Google examines ransomware scheme that uses fake LinkedIn profiles

Source: Daniel Rubino / Windows Central

Microsoft’s security teams routinely report on bad happenings going on in the cybercriminal world, including when such happenings affect the competition. But this time around, it’s Google highlighting how Microsoft’s services and products are being used by bad guys for bad purposes.

Google released a report exposing the operations of a group nicknamed “Exotic Lily,” an Initial Access Broker (IAB). IABs infiltrate networks and then auction that access to whichever cybercriminal will pay the most.

Exotic Lily’s methods for infiltration are a bit more personal and crafty than those of the usual threat actor, according to Google. Here’s the play: The group creates fake social media profiles, including LinkedIn profiles, utilizing easily obtainable data on employees so that the illegitimate duplicates appear authentic. They also utilize spoofed email accounts and then begin engaging with targets, establishing rapport.

Once there’s an opening to do so, the group uses a file-sharing service such as OneDrive to deliver the payload and mask its origin, setting the stage for a ransomware attack. The group also exploited a since-patched zero-day vulnerability in MSHTML, the Windows browser engine component, as part of its efforts to circulate malicious Office documents designed to trick users into welcoming dangerous content onto their devices.

In short, Exotic Lily has used a wide range of Microsoft services and products for malicious purposes, and threats like fake LinkedIn profiles remain a danger. That said, Microsoft has addressed the aforementioned MSHTML zero-day, and Google’s report offers guidance on what to look out for, as well as more detail on the technical aspects of Exotic Lily’s operations should you want to dig deeper.
