This week’s hack of Axios, a widely used software package, has been traced to an elaborate AI deepfake from suspected North Korean hackers that was convincing enough to trick a developer into installing malware.
On Thursday, lead developer Jason Saayman, published a post-mortem of the breach, which resulted in Axios briefly circulating a new version that could install malware on PCs, no matter the OS. We already knew the hackers hijacked Saayman’s account for NPM, where Axios downloads are hosted, even though he had two-factor authentication enabled. But in the post-mortem, Saayman revealed the attackers also had access to his PC after they tricked him into installing a remote access Trojan sometime last month.
Saayman then revealed he fell for a scheme from a North Korean hacking group, dubbed UNC1069, which involves sending out phishing messages and then hosting virtual meetings that use AI deepfakes to clone the face and voices of real executives. The virtual meetings will then create the impression of an audio problem, which can only be “solved” if the victim installs some software or runs a troubleshooting command. In reality, it’s an effort to execute malware.
The North Koreans have been using the tactic repeatedly, whether it be to phish cryptocurrency firms or to secure jobs from IT companies.
This Tweet is currently unavailable. It might be loading or has been removed.
Saayman said he faced a similar playbook. “They reached out masquerading as the founder of a company, they had cloned the company’s founders likeness as well as the company itself,” he wrote. “They then invited me to a real Slack workspace. This workspace was branded to the companies ci [corporate identity] and named in a plausible manner. The Slack was thought out very well, they had channels where they were sharing LinkedIn posts. The LinkedIn posts I presume just went to the real company’s account, but it was super convincing etc.”
The hackers then invited him to a virtual meeting on Microsoft Teams. “The meeting had what seemed to be a group of people that were involved. The meeting said something on my system was out of date. I installed the missing item as I presumed it was something to do with Teams, and this was the RAT [remote access Trojan],” he added. “Everything was extremely well coordinated, looked legit and was done in a professional manner.”
Recommended by Our Editors
Google and other security providers have since concluded that UNC1069 was likely behind the Axios hack, pointing to the malware used. The group has been around since at least 2018 and has been known to target the cryptocurrency sector.
The Axios incidents underscores how phishing attempts have become extremely elaborate, thanks to the proliferation of cutting-edge AI tools. Fortunately, the hackers were only able to circulate a malicious version of Axios for about three hours. Still, any software projects or apps that automatically incorporated new versions of Axios would have delivered malware to victim PCs. As a result, the security community has published various advisories on how developers and companies can root out the threat.
Get Our Best Stories!
Stay Safe With the Latest Security News and Updates
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
About Our Expert
Michael Kan
Senior Reporter
Experience
I’ve been a journalist for over 15 years. I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017, where I cover satellite internet services, cybersecurity, PC hardware, and more. I’m currently based in San Francisco, but previously spent over five years in China, covering the country’s technology sector.
Since 2020, I’ve covered the launch and explosive growth of SpaceX’s Starlink satellite internet service, writing 600+ stories on availability and feature launches, but also the regulatory battles over the expansion of satellite constellations, fights with rival providers like AST SpaceMobile and Amazon, and the effort to expand into satellite-based mobile service. I’ve combed through FCC filings for the latest news and driven to remote corners of California to test Starlink’s cellular service.
I also cover cyber threats, from ransomware gangs to the emergence of AI-based malware. Earlier this year, the FTC forced Avast to pay consumers $16.5 million for secretly harvesting and selling their personal information to third-party clients, as revealed in my joint investigation with Motherboard.
I also cover the PC graphics card market. Pandemic-era shortages led me to camp out in front of a Best Buy to get an RTX 3000. I’m now following how President Trump’s tariffs will affect the industry. I’m always eager to learn more, so please jump in the comments with feedback and send me tips.
Click Here For The Original Source.
