Active North Korean campaign targeting security researchers


In January 2021, Threat Analysis Group (TAG) publicly disclosed a campaign from government-backed actors in North Korea who used 0-day exploits to target security researchers working on vulnerability research and development. Over the past two and a half years, TAG has continued to track and disrupt campaigns from these actors, finding 0-days and protecting online users. Recently, TAG became aware of a new campaign likely from the same actors, based on similarities with the previous campaign. TAG is aware of at least one actively exploited 0-day being used to target security researchers in the past several weeks. The vulnerability has been reported to the affected vendor and is in the process of being patched.

While our analysis of this campaign continues, we are providing an early notification of our initial findings to warn the security research community. We hope this post will remind security researchers that they could be targets of government-backed attackers and to stay vigilant about security practices.

Security researcher targeting

Similar to the previous campaign TAG reported on, North Korean threat actors used social media sites like X (formerly Twitter) to build rapport with their targets. In one case, they carried on a months-long conversation, attempting to collaborate with a security researcher on topics of mutual interest. After initial contact via X, they moved to an encrypted messaging app such as Signal, WhatsApp or Wire. Once a relationship was developed with a targeted researcher, the threat actors sent a malicious file that contained at least one 0-day in a popular software package.

[Image] Actor-controlled X (formerly Twitter) profile

Upon successful exploitation, the shellcode conducts a series of anti-virtual machine checks and then sends the collected information, along with a screenshot, back to an attacker-controlled command and control domain. The shellcode used in this exploit is constructed in a similar manner to shellcode observed in previous North Korean exploits.

The vulnerability has been reported to the affected vendor and is in the process of being patched. Once patched, we will release additional technical details and analysis of the exploits involved in line with our disclosure policies.

Potential secondary infection vector

In addition to targeting researchers with 0-day exploits, the threat actors also developed a standalone Windows tool that has the stated goal of ‘download debugging symbols from Microsoft, Google, Mozilla and Citrix symbol servers for reverse engineers.’ The source code for this tool was first published on GitHub on September 30, 2022, with several updates being released since. On the surface, this tool appears to be a useful utility for quickly and easily downloading symbol information from a number of different sources. Symbols provide additional information about a binary that can be helpful when debugging software issues or while conducting vulnerability research.

But the tool also has the ability to download and execute arbitrary code from an attacker-controlled domain. If you have downloaded or run this tool, TAG recommends taking precautions to ensure your system is in a known clean state, likely requiring a reinstall of the operating system.

[Image] GitHub repository for GetSymbol

Protecting the community

As part of our efforts to combat serious threat actors, TAG uses the results of our research to improve the safety and security of Google’s products. Upon discovery, all identified websites and domains are added to Safe Browsing to protect users from further exploitation. TAG also sends all targeted Gmail and Workspace users government-backed attacker alerts notifying them of the activity and encourages potential targets to enable Enhanced Safe Browsing for Chrome and ensure that all devices are updated.

We are committed to sharing our findings with the security community to raise awareness, and with companies and individuals that might have been targeted by these activities. We hope that improved understanding of tactics and techniques will enhance threat hunting capabilities and lead to stronger user protections across the industry.

Actor controlled sites and accounts

Original post by Clement Lecigne and Maddie Stone: Active North Korean campaign targeting security researchers

Copyright notice: posted by admin on September 8, 2023 at 8:43 AM.
Please credit when reposting: Active North Korean campaign targeting security researchers | CTF导航