
In today’s technology world, as the digital “value” and “importance” of our working lives continue to grow, cyber attackers continue to develop their techniques and targets. As long as that value and importance remain critical, we will see attackers strike more frequently and more effectively. An incident that we can cite as an example of this took place recently.
According to a post titled “New campaign targeting security researchers” published by Google’s Threat Analysis Group (TAG) on 25 January 2021, a critical attack was carried out targeting vulnerability researchers working at various companies and organisations. Yes, you heard correctly. It was determined that cyber attackers had professionally and deliberately targeted cybersecurity experts with their attacks.
In the first phase, we see that the group carrying out the attack took their first step by contacting cybersecurity researchers via Twitter, LinkedIn, Telegram, Discord, Keybase and Email. Having reached cybersecurity researchers through social networks and messaging applications, the attackers created numerous fake Twitter profiles to gain trust, and even launched a fake research blog (https://blog.br0vvnn[.]io) fed by these accounts.
The cyber attackers, who published analyses and articles about public vulnerabilities on this fake research blog, can be seen acting like a cybersecurity researcher. It also emerged that they copied the writings of real security researchers in order to lend credibility to the blog content, effectively assuming the identity of a genuine security researcher.
Their actual goal was to reach security researchers and carry out a cyber attack against them. The first leg of the cyber attack began with a “Microsoft Malware Protection Engine” video uploaded to YouTube on 12 January 2021. A video had been published purporting to show that the RCE vulnerability coded “CVE-2021-1647” had been exploited and was functional.
In the video, the attackers were able to run the exploit and obtain a Cmd.exe Shell. Numerous comments under the video naturally pointed out that it was fake. However, the cyber attackers went further, posting on the numerous fake Twitter accounts they had created to insist that the video was not fake and that the vulnerability was indeed functional.
In the second step, they began making contact with targets using social engineering techniques. The attackers reached out to researchers they could contact and proposed “collaborating on a joint project”, expressing their wish to conduct research together. They then shared a Visual Studio Project with the cybersecurity researchers, ostensibly embarking together on a security research project.
It is worth noting that this was a masterful social engineering technique. The Visual Studio Project came bundled with a malicious DLL file.
The Visual Studio Project contained the exploit source code along with a DLL file. This DLL file was used for the next stage of the cyber attack. It was determined that the DLL file was actually malware that ran within Visual Studio Build Events and established communication with the attacker’s command-and-control server.
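The build-event mechanism described above is the detail a defender can act on: MSBuild runs PreBuildEvent, PreLinkEvent and PostBuildEvent commands automatically, so simply building a project received from a contact is enough to execute whatever those hooks launch. The scanner below is an added example for this post, not code from Privia Security or Google TAG; it reads a .vcxproj, lists every build event and flags commands that load a DLL or invoke a script interpreter. The project XML, the DLL name `helper.dll` and the pattern list are constructed and assumed, not taken from the campaign.

```python
"""Scan a Visual Studio C++ project file (.vcxproj) for build events that
launch external code before the researcher has even pressed Run.
Added example for this post; not code from Privia Security or Google TAG.
The project XML, the DLL name and the pattern list below are constructed
and assumed, not taken from the campaign."""
import re
import xml.etree.ElementTree as ET

MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"
# MSBuild runs these three hooks automatically as part of a build.
EVENT_TAGS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent")

# Heuristic: commands that load a DLL or run a script interpreter from a
# build step deserve manual review before the project is built.
SUSPICIOUS = [
    r"\brundll32(\.exe)?\b",
    r"\bregsvr32(\.exe)?\b",
    r"\bpowershell(\.exe)?\b",
    r"\bmshta(\.exe)?\b",
    r"\bcertutil(\.exe)?\b",
    r"\bcmd(\.exe)?\b\s+/c\s+start\b",
]


def extract_build_events(vcxproj_xml: str) -> list:
    """Return (event name, command) pairs for every build event in the project."""
    root = ET.fromstring(vcxproj_xml)
    events = []
    for tag in EVENT_TAGS:
        for node in root.iter(f"{{{MSBUILD_NS}}}{tag}"):
            cmd = node.find(f"{{{MSBUILD_NS}}}Command")
            if cmd is not None and cmd.text and cmd.text.strip():
                events.append((tag, cmd.text.strip()))
    return events


def flag_suspicious(events) -> list:
    """Keep only the events whose command matches one of the patterns."""
    findings = []
    for tag, cmd in events:
        hits = [p for p in SUSPICIOUS if re.search(p, cmd, re.IGNORECASE)]
        if hits:
            findings.append({"event": tag, "command": cmd, "patterns": hits})
    return findings


# Constructed project: a pre-build hook loads a bundled DLL, and a harmless
# post-build copy step is included to show that not everything is flagged.
SAMPLE_VCXPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <ClCompile>
      <Optimization>MaxSpeed</Optimization>
    </ClCompile>
    <PreBuildEvent>
      <Command>rundll32.exe "$(ProjectDir)helper.dll",Init</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>copy "$(TargetPath)" "$(SolutionDir)dist"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""


def scan_sample() -> list:
    """Run the scanner over the constructed project."""
    return flag_suspicious(extract_build_events(SAMPLE_VCXPROJ))


if __name__ == "__main__":
    for f in scan_sample():
        print(f"[{f['event']}] {f['command']}  <- matched {f['patterns']}")
```

Run it against every .vcxproj in a solution before opening the solution in Visual Studio; the point is that the review happens before the build, since once the build runs the hook has already executed. The pattern list is deliberately narrow to keep the output readable, so treat an empty result as "nothing obvious", not as a clean bill of health.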
Cybersecurity researchers had in fact fallen victim to this cleverly and deliberately crafted social engineering attack. Although the exact number is not known, it is reported that many cybersecurity researchers were affected by this attack.
Of course, the cyber attackers did not stop there. In addition to the attack, it also emerged that malicious services began running on the systems of people who visited the fake security researcher blog they had set up at https://blog.br0vvnn[.]io, and that a backdoor to a command-and-control server was opened on their systems.
At the time of these visits, the researchers’ systems were reported to be running fully patched Windows 10 with the latest version of Chrome. In other words, we can safely say that zero-day attacks were among the techniques they used.
Google was unable to confirm the mechanism by which Chrome was compromised. Google stated that it offers cash rewards through the Chrome Vulnerability Reward Program to anyone with information on this matter or who discovers a Chrome vulnerability. The situation is serious enough that the mere suggestion that Google’s Chrome browser contains a zero-day vulnerability is unnerving for security researchers.
The Twitter, LinkedIn and Keybase accounts used by the attackers were closed when this incident came to light. We nonetheless strongly advise against visiting the attacker’s blog page or command-and-control servers from any browser until a definitive statement is made. For cybersecurity professionals who were exposed to, or suspect they may have been exposed to, this attack, we recommend examining the following indicators of compromise.
If there is a process on your system that has communicated with any of the following command-and-control servers, accessed any of the registry keys, or created any of the files listed below, you may have been exposed to this attack.
Command-and-Control Domains
Registry Keys
File Paths
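The check described above (a process that talked to a listed domain, touched a listed registry key, or created a listed file) can be run over exported host telemetry rather than by hand. The script below is an added example for this post, not code from Privia Security or Google TAG. The indicator values in `IOC` are placeholders, because the real lists belong in the three sections above, and the log lines are constructed; substitute the published indicators and your own DNS, registry and file-creation events. Domain matching also catches subdomains of a listed domain, and registry matching catches subkeys, which goes slightly beyond the exact-match check the post describes.

```python
"""Triage host telemetry against the three indicator categories the post
lists: command-and-control domains, registry keys and file paths.
Added example for this post; not code from Privia Security or Google TAG.
The indicator values are PLACEHOLDERS and the log lines are constructed;
replace the sets in IOC with the published indicators."""

# Placeholder indicators (not the campaign's real values).
IOC = {
    "domains": {"c2-placeholder.example"},
    "registry_keys": {r"HKLM\SOFTWARE\PLACEHOLDER-VENDOR\Agent"},
    "file_paths": {r"C:\ProgramData\placeholder\helper.dll"},
}

# Constructed telemetry, one record per line:
# "<timestamp> <event-type> <process> <value>", where event-type is
# dns (queried name), registry (key touched) or file (file created).
SAMPLE_LOG = r"""
2021-01-26T10:02:11Z dns devenv.exe c2-placeholder.example
2021-01-26T10:02:12Z dns chrome.exe update.googleapis.com
2021-01-26T10:02:14Z registry helper.exe HKLM\SOFTWARE\PLACEHOLDER-VENDOR\Agent\Run
2021-01-26T10:02:15Z file helper.exe C:\ProgramData\Placeholder\HELPER.DLL
2021-01-26T10:03:00Z dns chrome.exe www.c2-placeholder.example
2021-01-26T10:03:01Z dns chrome.exe notc2-placeholder.example
2021-01-26T10:03:02Z registry explorer.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"""


def domain_matches(qname, bad_domains):
    """Exact match or any subdomain of a listed domain; 'notc2-...' must not match."""
    q = qname.lower().rstrip(".")
    return any(q == d.lower() or q.endswith("." + d.lower()) for d in bad_domains)


def registry_matches(key, bad_keys):
    """Exact key or any subkey beneath it, case-insensitive as on Windows."""
    k = key.lower().rstrip("\\")
    return any(k == b.lower() or k.startswith(b.lower() + "\\") for b in bad_keys)


def path_matches(path, bad_paths):
    """Exact path match, case-insensitive as on NTFS."""
    return path.lower() in {b.lower() for b in bad_paths}


MATCHERS = {
    "dns": ("domains", domain_matches),
    "registry": ("registry_keys", registry_matches),
    "file": ("file_paths", path_matches),
}


def triage(log_text, ioc=IOC):
    """Return one finding per log record that matches an indicator."""
    findings = []
    for line in log_text.strip().splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # malformed record; skip rather than guess
        ts, event, process, value = parts
        if event not in MATCHERS:
            continue
        category, matcher = MATCHERS[event]
        if matcher(value, ioc[category]):
            findings.append({"ts": ts, "event": event, "process": process,
                             "value": value, "category": category})
    return findings


def processes_of_concern(findings):
    """The process names the post says to look at: those touching any indicator."""
    return sorted({f["process"] for f in findings})


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['process']:<12} {h['category']:<14} {h['value']}")
    print("review these processes:", ", ".join(processes_of_concern(hits)))
```

The process list is the useful output: a single DNS hit from a browser may be a stray visit to the blog, but a process that both touches a listed registry key and drops a listed file is the backdoor the post warns about, and that host should be isolated and imaged rather than cleaned in place.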
Beyond this remarkable scenario and cleverly crafted social engineering attack, the most important point is actually that the cyber attackers were able to execute commands through the browser. Although this aspect has not been discussed extensively, the mere thought of cyber attackers operating with such a vulnerability is alarming.
If commands can be executed on systems through a browser using this vulnerability, we can assume that many people are currently infected. If you find in your browsing history a website you do not recall visiting, we recommend examining your system. Although this attack is said to have been carried out using a vulnerability believed to exist in Chrome, it is worth considering that a similar vulnerability may also exist in other browsers.
Of course, the most important question that remains in everyone’s mind is: what was the purpose of the cyber attackers in targeting security researchers?