Search This Blog

Showing posts with label Linkedin. Show all posts

Zinc APT is Conducting an Attack Against Victims in Critical Sectors

During recent months, Microsoft has detected cyberattacks targeted at security researchers by an actor tracked as ZINC, who is also called the author of these attacks. Originally, the campaign was brought to the attention after Microsoft Defender for Endpoints detected an attack that was taking place in the background. 

As a consequence, seven groups have been identified as being targeted, including pen testers, private offensive security researchers, and employees of security and technology companies. Based on the observations made by MSTIC, which is a Microsoft Threat Intelligence Center, we can attribute this campaign with high confidence to ZINC, which is a DPRK-affiliated and state-sponsored group, given its tradecraft, infrastructure, malware patterns, and account affiliations.

Campaigns designed to attack 

Using a high degree of confidence, Microsoft Threat Prevention and Defense has linked these recent attacks to a threat group identified as Zinc. The group is allegedly associated with recent attacks on LinkedIn. In addition, the group is also linked with one of the groups of the Lazarus movement.

• During their experiments, researchers noticed Zinc using a wide variety of open-source software, including KiTTY, TightVNC, Sumatra PDF Reader, PuTTY, and muPDF/Subliminal Recording software installers.

• As far as Microsoft is concerned, there are around five methods for trojanizing open-source applications, including packing with commercial software protection Themida, hijacking DLL Search orders, using custom encryption methods, encoding victim information in parameters associated with common keywords, and using SSH clients.

• A number of these applications are bundled with malicious shellcodes and malicious payloads that belong to the ZetaNile malware family that researchers have been tracking.

Is there anyone who has been affected by the crisis?

There has been a recent rash of attacks caused by Zinc on employees of various companies located in the United Kingdom, the United States, Russia, and India. These companies operate in different industries such as defense, aerospace, IT services, and media.

The tactical approach to the spread of infection 

A LinkedIn security team discovered Zinc impersonating recruiters from defense, technology, and media companies. This was malware that was delivered from LinkedIn to WhatsApp. Despite this, LinkedIn immediately suspended accounts linked to suspicious or fraudulent behavior as per its policies and the accounts spotted in these attacks.

Earlier this month, Mandiant reported about an ongoing campaign related to the weaponized version of PuTTY being used by some hackers; the operation Dream Job campaign was initiated by attackers to extract information about jobs on LinkedIn using job lures.

In essence, throughout its attack campaign, Zinc targets victims all over the world with a wide range of platforms and open-source software, making it one of the most dangerous cyber threats for businesses globally. 

To prevent such abuses, individuals and organizations that use open-source software should therefore ensure that they are vigilant. Whenever possible, it is highly recommended that you leverage a threat intelligence platform to find threats that are tailored to your needs.

Fake CISO Profiles of Corporate Giants swamps LinkedIn


LinkedIn has recently been flooded with fake profiles for the post of Chief Information Security Officer (CISO) at some of the world’s largest organizations. 

One such LinkedIn profile is for the CISO of the energy giant, Chevron. One might search for the profile, and find the profile for Victor Sites, stating he is from Westerville, Ohio, and is a graduate of Texas A&M University. When in reality, the role of Chevron is currently occupied by Christopher Lukas, who is based in Danville, Calif. 

According to KrebsOnSecurity, upon searching the profile of “Current CISO of Chevron” on Google, they were led to the fake CISO profile, for it is the first search result returned, followed by the LinkedIn profile of the real Chevron CISO, Christopher Lukas. It was found that the false LinkedIn profiles are engineered to confuse search engine results for the role of CISOs at major organizations, and the profiles are even considered valid by numerous downstream data-scraping sources. 

Similar cases could be seen in the LinkedIn profile for Maryann Robles, claiming to be the CISO of another energy giant, ExxonMobil. LinkedIn was able to detect more such fabricated CISO profiles since the already detected fake profile suggested 1 view a number of them in the “People Also Viewed” column. 

Who is Behind the Fake Profiles? 

