Sunday, December 22, 2024

Lazarus attackers mimic job recruiters

Cyberattackers are impersonating a type of person who’s difficult to ignore: a recruiter saying that you’re just the right person for a new, impressive job.

At this year’s virtual ESET World conference, Jean-Ian Boutin, director of threat research at the AV provider ESET, reviewed a series of recent attempts to lure target organizations—specifically aerospace and defense companies—with bogus LinkedIn profiles and “better, high-paying” job offers.

The impersonations are believed to be cyber-espionage efforts from the North Korea-linked hacker group, Lazarus. Lazarus cyberattackers have been suspected of sending malware since at least 2014. In 2020, McAfee discovered a series of malware-containing postings meant to lure defense-contractor targets into downloading a data-gathering implant. In February of this year, Qualys revealed how the cyber-criminal group has been targeting job-seekers with fake Lockheed Martin job offers.

In the cases presented by Boutin, the primary motivation from the Lazarus group appears to be the exfiltration of aerospace and defense data.

“They’re doing cyber-espionage in this field to actually try to close the technical gap that they might have in some of their technology, because they don’t have the means to acquire it,” Boutin said in a Q&A at ESET 2022 after his presentation.

Campaign season. Boutin detailed two new campaigns in his presentation, which was titled, “Worldwide Aerospace and Defense Contractors Under Attack by Lazarus”:

Sep. 2021: An attacker posing as an Amazon recruiter approached a defense-contractor employee in the Netherlands, according to Boutin’s report (and ESET’s telemetry information). An attached job application from the Amazon faker, in fact, contained a malicious remote template.

Jan. 2022: Using a LinkedIn profile to impersonate a job recruiter from BAE Systems, an attacker targeted a defense company in Turkey. The attack used an encrypted archive known as an RAR file to send the malicious components, and the downloader payload itself was hosted on GitHub—an intriguing choice, said Boutin. “The use of GitHub is interesting, because it just shows that the threat actor is trying to use all legitimate services and abuse them as much as they can to make their campaign as legitimate as they can be,” Boutin said during the presentation.

Appealing to the ego. Job openings have lately offered attackers an enticing window.

In May of this year, a team at eSentire witnessed a reversal of the ESET findings: A phony job applicant serving malware to the unsuspecting employer.

The endorphin rush of a compliment from a recruiter goes a long way and makes job-specific attacks especially successful, according to Lisa Plaggemier, interim executive director at the National Cybersecurity Alliance.

“When somebody sends you an email or hits you up on LinkedIn and says, ‘Hey, I really like your résumé or your profile,’ you know, ‘I’m interested in talking to you,’ what’s the first emotion you feel? It’s a little ego boost, right?” Plaggemier explained to IT Brew.

Another effective aspect of the phishing strategy: Employees may not want to tell their employers that a security problem arose because they were looking for a new gig.

“If, as an employee, you were clicking on things you shouldn’t, and then, on top of that, were trying to apply for another job, reporting the security incident is something that you will think twice before doing,” Boutin said, during the ESET Q&A.
