Cybersecurity Experts Under Fire: A Stark Warning for Our Digital World!
In our tech-savvy world, as our digital lives become more valuable, cyber attackers are upping their game. The more critical our digital work becomes, the more frequent and effective cyber attacks we’ll see. A recent example of this was highlighted in Google’s Threat Analysis Group (TAG) article, “New campaign targeting security researchers,” published on January 25, 2021. The article revealed a critical attack targeting vulnerability researchers across various companies and organizations. Yes, you read that right. Cyber attackers are now professionally and systematically targeting cybersecurity experts.
The Initial Approach
The attacking group made first contact with cybersecurity researchers through Twitter, LinkedIn, Telegram, Discord, Keybase, and email. To build trust, the attackers created numerous fake Twitter profiles and set up a fake research blog (blog.br0vvnn.io) that those accounts linked to and promoted. The blog featured analyses and write-ups of public vulnerabilities, mimicking the output of a genuine security researcher. The attackers also copied articles from real security researchers so that the blog content appeared trustworthy, completing the impersonation.
Social Engineering Techniques
The attackers’ goal was to reach security researchers and launch a cyber attack. The first step began on January 12, 2021, with a video uploaded to YouTube titled “Microsoft Malware Protection Engine.” The video purported to demonstrate the exploitation of a Remote Code Execution (RCE) vulnerability tracked as CVE-2021-1647, ending with the attackers obtaining a cmd.exe shell. Although many comments under the video pointed out that it was fake, the attackers persisted, using their fake Twitter accounts to insist that the video was genuine and that the exploit really worked.
In the second step, the attackers used social engineering to contact their targets directly. They offered to collaborate on a joint project, suggesting they work together on the research. They then shared a Visual Studio project with the researchers, ostensibly to conduct joint security research. Alongside the source code, the project contained a malicious DLL that was executed through the project’s Visual Studio Build Events as soon as the project was built. This DLL was malware that communicated with the attackers’ command and control server. Researchers who opened and built the project fell victim to this meticulously planned social engineering attack. Although the exact number is unknown, it is reported that many cybersecurity researchers were affected.
The Aftermath
The attackers did not stop there. Separately from the Visual Studio lure, simply visiting the fake security researcher blog resulted in a malicious service being installed on the visitor’s system, opening a backdoor to the command and control server. At the time of these visits, the affected researchers’ systems were reported to be running fully patched, up-to-date Windows 10 with the latest version of Chrome. This suggests that the attackers used Zero-Day exploits. Google could not confirm the mechanism by which these fully patched systems were compromised. However, Google has stated that it offers monetary rewards to individuals with information about this issue, as well as to those who find Chrome vulnerabilities through Chrome’s Vulnerability Reward Program.
The mere suggestion of a Zero-Day vulnerability in Google’s Chrome browser is enough to unsettle security researchers. The Twitter, LinkedIn, and Keybase accounts used by the attackers were closed when this incident came to light. However, until a definitive statement is made, we strongly advise against visiting the attackers’ blog page or command and control servers from any browser.
Control Mechanisms
For cybersecurity experts who suspect they may have been exposed to this attack, we recommend checking the following indicators. If a process on your system communicates with one of the command and control domains published in the TAG report, if either of the registry keys below exists or the “SSL Update” Run value is present, or if one of the files listed below has been created, you may have been affected by this attack.
Registry Keys
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\KernelConfig
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverConfig
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSL Update
File Directories
- C:\Windows\System32\Nwsapagent.sys
- C:\Windows\System32\helpsvc.sys
- C:\ProgramData\USOShared\uso.bin
- C:\ProgramData\VMware\vmnat-update.bin
- C:\ProgramData\VirtualBox\update.bin
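The checks above can be run in one pass with the following read-only triage script. It is an added example, not code from the original article or from Google TAG; it assumes an elevated PowerShell session on the Windows 10 host being examined, and the optional -Domains parameter (an assumed workflow detail) takes the command and control domain list from the TAG report and matches it against the local DNS client cache.

```powershell
# Added example: read-only triage for the registry, file and DNS indicators
# described in this article. Nothing is deleted or modified.
param(
    [string[]]$Domains = @()   # e.g. -Domains (Get-Content .\tag-domains.txt)
)

$findings = @()

# KernelConfig and DriverConfig are subkeys; "SSL Update" is a value under
# the per-user Run key, so it is checked with Get-ItemProperty instead.
$subKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\KernelConfig',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverConfig'
)
foreach ($k in $subKeys) {
    if (Test-Path -Path $k) { $findings += "Registry key present: $k" }
}
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'SSL Update' -ErrorAction SilentlyContinue
if ($run) { $findings += "Run value 'SSL Update' -> $($run.'SSL Update')" }

# Dropped files reported for this campaign; hash any that exist so the
# result can be compared with vendor reporting later.
$files = @(
    "$env:SystemRoot\System32\Nwsapagent.sys",
    "$env:SystemRoot\System32\helpsvc.sys",
    "$env:ProgramData\USOShared\uso.bin",
    "$env:ProgramData\VMware\vmnat-update.bin",
    "$env:ProgramData\VirtualBox\update.bin"
)
foreach ($f in $files) {
    if (Test-Path -Path $f -PathType Leaf) {
        $h = (Get-FileHash -Path $f -Algorithm SHA256).Hash
        $findings += "File present: $f (SHA256 $h)"
    }
}

# A C2 name still resolvable from the DNS client cache indicates recent contact.
if ($Domains.Count -gt 0) {
    $cache = Get-DnsClientCache -ErrorAction SilentlyContinue
    foreach ($e in $cache) {
        foreach ($d in $Domains) {
            if ($e.Entry -like "*$d") {
                $findings += "DNS cache hit: $($e.Entry) -> $($e.Data)"
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No listed indicators found.' } else { $findings }
```

A clean result only means these specific indicators are absent; the Chrome compromise path was never confirmed, so a host that visited the blog still warrants a fuller examination.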
The Bigger Picture
Beyond this ingeniously crafted social engineering attack, the most critical point is that the attackers were apparently able to execute commands on a fully patched system through the browser alone. Although this aspect has not been widely discussed, the mere thought of attackers holding such a vulnerability is chilling. If a vulnerability allows commands to be executed on systems through a browser, we can assume that many individuals may already be infected. If you notice a visit to an unfamiliar website in your browsing history, we recommend conducting a thorough examination of your system.
While this attack is believed to have exploited a vulnerability in Chrome, similar vulnerabilities could exist in other browsers. The most pressing question remains: what was the attackers’ motive in targeting security researchers?