Security experts are not yet certain of the identity of the threat actors behind the creation and operation of these fake profiles. Likewise, the intention leading to the cyber security incident also remains unclear.  

LinkedIn, in a statement given to KrebsOnSecurity, said its team is working on tracking the fake accounts and taking down the con men. “We do have strong human and automated systems in place, and we’re continually improving, as fake account activity becomes more sophisticated,” the statement reads. “In our transparency report we share how our teams plus automated systems are stopping the vast majority of fraudulent activity we detect in our community – around 96% of fake accounts and around 99.1% of spam and scam,” said LinkedIn. 

What can LinkedIn do?  

LinkedIn could take simple steps that could inform the user about the profile they are looking at, and whether to trust the given profile. Such as, adding a “created on” date for every profile, and leveraging the user with filtered searches. 

The former CISO Mason of LinkedIn says it could also experiment with offering the user something similar to Twitter’s ‘verified mark’ to those who chose to validate that they can respond to email at the domain linked with their stated current employer. Mason also added LinkedIn needs a more streamlined process allowing employers to remove phony employee accounts.

Ducktail Spear-Phishing Campaign Targets Facebook Business Accounts Via LinkedIn


An ongoing spear-phishing campaign dubbed “Ducktail” is targeting admin profiles of enterprise networks via LinkedIn, with the motive of taking over Facebook Business accounts and exploiting the Ads function to run malvertising campaigns. 

According to researchers at WithSecure, a popular global IT-security firm, the hackers are of Vietnamese origin and have been active since 2018. 

Modus operandi 

The Ducktail operators have a limited targeting scope and carefully choose their victims, seeking those with administrative access to their employer's social media accounts. The hacker contacts employees on LinkedIn who may have access to Facebook business accounts, such as those described as working in "digital media" and "digital marketing." 

Subsequently, the hacker lures the potential victim to download a file hosted on legitimate cloud hosting services like Dropbox or iCloud. The downloaded file contains JPEG image files and a PDF document relevant to the topic discussed between the hacker and the potential victim during the convincing stage.

Security researchers reported that the entire file is a .NET Core malware that can infect any operating system by running on computers without having to install the .NET runtime. Once it has compromised the system the malware collects browser cookies from Chrome, Edge, Firefox, and additional sensitive information to steal Facebook credentials. 

“The malware directly interacts with various Facebook endpoints from the victim’s machine using the Facebook session cookie (and other security credentials that it obtains through the initial session cookie) to extract information from the victim’s Facebook account,” researchers explained. 

The malware is then deployed to other Facebook pages owned by the victim and collects multiple tokens, IP addresses, account information, geolocation data, and other valuables to disguise itself as a legitimate admin. 

After getting access to the victim’s business profile the malware steals advertising limits, credit card details, client lists, currency, payment cycle, and more sensitive details, and finally, the stolen data is exfiltrated through Telegram bots when the malware exits or crashes. 

The phishing campaign operates on an infinite loop in the background which allows continuous exfiltration of new cookies and any update to the victim’s Facebook account. The motive is to interact with the victim’s account, and ultimately create an email account managed by the hacker with the highest privilege role; that is, admin access and finance editor roles.

Hackers Sneak 'More_Eggs' Malware Into Resumes Sent to Corporate Hiring Managers


A year after potential candidates looking for work on LinkedIn were tempted with weaponized job offers, a new series of phishing assaults carrying the more eggs malware has been detected attacking corporate hiring supervisors with false resumes as an infection vector. 

Keegan Keplinger, eSentire's research and reporting lead said in a statement, "This year the more_eggs operation has flipped the social engineering script, targeting hiring managers with fake resumes instead of targeting job seekers with fake job offers."
Four separate security events were identified and disrupted, according to the Canadian cybersecurity firm, three of which happened towards the end of March. A U.S.-based aerospace company, a U.K.-based accounting firm, a legal firm, and a hiring agency, all based in Canada, are among the targets. 

