Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Google Warning: North Korean Gov Hackers Targeting Security Researchers

Google late Monday raised the alarm about a “government-backed entity based in North Korea” targeting — and hacking into — computer systems belonging to security researchers.

Google late Monday raised the alarm about a “government-backed entity based in North Korea” targeting — and hacking into — computer systems belonging to security researchers.

Google’s Threat Analysis Group (TAG), a team that monitors global APT activity, said the ongoing campaign is aimed at security researchers working on vulnerability research and development at different companies and organizations.

The campaign, which is well organized across multiple online platforms, included drive-by browser compromises from booby-trapped websites.

“In addition to targeting users via social engineering, we have also observed several cases where researchers have been compromised after visiting the actors’ blog. In each of these cases, the researchers have followed a link on Twitter to a write-up hosted on blog.br0vvnn[.]io, and shortly thereafter, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server,” Google’s Adam Weidemann explained.

“At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions,” Weidewmann said, suggesting the possible use of zero-day exploits.

He said Google was unable to confirm the mechanism of compromise and asked for the public to report Chrome vulnerabilities, including those being exploited in the wild (ITW), to its Chrome’s Vulnerability Reward Program. We encourage anyone who discovers a Chrome vulnerability to report that activity via the Chrome VRP submission process.

Google said the actors behind this campaign are linked to a government-backed entity based in North Korea, worked over time to build credibility and connect with security researchers.

The actors established a research blog and multiple Twitter profiles and used the Twitter accounts to post links to their blog, post videos of their claimed exploits and to amplify and retweet posts from other accounts that they control.

Advertisement. Scroll to continue reading.

Google found that the lure blog contained write-ups and analysis of vulnerabilities that have been publicly disclosed, including “guest” posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers.

“While we are unable to verify the authenticity or the working status of all of the exploits that they have posted videos of, in at least one case, the actors have faked the success of their claimed working exploit,” Weidermann said, providing screenshots and proof of the operation.

From the Google TAG blog:

The actors have been observed targeting specific security researchers by a novel social engineering method. After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project. Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains.  

Weidemann said the actors have used accounts on Twitter, LinkedIn, Telegram, Discord, Keybase and e-mail, mostly on users running Microsoft’s Windows operating system.

“If you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research,” Weidemann added.

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...