MSSPs, Beware: Threat Analysis Group Warns of North Korean Social Engineering

Google is warning entities with security research arms – which includes many managed security service providers – to be on guard.

The company’s Threat Analysis Group this week said hackers with backing from the North Korean government are using a “novel” social engineering method to infiltrate networks. The tactic appears to target Chrome and Windows 10. The campaign itself goes back several months.

“In order to build credibility and connect with security researchers, the actors established a research blog and multiple Twitter profiles to interact with potential targets,” wrote Adam Weidemann in a Jan 25 blog. “They’ve used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits and for amplifying and retweeting posts from other accounts that they control.”

Those materials looked convincing, according to the Threat Analysis Group.

“Their blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including ‘guest’ posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers,” Weidemann wrote.

Google’s Threat Analysis Group so far has been unable to verify the authenticity or working status of all the exploits that feature videos, he added. In at least one case, “the actors have faked the success of their claimed working exploit.”

That happened on Jan. 14, when the hackers said they had exploited a recently fixed Windows Defender vulnerability, CVE-2021-1647.

“In the video, they purported to show a successful working exploit that spawns a cmd.exe shell, but a careful review of the video shows the exploit is fake,” Weidemann said. “Multiple comments on YouTube identified that the video was faked and that there was not a working exploit demonstrated. After these comments were made, the actors used a second Twitter account (that they control) to retweet the original post and claim that it was ‘not a fake video.’”

How the Hacks Worked

Part of the reason this cyber criminality is unique is that the hackers have identified and pursued specific security researchers, in a new way, Google found. The bad actors would establish communication with an expert, then ask to collaborate. From there, the hackers provided a Visual Studio Project, the Threat Analysis Group said. That’s where big problems arose.

“Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events,” Wiedemann explained. “The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains.”

The Threat Analysis Group also has seen researchers get compromised after visiting the hackers’ blog.

“In each of these cases, the researchers have followed a link on Twitter to a write-up hosted on blog.br0vvnn[.]io, and shortly thereafter, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server,” Wiedemann wrote.

Troublingly, these systems were running fully patched and updated Windows 10 and Chrome browsers, he added. That makes confirming how the compromise happened difficult. To that end, Google is offering a reward under its Chrome Vulnerability Reward Program.

In the meantime, MSSPs with security research groups need to remain on guard. The North Korean actors have used multiple platforms to reach potential victims, Google said. Those outlets include Twitter, LinkedIn, Telegram, Discord, Keybase and email. If anyone in your company has touched these accounts or the hackers’ blog, the Threat Analysis Group recommends reviewing the indicators of compromise at the bottom of this page. So far, it appears that hackers have only breached Windows systems, Google said.

In terms of MSSPs (and other organizations) protecting themselves, Google offers a couple recommendations. First, compartmentalize research activities using separate physical or virtual machines for general web browsing. Do the same when interacting with others in the research community, as well as accepting files from third parties and your own security research.