Cybersecurity professionals are being targeted by a social engineering campaign that uses dedicated research blogs and a network of Twitter profiles to interact with potential targets, luring them in to collaborating on malware-laced research projects, Google's Threat Analysis Group (TAG) warned late Monday, January 25.
Arguably more troublingly, some of the security researchers have been compromised via a simple visit to a purported security research blog -- despite running fully patched systems and browsers. "We are unable to confirm the mechanism of compromise" TAG admits, speculating that it may involve a zero day in Chrome.
Among those to have falled victim to the scam is Alejandro Caceres, owner of security and threat research firm Hyperion Gray, who was lured into opening a backdoored visual studio project. (Caceres only opened it in a VM, so no real harm was done, but frustrated at the way in which "someone vetted by a friend" could do this, he is offering a $20,000 reward to anyone who can identify the scammer).
"These actors have used multiple platforms to communicate with potential targets, including Twitter, LinkedIn, Telegram, Discord, Keybase and email", TAG warned Monday, saying those responsible set up fake research blogs, featuring analysis of real vulnerabilities and convincing social handles featuring links to security research and comments on security projects being conducted by the community.
(One of the threat actors even posted a video featuring a proof of concept exploit of CVE-2021-1647: the recently patched 0day in Windows Defender; the POC was later found to be fake).
Security researchers targeted; TAG cites "North Korea".
More troublingly, some have been compromised by a simple visit to one of the threat actor's blogs, with the precise mechanism/vector still unknown. As TAG notes: "In each of these cases, the researchers have followed a link on Twitter to a write-up hosted on blog.br0vvnn[.]io, and shortly thereafter, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server.
"At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions. At this time we’re unable to confirm the mechanism of compromise, but we welcome any information others might have. Chrome vulnerabilities, including those being exploited in the wild (ITW), are eligible for reward payout under Chrome's Vulnerability Reward Program. We encourage anyone who discovers a Chrome vulnerability to report that activity via the Chrome VRP submission process."
The campaign comes after several security providers were hit by threat actors within a few months: FireEye, Microsoft, Malwarebytes, Mimecast and SonicWall have all been compromised in some shape or form since December. Cybersecurity vendors and security researchers are being urged to stay particularly alert.
Sample hashes, C2 domains and more can be found at the Threat Analysis Group's blog. TAG's Adam Weidermann blamed the campaign (without providing further detail on attribution) on a "government-backed entity based in North Korea".