If you thought 2020 was a big year for social engineering schemes— watch out! Twenty twenty one is coming in hot.
Less than four weeks into the new year, Google announced our nation’s most recent exploit: North Korean hackers targeting cybersecurity experts.
That’s right. Hackers going after cybersecurity experts.
Let’s review this early 2021 social engineering attack and discover how even the cybersecurity pros themselves contracted malware.
What Happened?
Google’s Threat Analysis Group, coined TAG for short, is the world’s largest search engine’s security team.
This Google team’s job is to track and stop advanced persistent threat (APT) groups. Like the industry leaders they are, when TAG caught wind of a major cyber threat, they were quick to announce it on their blog.
The post announced that bad actors from a North Korean hacking operation, named Lazarus Group, devised a sneaky social engineering exploit to target cybersecurity professionals engaging in vulnerability research.
Imitating fellow researchers who share similar interests, the hackers contacted real vulnerability researchers via fake social media profiles and email.
After a few initial touchpoints where the bad actors established some camaraderie, the hackers sent a phishing email asking if the researchers were interested in collaborating. These fake researchers then sent a link to a Visual Studio Project, which when opened, installed malware on the victims’ systems.
But this wasn’t Lazarus Group’s only attack path. In some cases, real researchers clicked on their fake Twitter, LinkedIn, etc. social media posts. These posts contained links to the bad actor’s blogs— and simply by visiting this infected page, the security researchers contracted malware (in a suspected drive-by download).
How the Hackers Got In
The elite social engineers behind this North Korean cyber attack were thorough. They went through extensive effort to build fake “research blogs” and create multiple dummy social media accounts where they frequently posted— all with the intent of fooling researchers into believing they were credible fellow researchers themselves.
They “used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits and for amplifying and retweeting posts from other accounts that they control,” Google explained. Their blogs even included “guest posts” from security experiments to further support their false notoriety. A true example of social engineering at its best.
Some of the hackers went as far as to share a fake YouTube video (one they themselves uploaded), claiming they found a way around a recently patched Windows Defender vulnerability: CVE-2021-1647. This was likely posted to establish themselves as researchers at the forefront of a new vulnerability, when in fact, none of it was real.
With all these clever efforts to gain the trust of their targets, some of the vulnerability researchers clicked infected links and downloaded the Visual Studio Project from emails or via social media.
“Within the Visual Studio Project would be source code for exploiting the vulnerability,” Google explained. This vulnerability is suspected to be “zero-day” vulnerability in Windows 10 or Chrome browsers— meaning, it was a vulnerability discovered by bad actors exclusively, still not widely known outside of the hacking community. In fact, Google is still trying to find this security vulnerability and is offering reward payout for help identifying it.
Regardless of what this zero-day vulnerability is, the gap in security allowed the bad actors to inject malware around fully patched, up-to-date digital defenses. A truly scary thought.
Google shared that the Visual Studio Build also contained an additional DLL which gave the bad actors their backdoor. A DLL, or Dynamic Link Library, is a custom malware that alerts a remote command and control server when a hacker is “in,” allowing them to infiltrate the system from the comfort of their own computer.
The Evolution of Social Engineering
Social engineering is evolving, becoming more and more complex with each passing year.
“This campaign was interesting because it preyed upon the desire of researchers to collaborate, including with people we do not know, to advance our work," Katie Nickels, director of intelligence for Red Canary and a target of the North Korean social engineering campaign, told TechRepublic. It played on basic human trust in their “community” and manipulated researcher’s greater sense of purpose in furthering developments in vulnerability studies.
Of course, the big “wow” of this attack was the intricacies the engineers went through to create believable social profiles and fake researcher websites and blogs.
It’s proof that even fully patched and up-to-date systems can be exploited by savvy hackers, who go to great lengths to reel in “big phish” with government connections. Such lengths, in fact, that they were willing to risk exposure of a little known zero-day vulnerability to compromise their targets.
Key Takeaways
There are some valuable lessons to be learned from this social engineering attack:
- If you don’t know who you’re talking to, don’t assume legitimacy.
These hackers created robust fake profiles and online presences to fool researchers. This stresses the importance of verifying beyond a quick Google search that someone is who they claim to be. - Really inspect social media profiles.
- Be wary of accepting friend or follow requests from strangers.
- Invest heavily in security awareness training.
Your employees and management alike need to know what to look out for when up against clever social engineering exploits. Empower them with knowledge of common hacking techniques and manipulation by requiring security training.
A Few Steps Towards Better Security
Hackers are getting craftier. That means you need to as well.
Improving your company’s cybersecurity starts with awareness of the threat landscape before you.
Download our 5-½ Step Guide to Avoiding Cyber Threats for some impactful ways to elevate your security posture, including some resources for staying up-to-date with the latest security updates and news.
