Google unveiled a new report from its Threat Analysis Group on Monday highlighting the work of a group of cyberattackers associated with the government of North Korea that sought to impersonate cybersecurity researchers in an effort to target those “working on vulnerability research and development at different companies and organizations.” Adam Weidemann, a member of the Threat Analysis Group, wrote that the attackers used a variety of fake blogs, Twitter accounts and LinkedIn profiles to make themselves look legitimate and communicate with researchers and analysts they were hoping to go after.
SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
ZDNet noted that the malware associated with the attack was tied to a notorious North Korean government-backed organization called the Lazarus Group.
“The actors have been observed targeting specific security researchers by a novel social engineering method. After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project,” Weidemann wrote.
“Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains.”
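One practical check a researcher can run before opening a shared project in Visual Studio is to list every build-event command in the .vcxproj, since that is the hook the report says was used to execute the bundled DLL. The script below is an added example, not part of the Google report or TechRepublic's article; the project fragment it parses is constructed for the demonstration, and the command patterns it flags are illustrative, not a complete list.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample .vcxproj (not a real file from the campaign) with one
# pre-build event that loads a DLL and one harmless post-build echo.
SAMPLE_VCXPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <ClCompile><Optimization>Disabled</Optimization></ClCompile>
    <PreBuildEvent>
      <Command>rundll32.exe $(ProjectDir)helper.dll,EntryPoint</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>echo Build finished</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""

NS = {"ms": "http://schemas.microsoft.com/developer/msbuild/2003"}
# MSBuild runs these three event types as shell commands during a build.
EVENT_TAGS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent")
# Illustrative patterns: commands that load or launch a binary deserve a look
# before the project is built on a machine that matters.
SUSPICIOUS = re.compile(r"(rundll32|regsvr32|powershell|cmd(\.exe)?\s*/c|\.dll\b)", re.I)


def list_build_events(vcxproj_text):
    """Return (event_type, command) for every non-empty build-event command."""
    root = ET.fromstring(vcxproj_text)
    found = []
    for tag in EVENT_TAGS:
        for event in root.iter(f"{{{NS['ms']}}}{tag}"):
            for cmd in event.findall("ms:Command", NS):
                if cmd.text and cmd.text.strip():
                    found.append((tag, cmd.text.strip()))
    return found


def flag_suspicious(vcxproj_text):
    """Return only the build events whose command matches a risky pattern."""
    return [(t, c) for t, c in list_build_events(vcxproj_text) if SUSPICIOUS.search(c)]


if __name__ == "__main__":
    for kind, command in list_build_events(SAMPLE_VCXPROJ):
        marker = "SUSPICIOUS" if SUSPICIOUS.search(command) else "ok"
        print(f"[{marker}] {kind}: {command}")
```

An empty result from `list_build_events` does not make a project safe (the solution file and any imported .props or .targets files can carry the same hooks), so the check belongs alongside, not instead of, opening the project in an isolated VM.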
Weidemann added that some security researchers were compromised simply by visiting one of the fake blogs built by those behind the campaign.
Some of the accounts shared a YouTube video claiming to show an exploit for CVE-2021-1647, a recently patched Windows Defender vulnerability. While many commenters noted that the video was fake, Twitter accounts connected to the campaign pushed back on those comments and tried to convince others it was real.
All of the Twitter and LinkedIn accounts named in the Google report have been taken down by both websites. But Weidemann noted that the attackers also used Telegram, Discord, Keybase, and email to contact their targets.
The blog includes a list of the accounts and blogs, and tells anyone who communicated with them to check their systems in case they were breached.
The report caused a bit of a stir within the cybersecurity community, as one would expect. Multiple cybersecurity experts took to Twitter to say they had either been contacted by or communicated with the accounts named in the report.
WARNING! I can confirm this is true and I got hit by @z0x55g who sent me a Windows kernel PoC trigger. The vulnerability was real and complex to trigger. Fortunately I only ran it in a VM... in the end the VMDK I was using was actually corrupted and non-bootable, so it self-imploded https://t.co/dvdCWsZyne
— Richard Johnson (@richinseattle) January 26, 2021
Chloé Messdaghi, chief strategist with Point3 Security, said she was contacted by four of these attackers and noted that experts with any amount of notoriety or government ties have to be careful at all times.
“They want people with government connections, and they work to climb that ladder of contacts to figure out who they can reach. We don’t know who they’re targeting or why, but for me it’s been an ongoing thing for a year, where people I know will get in touch and say ‘Hey I went to this site and your name is on there, but just letting you know that I think it might be malicious,’” Messdaghi said.
“As someone they’ve targeted, I’m glad Google is coming out with this alert. There are so many people throughout the world seeking private intel, and if you don’t know who you’re talking to, work on the assumption that the name and picture you’re being offered is likely not valid. The accounts of these four attackers are suspended, but really that means nothing. They’ll just make up another name and be back.”
She noted that many researchers have the urge to give back to the cybersecurity community but have to be wary about who they’re associated with.
Katie Nickels, director of intelligence for Red Canary, said that for anyone working in this field there is always a heightened threat of being targeted, not just by adversaries who might not like their research and analysis but also by adversaries intent on gaining advance knowledge of vulnerabilities, exploits, and other methods of attack.
“While we are knowledgeable about ways to protect ourselves, sometimes we forget that we are ripe targets and get complacent just like anyone else. This campaign was interesting because it preyed upon the desire of researchers to collaborate, including with people we do not know, to advance our work,” Nickels said.
“One concerning part of this attack is that the adversaries managed to draw researchers into seemingly legitimate websites and compromise their machines via drive-by downloads. Clicking unverified links on Twitter and elsewhere is commonplace for all but the most cautious individuals.”
SafeGuard Cyber CEO Jim Zuffoletti said attacks like this are on the rise because attackers are moving into channels of communication that “are invisible to security teams,” adding that the distributed nature of work since the onset of the COVID-19 pandemic made it imperative that security teams put better controls in place for social and chat apps.
Others said it was well known within the cybersecurity community that there were people eager to exploit the culture of sharing for nefarious reasons.
But Andrea Carcano, co-founder of Nozomi Networks, said what was new about the attack was the boldness of the attackers and their willingness to risk sophisticated zero-day exploits to target researchers.
Carcano explained that some of the attacks were fairly obvious and would have been caught, but the scariest one involved the researcher who was infected by simply visiting a web page with some technical documentation.
Carcano and Paul Bischoff, lead researcher with Comparitech, both suggested that researchers open shared projects in isolated environments or on devices other than their primary machine. Bischoff also said to beware of any Twitter accounts with lots of numbers in the handle and to use a script-blocking extension “to prevent any drive-by downloads that might occur as a result of visiting a malicious page.”
“You know you’ve made it when cybercriminals are trying to gain access to your social media accounts or research,” joked James McQuiggan, security awareness advocate at KnowBe4.
“People are sociable and for the most part like to meet other people. With social media, it’s easier with tweets, connections and chats. However, we take a risk when we accept that LinkedIn connection or that follow on Twitter that the person at the end of the request is who they say they are.”
McQuiggan said it was key to make sure to look through someone’s profile before accepting any friend or follow requests and to be wary of anyone who immediately sends you links to unknown websites.
Some cybersecurity experts, like Vdoo Vice President of Security Shachar Menashe, said they take extra precautions by using encrypted email services and other endpoint protections.
“It does bother me more than other attacks because if successful, these attacks could be used to attack others, which is an abuse of our hard work trying to secure these very same systems,” Menashe said.
Saryu Nayyar, CEO of Gurucul, said Google most likely “only scratched the surface of these campaigns” and predicted that there are many more similar accounts being used for similar activity.
“It is a reminder that security practitioners and researchers need to be on guard themselves,” Nayyar said. “Their knowledge and skill make them difficult targets, forcing malicious actors to put a lot of effort and resources to compromise them. But for a rival state actor, an expert in the field is worth the expense.”