Tuesday, May 21, 2024

Tech News, analysis, updates, comments, reviews

Lazarus attackers mimic job recruiters

Cyberattackers are impersonating a type of person who’s difficult to ignore: a recruiter saying that you’re just the right person for a new, impressive job.

At this year’s virtual ESET World conference, Jean-Ian Boutin, director of threat research at the AV provider ESET, reviewed a series of recent attempts to lure target organizations—specifically aerospace and defense companies—with bogus LinkedIn profiles and “better, high-paying” job – offers.

The impersonations are believed to be cyber-espionage efforts from the North Korea-linked hacker group, Lazarus. Lazarus cyberattackers have been suspected of sending malware since at least 2014. In 2020, McAfee discovered a series of malware-containing postings meant to lure defense-contractor targets into downloading a data-gathering implant. In February of this year, Qualys revealed how the cyber-criminal group has been targeting job-seekers with fake Lockheed Martin job offers.

In the cases presented by Boutin, the primary motivation from the Lazarus group appears to be the exfiltration of aerospace and defense data.

“They’re doing cyber-espionage in this field to actually try to close the technical gap that they might have in some of their technology, because they don’t have the means to acquire it,” Boutin said in a Q&A at ESET 2022 after his presentation.

Campaign season. Boutin detailed two new campaigns in his presentation, which was titled, “Worldwide Aerospace and Defense Contractors Under Attack by Lazarus”:

Sep. 2021: An attacker posing as an Amazon recruiter approached a defense-contractor employee in the Netherlands, according to Boutin’s report (and ESET’s telemetry information). An attached job application from the Amazon faker, in fact, contained a malicious remote template.

Jan. 2022: Using a LinkedIn profile to impersonate a job recruiter from BAE Systems, an attacker targeted a defense company in Turkey. The attack used an encrypted archive known as an RAR file to send the malicious components, and the downloader payload itself was hosted on GitHub—an intriguing choice, said Boutin. “The use of GitHub is interesting, because it just shows that the threat actor is trying to use all legitimate services and abuse them as much as they can to make their campaign as legitimate as they can be,” Boutin said during the presentation.

Top insights for IT pros

From cybersecurity and big data to software development and gaming. Our IT Brew newsletter delivers the latest news and analysis of trends shaping the IT industry, like only The Brew can.

Appealing to the ego. A job opening offers an enticing window for attackers lately.

In May of this year, a team at eSentire witnessed a reversal of the ESET findings: A phony job applicant serving malware to the unsuspecting employer.

The endorphin rush of a compliment from a recruiter goes a long way and makes job-specific attacks especially successful, according to Lisa Plaggemier, interim executive director at the National Cybersecurity Alliance.

“When somebody sends you an email or hits you up on LinkedIn and says, ‘Hey, I really like your résumé or your profile,’ you know, ‘I’m interested in talking to you,’ what’s the first emotion you feel? It’s a little ego boost, right?” Plaggemier explained to IT Brew.

Another effective aspect of the phishing strategy: Employees may not want to tell their employers that a security problem arose because they were looking for a new gig.

“If, as an employee, you were clicking on things you shouldn’t, and then, on top of that, were trying to apply for another job, reporting the security incident is something that you will think twice before doing,” Boutin said, during the ESET Q&A.


Please enter your comment!
Please enter your name here

Get notified whenever we post something new!


Migrate to the cloud

Make yourself future-proof by migrating your infrastructure and services to the cloud. Become resilient, efficient and distributed.

Continue reading

Google I/O 2024 Unveils the Future?

Google I/O 2024 was an impressive showcase of how Google continues to push the envelope with artificial intelligence. This year's event introduced significant advancements across multiple services and platforms, demonstrating Google's commitment to an AI-first future. Below, I try...

On-Premises vs. Cloud Security

As usual, we begin by championing cybersecurity. It stands as the foremost concern for organizations striving to safeguard their sensitive data and digital assets. Among the many strategies available, two dominant paradigms have emerged: on-premises security and cloud security....

Regulation Insights from Starlink’s in Zimbabwe

In recent times, the journey of Starlink, Elon Musk's ambitious satellite internet venture under SpaceX, has been marked by regulatory challenges, particularly in Zimbabwe. Meanwhile the Posts and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) issued a directive instructing Starlink...

Enjoy exclusive discounts

Use the promo code SDBR002 to get amazing discounts to our software development services.