Posted on May 27, 2022 at 7:08 AM
Hackers target Windows security researchers with fake exploits
The publication of proof-of-concept (PoC) exploits has been rising over the past year. However, the growing popularity of public PoCs has also made them an attractive lure for attackers, which has put the people who download them in jeopardy.
Cybersecurity researchers analyzing PoC exploits published on GitHub recently discovered that one of them was a fake. Researchers who ran this supposed exploit became victims of a cyberattack that delivered Cobalt Strike.
Hackers target Windows security experts
Cybersecurity researchers usually publish proof-of-concept exploits only for recently patched flaws. The PoC is usually published on code repositories like GitHub. This way, it is easy for users to test the available fixes and for admins to be prompted to roll out a solution to these vulnerabilities quickly and easily.
Microsoft had fixed two remote code execution flaws. The flaws were tracked as CVE-2022-24500 and CVE-2022-26809, and when the Microsoft team patched the vulnerabilities, several PoCs appeared on GitHub. One of these PoCs came from an account known as “rkxxz.”
However, the PoC that popped up turned out to be malicious. Instead of exploiting anything, it installed Cobalt Strike beacons on the researchers’ endpoints. Researchers from Cyble said that the malicious PoC was disguised to hide its true nature because, in reality, it was a .NET application that launched a PowerShell script.
The application then runs a gzip-compressed PowerShell script (a sample of which is on MalShare). This script loads the beacon into the device’s memory. Cobalt Strike is not malware on its own. Instead, it is a legitimate tool used to conduct penetration testing.
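The two traits described above, a .NET executable posing as a PoC and an embedded gzip-compressed PowerShell stage, can both be checked for before a downloaded PoC is ever run. The following triage script is an added example and not code from the article or from Cyble; the sample “PoC” it scans is constructed inline, and the PowerShell keyword list is an assumption chosen for illustration.

```python
import base64
import gzip
import re
import struct

# Base64 of the fixed gzip header bytes 1f 8b 08 always begins with "H4sI".
B64_GZIP_RE = re.compile(rb"H4sI[A-Za-z0-9+/]{16,}={0,2}")
# Assumed set of markers that suggest a decoded blob is a PowerShell loader stage.
PS_MARKERS = (b"IEX", b"Invoke-Expression", b"FromBase64String", b"VirtualAlloc")


def is_dotnet_pe(data: bytes) -> bool:
    """True if data is a PE file whose CLR runtime (COM descriptor) data directory is populated."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return False
    opt = pe_off + 24                                     # start of the optional header
    magic = struct.unpack_from("<H", data, opt)[0]        # 0x10B = PE32, 0x20B = PE32+
    dd = opt + (96 if magic == 0x10B else 112) + 14 * 8   # data directory #14 = CLR header
    if dd + 8 > len(data):
        return False
    rva, size = struct.unpack_from("<II", data, dd)
    return rva != 0 and size != 0


def extract_gzip_powershell(data: bytes) -> list:
    """Decode each embedded base64 gzip blob and report the PowerShell markers it contains."""
    findings = []
    for m in B64_GZIP_RE.finditer(data):
        try:
            stage = gzip.decompress(base64.b64decode(m.group(0), validate=True))
        except Exception:            # not valid base64 or not valid gzip: skip it
            continue
        hits = [k.decode() for k in PS_MARKERS if k in stage]
        if hits:
            findings.append((m.start(), hits))
    return findings


def build_sample() -> bytes:
    """Constructed stand-in for a trojanised 'PoC': a script wrapping a gzip+base64 PowerShell stage."""
    stage = b"$b = [Convert]::FromBase64String('AAAA'); IEX ([Text.Encoding]::UTF8.GetString($b))"
    blob = base64.b64encode(gzip.compress(stage))
    return b"# CVE-XXXX-XXXX PoC (placeholder)\r\n$s = '" + blob + b"'\r\n"


if __name__ == "__main__":
    sample = build_sample()
    print("is .NET PE:", is_dotnet_pe(sample))
    for offset, hits in extract_gzip_powershell(sample):
        print(f"gzip+base64 PowerShell stage at offset {offset}: {hits}")
```

Run it against the files in a downloaded PoC repository; a hit from either check is a reason to detonate the sample in an isolated VM rather than on a research workstation.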
Despite Cobalt Strike being a legitimate tool used by cybersecurity researchers, cybercriminals have also widely abused it. It is one of the most used weapons by cybercriminals because its beacons are hard to detect and enable stealthy movement across the targeted network.
After the cybersecurity researchers discovered they had been targeted, they got rid of the fake PoC. The account distributing this malware was also removed from GitHub to prevent it from deploying more fake PoCs.
Cybersecurity researchers are also targets
This is not the first time that hackers have targeted cybersecurity researchers. Cybersecurity researchers are usually tasked with identifying threats and patching flaws before they are exploited. However, in some cases, cybersecurity researchers are themselves the victims of these attacks.
In the cyber world, those who look for vulnerabilities become the targets of attacks. In January, people working for the Google Threat Analysis Group (TAG) were also the victims of a similar attack.
The TAG security researchers detected a cyberattack originating from North Korea. The attack targeted them while they were working on a patch that could fix the flaw and lower the risk of a threat.
The extent of the threat posed by the North Korean hackers was massive. The hackers engaged with the researchers in many ways, including blog posts, fake social media accounts and email accounts. The attackers used these tools and platforms to reach the security researchers and make them victims of an attack.
In most cases, cybersecurity researchers have advanced protection mechanisms to mitigate major attacks. However, the tools and strategies used by threat actors have evolved over the past year, and it has become a challenge to ward off these attacks, especially when analyzing systems that have unpatched flaws.
Two months after the incident with the TAG researchers, another campaign involving North Korean threat actors was discovered. The second attack was more severe because it used a coordinated strategy.
In the second attack, the threat actors created a bogus cybersecurity firm called SecuriElite. They used this firm to invite other researchers into partnerships and to work together to ward off attacks.
However, instead of partnering with the researchers to investigate attacks and detect flaws in popular systems, the attackers attempted to infect the researchers’ endpoints with malware. The move could have caused massive damage to the researchers if the attackers’ intentions were not discovered in time.
Moreover, attackers have also misused the tools used by researchers to access systems and conduct tests that will detect security vulnerabilities. For instance, the attackers used the Cobalt Strike tool to launch the attacks in the recent case.
Cobalt Strike is a popular tool in the cybersecurity world, and while it can be exploited for bad intentions, it can be used for good. Given the growing risk of cybersecurity attacks and the evolving ways of an attacker, it is always crucial to patch flawed systems before they are exploited.