Cybercriminals Inducing Insiders to Plant Malware

Those who manage insider threat programs just got a healthy reminder from researchers at Abnormal Security who detailed how their deployed tools detected a new insider recruitment tactic—this time involving ransomware.

Insider recruitment, be it sponsored by a nation-state, competitor or criminal enterprise, is not new. The means by which the adversary approaches the target to induce them to break trust is what is always evolving. Crane Hassold, director of threat intelligence at Abnormal Security, hooked an adversary and adroitly played the line, keeping the fish in play, to learn more about the bad actor’s strategy to coerce an insider to place ransomware on his employer’s network.

LinkedIn Harvesting

What they learned should be widely shared with all employees, whether your organization is a tiny startup or a mega-multinational corporation. First, the adversary mines the profiles of companies and their employees from LinkedIn, the professional social network. Those LinkedIn profiles, created by individuals, tend to be accurate, especially in the “contact” department. LinkedIn makes connections as individuals move from job to job, corporate entity to entity, conveniently tracking who is associated with which entity—no heavy lifting required on the part of the cybercriminal.

In this instance, the cybercriminal admitted they were operating from Nigeria. The Abnormal Security analysis of the social engineering methodologies used noted their similarity to those used in business email compromise scenarios. The cybercriminal’s goal was straightforward: Compromise an entity with resources sufficient to pay the ransom by having a willing insider place the malware (ransomware).

Engaging the Target

These blind inducements have a high failure rate. Depending upon the sophistication of the emails themselves, they’re often filtered by various apps designed to stave these exact types of fraud, malware and spam emails. In this instance, the pitch is unambiguous: “If you can install & launch our Demonware Ransomware in any computer/company main windows server physically or remotely […]”. In return, the employee is offered 40% or one million dollars, payable in Bitcoin. Interestingly, the bad actor markets the offer as a “partnership affiliate offer.”

Clearly, access to the “Windows server” is key in this engagement, as not many senior-level personnel will have regular access to their network servers. IT departments need to ask themselves: If malware is launched from a user’s device, (or from the server) how will that impact their operations?

While this specific attempt at infiltration landed in the hands of a cybersecurity professional, one whose company’s product filters email looking for phishing, malware and fraud, what happens if/when a vulnerable or disgruntled employee receives such an inducement?

Hooking a Trusted Insider

There is no denying it, the COVID pandemic has caused many companies to undergo reductions in pay, work and ongoing infrastructure maintenance. While this bad actor was ham-handed in his approach, it’s certain that more successful (and more subtle) entities operating ransomware-as-a-service have duly noted Abnormal Security’s writeup of this engagement.

The Nigerian criminal used LinkedIn’s own tools to identify targets. Nation-states, competitors and more technically savvy criminal actors will put together more sophisticated targeting packages designed to float the specific target’s boat. We saw this in the unsuccessful approach to a Tesla engineer last year by a Russian criminal entity. That approach was warm—nothing cold about it—an individual who had made prior contact was used to make the pitch. Thankfully, the employee reported it and the FBI engaged.

The takeaway here is that companies should expect to see more of these types of pitches, both cold and warm, via email and other communication mediums. Why? Because they are effective, even if the batting average is below .200. The cost for cybercriminals to engage is low, and every success produces an attractive ROI. Provide your employees with triage training and a path to report when that proverbial knock sounds at their door.

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.

burgesschristopher has 186 posts and counting.See all posts by burgesschristopher