Microsoft: hackers use open source software and fake jobs in phishing attacks
Microsoft warns that hackers are using open source software and fake social media accounts to trick software engineers and IT support staff with fake job postings that actually lead to malware attacks.
According to threat analysts at the Microsoft Threat Intelligence Center (MSTIC), a North Korea-linked hacking group has been using trojanized open-source applications and LinkedIn recruitment lures to target employees in the technology industry.
MSTIC says it has seen the group use trojanized builds of PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and the muPDF/Subliminal Recording software installer in these attacks since late April, according to its blog post.
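The defensive check that defeats a trojanized installer of this kind is simple: compare the downloaded file's SHA-256 digest with the digest the vendor publishes before running it. The script below is an added example, not code from the page or from Microsoft's report; the allowlist digest and the "genuine" and "trojanized" installer bytes are constructed stand-ins, not the real PuTTY release hashes.

```python
"""Added example: verify a downloaded installer against a vendor-published
SHA-256 digest before executing it.  All digests and sample files here are
constructed for the demo, not the real PuTTY/KiTTY/TightVNC release hashes."""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so a large installer is never fully
    loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_installer(path: Path, allowlist: dict[str, str]) -> tuple[str, str]:
    """Return (verdict, digest).

    'ok'        the digest matches the allowlisted value for this file name
    'mismatch'  the name is known but the bytes differ, which is exactly what
                a trojanized PuTTY handed over WhatsApp would look like
    'unlisted'  no published digest is available, so the file is unverified
    """
    digest = sha256_file(path)
    expected = allowlist.get(path.name.lower())
    if expected is None:
        return "unlisted", digest
    # compare_digest is overkill for a local file check, but it is the right
    # habit for any digest or secret comparison.
    if hmac.compare_digest(digest, expected.lower()):
        return "ok", digest
    return "mismatch", digest


# ---- constructed demo data (hypothetical bytes, not the real binaries) ----
GENUINE_PUTTY = b"MZ" + b"\x00" * 62 + b"constructed stand-in for putty.exe"
# A trojanized build keeps the legitimate code and adds a payload on the end,
# so the file still runs normally but its digest no longer matches.
TROJANIZED_PUTTY = GENUINE_PUTTY + b"\n;; constructed malicious stub ;;"


def demo() -> dict[str, str]:
    """Write the constructed samples to disk and verify each one."""
    # Hypothetical allowlist: file name -> vendor-published SHA-256.
    allowlist = {"putty.exe": hashlib.sha256(GENUINE_PUTTY).hexdigest()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "vendor").mkdir()
        (root / "whatsapp").mkdir()
        genuine = root / "vendor" / "putty.exe"
        trojan = root / "whatsapp" / "putty.exe"
        unlisted = root / "whatsapp" / "kitty.exe"
        genuine.write_bytes(GENUINE_PUTTY)
        trojan.write_bytes(TROJANIZED_PUTTY)
        unlisted.write_bytes(b"constructed bytes with no published digest")
        return {
            "genuine": verify_installer(genuine, allowlist)[0],
            "trojanized": verify_installer(trojan, allowlist)[0],
            "unlisted": verify_installer(unlisted, allowlist)[0],
        }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:>10}: {verdict}")
```

The "unlisted" verdict matters as much as "mismatch": an installer for which no trusted digest exists has not been verified at all, and a recruiter-supplied copy should be treated that way rather than waved through.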
The hacking group targeted media, defense and aerospace and IT workers in the US, UK, India and Russia. The group was also behind the massive attack on Sony Pictures Entertainment in 2014.
The group, also known as Lazarus and tracked by Microsoft as ZINC, was separately observed by Google Cloud's Mandiant threat analysts in July spear-phishing targets in the tech and media sectors with fake job postings, using WhatsApp to share a trojanized instance of PuTTY.
“Microsoft researchers have observed spear-phishing as a primary tactic of ZINC actors, but they have also been observed using strategic website compromises and social engineering across social media to achieve their objectives,” MSTIC notes.
“ZINC targets employees of companies it attempts to infiltrate and seeks to coerce these individuals into installing seemingly benign programs or opening weaponized documents containing malicious macros. Targeted attacks have also been carried out against security researchers on Twitter and LinkedIn.”
The group engages in espionage, data theft, hacking into crypto exchanges and banking systems, and destructive attacks on networks. It is also tracked as Labyrinth Chollima and Black Artemis.
LinkedIn's security team (LinkedIn is owned by Microsoft) also saw these actors create fake profiles posing as recruiters for companies in the tech, defense and media entertainment industries.
According to Microsoft, targets were moved from LinkedIn to WhatsApp, where the malware was delivered; they included IT and IT support employees at companies in the US, UK and India. Google's Threat Analysis Group (TAG) found the group using Twitter, Discord, YouTube, Telegram, Keybase and email with similar tactics last January.
US authorities warned US and European companies to be wary of IT contractors applying for support and developer positions last year.
LinkedIn’s Threat Prevention and Defense team shut down fake accounts.
“ZINC primarily targeted engineers and technical support professionals working in media and information technology companies located in the UK, India and the US,” MSTIC warned.
“Targets were provided with outreach tailored to their profession or background and encouraged to apply for a vacant position at one of several legitimate companies. In accordance with their policies, for accounts identified in these attacks, LinkedIn promptly terminated all accounts associated with inauthentic or fraudulent behavior.”