Man
Professional
- Messages
- 3,085
- Reaction score
- 623
- Points
- 113
The website of the non-existent company SecuriElite
In January 2021, Google Threat Analysis Group (TAG) experts reported an attack on IT security researchers around the world. Now some details of this unusual operation have been published.
The attackers used new 0-days that work in the latest versions of Windows 10 and Chrome. In addition, the researchers were offered to participate in a joint Visual Studio project and, upon their request, were provided with a DLL allegedly containing the exploit code (DLL hash on VirusTotal). This is the first time such a social engineering vector has been encountered in the world.
As the investigation revealed, the hacker group contacted security researchers through fake accounts on Twitter and LinkedIn.
Fake LinkedIn and Twitter user profiles
Moreover, they created a fake company called SecuriElite, which is based in Turkey and allegedly invites security experts. The company reportedly offers offensive security services, including “penetration tests, software security assessments, and exploits.”
In total, Google identified eight Twitter accounts and seven LinkedIn profiles that were involved in the operation. The blog with interesting information on the topic of information security to attract the target audience was launched in 2020. Blog
with interesting information to attract security researchers
For the operation, profiles were registered on a number of platforms, including Telegram, Keybase, and Discord, to communicate with researchers and gain their trust.
On January 14, 2021, the attackers published a video on Twitter and YouTube demonstrating an exploit for a recently patched vulnerability in Windows Defender (CVE-2021-1647).
If any security researchers took the bait, they were offered to participate in a joint Visual Studio project. This is a new social engineering method that has not been seen before.
The hackers promised that the Visual Studio project would contain the exploit code shown in the video and provided a DLL that was executed via Visual Studio Build Events. Immediately after that, it established a connection to the remote command server.
The SecuriElite website was launched on March 17, 2021. Before that, the attack was carried out only through the blog.
Korean colleagues have already identified a 0-day vulnerability through which the exploit worked in Internet Explorer. There is no information about other browsers yet.
In addition to the website, the attack was carried out through the official blog blog.br0vvnn[.]io. It was previously reported that the exploit works in the latest versions of Windows 10 and Chrome with all patches. Now antiviruses have already begun to recognize it.
If selected victims are individually invited to an infected site, then this is targeted phishing. If the victim himself found a “new interesting site”, then this is a bit like a watering hole attack (when a real site used by the target group is hacked). In this case, we can probably talk about hybrid technology.
It is still unclear for what purpose backdoors were installed on the specialists' computers. Perhaps the attackers were looking for information about new 0-days. This is a valuable commodity on the black market. Information about bugs in popular software is sold for hundreds of thousands of dollars. Vulnerabilities are exploited for several months or years until they become known to the general public. If a hacker finds a serious vulnerability in Windows or iOS, he can ensure a comfortable existence for years to come and lifelong authority in the community.
Theoretically, anyone can become a victim of a targeted attack, even a security expert, if he does not use a separate computer to access the Internet. Antivirus programs will not help here, rather the opposite: they often increase the attack surface and worsen the security of the system.
Google Threat Analysis Group has published a list of social media accounts, C&C server addresses (including hacked third-party servers that were used as C&Cs), VS Project DLL hashes, and indicators of compromise (IOCs).
Source
