
Cyber attacks use LinkedIn to target companies and employees

Researchers at ESET have uncovered cyber attacks that use LinkedIn messaging as a starting point for achieving financial gain.

The attacks, which ESET researchers have called Operation In(ter)ception, took place from September to December 2019 and are notable for using LinkedIn-based spearphishing.

According to ESET, the attackers employ effective tricks to stay under the radar and supposedly have financial gain, in addition to espionage, as a goal.

The LinkedIn message describes a believable job offer, seemingly from a well-known company in a relevant sector. Files were sent directly via LinkedIn messaging, or via email containing a OneDrive link.

For the latter option, the attackers created email accounts corresponding with their fake LinkedIn personas.

Dominik Breitenbacher, the ESET malware researcher who analysed the malware and led the investigation, states that the LinkedIn profile was fake and that the files sent during the communication were malicious.

Once the recipient opened the file, a seemingly innocent PDF document with salary information related to the fake job offer was displayed. Meanwhile, malware was silently deployed on the victim's computer.

In this way, the attackers established an initial foothold and reached a solid persistence on the system, ESET states.

Following this, the attackers performed a series of steps. Among the tools the attackers utilised was custom multistage malware that often came disguised as legitimate software, and modified versions of open-source tools.

In addition, they leveraged ‘living off the land’ tactics, including abusing preinstalled Windows utilities to perform various malicious operations.

The attacks we investigated showed all the signs of espionage, with several hints suggesting a possible link to Lazarus group.

Breitenbacher states that, despite this, neither the malware analysis nor the investigation allowed the ESET team to gain insight into which files the attackers were after.

Besides espionage, ESET researchers found evidence that the attackers attempted to use the compromised accounts to extract money from other companies.

Among the victim's emails, the attackers found communication between the victim and a customer regarding an unresolved invoice. They followed up on the conversation and urged the customer to pay the invoice, naturally to a bank account of their own.

However, the customer became suspicious and reached out to the company owner for assistance, thwarting the attackers' attempt to carry out a so-called business email compromise (BEC) attack.

Breitenbacher says, “This attempt to monetise the access to the victim's network should serve as yet another reason for both establishing strong defenses against intrusions and providing cybersecurity training for employees.

“Such education could help employees recognise even lesser-known social engineering techniques, like the ones used in Operation In(ter)ception.”

ESET has released a whitepaper on the attack titled Operation In(ter)ception: Targeted attacks against European aerospace and military companies.
