UPDATED 22:18 EDT / DECEMBER 17 2019


Lazarus Group targets Linux systems in new remote-access virus campaign

The Lazarus Group, the North Korean-linked hacking group believed to be behind the spread of the WannaCry ransomware in 2017 and linked to a campaign targeting banks and financial institutions in 2018, is back again.

Now it’s targeting Linux systems alongside Windows. The new Lazarus campaign, detailed today by Qihoo 360 Netlab researchers, uses a remote-access Trojan dubbed Dacls.

First detected in May, it is a newly identified malware family that allows remote code execution and enables the Lazarus Group to access file locations on a compromised server. The Trojan is said to exploit a vulnerability first revealed in Atlassian Confluence in March, known as CVE-2019-3396. The infection path uses the vulnerability, a remote execution flaw in the Widget Connector macro in Atlassian Confluence Server in versions 6.6.12 and below, to gain access and deploy Dacls for further malicious activity.

As ZDNet noted, that activity includes stealing, deleting and executing files, scanning directory structures, downloading additional payloads, killing processes, creating daemon processes, and uploading data including scan results and command execution output.

While the campaign currently exploits a vulnerability in Atlassian Confluence, the method it uses opens the door to wider attacks.

“While this sequence relies on a successful exploit of CVE-2019-3396 it also highlights the reality of APTs – the primary attack mode is to gain traction within a system,” Tim Mackey, principal security strategist at electronic design automation firm Synopsys Inc.’s Cybersecurity Research Center, told SiliconANGLE. “This means that any organization with an unpatched vulnerability enabling remote code execution could fall victim to a similar attack, but more importantly this risk extends far beyond traditional Linux computers.”

Linux is commonly used in servers, desktops and in the “internet of things” and embedded systems, Mackey explained.

“It is the IoT and significantly the IIoT space which should be particularly concerned with threats like Dacls.Linux as the embedded systems powering IoT devices tend to have long lifespans and not have commercial anti-malware solutions,” he said.

All organizations should do a robust review of all firmware for IoT devices, Mackey added. That includes looking for critical items like unpatched vulnerabilities in the libraries used to create the firmware, but also should include a detailed accounting for all external APIs and services the firmware communicates with.

Image: methodshop/Flickr
