Instead of getting an exploit PoC, they're getting something a lot more sinister:
It's common practice for researchers to publish a PoC [Proof-of-Concept] of recently patched flaws on code repositories, such as GitHub. That way, they can test different solutions among themselves and force admins to apply the fixes as soon as possible.
When Microsoft patched two remote code execution vulnerabilities, tracked as CVE-2022-24500 and CVE-2022-26809, a few PoCs popped up on GitHub, one of them coming from an account named "rkxxz".
However, the PoC turned out to be bogus, and what it did instead was install Cobalt Strike beacons on the researchers' endpoints. [...]
Fake Windows exploits target infosec community with Cobalt Strike:
This is not the first time threat actors have targeted vulnerability researchers and pentesters.
In January 2021, the North Korean Lazarus hacking group targeted vulnerability researchers through social media accounts and zero-day browser vulnerabilities.
In March 2021, North Korean hackers again targeted the infosec community by creating a fake cybersecurity company called SecuriElite (located in Turkey).
In November, the Lazarus hacking group conducted another campaign using a trojanized version of the IDA Pro reverse engineering application that installed the NukeSped remote access trojan.
By targeting the infosec community, threat actors not only gain access to vulnerability research the victim may be working on but may also potentially gain access to a cybersecurity company's network.
(Score: 0, Troll) by Anonymous Coward on Sunday May 29 2022, @11:22PM
Crackers are going after those that come after them?
Is that ... like ... unexpected? I suppose these are like special force super elite crackers?
(Score: 4, Insightful) by anubi on Monday May 30 2022, @12:08AM (3 children)
We are getting to be a society based on enforced ignorance ( drm/patent/copyright/trade secret, whatever).
This is what we get.
Who knows who is telling the truth?
An unverifiable lie carries as much credibility as the truth.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 0) by Anonymous Coward on Monday May 30 2022, @02:01AM
And even the truth, which you can't verify, carries the same credibility as a lie!
(Score: 5, Interesting) by jb on Monday May 30 2022, @03:49AM (1 child)
The whole point of source code repositories is that you do know what's in them.
There are really only two possibilities here. Either:
1. the exploit was in the clear, right there in the source code, but these "experts" didn't even bother to read it before building & running it; or
2. the "source" repo contained some sort of binary -- which should send up a big enough red flag for any infosec guy to run it only on a suitably instrumented VM (itself on an air-gapped host) for analysis.
Short version: the words "experts" and "Windows" never belong in the same sentence (unless separated by "don't run").
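The check the comment above implies, written out as an added example (not the commenter's code, not tied to the "rkxxz" repository, and using only constructed sample files): before building anything from a freshly cloned "PoC" checkout, walk the tree and list every file that is not plain text. A shipped PE/ELF/ZIP blob in a repository that claims to be source is exactly the red flag described; the magic-byte table and the UTF-8 heuristic below are my own choices, and the `demo()` layout is invented for illustration.

```python
"""Pre-build scan of a cloned repository for files that are not plain text.

Added example: flags binaries hiding in a "source" checkout so they can be
diverted to an instrumented VM for analysis instead of being built and run.
"""
import codecs
import os
import tempfile
from typing import List, Optional, Tuple

# Well-known container/executable signatures (first bytes of the file).
MAGIC = {
    b"MZ": "PE executable (Windows .exe/.dll)",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP container (archive, .jar, .docx, ...)",
    b"\xd0\xcf\x11\xe0": "OLE2 compound document (legacy Office)",
}

SAMPLE_SIZE = 8192  # only the head of each file is inspected


def classify(head: bytes) -> Optional[str]:
    """Return a reason string if `head` looks binary, else None for text."""
    for sig, desc in MAGIC.items():
        if head.startswith(sig):
            return desc
    if not head:
        return None  # empty file: nothing to execute
    if b"\x00" in head:
        return "contains NUL bytes (binary)"
    # Incremental decoder tolerates a multi-byte char cut off at SAMPLE_SIZE
    # but still raises on genuinely invalid UTF-8.
    try:
        codecs.getincrementaldecoder("utf-8")().decode(head)
    except UnicodeDecodeError:
        return "not valid UTF-8 text (binary?)"
    return None


def scan_repo(root: str) -> List[Tuple[str, str]]:
    """Walk a checkout and return sorted (relative_path, reason) for non-text files."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip VCS metadata
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(SAMPLE_SIZE)
            reason = classify(head)
            if reason:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, reason))
    findings.sort()
    return findings


def demo() -> List[Tuple[str, str]]:
    """Build a constructed sample checkout (not a real repo) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "src"))
        os.makedirs(os.path.join(root, "helper"))
        os.makedirs(os.path.join(root, "tools"))
        with open(os.path.join(root, "src", "poc.c"), "w") as fh:
            fh.write("int main(void) { return 0; }\n")
        with open(os.path.join(root, "README.md"), "w", encoding="utf-8") as fh:
            fh.write("# PoC\nÜber-simple demo, UTF-8 prose is still text\n")
        # Constructed stand-ins for shipped binaries: a PE header stub and a
        # NUL-laden blob. Neither is a real program.
        with open(os.path.join(root, "helper", "stage.dll"), "wb") as fh:
            fh.write(b"MZ\x90\x00" + b"\x00" * 60)
        with open(os.path.join(root, "tools", "payload.bin"), "wb") as fh:
            fh.write(b"\x00\x01\x02\x03" * 16)
        return scan_repo(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"REVIEW BEFORE BUILD: {rel}: {reason}")
```

Run it against a real clone with `scan_repo("/path/to/checkout")`; anything it lists should be opened in a hex editor or a sandboxed VM first, and a build script that references such a file (a "helper" DLL, a pre-built "loader") deserves the same scrutiny as the file itself.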
(Score: 0) by Anonymous Coward on Tuesday May 31 2022, @04:25PM
I'm sure "good people" never make mistakes. Why would somebody trip over a cord? It sounds unpleasant. [xkcd.com]
For that matter, we have no evidence that this successfully exploited somebody. The articles are just saying that they are TRYING to exploit, which I think is a good thing to spread around as a further security measure for people to be careful.
(Score: 2) by inertnet on Monday May 30 2022, @08:43AM
Researchers should know how not to be vulnerable and to use separate honeypot systems for their research. Security researchers getting pwned on their own systems: you're holding it wrong.
(Score: 2) by loonycyborg on Tuesday May 31 2022, @10:48AM
I assume the name Lazarus won't actually be used by a Korean group. They wouldn't even care about Lazarus. It's Jewish/Christian mythology. That's a foreign-assigned codename?