beebright - Fotolia
How a social engineering campaign fooled infosec researchers
Impersonation tactics in social engineering attacks have become so elaborate that even highly aware members of the infosec community can fall victim to them.
Social engineering exploits the aspect of security that can't be protected by standard methods: human nature. And some attacks are so well-crafted that they even fool security researchers.
In a blog post last week, Google's Threat Analysis Group detailed a nation-state sponsored social engineering campaign that targeted the infosec community. The campaign, which Google attributed to a government-backed entity based in North Korea, took several months to establish personal connections with its victims by posing as infosec professionals working for a fictitious company known on Twitter as @BrownSec3Labs.
According to the blog, the threat actors targeted security researchers with "a novel social engineering method." This was achieved by publishing a fake research blog, building a presence on Twitter and creating legitimate-looking profiles on social media and communications platforms to connect with security researchers, working on vulnerability research and development at different companies and organizations.
"After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project. Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Bild Events. The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains," the blog said.
Additionally, the attack compromised researchers who visited the actors' blog.
"In each of these cases, the researchers have followed a link on Twitter to a write-up hosted on blog.br0vvnn[.]io, and shortly thereafter, a malicious service was installed on the researcher's system and an in-memory backdoor would begin beaconing to an actor-owned command and control server. At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions," the blog said. "Their blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including "guest" posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers."
According to the blog, this is an "ongoing campaign." One target, Richard Johnson, a computer security specialist at Fuzzing IO with a focus on software vulnerability analysis, confirmed the validity of the attack.
"WARNING! I can confirm this is true and I got hit by @z0x55g who sent me a Windows kernel PoC trigger. The vulnerability was real and complex to trigger. Fortunately I only ran it in VM.. in the end the VMDK I was using was actually corrupted and non-bootable, so it self-imploded," he wrote on Twitter.
WARNING! I can confirm this is true and I got hit by @z0x55g who sent me a Windows kernel PoC trigger. The vulnerability was real and complex to trigger. Fortunately I only ran it in VM.. in the end the VMDK I was using was actually corrupted and non-bootable, so it self-imploded https://t.co/dvdCWsZyne— Richard Johnson (@richinseattle) January 26, 2021
Johnson provided a positive update the following day.
"I've recovered and decrypted registry keys holding config and neutered the service, I'm RE'ing the driver. I have confirmed with colleagues that only visiting the blog was enough to get
popped via Chrome/Brave. I've confirmed my machine connected to their C&C many times," he wrote on Twitter.
How did state-sponsored threat actors manage to fool some of the most prepared and least trusting individuals on the planet?
Persistence is key
What made this campaign successful, according to SocialProof Security CEO Rachel Tobac, is that the social engineering and rapport building began very early, much earlier than observed in many other campaigns.
"A lot of times you're going to see attackers go straight to the lure, straight to the malware in your typical phishing attack. That's not what happened here. In mid-year 2020, the attackers started building rapport, building reputation with their targets, the security community in general and getting that trust built was something you can see was very important to them."
Tobac told SearchSecurity these nation-state actors used what the social engineering field refers to as the principles of persuasion.
"The first one we saw them leverage would be authority. They built authority on the topic to be able to direct people to their malicious blog. They started with real, authentic content then moved to attack. Secondly, we saw them use reciprocity, which is where they discuss personal details about themselves to elicit personal details about their target," she said. "Then we saw social proof in action where they namedropped the right people on blogs, and they weaponized their blog, which they probably did the entire time. The security community trusted it because it seemed like real content and they weren't going to look to see if they were compromised."
The fourth tactic Tobac observed was commitment and consistency. "This is all about asking seemingly innocuous questions to really build up rapport so by the time they get to the creepy questions it already feels like well, 'I've already been talking to this person for a long time.'"
One example Tobac provided is asking a researcher if they are using Chrome.
"If that person says 'yes', then of course that lure and malware they're going to use is a Chrome zero-day against that target. So, they customize their approach based on the operating system that the researcher is looking into, the field of research to make sure the malware will work on their machine. It's extremely smart."
In general, state-sponsored attacks are generally more intense. One thing makes their attack methodology unique: persistence.
"They really ingratiated themselves and built trust with the security community and researcher community. They had a following of 2,000 across accounts on Twitter. They would signal boost their own work between Twitter accounts. These tweets generated hundreds of likes and retweets before the attackers even went in to direct messaging people. They have a reputation of talking about research and putting out good research."
