
North Korean hackers attempt to hack security researchers investigating zero-day vulnerabilities

Graham CLULEY

January 27, 2021

  • Fully patched Windows 10 computers running the Chrome browser are being infected by visiting a bogus security researcher's website.
  • The hackers spend weeks or months gaining the trust of security researchers before tricking them into running malicious code.

Threat experts at Google say that they have identified an ongoing hacking campaign that has targeted computer security experts, specifically those researching the very type of software vulnerabilities exploited by cybercriminals.

Google’s Threat Analysis Group (TAG) says that the attackers are backed by the North Korean government, and are using advanced persistent threats (APTs) in an attempt to compromise the computers of their high value targets.

As Google describes, the attackers reach out to their intended victims via email or websites such as Twitter and LinkedIn, posing as fellow researchers.

Over time, in conversations which can last for weeks or months, the attackers attempt to establish their credibility and trustworthiness by posting videos of the exploits they claim to have discovered, or posting links to their research on their blogs or GitHub.

The “evidence” of their discoveries is further amplified by having other social media accounts under the hackers’ control reshare the links, in an attempt to increase their apparent authenticity.

Ingeniously, the attackers then ask the researcher they are targeting if they want to collaborate on vulnerability research together, and share a Visual Studio project with the source code to an exploit they are working on.

A careless researcher may not spot that the project also contains a malicious .DLL file that can install a backdoor onto their computer.
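The lure described above is a project tree that a researcher opens and builds. As an added example (not code from this article or from Google TAG), the check below lists the compiled binaries bundled inside a received Visual Studio project and any MSBuild build-event commands in its .vcxproj files, then flags commands that mention one of those binaries. Build events are ordinary MSBuild behaviour, not something the article describes; the sample project, `Browse.vcxproj` and `Browse.dll` are constructed for the demonstration.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

NS = "{http://schemas.microsoft.com/developer/msbuild/2003}"
BINARY_SUFFIXES = {".dll", ".exe", ".scr", ".ocx", ".sys"}
# MSBuild elements whose <Command> text is run by a build, before any code review.
EVENT_TAGS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent")


def bundled_binaries(project_dir):
    """Relative paths of compiled binaries found anywhere under project_dir."""
    root = Path(project_dir)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() in BINARY_SUFFIXES)


def build_event_commands(vcxproj_path):
    """(event name, command) pairs that MSBuild would execute during a build."""
    found = []
    for tag in EVENT_TAGS:
        for event in ET.parse(vcxproj_path).getroot().iter(NS + tag):
            cmd = event.find(NS + "Command")
            if cmd is not None and cmd.text and cmd.text.strip():
                found.append((tag, cmd.text.strip()))
    return found


def review_project(project_dir):
    """Summarise what the project would load or run; flag commands naming a bundled binary."""
    binaries = bundled_binaries(project_dir)
    events = [e for proj in Path(project_dir).rglob("*.vcxproj")
              for e in build_event_commands(proj)]
    names = [Path(b).name.lower() for b in binaries]
    suspicious = [(t, c) for t, c in events if any(n in c.lower() for n in names)]
    return {"binaries": binaries, "build_events": events, "suspicious": suspicious}


def make_sample_project():
    """Constructed sample (hypothetical names): a tiny project shaped like the lure."""
    root = Path(tempfile.mkdtemp())
    (root / "Browse.vcxproj").write_text(f"""<?xml version="1.0"?>
<Project xmlns="{NS[1:-1]}">
  <ItemGroup><ClCompile Include="main.cpp" /></ItemGroup>
  <ItemDefinitionGroup>
    <PreBuildEvent><Command>copy "$(ProjectDir)Browse.dll" "$(OutDir)"</Command></PreBuildEvent>
  </ItemDefinitionGroup>
</Project>""")
    (root / "main.cpp").write_text("int main() { return 0; }\n")
    (root / "Browse.dll").write_bytes(b"MZ constructed placeholder, not a real DLL")
    return root
```

Run `review_project()` on the directory before opening the solution in Visual Studio, since a build event executes as soon as the project is built.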

In addition, in some attacks researchers have been compromised after visiting the fake researcher’s blog. As Google explains, visiting the website hosting the blog – even on a fully-patched up-to-date version of the Chrome browser running on a fully-patched version of Windows 10 – can result in computers becoming infected by malware.

Google admits that it is not clear at the moment how the infection is taking place, but it is asking anyone who is able to identify such a previously unknown vulnerability in Chrome to make contact as they would be eligible for a reward under its bug bounty program.

According to The Register, one researcher targeted by the North Korean hackers was zero-day vulnerability hunter Alejandro Caceres, the co-founder of US-based security research outfit Hyperion Gray.

Caceres said that he had been contacted by a bogus researcher calling himself James Willy, and he has offered a reward to anyone who can provide the hacker’s true identity and address.

Google’s Threat Analysis Group says that it is sharing details of the hacking campaign in the hope that it will act as a warning to all security researchers to be on their guard:

“We hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with.”

The Twitter and LinkedIn profiles used by the attackers have since been suspended, although, of course, there is nothing to stop the hackers from creating other accounts in an attempt to ensnare more unsuspecting security researchers.
