarus can deactivate Windows Defender via registry key modifications, WMIC, and PowerShell commands before deploying VSingle.
Lazarus attack chain diversification isn't limited to the final malware payloads but extends to the proxy or reverse tunneling tools and credential harvesting techniques.
As highlighted in this report, Lazarus is closely monitored by cybersecurity firms, so they can't afford to become lazy in diversifying their attack chains.
News URL
Related news
- North Korean hackers spotted using ClickFix tactic to deliver malware (source)
- North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware (source)
- North Korean hackers linked to $1.5 billion ByBit crypto heist (source)
- OpenAI bans ChatGPT accounts used by North Korean hackers (source)
- North Korean Hackers Steal $1.5B in Cryptocurrency (source)
- Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers (source)
- Safe{Wallet} Confirms North Korean TraderTraitor Hackers Stole $1.5 Billion in Bybit Heist (source)
- Microsoft: North Korean hackers join Qilin ransomware gang (source)
- North Korean Lazarus hackers infect hundreds via npm packages (source)
- North Korean hackers adopt ClickFix attacks to target crypto firms (source)