"Lazarus Group Striking Vulnerable Windows IIS Web Servers"

The North Korea-backed threat actor Lazarus Group has changed its ongoing espionage campaign, exploiting known vulnerabilities in unpatched Windows IIS Web servers to deploy its reconnaissance malware. Researchers at the AhnLab Security Response Center (ASEC) reported that the most recent wave of espionage attacks used the group's signature DLL side-loading technique during the initial compromise. AhnLab Smart Defense (ASD) logs showed that Windows server systems are the targets and that the malicious activity is carried out via w3wp.exe, the IIS worker process, which means the threat actor uses poorly managed or vulnerable Web servers as initial entry points before executing its malicious commands. The ASEC team highlighted that the intelligence-gathering campaign's initial attack vectors include unpatched machines with known vulnerabilities such as Log4Shell, public certificate vulnerabilities, and the 3CX supply chain attack. This article continues to discuss the North Korean Advanced Persistent Threat (APT) group's use of Log4Shell, the 3CX supply chain attack, and other known vectors to breach Microsoft Web servers.
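The defensive takeaway from the ASD observation above is that the IIS worker process is a useful pivot for detection: w3wp.exe rarely has a legitimate reason to spawn command interpreters or binaries from web-content directories, and a DLL side-load shows up as a library loaded from the same non-system directory as its host executable. The following is an added example, not code from ASEC, AhnLab or Dark Reading, and it does not reproduce any indicator from their report. It assumes a simplified telemetry schema (dicts with `type`, `parent`, `image`, `loaded` fields, roughly what an EDR or Sysmon process-creation and image-load event would carry) and the sample events, file names and paths are constructed for illustration only.

```python
"""Heuristics for spotting IIS worker-process abuse and DLL side-loading.

Added example; the event schema below is an assumption, not a real product's
format. Events are dicts with a 'type' of 'process' (fields: parent, image)
or 'image_load' (fields: image = host process, loaded = DLL path).
"""
import ntpath

IIS_WORKER = "w3wp.exe"

# Interpreters and living-off-the-land binaries an IIS worker should not launch.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "rundll32.exe",
    "regsvr32.exe", "certutil.exe", "mshta.exe",
}

# Locations where OS and properly installed software binaries live.
# A binary or DLL executing from anywhere else deserves a closer look.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\microsoft.net\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def _name(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def _trusted(path):
    """True if the path lies under one of the trusted installation directories."""
    p = path.lower()
    return any(p.startswith(d) for d in TRUSTED_DIRS)


def analyze(events):
    """Return a list of (rule_name, offending_path) findings, in event order."""
    findings = []
    for ev in events:
        if ev["type"] == "process" and _name(ev["parent"]) == IIS_WORKER:
            if _name(ev["image"]) in SUSPICIOUS_CHILDREN:
                findings.append(("w3wp_spawns_interpreter", ev["image"]))
            elif not _trusted(ev["image"]):
                findings.append(("w3wp_spawns_untrusted_binary", ev["image"]))
        elif ev["type"] == "image_load":
            loaded, host = ev["loaded"], ev["image"]
            # Side-loading pattern: DLL resolved from the host binary's own
            # directory, and that directory is not a trusted install location.
            if (not _trusted(loaded)
                    and ntpath.dirname(loaded).lower() == ntpath.dirname(host).lower()):
                findings.append(("dll_side_load_candidate", loaded))
    return findings


# Constructed sample telemetry (hypothetical paths, not indicators from the article).
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\inetpub\wwwroot\uploads\tool.exe"},
    {"type": "image_load", "image": r"C:\inetpub\temp\app.exe",
     "loaded": r"C:\inetpub\temp\helper.dll"},
    # Benign: system DLL loaded from System32, and a user shell started by Explorer.
    {"type": "image_load", "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "loaded": r"C:\Windows\System32\ntdll.dll"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for rule, path in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```

The three rules are deliberately coarse. The first two key on the parent process, which is what makes an IIS compromise stand out from ordinary administrator activity; the third is the generic shape of DLL side-loading and will also fire on portable applications run from a user directory, so in practice it is tuned with an allow-list of known application directories rather than used as a standalone alert.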

Dark Reading reports "Lazarus Group Striking Vulnerable Windows IIS Web Servers"

Submitted by Anonymous on