Gandalf_The_Grey
Thread author
A threat actor targeted security researchers with fake Windows proof-of-concept exploits that infected devices with the Cobalt Strike backdoor.
Whoever is behind these attacks took advantage of recently patched Windows remote code execution vulnerabilities tracked as CVE-2022-24500 and CVE-2022-26809.
When Microsoft patches a vulnerability, it is common for security researchers to analyze the fix and release proof-of-concept exploits for the flaw on GitHub.
These proof-of-concept exploits are used by security researchers to test their own defenses and to push admins to apply security updates.
However, threat actors commonly use these exploits to conduct attacks or spread laterally within a network.
This is not the first time threat actors have targeted vulnerability researchers and pentesters.
In January 2021, the North Korean Lazarus hacking group targeted vulnerability researchers through social media accounts and zero-day browser vulnerabilities.
In March 2021, North Korean hackers again targeted the infosec community by creating a fake cybersecurity company called SecuriElite (located in Turkey).
In November, the Lazarus hacking group conducted another campaign using a trojanized version of the IDA Pro reverse engineering application that installed the NukeSped remote access trojan.
By targeting the infosec community, threat actors not only gain access to vulnerability research the victim may be working on but may also potentially gain access to a cybersecurity company's network.
As cybersecurity companies tend to have sensitive information on clients, such as vulnerability assessments, remote access credentials, or even undisclosed zero-day vulnerabilities, this type of access can be very valuable to a threat actor.