The malware, which is thought to have been created by a threat actor known as Golden Chickens (aka Venom Spider), is a stealthy, modular backdoor suite capable of stealing sensitive data and lateral movement across a hacked network. 

Keplinger stated, "More_eggs achieves execution bypassing malicious code to legitimate windows processes and letting those windows processes do the work for them."
The goal is to leverage the resumes as a decoy to launch the malware and sidestep detection. Apart from the role reversal in the mode of operation, it's unclear what the attackers were after, given that the attacks were stopped before they could carry out their intentions. However, it's worth noting that, once deployed, more eggs might be used as a launchpad for further assaults like data theft and ransomware. 

"The threat actors behind more_eggs use a scalable, spear-phishing approach that weaponizes expected communications, such as resumes, that match a hiring manager's expectations or job offers, targeting hopeful candidates that match their current or past job titles," Keplinger stated.

Giant User Theft and Bot Attacks Target on Job Seekers


Job seekers are viable targets for social manipulation efforts because applicants are emotionally weak and eager to provide any information to help them win the job. Cybercriminals are finding it easier to find the next victim now the "Great Resignation" is in full armor. 

A job posting portal with a location in six countries was the sufferer in this instance. The goal of the attack was to collect job seeker information from the website. 

Since February 1, experts have seen a 232 percent increase in phishing email attacks imitating LinkedIn, seeking to deceive job seekers into handing up private credentials. The emails contained subject lines including "Searching for a suitable candidate online," "You mentioned in 4 searches this week," and even "You have 1 new message," as per the Egress team. 

The OWASP Foundation classifies web scraping as an operational threat (OAT-011), which is defined as gathering accessible data or processing output from an application. While web scraping walks a delicate line among reporting and data privacy violations, it is still one of the most common automated hacks affecting businesses today, according to Imperva.

Imperva didn't name the company, but it said it received 400 million bot requests from 400,000 network Interfaces over four days in an attempt to harvest all of its job seekers' information. Similar strategies can be employed in "scalping" attacks, which are aimed to purchase in-demand, limited-edition products in order to resell them at a greater price later. Imperva neutralized one such operation on a retailer's website around Black Friday week, which had nine million bot queries in only 15 minutes — 2500 percent above its normal traffic rate.

Several people are accustomed to receiving regular authentic LinkedIn communications – and may unintentionally click without double-checking. Individual users are still responsible for being aware of the data they provide socially and how it can be used to deceive users into clicking a malicious link.

Recently Patched Confluence Vulnerability Abused in the Wild


A significant vulnerability in Confluence's team collaboration server software is on the edge of exploitation after the company released the patch a week ago. 

Threat actors were found abusing the major vulnerability tracked as CVE-2021-26084 which affects Confluence Server and Confluence Data Center software, which is often installed on Confluence self-hosted project management, wiki, and team communication platforms. 

The vulnerability is hidden in OGNL (Object-Graph Navigation Language), a basic scripting language for interfacing with Java code, which is the fundamental technology used to build most Confluence software. 

When Atlassian released the fix on August 25, the firm that owns the Confluence software family, stated the vulnerability could be used by threat actors to circumvent authentication and implant malicious OGNL instructions that allow attackers to take control of the system. 

As an outcome, the vulnerability received a severity rating of 9.8 out of 10, indicating that it could be exploited remotely over the internet and building a weaponized exploit would be relatively simple.

Exploitation begins a week after fixes are released

Attackers and professional bug bounty hunters are investigating Confluence systems for functionalities vulnerable to CVE-2021-26084 exploits, according to Vietnamese security researcher Tuan Anh Nguyen, who stated on Tuesday that widespread scans for Confluence servers are already ongoing. 

Soon after the issue was discovered in the open, two security researchers, Rahul Maini and Harsh Jaiswal released a detailed explanation of the flaw on GitHub, along with various proof-of-concept payloads. Maini explained the procedure of creating the CVE-2021-26084 attack as “relatively simpler than expected,” thus proving the bug's high severity level of 9.8. 

