Attacking the very people who work on stopping threat actors may seem like a bad idea. But some threat groups do go after people who’ve made a career doing vulnerability research. We’ll take a look at a recent social engineering attack campaign targeted at cyber defense experts. How can you and your employees avoid falling into this trap?
Look at the User
Most data breaches still involve the use of known vulnerabilities. In a 2019 study, for instance, 60% of breach victims say they suffered a security incident after someone had exploited a known vulnerability where the patch was not applied. An even greater percentage (62%) say they didn’t know they were at risk prior to the data breach.
Threat actors can exploit openings the ‘traditional’ way by probing software for bugs or purchasing access to flaws. Or, they can get a bit more creative, like targeting researchers.
Social Engineering a Security Researcher
At the end of January 2021, Google observed government-backed attackers targeting security professionals working on vulnerability research. The threat actors began their social engineering efforts by creating a blog and multiple Twitter profiles. From there, they shared fake vulnerability write-ups posted to their blog, along with ‘guest’ posts written by unwitting researchers. The attackers also used those social media profiles to post videos of their ‘exploits’. They would also retweet posts from other accounts under their control.
Google confirmed the threat actors also faked the success of at least one of their claimed working exploits. But that didn’t stop the attackers from attempting to build credibility with other experts. After starting a conversation, the threat actors asked the target if they wanted to work together on a research project. They then provided the researcher with a Virtual Studio project. This contained custom malware that began talking to the attackers’ command-and-control (C&C) domains.
In addition to the social engineering tactics described above, the state-sponsored attackers also targeted researchers with a Twitter link that led to a write-up posted on their blog. Clicking on the link caused the researchers’ system to install a malicious service. It also installed a back door that began sending out a beacon to the attackers’ command and control server.
At the time of its report, Google had not found how the attackers performed this latter compromise. Those who fell victim to that attack chain were running up-to-date Windows 10 computers and Chrome browsers, Google noted. As such, that doesn’t rule out the possibility of the attackers having used Chrome exploits and an Internet Explorer zero-day flaw to infect the researchers with the malware, as reported by ENKI and Microsoft.
Putting These Attacks Into Perspective
There were several other high-profile attacks on researchers recently. For instance, the operators of the Minebridge remote access Trojan updated their malware in an effort to target researchers in the infosec industry. The attackers embedded the malware in a macro-based Word document. The document masqueraded as the resume from a threat intelligence analyst looking for a job. Once it was opened, Minebridge buried itself in TeamViewer software, which the attackers then used to deploy more malware and/or conduct digital espionage against their victims.
All of this points to a simple reality: researchers are human, too. They can be taken in by the same types of social engineering tactics used by threat actors against other elements of a workforce. At the same time, they need the same types of training to protect the employees against this type of attack.
Social Engineering Prevention Tips
To prevent a social engineering attack such as the campaign described above, focus on security awareness training. They should begin by dividing their users into three categories: end users, management and technical users, with security professionals falling into the last category. Then, decide on a delivery method for the awareness training that works for them. Some might be inclined to work with an established provider, for instance. Others might decide to create their own content.
Regardless, make sure that the security awareness training program you choose focuses on people-centric risks. It’s not enough for them to focus on basic social engineering like phishing emails. (The campaign described above used fake social media profiles and a blog, after all.) It’s also not enough to deliver training once a year; digital threats evolve more quickly than that. Indeed, you need to train for more than just email. Their programs need to provide ample coverage for both the basics of phishing and refined attack techniques, and they need to do so on an ongoing basis.
Lastly, make sure the program you choose focuses on the fundamentals with all employees — including expert researchers. That includes helping employees to learn how they can stop oversharing on social media. It also includes helping them to explore the advantages of keeping one part of their digital lives apart from others. In response to the attack discussed above, for instance, consider working with your security experts to use one computer, network, etc. for their research and another set of tools for their personal lives such as connecting with people on social media.
This step could prevent data as valuable as vulnerability research from falling into the wrong hands due to social engineering like a malicious blog post or fake Twitter profile.