In today’s digital age, servers are crucial components of any organization’s IT infrastructure. They store and process critical data, provide access to applications, and enable communication between devices. However, they also serve as vulnerable access points for hackers to infiltrate a network. This vulnerability has been highlighted by the recent attacks on Windows server systems by the Lazarus group, a highly dangerous hacking group believed to be associated with North Korea.
In this article, we will explore the threats posed by the Lazarus group and other cyber threats, and provide tips on how to protect your servers.
Servers as Vulnerable Access Points
Servers are high-value targets for hackers, since compromising them can provide access to sensitive data and a foothold into a network. Servers are also harder to mitigate than individual devices, since they must remain constantly available to service requests and cannot be taken offline for maintenance or patching without disrupting operations.
ASD Log: Windows Server Systems Under Attack
The Australian Signals Directorate (ASD) recently released an alert that Windows server systems were under attack. The attackers are using a range of techniques, including vulnerabilities in public-facing infrastructure and spear-phishing campaigns to gain access to the network. They then utilize stolen credentials to move laterally within the network and escalate their privileges until they gain access to critical systems.
Lazarus Exploits: Vulnerabilities and Misconfigurations of IIS Servers
The Lazarus group has been known to exploit vulnerabilities and misconfigurations of Internet Information Services (IIS) servers. They use this access to steal sensitive data, spread malware, and launch further attacks on the network. IIS servers are commonly used by organizations to host websites and web applications, making them a popular target for hackers.
LSASS dumping: potential credential theft activity
The LSASS is a critical component of Windows operating systems that stores authentication credentials. Hackers can dump the contents of the LSASS to obtain passwords and other credential information. This is a common tactic used by the Lazarus group to access sensitive data and escalate their privileges within a network.
Final phase of Lazarus attack: network reconnaissance and lateral movement
After gaining access to a server or network, the Lazarus group engages in network reconnaissance to identify high-value targets. They then move laterally within the network, using stolen credentials or exploiting vulnerabilities to gain access to critical systems. This phase of the attack is aimed at achieving their ultimate objectives, such as data exfiltration or disruption of operations.
ASEC’s recommendation: Monitor abnormal process execution
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) recommends that organizations monitor abnormal process execution. This involves identifying and monitoring processes that are not normally found on a system and could be indicative of malware or other malicious activity. Regular monitoring can help detect attacks early, allowing for prompt mitigation measures to be taken.
The Importance of Attack Surface Management
Attack surface management is the practice of identifying and managing the attack surface of an organization’s IT infrastructure. This includes servers, network devices, and applications. By reducing the attack surface, organizations can lessen the risk of cyberattacks. Attack surface management should be an ongoing process to ensure that new vulnerabilities or misconfigurations are identified and addressed promptly.
Monitoring abnormal process execution relationships
One technique that organizations can use for attack surface management is monitoring abnormal process execution relationships. This involves identifying and monitoring relationships between processes that are not normally related. This technique can help detect malware or other malicious activity that may be using a legitimate process as a cover.
In conclusion, servers are critical components of any organization’s IT infrastructure. However, the vulnerability of servers to cyber attacks highlights the need for organizations to take preemptive measures to protect against threats such as the Lazarus group. Implementing attack surface management, monitoring abnormal process execution, and regularly patching and updating servers can all help to reduce the risk of an attack. By taking these measures, organizations can protect their critical data and ensure uninterrupted operations.