Confluence is a widely used team collaboration software among some of the world's top businesses, and the CVE-2021-26084 vulnerability is highly effective from a threat actor's standpoint, criminal gangs are anticipated to increase their assaults in the next few days. 

As Confluence flaws have previously been widely weaponized, a similar exploitation strategy is probable this time. 

Atlassian states that Confluence is used by over 60,000 clients, including Audi, Hubspot, NASA, LinkedIn, Twilio, and Docker, according to its website.

With Safari Zero-Day Attacks, Russian SVR Hackers Targeted LinkedIn Users


Google security experts revealed details on four zero-day vulnerabilities that were undisclosed until they were exploited in the wild earlier this year. After discovering exploits leveraging zero-day vulnerabilities in Google Chrome, Internet Explorer, and WebKit, the engine used by Apple's Safari web browser, Google Threat Analysis Group (TAG), and Google Project Zero researchers discovered the four security issues. 

CVE-2021-21166 and CVE-2021-30551 in Chrome, CVE-2021-33742 in Internet Explorer, and CVE-2021-1879 in WebKit were the four zero-day exploits found by Google researchers earlier this year while being abused in the wild. "We tie three to a commercial surveillance vendor arming govt backed attackers and one to likely Russian APT," Google Threat Analysis Group's Director Shane Huntley said. "Halfway into 2021, there have been 33 0-day exploits used in attacks that have been publicly disclosed this year — 11 more than the total number from 2020," Google researchers added. "While there is an increase in the number of 0-day exploits being used, we believe greater detection and disclosure efforts are also contributing to the upward trend." 

Despite the fact that the zero-day flaws for Chrome and Internet Explorer were developed and sold by the same vendor to customers all over the world looking to improve their surveillance capabilities, they were not employed in any high-profile operations. The CVE-2021-1879 WebKit/Safari bug, according to Google, was used "to target government officials from Western European countries by sending them malicious links," via LinkedIn Messaging. 

The attackers were part of a likely Russian government-backed actor employing this zero-day to target iOS devices running older versions of iOS (12.4 through 13.7), according to Google experts. While Google did not link the exploit to a specific threat group, Microsoft claims it is Nobelium, the state-sponsored hacking group responsible for the SolarWinds supply-chain attack that resulted in the compromise of numerous US federal agencies last year. 

Volexity, a cybersecurity firm, also attributed the attacks to SVR operators based on strategies used in earlier attacks dating back to 2018. In April, the US government charged the Russian Foreign Intelligence Service (aka SVR) for conducting "a broad-scale cyber-espionage campaign" through its hacking group known as APT29, The Dukes, or Cozy Bear. The attacks were designed to "collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook, and Yahoo and send them via WebSocket to an attacker-controlled IP," according to Google.

Data of 700 Million LinkedIn Users Has Been Compromised


A massive breach has purportedly compromised the data of over 700 million LinkedIn users. LinkedIn has a total of 756 million users, which means that this new hack has exposed the data of more than 92 percent of its users. An anonymous hacker is reported to have gotten a fresh dataset including personal information about LinkedIn users. Reportedly, the data exposed includes phone numbers, physical addresses, geolocation data, and inferred salaries. 

The data advertised by the hacker is “both authentic and up-to-date,” according to a recent investigation by the publication, with data points ranging from 2020 to 2021. The article goes on to say that the data breached comprises a lot of information. LinkedIn reported a data breach impacting 500 million customers in April, in which personal information such as email addresses, phone numbers, workplace information, complete names, account IDs, links to social network profiles, and gender characteristics were exposed online. 

According to LinkedIn, the information was obtained through skimming the network rather than a data breach. In an emailed statement, LinkedIn said, "While we're still investigating this issue, our initial analysis indicates that the dataset includes information scraped from LinkedIn as well as information obtained from other sources. This was not a LinkedIn data breach and our investigation has determined that no private LinkedIn member data was exposed. Scraping data from LinkedIn is a violation of our Terms of Service and we are constantly working to ensure our members' privacy is protected." 

