Google’s Threat Analysis Group (TAG) has recently published a report detailing how a campaign backed by the government of North Korea is targeting cybersecurity researchers. This campaign focuses explicitly on security researchers involved in vulnerability and exploit development. The actors behind this campaign have employed multiple ways of targeting the security community. This report is a good reminder for the security community that it, too, can be the target of state-sponsored campaigns.
Laying the Groundwork
The attackers have set up a research blog to build their credibility and connect with security researchers. TAG has identified at least 10 Twitter accounts used for interacting with prospective targets. From these Twitter accounts, they share links to their blog and proof-of-concept videos of exploits, and they retweet that content through the rest of the accounts to maximize their reach. They also interact with security researchers and contact them through Twitter’s direct message feature.
Their blog features various write-ups for publicly disclosed vulnerabilities. It also includes multiple guest posts written by legitimate security researchers, which looks like an attempt to build credibility among the researcher community. TAG could not verify the authenticity of all of their exploits, but it found at least one instance where the attackers faked a successful exploit.
LIFARS is an industry leader that develops proactive strategies and tactics against evolving cybersecurity threats. Our services such as comprehensive gap assessment, red-teaming, penetration testing, threat hunting and vulnerability assessment reveal a company’s vulnerabilities. Our vCISOs will ensure your optimal cybersecurity strategy and adequate posture.
Fake Claim(s) Of Successful Exploits
As recently as January 14, 2021, they shared a YouTube video through one of their Twitter handles claiming to exploit CVE-2021-1647, a vulnerability in Windows Defender. The video shows their claimed-to-be successful exploit leading to a cmd.exe shell. Various comments on the video stated that the exploit was fake and did not work. However, they replied to the same tweet from another Twitter account under their control, claiming that the video was not fake. TAG has confirmed that the exploit shown is indeed fake.
Target: Security Researchers
According to TAG’s report, the North Korea-backed attackers are using a novel social engineering method. After selecting a potential target, they establish initial communication through one of their Twitter handles and ask the target whether they would like to collaborate on a vulnerability research project. They then provide a Visual Studio project file that contains the source code for exploiting the vulnerability. A Visual Studio Build Event in that project executes an additional malicious DLL, which begins communicating with the attacker’s command & control server.
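A defender-side check for the lure described above, added here as an illustration and not code from the TAG report or from LIFARS: it parses an MSBuild project file (.vcxproj or .csproj) and lists every build event or Exec task, flagging commands that launch a DLL or a known script host. The sample project, its helper.dll path and the list of flagged commands are constructed assumptions, not indicators from the report.

```python
"""List and flag MSBuild build events before opening or building a shared project."""
import re
import xml.etree.ElementTree as ET

# Elements whose text (or Command attribute) MSBuild hands to the shell at build time.
EVENT_TAGS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "Command", "Exec"}

# Assumed heuristic: script hosts and DLL loaders that have no place in a plain PoC build.
SUSPICIOUS = re.compile(
    r"\b(rundll32|regsvr32|powershell|certutil|mshta|wscript|cscript)\b|\.dll\b",
    re.IGNORECASE,
)


def find_build_events(project_xml: str) -> list[tuple[str, str]]:
    """Return (tag, command) pairs for every non-empty build event or Exec task."""
    root = ET.fromstring(project_xml)
    events = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop the MSBuild XML namespace
        if tag not in EVENT_TAGS:
            continue
        # Exec tasks carry the command in an attribute; build events carry it as text.
        cmd = (elem.get("Command") or elem.text or "").strip()
        if cmd:
            events.append((tag, cmd))
    return events


def flag_project(project_xml: str) -> list[str]:
    """Return the build commands that match the suspicious-pattern heuristic."""
    return [cmd for _, cmd in find_build_events(project_xml) if SUSPICIOUS.search(cmd)]


# Constructed sample modelled on the lure: a PoC project whose pre-build step loads a DLL.
SAMPLE_VCXPROJ = """<Project ToolsVersion="15.0"
         xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup><ProjectName>PoC</ProjectName></PropertyGroup>
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>rundll32.exe $(SolutionDir)helper.dll,Start</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>echo build finished</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
</Project>"""

if __name__ == "__main__":
    for cmd in flag_project(SAMPLE_VCXPROJ):
        print("suspicious build event:", cmd)
```

Run it against any project received from an unverified collaborator before building; a clean project normally has no build events at all, so every listed command deserves a manual look.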
TAG has also mentioned that it has come across multiple incidents where security researchers were compromised after visiting the blog. In all of those cases, the victims clicked on a Twitter link that redirected them to an article posted on the blog. Immediately afterwards, a malicious service was installed on the victim’s system, and an in-memory backdoor started communicating with the attacker’s command & control server. The compromised systems were running an up-to-date version of the Chrome browser and Windows 10. Google’s team has yet to confirm exactly what is happening, but it has said that any information regarding this is welcome. This vulnerability is also eligible for Chrome’s Vulnerability Reward Program.
TAG has also noted that the attackers are using platforms other than Twitter to establish initial contact, including Telegram, LinkedIn, Keybase, Discord, and email. TAG has prepared a list of indicators, including the blog, Twitter accounts, LinkedIn accounts, Keybase and Telegram accounts, command & control domains, sample hashes, and other indicators of compromise. Since the report was first published less than four days ago, multiple security researchers have shared that they were targeted. At this point, it is highly recommended that researchers separate their research activities from their general/personal browsing. Given that researchers were targeted via this campaign, security researchers must exercise due care and caution when accepting files from third parties.