News: 1721797034

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Security biz KnowBe4 hired fake North Korean techie, who got straight to work ... on evil

(2024/07/24)


Security awareness and training provider KnowBe4 hired a fake North Korean IT worker for a software engineering role on its AI team, and only realized its mistake once the worker started using his company-provided computer for evil.

KnowBe4 'fessed up to the hire in a Tuesday [1]post from CEO Stu Sjouwerman. He explained that his HR team conducted four video interviews with the candidate, confirmed their appearance matched a photo included with a job the application, and conducted background checks.

Everything checked out OK, the faker was hired, and a Mac dispatched so they could start work.

[2]

Which is when the trouble started.

[3]

[4]

"We sent them their Mac workstation, and the moment it was received, it immediately started to load malware," Sjouwerman wrote.

It turns out the new hire used a stolen US-based ID and a stock photo – modified with AI – to fake their identity.

[5]

Thankfully, KnowBe4's security software detected the malware, leading to a probe that uncovered the faker.

When the security operation center (SOC) called the employee to address the malware, things "got dodgy fast."

The attacker claimed he was simply troubleshooting a speed issue with his router, and that it may have caused a compromise. KnowBe4's help desk tried to call the worker, but he soon became unresponsive.

[6]

An investigation revealed the attacker had manipulated session history files, transferred potentially harmful files, and executed unauthorized software.

"No illegal access was gained, and no data was lost or compromised on any KnowBe4 systems," the somewhat chastened security biz clarified. The time from KnowBe4's security operations center identifying the malware to the Mac being neutered was around 25 minutes.

KnowBe4 reckons the laptop was sent to an "IT mule laptop farm" – facilities in North Korea or China where fake workers ply their trade, using VPNs to hide their location.

[7]Three cuffed for 'helping North Koreans' secure remote IT jobs in America

[8]North Korea building cash reserves using ransomware, video games

[9]New Nork-ish cyberespionage outfit uncovered after three years

[10]RIP Kevin Mitnick: Former most-wanted hacker dies at 59

"The scam is that they are actually doing the work, getting paid well, and give a large amount to North Korea to fund their illegal programs," wrote Sjouwerman.

The FBI has been alerted. Sjouwerman suggested others could avoid such incidents by monitoring devices that offer remote access, and better vetting to confirm a candidate's location. Use of VOIP numbers and lack of digital footprint for provided contact information should be a red flag, as should conflicting personal information and sophisticated use of VPNs.

North Korea's attempts to have its citizens pose as tech workers to earn money, and find malware targets, is [11]well [12]documented – but not something the average employer runs across every day.

However, infiltration is quite an admission from a business that aims to help organizations manage the ongoing problem of social engineering.

Infosec luminary Brian Krebs [13]praised KnowBe4's transparency. "Kudos to them for publishing this. If it can happen to a security awareness company, it can happen to anyone." ®

Get our [14]Tech Resources



[1] https://blog.knowbe4.com/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZqDQupU7C0V72M0l2qAmwwAAAMQ&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZqDQupU7C0V72M0l2qAmwwAAAMQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZqDQupU7C0V72M0l2qAmwwAAAMQ&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZqDQupU7C0V72M0l2qAmwwAAAMQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZqDQupU7C0V72M0l2qAmwwAAAMQ&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[7] https://www.theregister.com/2024/05/17/three_arrested_for_helping_north_korea/

[8] https://www.theregister.com/2024/05/29/north_korea_using_ransomware_and/

[9] https://www.theregister.com/2024/05/31/new_norkish_cyberespionage_outfit_uncovered/

[10] https://www.theregister.com/2023/07/20/kevin_mitnick_obit/

[11] https://www.theregister.com/2024/02/15/north_korea_turns_to_designing/

[12] https://www.theregister.com/2024/03/28/japan_nk_arrests/

[13] https://www.linkedin.com/posts/bkrebs_wild-true-story-from-the-security-awareness-activity-7221653099797512192-VItc/

[14] https://whitepapers.theregister.com/



Is not even theReg safe from the pronoun police :o

Anonymous Coward

> Stu Sjouwerman. He explained that his HR team conducted four video interviews with the candidate, confirmed their appearance matched a photo ..

Apparently, yes.

Anonymous Coward

I hate to disappoint you, but the use of "their" is perfectly normal English in that sentence, and has been for decades. Use of "their" in that position is fine even if the gender has already been identified - you don't have to bash the specific pronoun in everywhere.

Re: Is not even theReg safe from the pronoun police :o

phuzz

"They" is perfectly appropriate, because the company don't know if the candidate was male, female, or even if they exist.

But maybe elReg needs to start putting content warnings on articles that contain any pronouns, just to avoid scaring readers like OP?

hmm

BartyFartsLast

If they are suggesting the use of VoIP numbers is a red flag or that an established telephone number is somehow a marker of authenticity we are in for some interesting times as we transition from POTS to fully VoIP networks

sitta_europea

"...If it can happen to a security awareness company, it can happen to anyone."

I take issue with that.

I would never hire anybody I hadn't met in person.

For a security company to do it is just plain crazy.

Don't tell me you can't get the staff when what you mean is you don't want to pay them the going rate.

Real location

IanRS

KnowBe4 reckons the laptop was sent to an "IT mule laptop farm" – facilities in North Korea or China where fake workers ply their trade, using VPNs to hide their location.

You cannot hide a physical delivery address behind a VPN. Perhaps the North Korea as the final line of the address should have raised concerns?

Where can I get more of that scam?

that one in the corner

> The scam is that they are actually doing the work, getting paid well

If the "scammer" is actually doing the work, can we get some more of, please?

Maybe in one or two companies whose QA tes we have recently suspected are understaffed (and/or the staff are underperforming).

Ok, not this particular guy, with his penchant for malware.

Just a strange use of the word "scam". Fraudulent ID, yes.[1]

[1] Which raises another question: if they were going to have a video call, why use (pseudo)AI to modify a stock photo? Couldn't find a camera and a blank wall to stand against? Or some people have just fallen for the "AI" hype, even in. N. Korea.

Not much of a security company

The Man Who Fell To Earth

The cost of flying someone out to interview is trivial compared to what you will be paying them over the course of the first year. To not eventually interview in person before making a candidate an offer is not just cheap, it's downright stupid. Especially for a "Security Company". I'd never hire these clowns or knowingly use their products.

On the plus side..

Anonymous Coward

.. at least they're using Macs. No Crowdstrike problems :)

An excellence-oriented '80s male does not wear a regular watch. He wears
a Rolex watch, because it weighs nearly six pounds and is advertised
only in excellence-oriented publications such as Fortune and Rich
Protestant Golfer Magazine. The advertisements are written in
incomplete sentences, which is how advertising copywriters denote excellence:

"The Rolex Hyperion. An elegant new standard in quality excellence and
discriminating handcraftsmanship. For the individual who is truly able
to discriminate with regard to excellent quality standards of crafting
things by hand. Fabricated of 100 percent 24-karat gold. No watch parts
or anything. Just a great big chunk on your wrist. Truly a timeless
statement. For the individual who is very secure. Who doesn't need to
be reminded all the time that he is very successful. Much more successful
than the people who laughed at him in high school. Because of his acne.
People who are probably nowhere near as successful as he is now. Maybe
he'll go to his 20th reunion, and they'll see his Rolex Hyperion.
Hahahahahahahahaha."
-- Dave Barry, "In Search of Excellence"