The hacker has also uploaded a sample set of 1 million users for purchasers on the Dark Web, where the new dataset of 700 million users is also on sale. RestorePrivacy was the first to notice this listing on the Dark Web, and 9to5Google double-checked the sample data. 

User information such as email addresses, full names, phone numbers, physical addresses, geolocation records, LinkedIn username, and profile URL, inferred salaries, personal and professional experience/background, gender, and social media accounts and usernames are included in the sample dataset that has been published on the Dark Web. 

9to5Google reached out to the hacker who says that the data was obtained through hacking the LinkedIn API to gather the information that people upload to the site. Although the data does not include passwords, it is nevertheless extremely valuable and might be used in identity theft or phishing attempts.

US Soldiers Exposed Information About the Nuclear Weapons Stockpile


According to a new report, U.S. soldiers stationed at several bases in Europe accidentally revealed confidential data connected to America's nuclear weapons arsenal while using inadequately secured flashcard apps to memorize those secrets. 

The soldiers accidentally revealed “not just the bases” where the nukes were stored, but also “the exact shelters with ‘hot' vaults that likely contain nuclear weapons,” writes Foeke Postma, a researcher with the OSINT-focused investigative team Bellingcat, in what appears to be a mind-boggling mishandling of America's most sensitive national security information. They also gave a slew of other information, including secret codes, passwords, and security layouts in various locations. 

According to Postma's investigation, the troops utilized common study apps like Chegg, Cram, and Quizlet to save highly classified data on European nuclear bases, then forgot to change the applications' settings from public to private. 

Some of the same soldiers allegedly made their usernames public, which “included the full identities of the persons who established them,” and used the same images they had on their LinkedIn pages, making them easier to track down. 

Postma believes that he was able to find a lot of this information by Googling official words and acronyms related to the US nuclear weapons development. When he did, he discovered a set of 70 public-facing flashcards titled "Study!" that disclosed details on the alleged nuclear inventory at Volkel Air Base in the Netherlands (a long-rumored locale of a U.S. nuke stockpile). Postma further alleges that subsequent open-source searches uncovered further flashcard caches, which revealed “details about vaults at all the other facilities in Europe that supposedly host nuclear weapons.” 

"Some flashcards detailed the number of security cameras and their positions at various bases, information on sensors and radar systems, the unique identifiers of restricted area badges (RAB) for Incirlik, Volkel, and Aviano as well as secret duress words and the type of equipment carried by response forces protecting bases," Postma said. 

"The scale to which soldiers have uploaded and inadvertently shared security details represents a massive operational security failure,” said Postma. “Due to the potential implications around public safety, Bellingcat contacted NATO, US European Command (EUCOM), the US Department of Defence (DoD), and the Dutch Ministry of Defence (MoD) four weeks in advance." The flashcards linked to these disclosures have been taken down since then, according to Postma.

“LinkedIn Private Shared Document” Shared Via Phishing Email by Hackers


LinkedIn seems to have become a popular destination for phishing attacks and users have been attacked with phishing emails in the recent scam on the site. With the public becoming more familiar with the standard tactics used to attack them, cybercriminals had to adopt new tactics in order to prevent identification. 

JB Bowers, a security investigator, found that hackers use LinkedIn to target users to give up their login credentials. The scheme attempts to get dubious users to open a "LinkedIn Private Shared Document," after which their login credentials are requested to access the falsified LinkedIn page. The message prompts the receiver to follow a reference from a third party to access a document.

Any user who obtains an unwanted message through the internal messaging system of LinkedIn via an unidentified contact must be extremely careful. In particular, this is true if users are requested to enter their login details. Users who mistakenly input their login credentials could often receive phishing messages which their LinkedIn contacts can also see. 

