Cybersecurity researchers uncover first-ever use of LinkedIn to spread malware

Cybersecurity researchers have uncovered what is believed to be the first-ever case of hackers using LinkedIn to infect the computers of targeted users with viruses, according to a new report. The hackers appear to have been sponsored by a government and to have targeted employees of carefully selected military contractors in central Europe, according to sources.

The existence of the alleged cyberespionage operation was revealed on Wednesday by researchers at ESET, a cybersecurity firm based in Bratislava, Slovakia, which is known for its firewall and anti-virus products. The researchers said that the operation was carried out in 2019 by hackers who impersonated employees of General Dynamics and Collins Aerospace, two leading global suppliers of aerospace and defense hardware.

ESET researchers said that the hackers made use of the private messaging feature embedded in LinkedIn to reach out to their targets. After making initial contact with their intended victims, the hackers allegedly offered their targets lucrative job offers and used the LinkedIn private messenger service to send them documents that were infected with malware. In many cases, the targets opened the documents and infected their computers in the process.

The use of the LinkedIn social media platform by hackers to make contact with their unsuspecting victims is hardly new. In 2017, German intelligence officials issued a public warning about what they said were thousands of fake LinkedIn profiles created by Chinese spies to gather information about Western targets. Germany’s Federal Office for the Protection of the Constitution (BfV) said it had identified 10,000 German citizens who had been contacted by Chinese spy-run fake profiles on LinkedIn in a period of just nine months. And in 2018, a report by France’s two main intelligence agencies, the General Directorate for Internal Security (DGSI) and the General Directorate for External Security (DGSE), warned of an “unprecedented threat” to security after nearly 4,000 leading French civil servants, scientists and senior executives were found to have been accosted by Chinese spies on LinkedIn.

Tricking a target into opening a virus-infected document file is not a new method either. However, according to the researchers at ESET, this was the first case where LinkedIn was used to actually deliver the malware to the victims. As for the identity of the hackers, there appears to be no conclusive information. However, ESET said the attacks appeared to have some connections to Lazarus, a group of hackers with North Korean links. Lazarus has been linked to the 2014 Sony Pictures hack and the 2016 Central Bank of Bangladesh cyber heist, which was an attempt to defraud the bank of $1 billion.

LinkedIn told the Reuters news agency that it had identified and terminated the user accounts behind the alleged cyberespionage campaign. Citing client confidentiality, ESET said it could not reveal information about the victims of the attacks. Meanwhile, General Dynamics and Raytheon Technologies, which owns Collins Aerospace, have not commented on this report.

Author: Joseph Fitsanakis | Date: 18 June 2020

North Korea-linked hackers growing in reach and sophistication, McAfee warns

A computer hacking group with links to the North Korean government has a wider reach and is more sophisticated than was initially believed, according to the computer security firm McAfee. The group, dubbed Lazarus by cybersecurity experts, is believed to be connected with Guardians of Peace, the hacker team that orchestrated the 2014 attacks on Sony Pictures Entertainment. The company drew the ire of the North Korean government for producing The Interview, a black comedy based on a fictional attempt by two Americans to assassinate North Korean leader Kim Jong-un. Known collectively as ‘the Sony Pictures hack’, the attacks included the compromise of internal documents and unreleased copies of films produced by Sony, as well as personal attacks on Sony executives and members of their families. There were also attempts to damage Sony’s digital infrastructure, which cost the company an undisclosed amount in damages, believed to be in the millions of dollars.

In February of last year, the computer security software company McAfee said that Lazarus was behind an ongoing campaign targeting global banks and bitcoin users. On Sunday, the California-based firm said that Lazarus was responsible for what its experts call Operation SHARPSHOOTER, a widespread effort to compromise key industries across several continents. Speaking at the RSA IT security conference in San Francisco, McAfee experts said that SHARPSHOOTER began as early as September of 2017, and that it was first detected in December of 2018. By that time, said McAfee, around 80 firms and organizations had been targeted by Lazarus. But in recent months, it has become clear that SHARPSHOOTER is “more extensive in complexity, scope and duration” than previously thought, according to McAfee experts. They added that they drew this conclusion based on “command-and-control server code” data that was made available to them by an unnamed “government entity”. This is the type of forensic data that is customarily seized by government agencies and is rarely made available to cybersecurity researchers in the private sector, said the McAfee representatives. This “non-typical access” afforded McAfee technical experts “a rare opportunity” to examine “the inner workings [of Lazarus’] cyberattack infrastructure”, they added.

As a result, the company’s “confidence levels are now much higher” that Lazarus is targeting key agencies and industries, including government organizations involved with national defense, energy and critical infrastructure. Most of Lazarus’ targets are in the United States, Germany and Turkey. But smaller attacks have been detected in Asia and Africa, in countries such as the Philippines and Namibia. Many attacks begin with so-called ‘spearphishing’ attempts, which target particular employees of agencies or firms. These attacks center on emails that are “masked as extremely convincing job recruitments”. The emails contain links to Microsoft Word or Adobe PDF files on popular file-sharing platforms like DropBox, which are infected with malware, said McAfee.

Author: Joseph Fitsanakis | Date: 05 March 2019