North Korean Group Targets Security Researchers - AgainGoogle: Attackers Leverage Social Media Accounts
A North Korean government-backed threat group that was detected targeting security researchers in January is once again staging a campaign against cybersecurity professionals using advanced social engineering techniques, Google reports.
See Also: The Anatomy of the Solarwinds Attack
Google attributed the latest campaign to an unnamed North Korean-linked group, which the company says was behind a similar campaign that targeted security researchers by posing as bug hunters in January. In that campaign, the attackers shared malicious Visual Basic software with a backdoor to exfiltrate data from their victims (see: Vulnerability Researchers Hit by North Korean Hackers).
In Wednesday’s update, Google notes the North Korean group revived the campaign yet again, this time targeting security researchers using a hoax website that is promoted by the attackers using fake LinkedIn accounts.
"In January, the Threat Analysis Group documented a hacking campaign, which we were able to attribute to a North Korean government-backed entity, targeting security researchers," Adam Weidemann, a researcher with Google's Threat Analysis Group, notes. "On March 17th, the same actors behind those attacks set up a new website with associated social media profiles for a fake company called 'SecuriElite.'"
The exact goal of the newer campaign is not clear, as these fake websites and social media profiles do not appear to have delivered any malicious content to the intended victims as of now, according to Google. In the previous campaign, the attackers did use zero-day exploits in Internet Explorer as one technique.
"Based on their activity, we continue to believe that these actors are dangerous, and likely have more 0-days," Google notes. A company spokesperson did not provide any additional details when contacted this week.
Google notes the latest campaign began in March with the attackers creating a website of the fake SecuriElite security firm as well as several LinkedIn profiles.
The new website claims the company is an offensive security company located in Turkey that offers penetration testing, software security assessments and exploits, the Google report notes. Unlike the previous campaign, however, which used a malicious website to deliver components when the victims visited the domain, the new website has not delivered any malicious content or payloads as of now.
"But we have added it to Google Safebrowsing as a precaution," Google adds.
As for the fake social media profiles, Google notes the attackers used the accounts to pose as security researchers interested in exploitation and offensive security. The hackers also posed as recruiters for antivirus and security companies.
"We have reported all identified social media profiles to the platforms to allow them to take appropriate action," the report adds.
In a tweet on Thursday, which has since been deleted, Sparsh Johari, an InfoSec professional, noted that the attackers contacted him through a LinkedIn profile and discussed certain vulnerabilities.
"His mutual connects were all from the organization I work with and he had connected with our security researchers ... I had already raised an alarm with my IT team," Johari tweeted along with a screenshot of their chat. "I smelled something fishy in the way he directed the discussion. He blew his bubble too soon and [then] I saw his mutual connects."
Google notes that one of the zero-day vulnerabilities previously exploited by the attackers is a critical memory corruption vulnerability in Internet Explorer tracked as CVE-2021-26411.
Microsoft, which patched this vulnerability in March, noted the attackers can exploit this vulnerability using specially crafted or compromised websites that contains malicious payload.
"However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email," Microsoft noted in an alert.
Google did not attribute the latest campaign to a specific group. But in January, Microsoft described a campaign involving North Korea's Zinc group, better known as the Lazarus Group or Hidden Cobra, which targeted security researchers using fake LinkedIn profiles by contacting them on the pretext of collaborating on vulnerability research (see: Microsoft Offers Details on Hack of Vulnerability Researchers).
The attackers shared malicious files with the victims to steal sensitive information via a backdoor, Microsoft said. This same advanced persistent threat group is believed to have been responsible for the WannaCry ransomware attacks in 2017, as well as a host of other attacks and malicious campaigns (see: US Offers $5 Million Reward for N. Korea Hacker Information).
Other campaigns have used similar tactics to target security researchers. For instance, in February, security firm Zscaler uncovered a Minebridge remote access Trojan, or RAT, campaign that targeted security researchers by disguising the malware as a Microsoft Word document (see: Updated Minebridge RAT Targets Security Researchers).
The report said the RAT was embedded in a macro-based Word document file. When a recipient clicked on the malicious link, Minebridge buried itself into the remote desktop software TeamViewer, which enabled the attackers to deploy more malware or spy on the victim's device.