As to why hackers attack LinkedIn users, it may be because regular LinkedIn users have strong revenue than normal and are perceived as higher-value targets. Or since LinkedIn links to another Microsoft service, such as Office 365, it could contribute to more identity leakage if a LinkedIn account is hacked. As the name suggests, Phishing attempts to lure users to send confidential details. This could take the form of emails offering a free smartphone or something more formal, as in the aforementioned case. Further targets of phishing attacks are- colleges and businesses. Hackers are now getting more advanced and will send you a bogus email that appears to have originated from your employers since LinkedIn tells them who you are dealing with. Phishing pages are hosted in sites where there are also legitimate business purposes, such as Firebase and, making access by companies unlikely. 

“The sites use major ASNs including Fastly, Google, and Microsoft, making basic network traffic analysis for the end-user also not so useful,” Bowers stated.

Employees must be advised to identify this form of intrusion leading to a broader breach of enterprise processes and networks. A further alternative is to block the usage of social media/networks on working devices, but it might not be good for workers. The victims will be made aware of the deception and have to let their LinkedIn friends also know about it. In some instances, some of them will find themselves fooled and have to go through the same method. 

“If you see any more LinkedIn messages like this […] you’ll want to let that person know out of band that their account has been compromised and that they should update their LinkedIn password, as well as report the abuse to LinkedIn,” Bowers advised.

How China uses LinkedIn to recruit spies

One former senior foreign policy official in the Obama administration received messages from someone on LinkedIn offering to fly him to China and connect him with “well paid” opportunities.

A former Danish Foreign Ministry official got LinkedIn messages from someone appearing to be a woman at a Chinese headhunting firm wanting to meet in Beijing. Three middle-aged men showed up instead and said they could help the former official gain “great access to the Chinese system.”

A former Obama White House official and career diplomat was befriended on LinkedIn by a person who claimed to be a research fellow at the California Institute of Technology, with a profile page showing connections to White House aides and ambassadors. No such fellow exists.

Foreign agents are exploiting social media to try to recruit assets, with LinkedIn as a prime hunting ground, Western counterintelligence officials say. Intelligence agencies in the United States, Britain, Germany and France have issued warnings about foreign agents approaching thousands of users on the site. Chinese spies are the most active, officials say.

“We’ve seen China’s intelligence services doing this on a mass scale,” said William R. Evanina, director of the National Counterintelligence and Security Center, a government agency that tracks foreign spying and alerts companies to possible infiltration. “Instead of dispatching spies to the U.S. to recruit a single target, it’s more efficient to sit behind a computer in China and send out friend requests to thousands of targets using fake profiles.”

The use of social media by Chinese government operatives for what American officials and executives call nefarious purposes has drawn heightened scrutiny in recent weeks. Facebook, Twitter and YouTube said they deleted accounts that had spread disinformation about the Hong Kong pro-democracy protests. Twitter alone said it removed nearly 1,000 accounts.

It was the first time Facebook and Twitter had taken down accounts linked to disinformation from China. Many governments have employed similar playbooks to sow disinformation since Russia used the tactic to great effect in 2015 and 2016.

99 Iranian websites used for hacking were seized by Microsoft


According to a report by Associated Press, Microsoft has seized 99 Iranian websites that were supposedly stealing information and launching cyber attacks. The report also said that it had been tracking the group of hackers since 2013.

The hackers were targeting people in the middle east to steal sensitive information by using the malicious websites that were disguised as Microsoft, Linkedin, Outlook and Windows products. Microsoft confirmed in a court filing that this group was stealing information about reporters, activists, political people including “ protesting oppressive regimes”.

The hackers are from Iran but the Tehran government has denied any hacking activity from their end. In the past also Iran government has denied any hacking attempts from their end.

Allison Wikoff, a security researcher at Atlanta-based SecureWorks told Associated Press that according to her observation it is one of the “more active Iranian threat groups”. She further added that Microsoft analyze fake domains through analyzing traffics to protect against fake domains and the practice is popularly called as “sinkholing”.In the past also, Microsoft has used “sinkholing” to seize fake domains made by Russian hackers back in 2016.