Researchers from security firm Mandiant have uncovered a multi-layered phishing campaign led by a North Korean threat actor group, with the intent to gain a foothold in the inner workings of multiple organizations. It’s believed the attackers have been targeting security researchers in an effort to gain access to the sensitive data these individuals hold.
To spread their malicious software, the North Korean hackers are using spearphishing emails with job recruitment themes as well as legitimate-looking but fake LinkedIn accounts claiming to belong to recruitment professionals. After establishing contact, the hackers attempt to move the conversation to WhatsApp or email, where they deliver malware such as Plankwalk, LISDHT and LISDSH to victims’ machines via ZIP archives or MS Word macros.
Mandiant analysed the malicious payloads used by UNC2970 and found they were mainly aimed at one of its customers, a US-based technology company. The researchers discovered the cybercriminals were using compromised WordPress sites as their command-and-control infrastructure and were also using Microsoft’s Intune application as part of their stealth techniques.
The security firm has identified several measures to take in order to counter such attacks against security researchers and organizations:
– Multi-factor authentication;
– Cloud-only accounts to access Azure Active Directory;
– A separate account for sending emails, web browsing and similar activities;
– Dedicated admin account for sensitive administrative functions;
– Block macros;
– Privileged identity management;
– Conditional access policies;
– Security restrictions in Azure AD;
– Requiring multiple admins to approve Intune transactions.
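The delivery method described above (macro-enabled Word documents inside ZIP archives) and the “block macros” recommendation both come down to recognising documents that carry VBA before a user opens them. The following script is an added example written for this article, not code from Mandiant or from the campaign; it walks a ZIP archive, opens each Office Open XML member, and reports those that contain a vbaProject.bin part. The sample archive, its file names and its contents are constructed inline for the demonstration.

```python
import io
import zipfile

# OOXML parts whose presence means the document embeds a VBA project.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Extensions worth inspecting; .docx can still carry macros if renamed, so check it too.
OFFICE_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".pptm", ".docx", ".xlsx", ".pptx")


def office_has_macros(data: bytes) -> bool:
    """Return True if the given OOXML document bytes contain a vbaProject.bin part.
    Non-zip input (e.g. a legacy .doc or random bytes) is reported as no macros found
    by this check; legacy OLE formats need a different parser."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            names = set(doc.namelist())
    except zipfile.BadZipFile:
        return False
    return any(part in names for part in MACRO_PARTS)


def scan_zip_for_macro_docs(archive_bytes: bytes) -> list:
    """List the members of a ZIP archive that are Office documents with macros.
    Only one level of nesting is inspected, which matches the lure described in the article."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if not info.filename.lower().endswith(OFFICE_EXTENSIONS):
                continue
            if office_has_macros(zf.read(info)):
                findings.append(info.filename)
    return findings


def _build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container used only to exercise the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as doc:
        doc.writestr("[Content_Types].xml", "<Types/>")
        doc.writestr("word/document.xml", "<document/>")
        if with_macro:
            doc.writestr("word/vbaProject.bin", b"\x00constructed-placeholder")
    return buf.getvalue()


def build_sample_archive() -> bytes:
    """Constructed sample ZIP: one macro-enabled document, one clean document, one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Job_Description.docm", _build_ooxml(with_macro=True))
        zf.writestr("Benefits.docx", _build_ooxml(with_macro=False))
        zf.writestr("readme.txt", "constructed sample, not a real attachment")
    return buf.getvalue()


if __name__ == "__main__":
    hits = scan_zip_for_macro_docs(build_sample_archive())
    print("macro-enabled documents in archive:", hits)
```

Running the script against the constructed archive reports only `Job_Description.docm`; the renamed-extension case is covered because the check looks at the document’s internal parts rather than trusting the file name. A mail gateway or endpoint script built on this logic can quarantine the archive before the user is ever asked to enable content.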
In response to the campaign, Mandiant has issued a blog post describing the North Korean attackers and alerting organizations to the techniques being used by the hackers. It’s important for targets of such attacks to be aware of the risks and to take appropriate precautions. Organizations need to be proactive and stay alert in order to protect themselves and their data from these kinds of malicious activities.
Are you concerned about UNC2970’s recent campaign targeting security researchers? Share your thoughts in the comments.