CyberheistNews Vol 14 #43 North Korean IT Worker Threat: 10 Critical Updates to Your Hiring Process




CyberheistNews Vol 14 #43  |   October 22nd, 2024

North Korean IT Worker Threat: 10 Critical Updates to Your Hiring Process

By Stu Sjouwerman, SACP

KnowBe4 was asked what changes were made in the hiring process after the North Korean (DPRK) fake IT worker discovery. Here is the summary, and we strongly suggest you talk this over with your own HR department and make these same changes or similar process updates.

Question: What remediations were put in place from this incident?

Answer: Please note that our cybersecurity controls in this matter were effective at quickly detecting, stopping and remediating the incident in a very timely manner (under 30 minutes). There are still many companies out there who are unaware a DPRK IT worker is in their environment after months.

Question: We would like to know more detail about changes in the recruitment process itself. For instance, are you interviewing in person now?

Answer: We are not requiring in-person interviews for all hiring, as this is a process that will not scale and we do not have all staff in-office. This is also not a requirement of many other tech companies that hire remote workers, one of which reached out to me after reading our article on the topic to discuss their challenges and what they implemented on their side as well to prevent the threat.

Question: What has KnowBe4 changed in their hiring process?

Answer: We have made the following 10 immediate changes to our hiring and recruitment process. Some of these changes include recommendations provided by threat intelligence partners and other security companies facing the same issues:

[CONTINUED ON THE KNOWBE4 BLOG (too long for the newsletter)]
https://blog.knowbe4.com/north-korean-it-worker-threat-10-critical-updates-to-your-hiring-process

Lights, Camera, Hacktion! The Inside Scoop on Creating 'The Inside Man'

Over the last five years, KnowBe4's binge-worthy series "The Inside Man" has been revolutionizing the way organizations think about security awareness training. Now, we invite you behind the scenes to learn from the creators, and find out what makes "The Inside Man" such a success in organizations around the world.

Join us for this can't-miss webinar where we're spilling all the tea with the masterminds behind "The Inside Man." You'll hear from Jim Shields, Director of "The Inside Man," Rich Leverton, Director of Content at Twist & Shout, and Perry Carpenter, Executive Producer and Chief Human Risk Management Strategist at KnowBe4 as they share:

  • Insights on how the concept came to be, and behind the scenes antics from the cast and crew
  • The secret sauce that makes "The Inside Man" even more addictive than your favorite Netflix show
  • Why storytelling is your new superpower in the fight against cybercriminals and making your security culture stick

We'll also be dropping some juicy teasers about the upcoming season that'll leave you on the edge of your seat. Whether you're a die-hard fan or new to "The Inside Man" party, you won't want to miss this!

Date/Time: Wednesday, October 30 @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot:
https://info.knowbe4.com/inside-man-webinar?partnerref=CHN

What Spending 3 Hours in IKEA Taught Me About Cybersecurity Awareness

By Javvad Malik

It was a Saturday morning, and I had grand plans. By "grand plans," I mean sitting on the sofa, watching reruns of "The IT Crowd," and pretending I didn't hear the lawn mower calling my name.

But my wife had other ideas. "We're going to IKEA," she announced, with our kids excitedly agreeing in the background. I groaned internally. The Swedish furniture labyrinth was the last place I wanted to be.

Little did I know, I was about to stumble into a masterclass on user experience and awareness that would open my eyes. Who knew that between the MALM dressers and POÄNG chairs, I'd find the techniques that can be used to make any security awareness program more engaging?

As we entered the blue and yellow kingdom, it was hard to miss the clear path laid out before us. It was like following the yellow brick road, but instead of Oz, it led to affordable furniture and meatballs. "Create a clear path," I muttered to myself, thinking about the most convoluted security policies.

If IKEA could guide thousands of customers daily without confusion, surely I could create a clearer path for our employees to follow security best practices. Then came the assembly instructions. As I stared at a diagram for the BILLY bookcase, it hit me: the simple, wordless instructions showed visually how to assemble the furniture.

No language barriers, no room for misinterpretation. Like those well-designed infographics that share volumes of research in one simple-to-understand image.

As we meandered through the store, my wife and kids tested every chair, opened every cabinet, and lay on every bed. I realized IKEA was offering hands-on experience with their products. I began to envision a "cybersecurity playground" where employees could safely interact with phishing simulations and security tools.

An Allen key is pretty much the only thing you need to assemble most IKEA furniture. But I did see a little box sold with a screwdriver, nails, screws and a few other fixing items: basically, a few essential tools that were simple to use and could assemble any item in the store. That got me thinking about equipping staff with the right security software and resources.

Finally, as we loaded our car with far more than the single bookshelf we came for, I marveled at IKEA's self-service model. They provided the showroom inspiration, the tools, and the support staff, but ultimately, customers assembled their purchases themselves. "Self-service with support," I said out loud, causing my wife to ask if I was feeling okay.

As we drove home, our car packed tighter than a SMÅSTAD storage combination, I couldn't help but smile. I had entered IKEA dreading the experience but left with a trunk full of furniture and a mind full of ideas.

The five steps to user-centric security design that can help foster a stronger security culture can be summed up as follows:

  • Create a Clear Path: Just as IKEA designs a clear path through its stores, create a clear, intuitive path for cybersecurity practices. Guide users through security processes as smoothly as IKEA guides you from sofas to kitchenware.
  • Use Visual Instructions: Replace text-heavy security policies with visual guides. Think IKEA's wordless assembly instructions — simple, universal and effective.
  • Offer Hands-On Experience: Set up "cybersecurity showrooms" where employees can interact with security tools and practices in a safe, sandbox environment. It's like IKEA's room setups, but for digital safety.
  • Provide Essential Tools: Equip users with the right "tools" for cybersecurity, just as IKEA provides that essential Allen key. This could be password managers, ways to securely back up data or two-factor authentication apps.
  • Encourage Self-Service with Support: Foster a culture where users can "assemble" their own secure environment, with expert help readily available — like IKEA's helpful staff scattered throughout the store.

Blog post with links:
https://blog.knowbe4.com/-spending-3-hours-ikea-taught-about-cybersecurity-awareness

Identify Weak User Passwords In Your Organization With the Newly Enhanced Weak Password Test

Cybercriminals never stop looking for ways to break into your network, and if your users' passwords can be guessed, those users have made the attackers' job that much easier.

Verizon's 2017 Data Breach Investigations Report found that 81% of hacking-related breaches leveraged either stolen or weak passwords.

The Weak Password Test (WPT) is a free tool that shows IT administrators which users have passwords that are easily guessed or susceptible to brute-force attacks, so they can act before an attacker does.

Weak Password Test checks Active Directory for several types of weak password-related threats and generates a report of users with weak passwords.

Here's how Weak Password Test works:

  • Connects to Active Directory to retrieve password table
  • Tests against 10 types of weak password-related threats
  • Displays which users failed and why
  • Does not display or store the actual passwords
  • Just download, install and run. Results in a few minutes!

Don't let weak passwords be the downfall of your network security. Take advantage of KnowBe4's Weak Password Test and gain insight into the strength of your users' passwords.

Download Now:
https://info.knowbe4.com/weak-password-test-chn
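The bullets above describe what the tool does, not how. As an added illustration that is not KnowBe4's code and does not reproduce the ten checks the tool runs (the page does not list them), here is a Python audit over a handful of password-related weaknesses that can be read straight from Active Directory user objects without touching a single hash: the documented userAccountControl bits for password-not-required, password-never-expires, reversible encryption and DES-only Kerberos keys, a service principal name on an enabled account (a Kerberoasting target), and a stale pwdLastSet. The records and account names are constructed inline; in a real run they would come from an LDAP search or Get-ADUser, and pwd_last_set_days is assumed to be computed by the caller from pwdLastSet. Whether the password itself is guessable is what a hash-based test like WPT checks and is outside this example.

```python
from __future__ import annotations

from dataclasses import dataclass

# userAccountControl bit flags as documented by Microsoft (ADS_USER_FLAG_ENUM).
UAC_ACCOUNTDISABLE = 0x0002
UAC_PASSWD_NOTREQD = 0x0020
UAC_ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080      # "store password using reversible encryption"
UAC_NORMAL_ACCOUNT = 0x0200
UAC_DONT_EXPIRE_PASSWD = 0x10000
UAC_USE_DES_KEY_ONLY = 0x200000

UAC_NAMES = {
    UAC_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UAC_PASSWD_NOTREQD: "PASSWD_NOTREQD",
    UAC_ENCRYPTED_TEXT_PWD_ALLOWED: "ENCRYPTED_TEXT_PWD_ALLOWED",
    UAC_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UAC_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UAC_USE_DES_KEY_ONLY: "USE_DES_KEY_ONLY",
}


@dataclass
class AccountRecord:
    """Subset of an AD user object; field names follow the LDAP attributes."""
    sam_account_name: str
    user_account_control: int
    service_principal_names: tuple = ()
    pwd_last_set_days: int = -1   # days since pwdLastSet; -1 = unknown (caller computes this)


def decode_uac(uac: int) -> list[str]:
    """Expand a userAccountControl integer into the flag names it carries."""
    return [name for bit, name in UAC_NAMES.items() if uac & bit]


def audit_account(acct: AccountRecord, max_password_age_days: int = 365) -> list[str]:
    """Return short finding codes for one account; an empty list means nothing flagged."""
    uac = acct.user_account_control
    if uac & UAC_ACCOUNTDISABLE:
        return []   # cannot authenticate; review disabled accounts separately
    findings = []
    if uac & UAC_PASSWD_NOTREQD:
        findings.append("password-not-required")       # a blank password is accepted
    if uac & UAC_DONT_EXPIRE_PASSWD:
        findings.append("password-never-expires")
    if uac & UAC_ENCRYPTED_TEXT_PWD_ALLOWED:
        findings.append("reversible-encryption")       # plaintext recoverable by a domain admin
    if uac & UAC_USE_DES_KEY_ONLY:
        findings.append("des-only-kerberos")           # single-DES tickets, cheap to crack
    if acct.service_principal_names:
        findings.append("kerberoastable")              # any domain user can request a TGS for it
    if 0 <= max_password_age_days < acct.pwd_last_set_days:
        findings.append("stale-password")
    return findings


def audit_accounts(records) -> dict[str, list[str]]:
    """Map sAMAccountName -> findings, omitting accounts with nothing flagged."""
    report = {}
    for acct in records:
        findings = audit_account(acct)
        if findings:
            report[acct.sam_account_name] = findings
    return report


# Constructed sample records (hypothetical names, not from any real directory).
SAMPLE_ACCOUNTS = [
    AccountRecord("svc_sql", UAC_NORMAL_ACCOUNT | UAC_DONT_EXPIRE_PASSWD,
                  ("MSSQLSvc/db01.corp.example:1433",), 900),
    AccountRecord("jdoe", UAC_NORMAL_ACCOUNT | UAC_PASSWD_NOTREQD, (), 30),
    AccountRecord("legacyapp",
                  UAC_NORMAL_ACCOUNT | UAC_ENCRYPTED_TEXT_PWD_ALLOWED | UAC_USE_DES_KEY_ONLY,
                  (), 10),
    AccountRecord("old_intern", UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE, ("HTTP/intern-box",), 2000),
    AccountRecord("asmith", UAC_NORMAL_ACCOUNT, (), 45),
]

if __name__ == "__main__":
    for sam, findings in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{sam:12} {', '.join(findings)}  uac={decode_uac(0)}")
```

Run as a script it lists the flagged accounts. The disabled account is skipped on purpose: it carries an SPN, but it cannot be Kerberoasted until someone re-enables it, and mixing it into the same report hides the live findings; keep a second pass for disabled accounts if your policy wants them cleaned up too.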

North Korean Hackers Continue to Target Job Seekers

A North Korean threat actor is launching social engineering attacks against job seekers in the tech industry, according to researchers at Palo Alto Networks' Unit 42.

The hackers are impersonating job recruiters and attempting to trick job seekers into installing malware as part of the phony interview process.

"In this campaign, the attackers targeted job-seeking individuals on LinkedIn, luring them to download and execute malware that masquerades as a legitimate video call application," the researchers write. "This campaign is a continuation of activity we initially reported in November 2023."

The threat actors set up convincing online personas impersonating technical recruiters and reach out to software developers with enticing employment offers. The hackers convince the job seeker to install a malicious version of a legitimate video-conferencing application in order to conduct an online interview.

Unit 42 notes that North Korean state-sponsored threat actors often conduct both cyber espionage and financial theft during their operations. In this case, the malware was designed to steal cryptocurrency, as well as potentially giving the hackers access to sensitive corporate information.

"North Korean threat actors are known to conduct financial crimes for funds to support the DPRK regime," the researchers write. "This campaign may be financially motivated, since the BeaverTail malware has the capability of stealing 13 different cryptocurrency wallets. ... Another important risk that this campaign poses is potential infiltration of the companies who employ the targeted job seekers.

"A successful infection on a company-owned endpoint could result in collection and exfiltration of sensitive information. It is essential for individuals and organizations to be aware of such advanced social engineering campaigns."

Human risk management gives your organization an essential layer of defense against social engineering attacks. KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links:
https://blog.knowbe4.com/north-korean-hackers-continue-to-target-job-seekers

Registration is Open for KB4-CON 2025!

Exciting news — registration for KB4-CON 2025 is now open! Join us April 7-9, 2025, at the beautiful Gaylord Palms Resort in sunny Orlando, Florida.

KB4-CON is the premier annual conference for KnowBe4 customers, partners and the broader cybersecurity community, bringing together thousands of attendees from across the industry. For three days, you'll explore the world of human risk management, AI and effective security strategies. In addition, get exclusive insights into KnowBe4's product roadmap and upcoming features.

We're designing an engaging experience that will transform your approach to managing human risk in the ever-changing cybersecurity landscape.

The best part? You can now secure your spot for KB4-CON 2025 with a limited time special in honor of Cybersecurity Awareness Month for $199 through October 31! Note that the regular price is $399, so register now! If you need help with approval to attend, download our travel justification letter here.

Save your spot at the cybersecurity event of the year!

Save My Spot:
https://knowbe4.cventevents.com/00nVrz?RefId=emregoppros

Chinese Threat Actor Targets OpenAI With Spear Phishing Attacks

OpenAI has disclosed that its employees were targeted by spear phishing attacks launched by a suspected Chinese state-sponsored threat actor. The phishing attempts were unsuccessful. Notably, the threat actor also abused OpenAI's own products to assist in the campaign.

"We identified and banned accounts, which based on an assessment from a credible source likely belonged to a suspected China-based adversary, that were attempting to use our models to support their offensive cyber operations while simultaneously conducting spear phishing attacks against our employees and governments around the world," OpenAI says.

"Publicly tracked as SweetSpecter, this adversary emerged in 2023. We understand this is the first time their targeting has publicly been identified to include a U.S.-based AI company, with their previous activity reported as having focused on political entities in the Middle East, Africa, and Asia."

The threat actor sent phishing emails to corporate and personal email addresses of OpenAI employees, asking for help with ChatGPT errors. The emails contained attachments designed to install malware.

"In these emails, SweetSpecter posed as a ChatGPT user asking for support from the targeted employees," the company says. "The emails included a malicious attachment called 'some problems.zip', containing an LNK file. This file contained code that would, if opened, present a DOCX file to the user that listed various apparent error and service messages from ChatGPT.

"In the background, however, Windows malware known as SugarGh0st RAT would be decrypted and executed. The malware is designed to give SweetSpecter control over the compromised machine and allow them to do things like execute arbitrary commands, take screenshots, and exfiltrate data."
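The attachment chain quoted above (a ZIP whose payload is an LNK that shows a decoy DOCX while the RAT is decrypted and run) is a pattern a mail gateway or a triage script can flag before anyone double-clicks. The Python below is an added example, not OpenAI's or any vendor's detection code, and it assumes nothing about SugarGh0st beyond the quoted description. It opens a ZIP in memory and flags members with shortcut or executable extensions, members whose first bytes carry the Shell Link header (the 0x4C HeaderSize followed by the LNK CLSID, per MS-SHLLINK) even when the name says .docx, and document-looking double extensions. The sample archive and its member names are constructed here for the demonstration; only the outer name 'some problems.zip' comes from the page.

```python
from __future__ import annotations

import io
import zipfile

# Every Shell Link file starts with HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK section 2.1).
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")

RISKY_EXTENSIONS = {"lnk", "exe", "scr", "js", "jse", "vbs", "hta", "cmd", "bat", "ps1"}
DOCUMENT_EXTENSIONS = {"doc", "docx", "pdf", "xls", "xlsx", "txt"}


def classify_member(name: str, head: bytes) -> list[str]:
    """Return finding codes for one archive member given its name and first bytes."""
    findings = []
    base = name.rsplit("/", 1)[-1].lower()     # drop any directory prefix
    parts = base.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in RISKY_EXTENSIONS:
        findings.append("risky-extension")
    if head.startswith(LNK_MAGIC):
        findings.append("lnk-header")           # content check; ignores the name entirely
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS and ext not in DOCUMENT_EXTENSIONS:
        findings.append("double-extension")     # e.g. report.docx.lnk
    return findings


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Scan an in-memory ZIP; map member name -> findings for suspicious members only."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))   # only the header bytes are needed
            findings = classify_member(info.filename, head)
            if findings:
                report[info.filename] = findings
    return report


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the quoted lure; member names are hypothetical."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # A shortcut named like the lure, with a valid LNK header and a dummy body.
        zf.writestr("some problems/ChatGPT errors.docx.lnk", LNK_MAGIC + b"\x00" * 56)
        # An LNK staged under a document name: the name passes, the content does not.
        zf.writestr("some problems/error log.docx", LNK_MAGIC + b"\x00" * 56)
        # A harmless text file: no findings.
        zf.writestr("some problems/readme.txt", b"see attached\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in scan_zip(build_sample_zip()).items():
        print(f"{member}: {', '.join(findings)}")
```

Run as a script it prints the two flagged members. The header check is the one worth keeping even if you trim the extension list: it catches a shortcut staged under a document name for later renaming, and it is the check that survives an attacker picking an extension the list does not know.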

Blog post with links:
https://blog.knowbe4.com/chinese-threat-actor-targets-openai-with-spear-phishing-attacks


Let's stay safe out there.

Warm regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [IMPORTANT BLOG POST] Meet SmartRisk Agent™: Unlock Your New Human Risk Management:
https://blog.knowbe4.com/meet-smartrisk-agent-unlock-your-new-human-risk-management

Quotes of the Week  
"Those who cannot remember the past are condemned to repeat it."
- George Santayana - Philosopher (1863 - 1952)

"Life shrinks or expands in proportion to one's courage."
- Anais Nin - Writer (1903 - 1977)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-14-43-north-korean-it-worker-threat-ten-critical-updates-to-your-hiring-process

Security News

Cybercriminals Exploit Interest in the U.S. Presidential Election

Criminal threat actors are targeting users in the United States with social engineering attacks that impersonate U.S. presidential candidates and their campaigns, according to a new report from Fortinet.

Crooks are peddling phishing kits designed to easily spin up phishing pages targeting both Trump and Harris supporters. "In one recent post, we observed an interesting project featuring phishing pages designed to impersonate political leaders Donald Trump and Kamala Harris," the researchers write.

"The [threat actor] is offering two separate phishing kits for $1,260 each—one targeting Donald Trump supporters and the other targeting Kamala Harris supporters. These kits are designed to harvest personal information, including names, addresses, and credit card (donation) details.

"The consequences of these phishing threats are significant, as they can lead to the widespread theft of personal information, including names, addresses, and credit card details. This puts individuals at risk of financial fraud and undermines trust in the political process."

The researchers have also observed over a thousand domains that may be used in election-themed phishing attacks.

"More than 1,000 new potentially malicious domains have been registered since the beginning of 2024 that follow particular patterns and incorporate election-related content and candidates, suggesting that threat actors are leveraging the heightened interest surrounding the election to lure unsuspecting targets and potentially conduct malicious activities," Fortinet says.

Fortinet recommends employee training as a layer of defense against social engineering attacks. "Conduct regular training sessions for election officials, political campaign staff, and volunteers to educate them about the risks of phishing attacks," the researchers write.

"Raise awareness about common phishing tactics, such as deceptive emails and fake websites, and teach employees how to identify and report suspicious emails."

KnowBe4 enables your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Fortinet has the story:
https://www.fortinet.com/corporate/about-us/newsroom/press-releases/2024/fortinet-fortiguard-labs-observes-darknet-activity-targeting-the-2024-united-states-presidential-election

FBI Warns Scammers Are Targeting Law Firms for Phony Debt Collections

The U.S. FBI warns that scammers are attempting to trick law firms into transferring money as part of a phony debt collection scheme.

The scam "may focus on any type of representation where a lawyer is hired to assist in the transfer or collection of money, e.g. real estate, collection matters, collaborative law agreements in family matters, etc."

The schemes typically take the following steps:

  • A law firm is contacted regarding representation in an alleged debt collection matter by what appears to be a legitimate prospective client ("the Creditor")
  • The law firm agrees to help and sends a demand letter to the alleged debtor ("Debtor")
  • The Debtor immediately agrees to pay the debt and sends what appears to be a valid cashier's check to the law firm
  • The law firm deposits the check into their client trust account and transfers the value to the Creditor via wire, less any legal fees agreed upon
  • The law firm's bank then discovers that the check is actually fraudulent and the trust account is charged back the value of the check
  • Because the wire has already been sent to the Creditor, the law firm is left to suffer the financial loss

The FBI outlines some recommendations to help organizations avoid falling for these scams:

  • "Be suspicious of requests or pressure to take action quickly. A number of potential victims were able to successfully identify the fraudulent check by adhering to policies which required a delay or hold on the funds until confirmation that the debtor's check had indeed cleared into their client trust accounts.
  • Consider additional financial security procedures, such as two-step verification or telephone calls (subjects tend to prefer written correspondence), to verify transaction details and identity information, prior to wiring funds.
  • Contact your financial institution immediately and request that they contact the financial institution where any wire transfer was sent to determine if it is able to be recalled or the funds frozen in the deposit account."

New-school security awareness training gives your organization an essential layer of defense against social engineering attacks. KnowBe4 empowers your workforce to make smarter security decisions every day.

Blog post with links:
https://blog.knowbe4.com/scammers-targeting-law-firms-for-phony-debt-collections

What KnowBe4 Customers Say

"Hello Stu, nice to hear from you! Is this a kind of phishing test?

Actually I have just positive comments about the platform, since it's exactly what we were looking for, that is a completely autonomous training platform with all kinds of helping solutions inside including reports for our HR.

Rare to find this kind of completeness in products, if not developed or led by people that experienced the same needs, in the field.

Thank you and best regards. Grazie e buon lavoro [Thanks, and keep up the good work]."

- V.E., IT Infrastructure Manager

The 10 Interesting News Items This Week
  1. North Korean threat actors incorporate new tactics into fraudulent IT worker schemes:
    https://www.secureworks.com/blog/fraudulent-north-korean-it-worker-schemes

  2. Microsoft: Schools Grapple With Thousands of Cyberattacks Weekly:
    https://www.darkreading.com/cybersecurity-operations/microsoft-k-12-universities-grapple-with-thousands-attacks-weekly

  3. BBC: UK Firm actually hacked after accidentally hiring North Korean cyber criminal:
    https://blog.knowbe4.com/uk-company-hacked-accidentally-hiring-north-korean-cybercriminal

  4. Financial Firms Need to Focus on Cyber Risks Posed by AI, New York Regulator Says:
    https://www.wsj.com/articles/financial-firms-need-to-focus-on-cyber-risks-posed-by-ai-new-york-regulator-says-61c1203d

  5. Iranian Hackers Target Microsoft 365, Citrix Systems with MFA Push Bombing:
    https://www.cisa.gov/sites/default/files/2024-10/aa24-290a-iranian-cyber-actors-conduct-brute-force-and-credential-access-activity.pdf

  6. Ransomware attacks increase in severity first half 2024:
    https://www.businesswire.com/news/home/20241010702877/en/Coalition-Report-Finds-Severity-of-Ransomware-Attacks-Increased-68-in-First-Half-of-2024

  7. Iranian threat actors sell access to critical infrastructure networks to cybercriminals:
    https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-290a

  8. Alleged hacker faces life in prison for launching DDoS attack against hospital:
    https://www.wired.com/story/anonymous-sudan-ddos-indictment-takedown/

  9. Hackers blackmail Globe Life after stealing customer data:
    https://www.bleepingcomputer.com/news/security/hackers-blackmail-globe-life-after-stealing-customer-data/

  10. Finnish Customs office shuts down Sipultie criminal marketplace:
    https://www.bleepingcomputer.com/news/legal/finland-seizes-servers-of-sipultie-dark-web-drugs-market/

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
