Attacking the very people who work on stopping threat actors may seem like a bad idea. But some threat groups do go after people who’ve made a career doing vulnerability research. We’ll take a look at a recent social engineering attack campaign targeted at cyber defense experts. How can you and your employees avoid falling into this trap?

Look at the User

Most data breaches still involve the use of known vulnerabilities. In a 2019 study, for instance, 60% of breach victims say they suffered a security incident after someone had exploited a known vulnerability where the patch was not applied. An even greater percentage (62%) say they didn’t know they were at risk prior to the data breach.

Threat actors can exploit openings the ‘traditional’ way by probing software for bugs or purchasing access to flaws. Or, they can get a bit more creative, like targeting researchers.

Social Engineering a Security Researcher

At the end of January 2021, Google observed government-backed attackers targeting security professionals working on vulnerability research. The threat actors began their social engineering efforts by creating a blog and multiple Twitter profiles. From there, they shared fake vulnerability write-ups posted to their blog, along with ‘guest’ posts written by unwitting researchers. The attackers also used those social media profiles to post videos of their ‘exploits’. They would also retweet posts from other accounts under their control.

Google confirmed the threat actors also faked the success of at least one of their claimed working exploits. But that didn’t stop the attackers from attempting to build credibility with other experts. After starting a conversation, the threat actors asked the target if they wanted to work together on a research project. They then provided the researcher with a Visual Studio project. This contained custom malware that began talking to the attackers’ command-and-control (C&C) domains.

In addition to the social engineering tactics described above, the state-sponsored attackers also targeted researchers with a Twitter link that led to a write-up posted on their blog. Clicking on the link caused the researchers’ systems to install a malicious service. It also installed a back door that began sending a beacon to the attackers’ command-and-control server.

At the time of its report, Google had not determined how the attackers performed this latter compromise. Those who fell victim to that attack chain were running fully patched Windows 10 computers and up-to-date Chrome browsers, Google noted. That does not rule out the possibility that the attackers used Chrome exploits and an Internet Explorer zero-day flaw to infect the researchers with the malware, as reported by ENKI and Microsoft.

Putting These Attacks Into Perspective

There were several other high-profile attacks on researchers recently. For instance, the operators of the Minebridge remote access Trojan updated their malware in an effort to target researchers in the infosec industry. The attackers embedded the malware in a macro-based Word document. The document masqueraded as the resume from a threat intelligence analyst looking for a job. Once it was opened, Minebridge buried itself in TeamViewer software, which the attackers then used to deploy more malware and/or conduct digital espionage against their victims.

All of this points to a simple reality: researchers are human, too. They can be taken in by the same types of social engineering tactics that threat actors use against other parts of a workforce. At the same time, they need the same kind of training that protects other employees against this type of attack.

Social Engineering Prevention Tips

To prevent a social engineering attack such as the campaign described above, focus on security awareness training. Organizations should begin by dividing their users into three categories: end users, management and technical users, with security professionals falling into the last category. Then, they should decide on a delivery method for the awareness training that works for them. Some might be inclined to work with an established provider, for instance. Others might decide to create their own content.

Regardless, make sure that the security awareness training program you choose focuses on people-centric risks. It’s not enough to cover basic social engineering like phishing emails. (The campaign described above used fake social media profiles and a blog, after all.) It’s also not enough to deliver training once a year; digital threats evolve more quickly than that. In short, you need to train for more than just email. Your program needs to provide ample coverage of both the basics of phishing and more refined attack techniques, and it needs to do so on an ongoing basis.

Lastly, make sure the program you choose focuses on the fundamentals with all employees, including expert researchers. That includes helping employees learn how to stop oversharing on social media. It also includes helping them explore the advantages of keeping one part of their digital lives separate from the others. In response to the attack discussed above, for instance, consider working with your security experts to use one computer, network, etc. for their research and a separate set of tools for their personal lives, such as connecting with people on social media.

This step could prevent data as valuable as vulnerability research from falling into the wrong hands due to social engineering like a malicious blog post or fake Twitter profile.
