Thirst for workers leads to poisoned resumés

HR-targeted attacks are just one trending global threat, experts said at the Tuesday keynote at RSA 2022.

SAN FRANCISCO — Human resources: They’re so nice down there. So obliging! So eager to be helpful! So hungry for CVs from the technorati! … Or, well, really, from anybody with even half a brain, these days. 

That’s a dangerous combination. Niceness paired with eagerness to open documents/aka potentially malware-boobytrapped PDFs or Word docs from strangers = a big bulls-eye on the backs of corporate hiring managers. That’s according to Dmitri Alperovitch, chairman of the Silverado Policy Accelerator: a dot-org designed to transform fresh policy ideas into actionable policy initiatives, including the modernization of U.S. cyberstrategy, with an eye to enhancing deterrence, defense against cyberattacks, and protecting intellectual property and national security. 

North Korean threat actors, for example, are “really pushing the envelope in terms of techniques” such as going after HR, Alperovitch said in Tuesday’s keynote at RSA 2022, “Global Threat Brief: Hacks and Adversaries Unveiled.” He joined the stage with Mandiant Intelligence Executive Vice President Sandra Joyce to enlighten attendees about what’s hot in the cybercrook arsenal, rigged resumés being just one flavor. 

North Korea wants to work with you (or on you)

One interesting thing about malicious actors linked to North Korea is that after a spate of attempts to steal research related to COVID vaccines and treatments, they’re now “truly back,” coming up with “incredible innovation” in their efforts to infiltrate targets, he noted, including how to penetrate organizations and to leverage the information they get. 

One such: North Korea-linked scammers have been posing as U.S. job candidates to try to infiltrate crypto startups, to get IT jobs and to collect paychecks (a red flag: “pay in cryptocurrency, please!”). Alperovitch: “[One thing] that's been really interesting to watch is their attempts to infiltrate organizations remotely by trying to actually get hired inside of these companies, particularly in the web3 crypto space, where they're responding to advertisements,” he continued. “They're saying they're willing to do remote development work. They're saying they're from ‘a’ Bay Area, although in many of the interviews they failed to identify even the most common locations in ‘the’ [San Francisco] Bay Area.” 

They’re still having a tough time actually passing these interviews, but they don’t have to pose as Bay Area natives when it comes to packing resumés with malware. One example: In April, eSentire research showed that new phishing attacks, targeting corporate hiring managers, were delivering the more_eggs malware, tucked into bogus CVs. These campaigns sprang up a year after potential candidates looking for work on LinkedIn were lured with weaponized job offers: The offers dangled malicious ZIP archive files with the same name as that of the victims' job titles, as lifted from their LinkedIn profiles.

Warn those nice-niks, STAT!

That’s a new one on me, said attendee Sandy Buchanan, chief security officer at Mirai Security. 

Take a look at Mirai’s site: Like just about every site for every company under the sun these days, the top-most text reads “We’re hiring.” Buchanan’s main takeaway from the keynote: warn the HR department. In fact, that’s what he did during the presentation, and that’s what he said he planned to do with regards to Mirai’s customers. 

Mirai Security CSO Sandy Buchanan reached out to warn his HR department
about boobytrapped resumés while attending the keynote.

If you’re not in HR, you may wonder why organizations don’t just stop accepting resumés as attachments. Why don’t they just use web forms instead?

Because that “means fewer people will apply,” Buchanan said. The hunger for warm bodies is too sharp to allow potential candidates to stumble and grumble away from a web form, he remarked. 

Rub hackers for hire off your phone: Reboot!

Another trend in global threats: Hackers-for-hire groups targeting smartphones. Alperovitch granted that yes, it’s hard, but we should get Google Voice numbers or other VoIP numbers so that malicious texts — including ones that plant military-grade spyware such as Pegasus on phones — get diverted away from infecting your actual phone. 

“You get people to make phone calls to you, and then have that redirect to your real number,” he advised. “Don't give up your real number, because oftentimes these … implants will use the iMessage protocol. [They] use some of these other baseband exploits to try to get into your device surreptitiously. You will not even know that it's happening. There will be nothing shown on your device.” 

Besides making sure that the real number attached to your phone through your telco is known by as few people as possible, rebooting your phone frequently also helps, Alperovitch advised. Given that it’s hard for many malicious implants to get persistence on the device, they can be brushed off fairly easily, at least sometimes. “Oftentimes when they land on the device, while the device is running, they can collect information, they can communicate, they can activate the microphone, but once you reboot, the flag goes away, and unless you’re retargeted, you'll be free of the malware,” he said. 

Alperovitch recommends that at least once a day, before you go to sleep, reboot your phone. If you’re a high-value target — one with data that might interest nation state actors — you might also want to contact the Citizen Lab out of the University of Toronto: The Lab has conducted multiple investigations and has excellent tools for running forensics on devices. 

Audience reaction: We’re rebooting now!

Tim Hurley, EVP Matter Communications, rebooted his phone following Alperovitch's recommendation. He also praised emphasis on building resistance to all of the threats covered in the talk, as stressed by Mandiant's Sandra Joyce.

The power of being bouncy

The keynote covered a blizzard of other new threats, including from malicious actors associated with nation states such as Iran, Russia, China or North Korea, et al. But when it comes to hardening your organization against the onslaught, there was a common thread: namely, businesses have to build resilience. 

… And not panic. 

“There's going to be a bit of evolution on the part of threat actors who are … going to get better,” Joyce said. They're going to evolve, But so too will their targets, she predicted. “Whether or not there is malware attached, or ransomware, or data theft with extortion, [those threats are all] going to be with us for a very long time.” 

It’s not time to panic, she cautioned. Mandiant responds to over 1,000 incidents every year, watching organizations go through “just tremendously challenging situations.” Then, the threat experts watch those businesses resolve the incidents, get back on their feet and press on. 

“We need to be resilient,” Joyce repeated. “Really, the message here is preparedness, resiliency and taking care of defenders,” — as in, very likely, YOU, dear reader. “You know, we can't take for granted the fact that defenders like you are working day in and day out,” she said. “Appreciate them. Take care of them, because if you do, they can take care of the mission.”

Hallelujah to that. Oh, and one last thing: Don’t let the lawyer get to the communications before you do.  

Write a press release before you need it

Alperovitch has observed that companies that have done well — even though they may have suffered severe breaches — are the ones that are transparent. “They're communicating rapidly and revealing information about what has happened and what they're doing to respond and make things better,” he said. 

They're the ones that people often respect and understand the simple fact that everyone's getting hit. It’s unavoidable, but how you respond is actually going to make all the difference. 

He recommends the tabletop practice of actually writing the press release that you're going to put out in the event of a leak or an event of a ransomware attack. The logic: Inevitably, it takes days for people to get their arms around what they're going to say publicly. 

“They involve way too many lawyers,” Alperovitch said. 

Ask a communications expert whether that sounds right. Matter Communications EVP Tim Hurley, an attendee, loved, loved, loved the advice. “The lawyers are going to slow down the process. You should get it written out, and get it out there as soon as possible,” he concurred. 

The threats are manifold, but the general preparedness is direct: Be fast. Be transparent. Be ready.