Cyber attacks use LinkedIn to target companies and employees

Researchers at ESET have uncovered cyber attacks that use LinkedIn messaging as a starting point for achieving financial gain.

The attacks, which ESET researchers have called Operation In(ter)ception, took place from September to December 2019 and are notable for using LinkedIn-based spearphishing.

According to ESET, the attackers employ effective tricks to stay under the radar and appear to have financial gain, in addition to espionage, as a goal.

The LinkedIn message describes a believable job offer, seemingly from a well-known company in a relevant sector. Files were sent directly via LinkedIn messaging, or via email containing a OneDrive link.

For the latter option, the attackers created email accounts corresponding with their fake LinkedIn personas.

Dominik Breitenbacher, the ESET malware researcher who analysed the malware and led the investigation, states the LinkedIn profile was fake, and the files sent within the communication were malicious.

Once the recipient opened the file, a seemingly innocent PDF document with salary information related to the fake job offer was displayed. Meanwhile, malware was silently deployed on the victim's computer.

In this way, the attackers established an initial foothold and achieved solid persistence on the system, ESET states.

Following this, the attackers performed a series of steps. Among the tools the attackers utilised was custom multistage malware that often came disguised as legitimate software, and modified versions of open-source tools.

In addition, they leveraged ‘living off the land’ tactics, including abusing preinstalled Windows utilities to perform various malicious operations.

The attacks we investigated showed all the signs of espionage, with several hints suggesting a possible link to the Lazarus group.

Breitenbacher states that, despite this, neither the malware analysis nor the investigation allowed the ESET team to gain insight into which files the attackers were aiming for.

Besides espionage, ESET researchers found evidence that the attackers attempted to use the compromised accounts to extract money from other companies.

Among the victim's emails, the attackers found communication between the victim and a customer regarding an unresolved invoice. They followed up the conversation and urged the customer to pay the invoice, to a bank account of their own, of course.

However, the customer became suspicious and reached out to the company owner for assistance, thwarting the attackers' attempt to conduct a so-called business email compromise attack.

Breitenbacher says, “This attempt to monetise the access to the victim's network should serve as yet another reason for both establishing strong defenses against intrusions and providing cybersecurity training for employees.

“Such education could help employees recognise even lesser-known social engineering techniques, like the ones used in Operation In(ter)ception.”

ESET has released a whitepaper on the attack titled Operation In(ter)ception: Targeted attacks against European aerospace and military companies.
