The Week in Security: Lazarus targets Microsoft servers in espionage campaign, the future of PyPI

This week: North Korean APT Lazarus uses Microsoft IIS servers to carry out espionage. Also: What’s the future of PyPI given sustained attacks?

This Week’s Top Story

North Korean APT Lazarus targets Microsoft IIS servers in espionage malware campaign

The Lazarus group, an advanced persistent threat (APT) actor backed and influenced by North Korea, has been discovered carrying out a new espionage malware campaign. AhnLab Security Emergency response center (ASEC) discovered the group’s new campaign, which targets vulnerable versions of Microsoft Internet Information Services (IIS) servers as an initial breach route that deploys the espionage malware to its targets.

ASEC’s findings also demonstrate that this new campaign from Lazarus serves as another example of the group’s continued abuse of DLL side-loading techniques to run arbitrary payloads. For this campaign, Lazarus places a malicious DLL in the same folder as a legitimate, normal application via Microsoft IIS server process. This allows Lazarus to then run the normal application, which initiates the execution of the malicious DLL.

This new espionage campaign by Lazarus is just one of several malicious campaigns coming out of North Korea. The APT was also recently linked to the high-profile, cascading software supply chain attack on 3CX, an enterprise communications server. Based on both the espionage campaign and the attack on 3CX, it’s clear that Lazarus has become an accomplished and versatile APT. Lazarus’s recent activities also show how the nation-state of North Korea is supportive of these malicious campaigns, which often hurt organizations home to their adversaries.

News Roundup

Here are the stories we’re paying attention to this week…

Ukraine’s cyber chief on the ever-changing digital war with Russia (The Record)

In this interview, reporters from The Record interviewed Yurii Shchyhol, the chief of Ukraine’s State Service of Special Communications and Information Protection (SSSCIP), which is the agency responsible for raising awareness for cybersecurity. In it, he discusses the current state of cyber warfare in Ukraine and his expectations for the future.

PyPI attack: Targeting of repository ‘shows no sign of stopping’ (ITPro)

Cybersecurity experts have warned that the targeting of the Python Package Index (PyPI) repository is likely to continue given its popularity and potential to cause massive disruption. Following a recent attack on PyPI, security experts have called on the open source community to “develop new infrastructure and invest more in sharing attack data.”

Legion malware upgraded to target SSH servers and AWS credentials (The Hacker News)

An updated version of the commodity malware called Legion comes with expanded features to compromise SSH servers and Amazon Web Services (AWS) credentials associated with DynamoDB and CloudWatch: "It's clear that the developer's targeting of cloud services is advancing with each iteration."

Forrester predicts 2023’s top cybersecurity threats: From generative AI to geopolitical tensions (Venture Beat)

Forrester’s Top Cybersecurity Threats in 2023 report (client access reqd.) provides a stark warning about the top cybersecurity threats this year, along with prescriptive advice to CISOs and their teams on countering them.

Over 200K unique malware samples found in 12 weeks, amid AI threat warnings (The Stack)

Security researchers at Blackberry saw over 200,000 unique malware samples in the first quarter of 2023. That was approximately 2,252 unique malware samples per day; up 50% on the previous quarter. Without explicitly citing a cause for the increase, Blackberry’s researchers did note that “the release of ChatGPT marks a milestone advancing the threat of AI-generated malware…”