North Korean hacking ops continue to exploit Log4Shell | CyberScoop<\/title> <meta name=\"description\" content=\"Two years after it was disclosed, the Log4j vulnerability continues to enable North Korean hacking operations.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/north-korea-lazarus-log4j-log4shell\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"North Korean hacking ops continue to exploit Log4Shell\"> <meta property=\"og:description\" content=\"Two years after it was disclosed, the Log4j vulnerability continues to enable North Korean hacking operations.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/north-korea-lazarus-log4j-log4shell\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2023-12-11T13:00:00+00:00\"> <meta property=\"article:modified_time\" content=\"2023-12-08T20:18:49+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/north-korean-hacking-ops-continue-to-exploit-log4shell-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1080\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"AJ Vicens\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@AJVicens\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1701905043g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css?m=1698686983g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1701899484g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=7dab012cdc88b5676610\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/78499\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.4.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=78499\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fnorth-korea-lazarus-log4j-log4shell%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fnorth-korea-lazarus-log4j-log4shell%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-78499 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/north-korea-lazarus-log4j-log4shell\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.085106382979\">\n<div class=\"single-article__header-content\" readability=\"30.730769230769\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/geopolitics\/\"> <span>Geopolitics<\/span> <\/a> <\/li>\n<\/ul>\n<p> Two years after it was disclosed, the Log4j vulnerability continues to enable North Korean hacking operations. <\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"360\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/north-korean-hacking-ops-continue-to-exploit-log4shell.jpg?resize=640%2C360&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/north-korean-hacking-ops-continue-to-exploit-log4shell-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/north-korean-hacking-ops-continue-to-exploit-log4shell-2.jpg?resize=300,168 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/north-korean-hacking-ops-continue-to-exploit-log4shell-2.jpg?resize=768,432 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/north-korean-hacking-ops-continue-to-exploit-log4shell-2.jpg?resize=1024,576 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/north-korean-hacking-ops-continue-to-exploit-log4shell-2.jpg?resize=1536,864 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/north-korean-hacking-ops-continue-to-exploit-log4shell-2.jpg?resize=600,337 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/north-korean-hacking-ops-continue-to-exploit-log4shell-2.jpg?resize=1200,675 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/north-korean-hacking-ops-continue-to-exploit-log4shell-2.jpg?resize=1500,843 1500w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> Flag of the Democratic People’s Republic of Korea (Manuel Augusto Moreno) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"31.401328273245\"><body readability=\"63.144602851324\"><\/p>\n<p>Two years after the Log4j vulnerability was revealed, North Korean hackers are continuing to use the flaw in a ubiquitous piece of open source software to carry out attacks as part of a hacking campaign targeting manufacturing, agricultural and physical security entities, according to research released Monday. <\/p>\n<p>Carried out over the course of 2023 and described in a report released by <a href=\"https:\/\/blog.talosintelligence.com\/lazarus_new_rats_dlang_and_telegram\/\">Cisco\u2019s Talos Intelligence Group on Monday<\/a>, the campaign employed at least three new malware families and relied, in part, on the <a href=\"https:\/\/preprod.cyberscoop.com\/tag\/log4j\/\">Log4Shell<\/a> exploit, highlighting the long tail of the Log4j vulnerability and how failure to patch the flaw is providing a ready tool to malicious hackers.<\/p>\n<p>The campaign was the work of one of a plethora of North Korean hacking units operating under the <a href=\"https:\/\/global.ahnlab.com\/global\/upload\/download\/techreport\/%5BAhnLab%5DAndariel_a_Subgroup_of_Lazarus%20(3).pdf\">broad Lazarus umbrella<\/a>, a term industry and government researchers use to refer to the array of North Korean government hacking operations that engage in everything from cyberespionage to cryptocurrency thefts, ransomware and supply chain attacks.<\/p>\n<p>The Log4j vulnerability has \u201cbeen extensively exploited by the Lazarus umbrella of [advanced persistent threat] groups to deploy a multitude of malware, dual-use tools and conduct extensive hands-on-keyboard activity,\u201d the researchers wrote.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The research is another reminder of the prolific nature of North Korean-linked cyber operations that have targeted South Korea, the U.S. and entities around the world for years. On Dec. 1, the <a href=\"https:\/\/cyberscoop.com\/u-s-government-sanctions-prolific-north-korean-cyber-espionage-unit\/\">U.S. government announced sanctions on Kimsuky<\/a>, a premiere North Korean cyberespionage unit that also carries out financially motivated cybercrime to both fund itself and generate money for the government.<\/p>\n<p>The campaign, dubbed \u201cOperation Blacksmith,\u201d employed at least three new malware families written in <a href=\"https:\/\/dlang.org\/\">DLang<\/a>, a less common programming language. Its use continues a shift among North Korean hacking campaigns toward the use of more obscure programming languages over the past year and a half, the researchers said.<\/p>\n<p>Observed between March and September of 2023, the campaign consisted of \u201ccontinued opportunistic targeting of enterprises around the world that publicly host and expose their vulnerable infrastructure to n-day vulnerability exploitation such as [Log4j],\u201d the researchers wrote.<\/p>\n<p>The operation involved a pair of remote access trojans, one of which used Telegram bots and channels for command and control, the researchers said.<\/p>\n<p>The researchers found some overlap between Operation Blacksmith and attacks that <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/10\/18\/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability\/\">Microsoft disclosed in October<\/a> involving a North Korean hacking operation known as Onyx Sleet, or Andariel, that exploited a vulnerability in the JetBrains TeamCity server software first <a href=\"https:\/\/blog.jetbrains.com\/teamcity\/2023\/10\/cve-2023-42793-vulnerability-in-teamcity-october-18-2023-update\/\">disclosed in September 2023<\/a>. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>A <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa22-187a\">July 2022 Cybersecurity and Infrastructure Security Agency advisory<\/a> flagged Andariel activity that included ransomware attacks on hospitals and health care facilities in the U.S., the Talos researchers noted.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.2627906976744\">\n<div class=\"author-card\" readability=\"8\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/north-korean-hacking-ops-continue-to-exploit-log4shell-1.jpg?w=640&ssl=1\" alt=\"AJ Vicens\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by AJ Vicens<\/h4>\n<p> AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal\/WhatsApp: (810-206-9411). <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/north-korea-lazarus-log4j-log4shell\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>North Korean hacking ops continue to exploit Log4Shell | CyberScoop<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[302,1010,1304,647,1305,288],"tags":[306,242,1306,240,1307,294],"class_list":["post-2182","post","type-post","status-publish","format-standard","hentry","category-geopolitics","category-lazarus-group","category-log4j","category-north-korea","category-talos","category-threats","tag-geopolitics","tag-lazarus-group","tag-log4j","tag-north-korea","tag-talos","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/geopolitics\/\" rel=\"category tag\">Geopolitics<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/lazarus-group\/\" rel=\"category tag\">Lazarus Group<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/log4j\/\" rel=\"category tag\">log4j<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/north-korea\/\" rel=\"category tag\">North Korea<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/talos\/\" rel=\"category tag\">Talos<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2182","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=2182"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2182\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=2182"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=2182"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=2182"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":2182,"date":"2023-12-11T13:00:00","date_gmt":"2023-12-11T13:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=78499"},"modified":"2023-12-11T13:00:00","modified_gmt":"2023-12-11T13:00:00","slug":"north-korean-hacking-ops-continue-to-exploit-log4shell","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2023\/12\/11\/north-korean-hacking-ops-continue-to-exploit-log4shell\/","title":{"rendered":"North Korean hacking ops continue to exploit Log4Shell"},"content":{"rendered":"