Google examines ransomware scheme that utilizes fake LinkedIn profiles and Microsoft bugs
A threat actor is using Microsoft’s own tools against it.
Microsoft’s security teams routinely report on bad happenings going on in the cybercriminal world, including when such happenings affect the competition. But this time around, it’s Google highlighting how Microsoft’s services and products are being used by bad guys for bad purposes.
Google released a report exposing the operations of a group nicknamed “Exotic Lily,” an Initial Access Broker (IAB). IABs infiltrate networks then auction that access to whichever cybercriminal will pay the most.
Exotic Lily’s methods for infiltration are a bit more personal and crafty than those of the usual threat actor, according to Google. Here’s the play: The group creates fake social media profiles, including LinkedIn profiles, utilizing easily obtainable data on employees so that the illegitimate duplicates appear authentic. They also utilize spoofed email accounts and then begin engaging with targets, establishing rapport.
Once there’s an opening to do so, the group uses a file-sharing service such as OneDrive to deliver and mask the origins of the payload needed to set the scene for ransomware attacks. The group also exploited a now-defunct zero-day vulnerability in Windows-linked MSHTML in conjunction with its efforts to circulate malicious Office documents designed to trick users into welcoming dangerous content onto their devices.
In short, Exotic Lily has used a wide range of Microsoft services and products for maleficent purposes, and threats like fake LinkedIn profiles remain a danger. With that being said, Microsoft addressed the aforementioned MSHTML zero-day and Google has guidance in its report for what to look out for, as well as more details on the technical aspects of Exotic Lily’s operations should you want to dig deeper.
Robert Carnevale is the News Editor for Windows Central. He’s a big fan of Kinect (it lives on in his heart), Sonic the Hedgehog, and the legendary intersection of those two titans, Sonic Free Riders. He is the author of Cold War 2395. Have a useful tip? Send it to robert.carnevale@futurenet.com.