UPDATED 22:18 EST / DECEMBER 17 2019

SECURITY

Lazarus Group targets Linux systems in new remote-access virus campaign

The Lazarus Group, the North Korean-linked hacking group believed to be behind the spread of the WannaCry ransomware in 2017 and linked to a campaign targeting banks and financial institutions in 2018, is back again.

Now it’s targeting Linux systems alongside Windows. The new Lazarus campaign, detailed today by Qihoo 360 Netlab researchers, uses a remote-access Trojan dubbed Dacls.

First detected in May, Dacls is a new malware family that allows for remote code execution and lets the Lazarus Group reach file locations on a compromised server. The Trojan is said to be delivered through a vulnerability first disclosed in Atlassian Confluence in March, known as CVE-2019-3396. The infection path uses the vulnerability, a remote code execution flaw in the Widget Connector macro in Atlassian Confluence Server versions 6.6.12 and below, to gain access and deploy Dacls for further malicious activity.
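Because the campaign described above depends on an unpatched Confluence instance, the first thing a defender wants is a quick triage of which instances in an inventory still fall inside the version range the article names. The following Python script is an added example and is not code from the article, from Netlab or from Atlassian. It takes the ceiling "6.6.12 and below" directly from the article text; the hostnames and version strings are constructed sample data, and the authoritative list of affected and fixed releases is the vendor advisory, so a version above the article's ceiling is reported as "above-article-range" rather than as safe.

```python
import re
from typing import Dict, List, Optional, Tuple

# Highest affected release as stated in the article ("6.6.12 and below").
# Assumption: this ceiling is taken from the article, not from the vendor advisory.
ARTICLE_MAX_AFFECTED: Tuple[int, int, int] = (6, 6, 12)

# Accepts "6.6.12", "v6.6.12", "5.10" and tolerates suffixes such as "-beta".
VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse a dotted version string into a comparable (major, minor, patch) tuple.

    Returns None when the string carries no usable version (e.g. "latest"),
    so the caller can flag it for manual review instead of guessing.
    """
    match = VERSION_RE.match(text)
    if not match:
        return None
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_in_article_range(version: str) -> Optional[bool]:
    """True if the version is at or below the ceiling the article states."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed <= ARTICLE_MAX_AFFECTED


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (hostname, version) pair to a triage status.

    patch-now            : inside the range the article names
    above-article-range  : newer than the article's ceiling; verify against the advisory
    unknown-version      : version string could not be parsed; inspect by hand
    """
    result: Dict[str, str] = {}
    for host, version in inventory:
        in_range = is_in_article_range(version)
        if in_range is None:
            result[host] = "unknown-version"
        elif in_range:
            result[host] = "patch-now"
        else:
            result[host] = "above-article-range"
    return result


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("wiki-prod-01", "6.6.12"),
    ("wiki-prod-02", "6.6.13"),
    ("wiki-dev-01", "6.5.3"),
    ("wiki-old-01", "5.10"),
    ("wiki-lab-01", "7.0.1-beta"),
    ("wiki-misc-01", "latest"),
]

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:15} {status}")
```

The "unknown-version" bucket is deliberate: an inventory entry that reads "latest" is exactly the kind of host that gets skipped in a hurried patch round, and silently treating it as either affected or clean would hide that gap.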

As ZDNet noted, that activity includes stealing, deleting and executing files; scanning directory structures; downloading additional payloads; killing processes; creating daemon processes; and uploading data, including scan results and command execution output.

While the campaign currently exploits a vulnerability in Atlassian Confluence, the method used opens the door to wider attacks.

“While this sequence relies on a successful exploit of CVE-2019-3396 it also highlights the reality of APTs – the primary attack mode is to gain traction within a system,” Tim Mackey, principal security strategist at electronic design automation firm Synopsys Inc.’s Cybersecurity Research Center, told SiliconANGLE. “This means that any organization with an unpatched vulnerability enabling remote code execution could fall victim to a similar attack, but more importantly this risk extends far beyond traditional Linux computers.”

Linux is commonly used in servers, desktops and in the “internet of things” and embedded systems, Mackey explained.

“It is the IoT and significantly the IIoT space which should be particularly concerned with threats like Dacls.Linux, as the embedded systems powering IoT devices tend to have long lifespans and not to have commercial anti-malware solutions,” he said.

All organizations should do a robust review of all firmware for IoT devices, Mackey added. That includes looking for critical items such as unpatched vulnerabilities in the libraries used to build the firmware, but it should also include a detailed accounting of all external APIs and services the firmware communicates with.

Image: methodshop/Flickr
