At a glance.
- Security researchers targeted by North Korean actors.
- Mimecast says Solorigate actor accessed customer credentials.
- SAP exploit published on GitHub.
- Attackers accidentally expose stolen credentials.
Security researchers targeted by North Korean actors.
Google's Threat Analysis Group (TAG) warns that a North Korean state-sponsored actor is targeting security researchers via fake profiles on Twitter, LinkedIn, Telegram, Discord, and Keybase. The attackers purported to be analyzing a vulnerability and invited the researchers to work with them:
"The actors have been observed targeting specific security researchers by a novel social engineering method. After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project. Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains."
In one case, the actor made a YouTube video that appeared to show successful exploitation of the recently patched Windows Defender vulnerability CVE-2021-1647, although observant viewers determined that the video had been faked.
The attackers also set up a research blog that used an apparently unknown vulnerability to install backdoors on visitors' systems. Google's researchers note, "At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions. At this time we’re unable to confirm the mechanism of compromise, but we welcome any information others might have. Chrome vulnerabilities, including those being exploited in the wild (ITW), are eligible for reward payout under Chrome's Vulnerability Reward Program."
TAG has published a list of the attackers' social media accounts, infrastructure, and IOCs. The researchers advise, "If you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties, and your own security research."
Cisco Talos confirmed that its researchers had been targeted by this campaign, although they "did not engage to the point where the malicious files were provided." Talos notes that "the attacker has a good grasp of the English language and made contact within the normal working hours for the researcher based on their time zone, denoting some care regarding the quality of the lure." ZDNet cites numerous other researchers who shared that they had been targeted.
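The lure TAG describes hides its payload in Visual Studio Build Events, so a researcher who receives a project from a stranger can triage it before opening it in the IDE. The following is an added example (not code from TAG, Talos, or the campaign) that parses an MSBuild project file and flags build-time commands that launch a DLL or a living-off-the-land binary; the sample project, the `helper.dll` name, and the launcher list are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample project (not a file from the campaign): one benign event,
# one event that loads a DLL shipped with the project, and an Exec task.
SAMPLE_PROJECT = """<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <PreBuildEvent><Command>echo Building $(ProjectName)</Command></PreBuildEvent>
    <PostBuildEvent><Command>rundll32.exe $(ProjectDir)helper.dll,Run</Command></PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="AfterBuild">
    <Exec Command="powershell -nop -w hidden -File setup.ps1" />
  </Target>
</Project>
"""

# Elements that run a shell command during a build, and launchers that have
# no business in the build steps of a proof-of-concept project.
BUILD_EVENT_TAGS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "Exec"}
SUSPICIOUS = re.compile(
    r"\b(rundll32|regsvr32|mshta|powershell|pwsh|certutil|wscript|cscript|bitsadmin)\b"
    r"|\.dll\b", re.IGNORECASE)

def _local(tag):
    # Strip the MSBuild namespace so classic and SDK-style projects both match.
    return tag.rsplit("}", 1)[-1]

def find_build_commands(project_xml):
    """Return (element name, command) for every build-time command in the project."""
    root = ET.fromstring(project_xml)
    found = []
    for el in root.iter():
        name = _local(el.tag)
        if name not in BUILD_EVENT_TAGS:
            continue
        if name == "Exec":
            cmd = el.get("Command", "")
        else:
            cmd_el = next((c for c in el if _local(c.tag) == "Command"), None)
            cmd = (cmd_el.text or "") if cmd_el is not None else ""
        if cmd.strip():
            found.append((name, cmd.strip()))
    return found

def flag_suspicious(project_xml):
    """Keep only build commands that invoke a launcher or reference a DLL."""
    return [(name, cmd) for name, cmd in find_build_commands(project_xml)
            if SUSPICIOUS.search(cmd)]
```

Run `flag_suspicious` over every `.vcxproj`/`.csproj` in a received archive from a throwaway VM, as TAG's compartmentalization advice suggests, before building anything.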
Mimecast says Solorigate actor accessed customer credentials.
Mimecast confirmed today that the Solorigate threat actor was indeed behind the theft of a Mimecast-issued certificate. The company initially disclosed the breach two weeks ago, and suspected that this actor was responsible. Mimecast has also determined that the threat actor was able to access credentials for Mimecast customers in the US and UK:
"Our investigation also showed that the threat actor accessed, and potentially exfiltrated, certain encrypted service account credentials created by customers hosted in the United States and the United Kingdom. These credentials establish connections from Mimecast tenants to on-premise and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes.
"Although we are not aware that any of the encrypted credentials have been decrypted or misused, we are advising customers hosted in the United States and United Kingdom to take precautionary steps to reset their credentials."
The company added, "we advised affected customers to break and re-establish their connections with newly issued keys. The vast majority of these customers have taken this action, and Microsoft has now disabled use of the former connection keys for all affected Mimecast customers."
SAP exploit published on GitHub.
Onapsis has identified a publicly available exploit that takes advantage of CVE-2020-6207 in SAP Solution Manager. The vulnerability, which received a CVSS score of 10.0, was patched in March 2020. Users are urged to patch their systems immediately. The researchers note, "A successful attack exploiting this vulnerability would put an organization’s mission-critical SAP applications, business process and data at risk—impacting cybersecurity and regulatory compliance. While exploits are released regularly online, this hasn't been the case for SAP vulnerabilities, for which publicly available exploits have been limited."
Attackers accidentally expose stolen credentials.
Check Point and Otorio outline a phishing campaign that mistakenly exposed more than a thousand stolen credentials on the internet. The attackers used fake Xerox notifications with HTML attachments to trick victims into entering credentials for various websites. The social engineering aspect of the campaign grew more sophisticated over time, and the emails successfully evaded most security filters. However, the attackers unknowingly stored the stolen credentials on publicly accessible servers. The researchers write, "We found that once the users’ information was sent to the drop-zone servers, the data was saved in a publicly visible file that was indexable by Google. This allowed anyone access to the stolen email address credentials with a simple Google search."