Today’s Topics:
- Infiltration by Resume: How Fake North Korean Workers Tricked Over 300 U.S. Companies
- Chinese Hackers Exploit GeoServer Flaw to Target APAC Nations with EAGLEDOOR Malware
- How can Netizen help?
Infiltration by Resume: How Fake North Korean Workers Tricked Over 300 U.S. Companies
Google’s Mandiant team recently uncovered a scheme where an American collaborator helped fake North Korean IT workers land jobs at U.S. companies, raking in roughly $6.8 million over three years. The operation, known as UNC5267, involved stealing identities and using fake resumes to infiltrate over 300 companies between 2020 and 2023.
According to Mandiant, North Korea is behind the effort, using these jobs to generate revenue, dodge sanctions, and fund its nuclear and missile programs. The IT workers, mostly based in China and Russia, use clever evasion tactics, such as fake companies and money laundering, to juggle multiple jobs at once. One individual even used over 60 stolen identities to keep the operation going.
These workers gain access to U.S. companies through “laptop farms” run by paid facilitators, who remotely manage company devices using tools like GoToRemote, AnyDesk, and TeamViewer. The workers connect from abroad via VPNs like Astrill and avoid video chats, often producing below-average work, making them difficult to spot without strict vetting.
In one case, security firm KnowBe4 caught a North Korean operative trying to install malware just 25 minutes after getting hired. Mandiant warns that while espionage hasn’t been confirmed yet, the high-level access these workers gain could be leveraged in the future. The report also found that many of the profiles feature AI-generated photos and fake credentials, making it tricky for employers to identify the scam during the hiring process.
To counter these risks, Mandiant advises companies to tighten their background checks with biometric verification and ensure on-camera interviews are conducted. They also recommend monitoring remote tools and VPN usage while training HR and IT teams to spot potential hiring fraud.
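As an added illustration of the monitoring Mandiant recommends (not code from Mandiant or Netizen), the script below reviews constructed endpoint telemetry for the laptop-farm pattern described above: a remote-management tool (AnyDesk, TeamViewer, GoToRemote) running on a host that also egresses through Astrill, or several such tools on one host. The log format, executable names and VPN destination name are assumptions for this example.

```python
import re
from collections import defaultdict

# Substrings of process image paths that identify the remote-management tools named in
# the report. The executable names are assumptions for illustration; tune to your EDR.
REMOTE_TOOLS = {"anydesk": "AnyDesk", "teamviewer": "TeamViewer", "gotoremote": "GoToRemote"}
VPN_MARKERS = ("astrill",)  # VPN provider named in the report; destination names are assumed

# Constructed sample endpoint telemetry in key=value form (not real log data).
SAMPLE_LOG = r"""
host=LT-1042 user=jdoe event=process_start image=C:\Program Files\AnyDesk\AnyDesk.exe
host=LT-1042 user=jdoe event=net_connect dest=gw01.astrill.example
host=LT-2210 user=asmith event=process_start image=C:\Windows\System32\notepad.exe
host=LT-3377 user=bwong event=process_start image=C:\Program Files\TeamViewer\TeamViewer.exe
host=LT-3377 user=bwong event=process_start image=C:\Users\bwong\Downloads\GoToRemote.exe
"""

# key=value pairs whose values may contain spaces (e.g. "Program Files")
_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_line(line):
    return dict(_KV.findall(line))

def review_hosts(log_text):
    """Return {host: [reasons]} for hosts matching the laptop-farm pattern:
    a remote-management tool together with VPN egress, or several such tools."""
    tools = defaultdict(set)
    vpn_hosts = set()
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        host = rec.get("host")
        if not host:
            continue
        image = rec.get("image", "").lower()
        for marker, name in REMOTE_TOOLS.items():
            if marker in image:
                tools[host].add(name)
        if any(m in rec.get("dest", "").lower() for m in VPN_MARKERS):
            vpn_hosts.add(host)
    findings = {}
    for host in sorted(set(tools) | vpn_hosts):
        seen = sorted(tools.get(host, ()))
        reasons = []
        if seen and host in vpn_hosts:
            reasons.append("remote tool %s with VPN egress" % ", ".join(seen))
        if len(seen) >= 2:
            reasons.append("multiple remote tools: " + ", ".join(seen))
        if reasons:
            findings[host] = reasons
    return findings
```

A hit is a prompt for HR and IT to verify the worker, not a verdict on its own; sanctioned remote-support tooling will need an allow-list.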
Chinese Hackers Exploit GeoServer Flaw to Target APAC Nations with EAGLEDOOR Malware
A sophisticated cyber-espionage campaign, believed to be orchestrated by Chinese hackers, has been targeting government organizations and industries across the Asia-Pacific (APAC) region. According to research conducted by Trend Micro, the attacks exploited a recently patched vulnerability in OSGeo GeoServer GeoTools and introduced a new malware strain dubbed EAGLEDOOR. The threat actor behind these activities, known as Earth Baxia, has been active since July 2024.
The campaign focused on government agencies, telecommunication companies, and energy organizations in countries like Taiwan, South Korea, Vietnam, Thailand, and the Philippines. Researchers also discovered lure documents written in Simplified Chinese, suggesting that sectors within China may have been targeted as well, though more evidence is needed to confirm this.
The identified method of intrusion involved spear-phishing emails and exploitation of a critical vulnerability in GeoServer (CVE-2024-36401, with a CVSS score of 9.8). This flaw, if exploited, allows attackers to deliver a combination of Cobalt Strike, a widely used post-exploitation framework, and the newly discovered EAGLEDOOR malware.
EAGLEDOOR is designed for information gathering and remote control, using multiple methods to communicate with its command-and-control (C2) servers over DNS, HTTP, TCP, and even Telegram. While the first three protocols serve to monitor victim status, the core malware capabilities are driven by the Telegram Bot API, allowing attackers to upload and download files, execute commands, and further infiltrate compromised systems.
Researchers highlighted that Earth Baxia used the GrimResource and AppDomainManager injection techniques, paired with decoy files, to maintain persistence and deploy additional malware. One notable payload, dubbed RIPCOY, was hidden within a ZIP archive attachment, masquerading as a legitimate file.
Interestingly, Earth Baxia’s tactics mirror those observed in campaigns attributed to APT41, a notorious Chinese cyber-espionage group. Both groups leveraged similar spear-phishing techniques and utilized Cobalt Strike with domains mimicking public cloud providers like Amazon Web Services (AWS) and Microsoft Azure. These domains, such as “s3cloud-azure” and “s3bucket-azure,” helped obscure their malicious activities and made detection more difficult.
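Two of the network traits above lend themselves to a simple DNS-log review: the Telegram Bot API tasking channel, and cloud-mimicking names such as "s3cloud-azure" that mix AWS and Azure brand tokens in a way no genuine provider hostname does. The script below is an added example (not Trend Micro's or Netizen's code); the token lists, legitimate-suffix list and sample query log are assumptions constructed for it.

```python
# Brand tokens of the two providers the report says were mimicked. Token lists and the
# sample log are assumptions constructed for this example.
AWS_TOKENS = ("amazonaws", "aws", "s3", "ec2", "cloudfront")
AZURE_TOKENS = ("azure", "windows.net", "microsoftonline")
# Genuine provider suffixes; names ending here are not lookalikes.
LEGIT_SUFFIXES = (".amazonaws.com", ".cloudfront.net", ".azure.com",
                  ".windows.net", ".microsoftonline.com")
TELEGRAM_API = "api.telegram.org"  # Bot API host; EAGLEDOOR tasking runs over this API

def tokens_in(name, tokens):
    return [t for t in tokens if t in name]

def classify(name):
    """Return a reason string if the queried name deserves review, else None."""
    n = name.lower().rstrip(".")
    if n.endswith(LEGIT_SUFFIXES):
        return None
    if n == TELEGRAM_API or n.endswith("." + TELEGRAM_API):
        return "Telegram Bot API host (review where Telegram is not sanctioned)"
    aws, azure = tokens_in(n, AWS_TOKENS), tokens_in(n, AZURE_TOKENS)
    if aws and azure:
        # A real provider name never combines both brands, e.g. "s3cloud-azure".
        return "mixes AWS tokens %s with Azure tokens %s" % (aws, azure)
    if aws or azure:
        return "cloud brand token outside provider domain (weak signal)"
    return None

# Constructed DNS query log: "<client host> <queried name>"; not real telemetry.
SAMPLE_DNS = """
ws-17 s3cloud-azure.example
ws-17 api.telegram.org
ws-22 cdn.mycompany.example
ws-22 s3bucket-azure.example
ws-31 mybucket.s3.amazonaws.com
ws-31 login.microsoftonline.com
ws-40 azure-update.example
"""

def review_dns(log_text):
    """Return [(client, name, reason)] for every query that classify() flags."""
    findings = []
    for line in log_text.strip().splitlines():
        client, name = line.split()
        reason = classify(name)
        if reason:
            findings.append((client, name, reason))
    return findings
```

The brand-mixing rule is the strong signal; the single-token rule and the Telegram check need an allow-list for sanctioned use before they are worth alerting on.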
Japanese cybersecurity company NTT Security Holdings recently uncovered a cluster of activity that shares many characteristics with the Earth Baxia campaign, specifically targeting military and energy sectors in Taiwan, the Philippines, and Vietnam.
The sophistication of these attacks highlights the evolving tactics used by Earth Baxia and other Chinese-linked APT groups. By exploiting critical vulnerabilities in software and leveraging public cloud services like AWS and Microsoft Azure, these groups can infiltrate systems while maintaining a low profile. The deployment of customized malware, such as EAGLEDOOR, underscores their adaptability and intent to exfiltrate sensitive data from high-value targets.
While the specific end goal of these operations may still be unclear, the elevated system access gained through EAGLEDOOR and Cobalt Strike presents a significant risk for future exploitation or potential espionage.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service,” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.