Skip to main content

Hackers Target Defense Contractors' Employees By Posing as Recruiters

 

Job-Offer-hacking

The United States Cybersecurity and Infrastructure Security Agency (CISA) has published a new 
report warning companies about a new in-the-wild malware that North Korean hackers are reportedly using to spy on key employees at government contracting companies.

Dubbed 'BLINDINGCAN,' the advanced remote access trojan acts as a backdoor when installed on compromised computers.

According to the FBI and CISA, North Korean state-sponsored hackers Lazarus Group, also known as Hidden Cobra, are spreading BLINDINGCAN to "gather intelligence surrounding key military and energy technologies."

To achieve this, attackers first identify high-value targets, perform extensive research on their social and professional networks, and then pose as recruiters to send malicious documents loaded with the malware, masquerading as job advertisements and offerings.
However, such employment scams and social engineering strategies are not new and were recently spotted being used in another similar cyber espionage campaign by North Korean hackers against Israel's defense sector.

"They built fake profiles on Linkedin, a social network that is used primarily for job searches in the high-tech sector," the Israel Ministry of Foreign Affairs said.

"The attackers impersonated managers, CEOs and leading officials in HR departments, as well as representatives of international companies, and contacted employees of leading defense industries in Israel, with the aim of developing discussions and tempting them with various job opportunities.

"In the process of sending the job offers, the attackers attempted to compromise the computers of these employees, to infiltrate their networks and gather sensitive security information. The attackers also attempted to use the official websites of several companies in order to hack their systems."

The CISA report says that attackers are remotely controlling BLINDINGCAN malware through compromised infrastructure from multiple countries, allowing them to:


  • Retrieve information about all installed disks, including the disk type and the amount of free space on the disk
  • Create, start, and terminate a new process and its primary thread
  • Search, read, write, move, and execute files
  • Get and modify file or directory timestamps
  • Change the current directory for a process or file
  • Delete malware and artifacts associated with the malware from the infected system.


Cybersecurity companies Trend Micro and ClearSky also documented this campaign in a detailed report explaining:
"Upon infection, the attackers collected intelligence regarding the company's activity, and also its financial affairs, probably in order to try and steal some money from it. The double scenario of espionage and money theft is unique to North Korea, which operates intelligence units that steal both information and money for their country."

According to this report, North Korean attackers did not just contact their targets through email, but also conducted face-to-face online interviews, mostly on Skype.

"Maintaining direct contact, beyond sending phishing emails, is relatively rare in nation-state espionage groups (APTs); however, as it will be shown in this report, Lazarus have adopted this tactic to ensure the success of their attacks," the researchers said.

CISA has released technical information to aid in detection and attribution, as well as recommended a variety of preventive procedures to lower the possibility of this kind of attack significantly.

Comments

Popular posts from this blog

Applications and Threats Content Release Notes

  Threat Intelligence Report Top Attacks and Breaches The biochemical systems at an Oxford university research lab currently studying the Covid-19 pandemic has been  breached . Clinical research was not affected by the incident. Breached systems include machines used to prepare biochemical samples, and hackers are currently attempting to  sell  their access to those machines. Twitter has permanently  suspended  multiple accounts found to be part of four disinformation campaign networks, most likely operated by state-sponsored actors associated with Iran, Russia and Armenia. The Iranian infrastructure was previously used to disrupt the 2020 US presidential campaign discourse. Gmail accounts of global pro-Tibet organizations have been  targeted  by the Chinese APT TA413, an espionage group known for its operations against civil dissidents. The campaign leverages a customized malicious Mozilla Firefox browser extension to gain control over the victims’ Gmail accounts. Npower, a British ga

Cisco Releases Security Updates for Cisco ASA 5506-X, 5508-X, 5516-X and Firepower// Cisco Bug IDs: CSCvp36425

A vulnerability in the cryptographic driver for Cisco Adaptive Security Appliance Software (ASA) and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reboot unexpectedly. The vulnerability is due to incomplete input validation of a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) ingress packet header. An attacker could exploit this vulnerability by sending a crafted TLS/SSL packet to an interface on the targeted device. An exploit could allow the attacker to cause the device to reload, which will result in a denial of service (DoS) condition. Note:  Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects systems configured in routed and transparent firewall mode and in single or multiple context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic. A valid SSL or TLS session is required to exploit this vulnerability. Cisco has rel

Site-to-site IPsec VPN with two FortiGates

In this example, you will allow transparent communication between two networks that are located behind different FortiGates at different offices using route-based IPsec VPN. The VPN will be created on both FortiGates by using the VPN Wizard's   Site to Site - FortiGate   template. In this example, one office will be referred to as HQ and the other will be referred to as Branch. 1. Configuring the HQ IPsec VPN On the HQ FortiGate, go to  VPN > IPsec Wizard . Select the  Site to Site  template, and select  FortiGate . In the  Authentication  step, set  IP Address  to the IP of the Branch FortiGate (in the example,  172.20.120.135 ). After you enter the gateway, an available interface will be assigned as the  Outgoing Interface . If you wish to use a different interface, select it from the drop-down menu. Set a secure  Pre-shared Key . In the  Policy & Routing  step, set the  Local Interface . The  Local Subnets  will be added automatically. Set  Remote