Reed Loden, HackerOne chief open source security evangelist, told SearchSecurity that the bug bounty platform has never seen security researchers specifically targeted by state actors before to this level of detail and persistence. However, he said, it is not surprising.
"Many security personnel have privileged access due to the need to investigate possible security issues at all levels, so they are in fact excellent targets for state actors," he said in an email to SearchSecurity.
Additionally, social media provides a wealth of information that makes it easier for threat actors to pull off social engineering attacks.
"They are far more successful when they align with a target's interest, and all this information can be found from Twitter or Instagram. Another attack vector comes from what employees inadvertently leak, e.g., a picture of them at work on LinkedIn can give a cybercriminal a perfect guide to what a uniform and badge need to look like," Loden said.
According to Tobac, anyone with the right pretext, the right timing and the right lure can get compromised. "We don't make fun of people for getting social engineered because it appeals to who we are centrally as humans. We just say that's how it goes. Human hackers [are] going to human hack."
This most recent campaign drew extra interest because it is a good example of threat actors taking their time, familiarizing themselves with their targets and patiently developing connections with them, Tobac said.
"Rather than building persistence on a network and waiting quietly on the network, we're really seeing persistence on the social engineering side, rather than the technical side."
Protecting against the human hack
In many cases, security awareness training prepares people for what to expect from a social engineering attack. That may work for traditional phishing emails and lesser impersonation tactics, but when it comes to skilled nation-state actors, it is not enough.
Tim Sadler, co-founder of email security company Tessian, told SearchSecurity that traditional security awareness training is not sufficient.
"In this attack, the cybercriminals used sophisticated impersonation tactics to build trust over time and trick the researchers into unwittingly installing malicious code," he said in an email to SearchSecurity. "Traditional security awareness training wouldn't solve for this. Why? Because many of the telltale signs of a scam, that people are taught to look out for during tick-box training sessions, just weren't present. The other problem is that one-off training doesn't account for the fact that hackers play the long game, using multiple touchpoints to target their victims. How can businesses expect their employees to remember training that was delivered over six months ago, for example?"
According to Sadler, the training needs to evolve to keep up with the evolving threat landscape.
"It should be delivered automatically and continuously, making employees aware of potential threats in-the-moment and advising them on what action to take. Security awareness training should use real-world threats that employees face to provide context. Many of today's security awareness training platforms rely on simulating phishing threats and use predefined templates of common threats. While this is a fair approach for generic phishing awareness, it's ineffective at preparing employees for the highly targeted phishing threats and impersonation scams they are likely to see today."
Tobac agreed that the solution is not more security awareness training, but more examples of how nation-state actors use social engineering. "I would say all security researchers are so aware of the way that social engineering works."
Like Johnson at Fuzzing IO, security researchers can protect themselves by using virtual machines that are isolated from other systems to access resources or open files from untrusted parties. There are other technical tools, including password managers and multifactor authentication, as well as basic best practices such as not reusing credentials on accounts and machines.
"We know one researcher who was compromised mentioned they think the fact that they used similar or identical credentials from one machine on their network to the next, led to that pivoting within the network to another machine. Those are technical solutions you can use, but when you have a nation-state actor, they are going to attempt to persist through whatever technical tools you have," Tobac said.
But none of the technical defenses prevent individuals from falling victim to the con in the first place, which is why social engineering attacks are such a challenge. Being vigilant, especially on machines or user accounts with elevated permissions, is important for all individuals, regardless of their profession, Loden said.
"Even if you're running a fully patched system and browser, zero-day exploits can be used against you. It's best to keep an open eye for paranoia, and perhaps use an unprivileged virtual machine (or a Chromebook or the like) without special access for any type of leisurely surfing, separate from any work systems that might allow a dedicated malicious actor access to a company's internal resources."
Additionally, Loden recommended proactive employee training and routine testing.
"It's on IT and security teams to enable and empower users to both understand how to keep themselves secure and to build a better, more direct and desirable path for them. If an employee gets social engineered, don't blame them. Look in the mirror and understand what caused the employee to cut a corner and how you can encourage them. In practice, this means providing easily usable technical solutions to those researchers to ensure they can better protect themselves from successful social engineering campaigns by segmenting any security research work from day-to-day activities."
Tobac said this attack was a wake-up call for many people. "Ultimately, we're going to see impacts from this attack for years to come."