https://www.channelfutures.com/wp-content/themes/channelfutures_child/assets/images/logo/footer-new-logo.png
  • Home
  • Technologies
    • Back
    • SDN/SD-WAN
    • Cloud
    • RMM/PSA
    • Security
    • Telephony/UC/Collaboration
    • Cable
    • Mobility & Wireless
    • Fiber/Ethernet
    • Data Centers
    • Backup & Disaster Recovery
    • IoT
    • Desktop
    • Artificial Intelligence
    • Analytics
  • Strategy
    • Back
    • Mergers and Acquisitions
    • Channel Research
    • Business Models
    • Distribution
    • Technology Solutions Brokerages
    • Sales & Marketing
    • Best Practices
    • Vertical Markets
    • Regulation & Compliance
  • MSP 501
    • Back
    • MSP 501 Rankings
    • NextGen 101 Rankings
  • Intelligence
    • Back
    • Galleries
    • Podcasts
    • From the Industry
    • Reports/Digital Issues
    • Webinars
    • White Papers
  • Channel Futures TV
  • EMEA
  • Channel Chatter
    • Back
    • People on the Move
    • New/Changing Channel Programs
    • New Products & Services
    • Industry Honors
  • Resources
    • Back
    • Channel Futures 20: Top Tech Providers
    • Advisory Boards
    • Industry Organizations
    • Our Sponsors
    • Advertise
    • 2023 Editorial Calendar
  • Awards
    • Back
    • 2022 MSP 501
    • Channel Influencers
    • Circle of Excellence
    • DE&I 101
    • Technology Advisor 101 (TA 101)
    • Channel Leaders Lists
  • Events
    • Back
    • 2023 Call for Speakers
    • CP Conference & Expo
    • MSP Summit
    • Channel Partners Europe
    • Channel Partners Event Coverage
    • Webinars
    • Industry Events
  • About Us
  • DE&I
Channel Futures
  • NEWSLETTER
  • Home
  • Technologies
    • Back
    • SDN/SD-WAN
    • Cloud
    • RMM/PSA
    • Security
    • Telephony/UC/Collaboration
    • Cable
    • Mobility & Wireless
    • Fiber/Ethernet
    • Data Centers
    • Backup & Disaster Recovery
    • IoT
    • Desktop
    • Artificial Intelligence
    • Analytics
  • Strategy
    • Back
    • Mergers and Acquisitions
    • Channel Research
    • Business Models
    • Distribution
    • Technology Solutions Brokerages
    • Sales & Marketing
    • Best Practices
    • Vertical Markets
    • Regulation & Compliance
  • MSP 501
    • Back
    • MSP 501 Rankings
    • NextGen 101 Rankings
  • Intelligence
    • Back
    • Galleries
    • Podcasts
    • From the Industry
    • Reports/Digital Issues
    • Webinars
    • White Papers
  • Channel Futures TV
  • EMEA
  • Channel Chatter
    • Back
    • People on the Move
    • New/Changing Channel Programs
    • New Products & Services
    • Industry Honors
  • Resources
    • Back
    • Channel Futures 20: Top Tech Providers
    • Advisory Boards
    • Industry Organizations
    • Our Sponsors
    • Advertise
    • 2023 Editorial Calendar
  • Awards
    • Back
    • 2022 MSP 501
    • Channel Influencers
    • Circle of Excellence
    • DE&I 101
    • Technology Advisor 101 (TA 101)
    • Channel Leaders Lists
  • Events
    • Back
    • 2023 Call for Speakers
    • CP Conference & Expo
    • MSP Summit
    • Channel Partners Europe
    • Channel Partners Event Coverage
    • Webinars
    • Industry Events
  • About Us
  • DE&I
    • Newsletter
  • REGISTER
  • MSPs
  • VARs / SIs
  • Agents
  • Cloud Service Providers
  • Channel Partners Events
 Channel Futures

MSSP Insider


Shutterstock

Social Engineering

MSSPs, Beware: Threat Analysis Group Warns of North Korean Social Engineering

  • Written by Kelly Teal
  • January 27, 2021
Google’s security researchers say hackers have come up with a “novel” technique for targeting victims.

Google is warning entities with security research arms – which includes many managed security service providers – to be on guard.

The company’s Threat Analysis Group this week said hackers with backing from the North Korean government are using a “novel” social engineering method to infiltrate networks. The tactic appears to target Chrome and Windows 10. The campaign itself goes back several months.

“In order to build credibility and connect with security researchers, the actors established a research blog and multiple Twitter profiles to interact with potential targets,” wrote Adam Weidemann in a Jan 25 blog. “They’ve used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits and for amplifying and retweeting posts from other accounts that they control.”

Those materials looked convincing, according to the Threat Analysis Group.

“Their blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including ‘guest’ posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers,” Weidemann wrote.

Google’s Threat Analysis Group so far has been unable to verify the authenticity or working status of all the exploits that feature videos, he added. In at least one case, “the actors have faked the success of their claimed working exploit.”

That happened on Jan. 14, when the hackers said they had exploited a recently fixed Windows Defender vulnerability, CVE-2021-1647.

“In the video, they purported to show a successful working exploit that spawns a cmd.exe shell, but a careful review of the video shows the exploit is fake,” Weidemann said. “Multiple comments on YouTube identified that the video was faked and that there was not a working exploit demonstrated. After these comments were made, the actors used a second Twitter account (that they control) to retweet the original post and claim that it was ‘not a fake video.’”

How the Hacks Worked

Part of the reason this cyber criminality is unique is that the hackers have identified and pursued specific security researchers, in a new way, Google found. The bad actors would establish communication with an expert, then ask to collaborate. From there, the hackers provided a Visual Studio Project, the Threat Analysis Group said. That’s where big problems arose.

“Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events,” Wiedemann explained. “The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains.”

The Threat Analysis Group also has seen researchers get compromised after visiting the hackers’ blog.

“In each of these cases, the researchers have followed a link on Twitter to a write-up hosted on blog.br0vvnn[.]io, and shortly thereafter, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server,” Wiedemann wrote.

Troublingly, these systems were running fully patched and updated Windows 10 and Chrome browsers, he added. That makes confirming how the compromise happened difficult. To that end, Google is offering a reward under its Chrome Vulnerability Reward Program.

In the meantime, MSSPs with security research groups need to remain on guard. The North Korean actors have used multiple platforms to reach potential victims, Google said. Those outlets include Twitter, LinkedIn, Telegram, Discord, Keybase and email. If anyone in your company has touched these accounts or the hackers’ blog, the Threat Analysis Group recommends reviewing the indicators of compromise at the bottom of this page. So far, it appears that hackers have only breached Windows systems, Google said.

In terms of MSSPs (and other organizations) protecting themselves, Google offers a couple recommendations. First, compartmentalize research activities using separate physical or virtual machines for general web browsing. Do the same when interacting with others in the research community, as well as accepting files from third parties and your own security research.

Tags: MSPs MSSP Insider Business of Security Endpoint Security

Most Recent


  • Making Waves
    7 Channel People Making Waves This Week at TD Synnex, Veeam, Kaseya, Zendesk, More
    Microsoft has discovered malicious activity by a state-sponsored threat actor based in China.
  • Businessman reading cloud computing news
    Cloud Computing News: VMware, Celigo, Google Cloud, AWS Dominate the Week
    Find out what the vendors are up to this week and how partners are impacted.
  • OffSec Partners Get Expanded Global Partner Program
    The expanded partner program includes three new partner types.
  • zero day vulnerability
    Barracuda Networks Identifies Long-Exploited Zero-Day Vulnerability
    The earliest identified evidence of exploitation dates back to October 2022.

Leave a comment Cancel reply

-or-

Log in with your Channel Futures account

Alternatively, post a comment by completing the form below:

Your email address will not be published. Required fields are marked *

Related Content

  • Security Vulnerability
    Older Fortinet Vulnerabilities Lead to Attack on Local Government Office
  • Threats
    Cybersecurity and Threat Protection: MSSPs, Get Your Advice Here
  • DevSecOps
    ServiceNow, Microsoft Set to Deliver Broad SecOps Integration
  • Dunce Cap Businessman
    Tired of MSSPs ‘Failing,’ Nuspire Debuts Platform to Combat Cyberattacks

Upcoming Events

View all

Channel Partners Europe

June 13, 2023 - June 14, 2023

Channel Futures Leadership Summit

October 30, 2023 - November 2, 2023

Channel Partners Conference & Expo

March 11, 2024 - March 14, 2024

Galleries

View all

7 Channel People Making Waves This Week at TD Synnex, Veeam, Kaseya, Zendesk, More

June 2, 2023

Cloud Computing News: VMware, Celigo, Google Cloud, AWS Dominate the Week

June 2, 2023

Channel People on the Move: HPE, Lumen, Sophos, TD Synnex, AireSpring, More

June 1, 2023

Industry Perspectives

View all

Dell Technologies World: Dell Apex Expanded Across On-Premises, Cloud and Edge

May 22, 2023

Identity Is Increasingly Valuable – and Targeted

May 18, 2023

Gaining a Competitive Advantage through AV Managed Services

May 10, 2023

Webinars

View all

From Problem to Profit: Mastering the Science of Selling Using Business Outcomes

May 9, 2023

Meet the 2023 Channel Futures Channel Influencers

April 13, 2023

DE&I Dialogue: How the Right DE&I Initiatives Can Propel Your Business

April 5, 2023

White Papers

View all

6 UCaaS Reseller Challenges and How Real World Businesses Solved Them

February 1, 2023

Frost Radar: North American UCaaS Market, 2022

February 1, 2023

The Complete Guide to White-Label UCaaS for Reseller Success

February 1, 2023

Channel Futures TV

View all

Coffee with Craig and James Episode No. 123: MartinWolf M&A Advisors, CP Expo Preview

UScellular Takes On Rivals with Partner Program Simplicity

April 21, 2023

OpenText Simplifying Deal Registration, Doubling Down on MDF

April 21, 2023

Everything-as-a-Service: CloudBlue Touts Critical Customer Transition

April 18, 2023

Twitter

MSP 501

The industry's largest and most comprehensive partner awards program.

Newsletters and Updates

Sign up for The Channel Report, Channel Futures Update, MSP 501 Newsletter and more.

Live Channel Events

Get the latest information on the next industry-leading Channel Partners event.

Galleries

Educational slide shows and images from live events.

Media Kit And Advertising

Want to reach our audience? Access our media kit.

DISCOVER MORE FROM INFORMA TECH

  • Channel Partners Events
  • Telecoms.com
  • MSP 501
  • Black Hat
  • IoT World Today
  • Omdia

WORKING WITH US

  • Contact
  • About Us
  • Advertise
  • Newsletter

FOLLOW Channel Futures ON SOCIAL

  • Privacy
  • CCPA: “Do Not Sell My Data”
  • Cookie Policy
  • Terms
Copyright © 2023 Informa PLC. Informa PLC is registered in England and Wales with company number 8860726 whose registered and Head office is 5 Howick Place, London, SW1P 1WG.
This website uses cookies, including third party ones, to allow for analysis of how people use our website in order to improve your experience and our services. By continuing to use our website, you agree to the use of such cookies. Click here for more information on our Cookie Policy and Privacy Policy.
X