Hackers have been impersonating security researchers to advertise bogus zero day exploits laced with malware and dupe real researchers into downloading malicious code targeting Linux and Windows from GitHub. The criminals pretend to represent fake security companies to promote their repositories on Twitter.
The campaign began in early May, advertising fake vulnerabilities in Google’s Chrome, chat app Discord and Microsoft Exchange email servers, according to researchers at security company VulnCheck. Zero day exploits are previously unknown vulnerabilities in software, which can prove particularly dangerous in the wrong hands and as such are of great interest to security analysts.
Bogus zero day exploits laced with malware to scam researchers
The cybercriminals behind the attacks used a fake security company called High Sierra as cover to post the fake zero days on GitHub. Each post contains a malicious repository claiming to be an exploit for a well-known product, but actually containing malware which can be activated on the Windows or Linux operating systems.
A list of fake accounts can be found here, and the attacker has six GitHub accounts and a handful of associated Twitter profiles, all claiming to be part of High Sierra. To add further confusion, the profile pictures for the fake accounts seem to have been stolen from researchers at real security vendors. “It appears the attacker is not only making efforts to make the profiles look legitimate, but also using headshots of actual security researchers,” the report warns.
“The attacker has made a lot of effort to create all these fake personas, only to deliver very obvious malware,” says the VulnCheck report. “It’s unclear if they have been successful, but given that they’ve continued to pursue this avenue of attacks, it seems they believe they will be successful.”
Regardless of the success of the scam, researchers should take this to be a warning that they may be increasingly in the firing line of cybercriminals. “Security researchers should understand they are useful targets for malicious actors and should be careful when downloading code from GitHub,” the report says. “Always review the code you are executing and don’t use anything you don’t understand.”
Security researchers on Twitter beware
This is not the first time researchers have fallen foul of targeted attacks like this. Last year, Tech Monitor uncovered a scam where researchers who were investigating online criminal gangs were being targeted through a Twitter loophole.
The ransomware gang REvil was using fraudulent emergency data requests on Twitter to demand private information of researchers investigating them, to threaten them and their families.
“Threat actors are now turning this sort of low-tech tactic onto those who investigate and expose their illegal activities,” Louise Ferrett, researcher at Searchlight Security, explained at the time. “Twitter is an easy target because that’s where a lot of researchers gather.”