
Cyber attacks use LinkedIn to target companies and employees

Researchers at ESET have uncovered cyber attacks that use LinkedIn messaging as a starting point for achieving financial gain.

The attacks, which ESET researchers have called Operation In(ter)ception, took place from September to December 2019 and are notable for using LinkedIn-based spearphishing.

According to ESET, the attackers employ effective tricks to stay under the radar and supposedly have financial gain, in addition to espionage, as a goal.

The LinkedIn message describes a believable job offer, seemingly from a well-known company in a relevant sector. Files were sent directly via LinkedIn messaging, or via email containing a OneDrive link.

For the latter option, the attackers created email accounts corresponding with their fake LinkedIn personas.

Dominik Breitenbacher, the ESET malware researcher who analysed the malware and led the investigation, states the LinkedIn profile was fake, and the files sent within the communication were malicious.

Once the recipient opened the file, a seemingly innocent PDF document with salary information related to the fake job offer was displayed. Meanwhile, malware was silently deployed on the victim's computer.

In this way, the attackers established an initial foothold and achieved solid persistence on the system, ESET states.

Following this, the attackers performed a series of steps. Among the tools the attackers utilised was custom multistage malware that often came disguised as legitimate software, and modified versions of open-source tools.

In addition, they leveraged ‘living off the land’ tactics, including abusing preinstalled Windows utilities to perform various malicious operations.

The attacks we investigated showed all the signs of espionage, with several hints suggesting a possible link to Lazarus group.

Breitenbacher states that, despite this, neither the malware analysis nor the investigation allowed the ESET team to gain insight into what files the attackers were aiming for.

Besides espionage, ESET researchers found evidence that the attackers attempted to use the compromised accounts to extract money from other companies.

Among the victim's emails, the attackers found communication between the victim and a customer regarding an unresolved invoice. They followed up the conversation and urged the customer to pay the invoice, of course, to a bank account of their own.

However, the customer of the company became suspicious and reached out to the company owner for assistance, thwarting the attackers' attempt to conduct a so-called business email compromise attack.

Breitenbacher says, “This attempt to monetise the access to the victim's network should serve as yet another reason for both establishing strong defenses against intrusions and providing cybersecurity training for employees.

“Such education could help employees recognise even lesser-known social engineering techniques, like the ones used in Operation In(ter)ception.”

ESET has released a whitepaper on the attack titled Operation In(ter)ception: Targeted attacks against European aerospace and military companies.
