CyberheistNews Vol 15 #09 | March 4th, 2025
[NEW] KnowBe4 Interviews a Fake North Korean Employee
By Roger Grimes
You would think with all the global press we have received because of our public announcement of how we mistakenly hired a North Korean fake employee in July 2024, followed by our multiple public presentations and a whitepaper on the subject, that the North Korean fake employees would avoid applying for jobs at KnowBe4.
You would be wrong.
It is apparently not in their workflow to look up the company they are trying to fool along with the words 'North Korea fake employees' before they apply for jobs.
We get North Korean fake employees applying for our remote programmer/developer jobs all the time. Sometimes, they are the bulk of the applicants we receive. This is not unusual these days. This is the same with many companies and recruiter agencies I talk with. If you are hiring remote-only programmers, pay attention a little bit more than usual.
Recapping the North Korean Fake Employee Industry
In short, North Korea has thousands of North Korean employees deployed in a nation-state-level industrial scheme to get North Koreans hired in foreign countries to collect paychecks until they are discovered and fired.
[Note: Due to UN sanctions, it is illegal to knowingly hire a North Korean employee throughout much of the world.]
To accomplish this scheme, North Korean citizens apply for remote-only programming jobs offered by companies around the world. The North Koreans apply using all the normal job-seeking sites and tools that a regular applicant would use, such as the company's own job hiring website and dedicated job sites like Indeed[.]com.
The North Koreans work as part of larger teams, often consisting of dozens to over a hundred fake applicants. They are usually located in countries outside of North Korea that are friendly to North Koreans, such as China, Russia, and Malaysia.
This is because North Korea does not have a good enough infrastructure (e.g., Internet, electricity, etc.) to best sustain the program, and it is easy for adversarial countries to detect and block North Korean Internet traffic.
[CONTINUED] At the KnowBe4 blog, a very interesting read:
https://blog.knowbe4.com/our-interview-of-a-north-korean-fake-employee
Ridiculously Easy AI-Powered Security Awareness Training and Phishing
Phishing and social engineering are the #1 cyber threat to your organization. 68% of all data breaches are caused by human error.
Join us for a live demonstration of KnowBe4 in action. See how we safeguard your organization from sophisticated social engineering threats using the most comprehensive human risk management platform.
Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.
- NEW! Artificial Intelligence Defense Agents allow you to personalize security training, reduce admin burden, and elevate your human risk management strategy
- NEW! SmartRisk Agent provides actionable data and metrics to help you lower your organization's human risk score
- NEW! Individual Leaderboards are a fun way to help increase training engagement by encouraging friendly competition among your users
- Smart Groups allow you to use employees' behavior and user attributes to tailor and automate phishing campaigns, training assignments, remedial learning and reporting
- Full Random Phishing automatically chooses different templates for each user, preventing users from telling each other about an incoming phishing test
Find out how nearly 70,000 organizations have mobilized their end users as their human firewall.
Date/Time: TOMORROW, Wednesday, March 5 @ 2:00 PM (ET)
Save My Spot!
https://info.knowbe4.com/en-us/kmsat-demo-3?partnerref=CHN2
Viral but Vulnerable: The Hidden Risks of Cybersecurity Misinformation on Social Media
By Martin Kraemer
It's no surprise that 18–29-year-olds are turning to social media for cybersecurity information. As digital natives, this age group naturally gravitates toward platforms where information is fast, accessible, and constantly updated.
But how effectively are they absorbing these short snippets—and are they likely to share them forward? More importantly, what happens if that cybersecurity information is inaccurate?
How do people consume cybersecurity information?
In our recent report, "Cybersecurity Information Sharing as an Element of Sustainable Security Culture", Dr. William Seymour, Lecturer in Cybersecurity at King's College London, and I found that while employers remain a key source of cybersecurity information across all age groups, respondents also frequently relied on:
- social media (age group 18–29)
- websites (age groups 30–39 and 60–69)
- direct sharing (age group 40-49)
- broadcasts and podcasts (age group 50-59) as additional sources of information
One conclusion from this research was that onward sharing of cyber information amongst colleagues, family and friends is a positive cyber habit that creates a strong security culture at work and at home. But one thing we do not address is what happens when even those with the best intentions end up spreading false or harmful advice.
Social Media Pitfalls: Misinformation at Your Fingertips
From the nature of the content to gaps in regulation, multiple factors contribute to cybersecurity misinformation on social media platforms like Instagram, TikTok, and even LinkedIn:
- Oversimplified Content
- Echo Chambers and Algorithm Bias
- Exposure to Fraudulent Schemes
- Limited Source Credibility
- Absence of Oversight
- Prioritization of Virality Over Accuracy
[CONTINUED] at the KnowBe4 Blog with links:
https://blog.knowbe4.com/viral-but-vulnerable-the-hidden-risks-of-cybersecurity-misinformation-on-social-media
[Case Study] How Personalized Security Transforms Endeavour Mining's Cyber Defense
With 98% of social engineering attacks coming via email, personalized security defenses and training are crucial. These tailored strategies are the most effective way to reduce human risk and protect your people, organizations and data.
Gain insights from industry leaders in this webinar featuring a fireside chat between Alexis Ternoy, CIO at Endeavour Mining, and Sudeep Venkatesh, SVP Global Customer Implementation and Success at KnowBe4. Learn how Endeavour Mining is revolutionizing its approach to cybersecurity with personalized security in their fight against human risk.
Join us to explore:
- Key human risk trends shaping cybersecurity in 2025
- Emerging email security threats and how to combat them
- Why Endeavour Mining replaced their existing email security and training platforms with KnowBe4
- How KnowBe4 delivers personalized email security and training to lower human risk
- Real-world results and ROI achieved by Endeavour Mining
Don't miss this opportunity to transform your organization's security defenses. Register now to learn how personalized security can dramatically reduce your human risk.
Date/Time: Wednesday, March 12 @ 2:00 PM (ET)
Save My Spot:
https://info.knowbe4.com/case-study-endeavour-mining?partnerref=CHN
[Warning] Russian Threat Actors Are Targeting Signal Accounts With Malicious QR Codes
Several Russian state-sponsored threat actors are using QR code phishing (quishing) to compromise Signal accounts, according to researchers at Google's Threat Intelligence Group.
The QR codes are designed to grant access to the account via Signal's Linked Devices feature.
"The most novel and widely used technique underpinning Russian-aligned attempts to compromise Signal accounts is the abuse of the app's legitimate 'linked devices' feature that enables Signal to be used on multiple devices concurrently," the researchers explain.
"Because linking an additional device typically requires scanning a quick response (QR) code, threat actors have resorted to crafting malicious QR codes that, when scanned, will link a victim's account to an actor-controlled Signal instance.
"If successful, future messages will be delivered synchronously to both the victim and the threat actor in real-time, providing a persistent means to eavesdrop on the victim's secure conversations without the need for full-device compromise."
These phishing attacks are currently targeting individuals related to the war in Ukraine, but Google warns that this technique will likely be adopted by additional threat actors to target people around the world.
"Signal's popularity among common targets of surveillance and espionage activity—such as military personnel, politicians, journalists, activists, and other at-risk communities—has positioned the secure messaging application as a high-value target for adversaries seeking to intercept sensitive information that could fulfill a range of different intelligence requirements," the researchers write.
"More broadly, this threat also extends to other popular messaging applications such as WhatsApp and Telegram, which are also being actively targeted by Russian-aligned threat groups using similar techniques."
Google says users should "exercise caution when interacting with QR codes and web resources purporting to be software updates, group invites, or other notifications that appear legitimate and urge immediate action."
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Blog post with links:
https://blog.knowbe4.com/warning-russian-threat-actors-are-targeting-signal-accounts-with-malicious-qr-codes
Do Users Put Your Organization at Risk with Browser-Saved Passwords?
Is the popularity of password dumpers, malware that allows cybercriminals to find and "dump" passwords your users save in web browsers, putting your organization at risk?
KnowBe4's Browser Password Inspector (BPI) is a complimentary IT security tool that allows you to analyze your organization's risk associated with weak, reused and old passwords your users save in Chrome, Firefox and Edge web browsers.
BPI checks the passwords found in the browser against active user accounts in your Active Directory. It also uses publicly available password databases to identify weak password threats and reports on affected accounts so you can take action immediately.
With Browser Password Inspector you can:
- Search and identify any of your users that have browser-saved passwords across multiple machines and whether the same passwords are being used
- Quickly isolate password security vulnerabilities in the browser and easily identify weak or high-risk passwords being used to access your organization
- Better manage and strengthen your organization's password hygiene policies and security awareness training efforts
Get your results in a few minutes!
Find Out Now:
https://info.knowbe4.com/browser-password-inspector-chn
[Announcing] Audiocasts - A New Podcast-Like Training Content Type
We are very excited to announce the addition of audiocasts, a new content type now available in the ModStore to help strengthen your security culture through an engaging audio format.
This new content type takes advantage of the popular media format, podcasts. Audiocasts are different from podcasts (thus the slightly different name) in that they are not available via a podcast app but can be assigned as mandatory or optional training like all of our other popular content types.
They are learning-focused, rather than just for entertainment, and a lot shorter than your average podcast – most are under ten minutes. They track completion (just like our video modules) when someone has listened to the episode and not just fast-forwarded to the end. Features include a full, built-in transcript and our standard accessibility support for keyboard-only controls.
Blog post with links:
https://blog.knowbe4.com/announcing-audiocasts-a-new-podcast-like-training-content-type
Let's stay safe out there.
Warm Regards,
Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.
PS: KnowBe4 Named #1 Security Product and #2 Overall Software Product in G2's 2025 Best Software Awards:
https://blog.knowbe4.com/knowbe4-named-1-security-product-and-2-overall-software-product-in-g2s-2025-best-software-awards
- Oscar Wilde – Writer (1854–1900)
- Arthur Conan Doyle – Writer (1859–1930)
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-15-09-new-knowbe4-interviews-a-fake-north-korean-employee
Phishing Attack Leads to Lateral Movement in Just 48 Minutes
Researchers at ReliaQuest have published a report on a phishing breach in the manufacturing sector that went from initial access to lateral movement in just 48 minutes. The attackers began by swamping users with spam emails, then posed as tech support and offered assistance in stopping the flood of spam.
"To gain entry into the organization's network, the threat actor used social engineering and end-user manipulation," the researchers write. "More than 15 users were targeted with a flood of spam emails. Next, the threat actor sent a Teams message using an external 'onmicrosoft.com' email address.
"These domains are simple to set up and exploit the Microsoft branding to appear legitimate. The threat actor posed as an IT help-desk employee, likely pretending to assist users with the flood of emails that was preventing them from working—a common tactic used by ransomware groups like Black Basta."
After this, the attackers contacted the targeted employees via Microsoft Teams and convinced them to use the Windows tool Quick Assist to grant the attackers remote access to the computer.
"The threat actor then used Teams to call at least two users and convinced them to open the remote-access tool Quick Assist, join a remote session, and grant control of their machines," the researchers write. "Quick Assist, native to Windows hosts, is often used in these attacks because attackers can easily convince users to open it and join a remote session using a code.
"In this incident, one user granted the threat actor control of their machine for over 10 minutes, giving the threat actor ample time to progress their attack."
ReliaQuest notes that this social engineering technique can bypass security filters since it tricks the user into performing a malicious action without clicking a link or downloading an attachment. The attack also uses legitimate tools to gain access, rather than malware.
"This tactic of using email spam instead of malicious links or attachments is particularly effective because the emails themselves aren't inherently malicious, leaving security tools with nothing to detect," the researchers write.
"Moreover, the end user doesn't need to interact with the email directly. Instead, the flood of spam makes the target's inbox unusable, giving the threat actor a plausible reason to pose as IT staff offering to resolve the issue.
"This low-tech but highly effective method allows threat actors to gain initial access and convince users to grant them control of their machines. Given its success, it's likely that other threat groups will adopt this technique in the near future."
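The three stages ReliaQuest describes above (spam flood, then a Teams chat from an external onmicrosoft.com tenant posing as the help desk, then a Quick Assist session) correlated over constructed log events, as an added example that is not ReliaQuest's or KnowBe4's code. The event fields, thresholds, time windows and the QuickAssist.exe image name are assumptions for this demo.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    user: str
    kind: str     # "mail" (inbound message), "teams" (chat from outside the tenant), "process"
    detail: str   # sender domain for mail/teams events, image name for process events

SPAM_THRESHOLD = 50                  # inbound mails within SPAM_WINDOW that count as a flood (assumed)
SPAM_WINDOW = timedelta(minutes=30)
FOLLOWUP_WINDOW = timedelta(minutes=60)
REMOTE_TOOLS = {"quickassist.exe"}   # assumed image name of Quick Assist

def flood_start(mail_times):
    """First timestamp at which SPAM_THRESHOLD mails fall inside one SPAM_WINDOW, else None."""
    times = sorted(mail_times)
    left = 0
    for right, ts in enumerate(times):
        while ts - times[left] > SPAM_WINDOW:
            left += 1
        if right - left + 1 >= SPAM_THRESHOLD:
            return ts
    return None

def detect_helpdesk_pretext(events):
    """Map each flooded user to the furthest stage seen: 1 flood, 2 +external Teams chat, 3 +remote tool."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    findings = {}
    for user, evs in by_user.items():
        flood = flood_start(e.ts for e in evs if e.kind == "mail")
        if flood is None:
            continue
        stage = 1
        # Stage 2: external *.onmicrosoft.com Teams chat soon after the flood; stage 3: remote tool soon after the chat.
        chats = [e.ts for e in evs if e.kind == "teams"
                 and e.detail.lower().endswith(".onmicrosoft.com")
                 and flood <= e.ts <= flood + FOLLOWUP_WINDOW]
        if chats:
            stage = 2
            first_chat = min(chats)
            if any(e.kind == "process" and e.detail.lower() in REMOTE_TOOLS
                   and first_chat <= e.ts <= first_chat + FOLLOWUP_WINDOW for e in evs):
                stage = 3
        findings[user] = stage
    return findings

def sample_events():
    """Constructed sample: alice goes through the full chain, bob only gets the flood, carol is normal."""
    base = datetime(2025, 2, 20, 9, 0)
    evs = []
    for i in range(60):  # 60 inbound mails in 20 minutes for alice and bob
        for user in ("alice", "bob"):
            evs.append(Event(base + timedelta(seconds=20 * i), user, "mail", "list%d.example" % i))
    evs.append(Event(base + timedelta(minutes=25), "alice", "teams", "helpdesk-support.onmicrosoft.com"))
    evs.append(Event(base + timedelta(minutes=31), "alice", "process", "QuickAssist.exe"))
    evs.append(Event(base + timedelta(minutes=5), "carol", "mail", "partner.example"))
    evs.append(Event(base + timedelta(minutes=6), "carol", "teams", "partner.example"))
    return evs
```

A real deployment would feed mail-gateway, Teams audit and endpoint process telemetry into Event; the point is the ordering check, since none of the three signals is malicious on its own.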
KnowBe4 enables your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Ars Technica has the story:
https://arstechnica.com/security/2025/02/notorious-crooks-broke-into-a-company-network-in-48-minutes-heres-how/
Protect Yourself from Job Termination Scams
ESET warns of a wave of phishing attacks informing employees that they've been fired or let go. The emails are designed to make the user panic and act quickly to see if they've actually lost their job.
If a user falls for the attack, they'll be tricked into downloading malware or handing over their login credentials.
"Social engineering tactics used in phishing aim to create a sense of urgency in the victim, so that they act without thinking things through first," the researchers write. "And you can't get more urgent than a notice informing you that you have been dismissed. It could arrive in the form of an email from HR, or an authoritative third-party outside the company.
"It may tell you that your services are no longer required. Or it may claim to include details about your colleagues that are too hard to resist reading. The end goal is to persuade you to click on a malicious link or open an attachment, perhaps by claiming that it includes details of severance payments and termination dates."
ESET says users should be on the lookout for the following red flags associated with phishing attacks:
- An unusual sender address that doesn't match the stated sender. Hover your mouse over the "from" address to see what pops up. It may be something completely different, or it could be an attempt to mimic the impersonated company's domain, using typos and other characters (e.g., m1crosoft[.]com, @microsfot[.]com)
- A generic greeting (e.g., 'dear employee/user'), which is certainly not the tone a legitimate termination letter would take
- Links embedded in the email or attachments to open. These are often a tell-tale sign of a phishing attempt. If you hover over the link and it doesn't look right, all the more reason not to click
- Links or attachments that don't open immediately, but request you to enter logins. Never do so in response to an unsolicited message
- Urgent language. Phishing messages will always try to rush you into making a rash decision
- Misspellings, grammatical or other mistakes in the letter. These are becoming rarer as cybercriminals adopt generative AI tools to write their phishing emails, but they're still worth looking out for
Going forward, be on your guard for AI-aided schemes where scammers could use deepfake audio and video likenesses of actual people (that of your boss, perhaps) to trick you into giving up confidential corporate information.
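The sender-address check in ESET's first red flag, applied to look-alike domains of the kind named above (m1crosoft.com, microsfot.com), as an added example that is not ESET's or KnowBe4's code. The confusable table, the two-label domain assumption, the trusted domain set and the edit-distance threshold of 1 are assumptions for this demo.

```python
from email.utils import parseaddr

# Substitutions attackers use to imitate letters (assumed list, not exhaustive).
CONFUSABLES = {"rn": "m", "vv": "w", "1": "l", "0": "o", "3": "e", "4": "a", "5": "s", "7": "t"}

def normalize(label):
    """Fold the substitutions so 'm1cr0soft' and 'microsoft' compare as equal strings."""
    label = label.lower()
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label

def edit_distance(a, b):
    """Damerau-Levenshtein distance: insert, delete, substitute or swap two adjacent characters."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def brand_label(domain):
    """The label left of the public suffix; assumes two-label domains such as example.com."""
    parts = domain.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def lookalike_of(domain, trusted):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain.lower() in trusted:
        return None
    name = normalize(brand_label(domain))
    for t in trusted:
        if edit_distance(name, normalize(brand_label(t))) <= 1:
            return t
    return None

def assess_sender(from_header, trusted):
    """List the red flags found in a From header; an empty list means nothing suspicious."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["address could not be parsed"]
    domain = addr.rsplit("@", 1)[1]
    flags = []
    mimicked = lookalike_of(domain, trusted)
    if mimicked:
        flags.append("look-alike domain %s imitates %s" % (domain, mimicked))
    brands = [brand_label(t) for t in trusted]
    if domain.lower() not in trusted and any(b in display.lower() for b in brands):
        flags.append("display name %r does not match address %s" % (display, addr))
    return flags

# Constructed trusted set: the company's own domain plus a vendor it receives mail from.
TRUSTED = {"example.com", "microsoft.com"}

if __name__ == "__main__":
    for header in ("HR Department <hr@example.com>", "Microsoft HR <notice@m1crosoft.com>"):
        print(header, "->", assess_sender(header, TRUSTED))
```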
Blog post with links:
https://blog.knowbe4.com/protect-yourself-from-job-termination-scams
What KnowBe4 Customers Say
Great job making things go right! Unsolicited shout-out for Les D.
"I have worked with Les D several times already and it has been a wonderful experience, and my confidence in KnowBe4 has been restored. Thank you so much for your assistance in this matter. I am once again a very happy customer."
- R.A., Information Systems Manager
- Botnet targets Microsoft 365 accounts with password spraying attacks that can bypass multifactor authentication:
https://www.infosecurity-magazine.com/news/chinese-botnet-mfa-microsoft/
- Quarter of Brits Report Deepfake Phone Scams:
https://www.infosecurity-magazine.com/news/quarter-brits-report-deepfake-calls/
- A Chinese government-backed group is spoofing legitimate medical software to hijack hospital patients' computers, infecting them with backdoors, credential-swiping keyloggers, and cryptominers:
https://www.msn.com/en-us/health/other/china-s-silver-fox-spoofs-medical-imaging-apps-to-hijack-patients-computers/ar-AA1zKMrA
- Google is dropping SMS authentication for QR codes:
https://www.itpro.com/security/google-is-dropping-sms-authentication-for-qr-codes
- A Disney Worker Downloaded an AI Tool. It Led to a Hack That Ruined His Life:
https://www.wsj.com/tech/cybersecurity/disney-employee-ai-tool-hacker-cyberattack-3700c931?st=hX4b9y&reflink=article_email_share
- FBI confirms Lazarus hackers were behind $1.5 Billion Bybit crypto heist:
https://www.bleepingcomputer.com/news/security/fbi-confirms-lazarus-hackers-were-behind-15b-bybit-crypto-heist/
- Microsoft names cybercriminals behind AI deepfake network:
https://www.bleepingcomputer.com/news/microsoft/microsoft-names-cybercriminals-behind-ai-deepfake-network/
- EncryptHub threat actor used social engineering to breach at least 618 organizations:
https://www.bleepingcomputer.com/news/security/encrypthub-breaches-618-orgs-to-deploy-infostealers-ransomware/
- Chinese cyber espionage operations surged by 150% last year:
https://www.infosecurity-magazine.com/news/chinese-cyber-espionage-jumps-150/
- Chinese APT targets healthcare firms with Trojanized medical applications:
https://www.forescout.com/blog/healthcare-malware-hunt-part-1-silver-fox-apt-targets-philips-dicom-viewers/
- Virtual Vaca #1 to Casablanca, Morocco in 4K HDR ULTRA HD 60 FPS Dolby Vision Drone Video:
https://youtu.be/jzdY46nM_2Q
- Virtual Vaca #2 to Venice, Italy by 4K drone:
https://youtu.be/vhD0MqCi__w
- Need some space? Fantastic 4K 60 fps HDR Video - Dolby Vision:
https://youtu.be/zcYcJ27xZxU
- Tom Crosbie: PENN & TELLER FOOLED by White Rubik's Cube & Pure Skill!:
https://youtu.be/8UqBYMGxvaQ
- Visualizing America's $29 Trillion Economy by State:
https://www.visualcapitalist.com/visualizing-americas-29-trillion-economy-by-state/
- Watch history unfold as 1,150 Teslas illuminate the night in Belgium, setting a world record for the largest synchronized Tesla light show!:
https://www.flixxy.com/world-record-tesla-light-show-1150-cars-in-perfect-sync.htm?utm_source=4
- LockPickingLawyer: Unbreakable, Unpickable, & Bulletproof? (TED Tooling's Unusual Lock):
https://youtu.be/DX1KaFmER2s
- Superhuman's Pushing What's Possible:
https://youtu.be/zs1NOD-RfUc
- Why China is Building a New Road to Russia:
https://youtu.be/yajklD0QvAI
- Srishti Sharma defies gravity and shatters records as she limbo skates 50 meters under descending poles in just 9.59 seconds:
https://www.flixxy.com/fastest-limbo-skating-ever-srishti-sharmas-record-breaking-feat.htm?utm_source=4
- The Fascinatingly Odd Dymaxion Concept by Buckminster Fuller:
https://youtu.be/YYRUJTVeGBc
- For Da Kids #1 - Cat Keeps Stealing Things From The Neighbors:
https://youtu.be/g-bNjGlFKQU
- For Da Kids #2 - Wild Baby Kangaroo Makes Breakfast And Cuddles With This Girl:
https://youtu.be/M7ehOGSgwSQ
- For Da Kids #3 - Baby Foxes Go Wild When They See Their "Mom":
https://youtu.be/4rYSMxzPtz4
- For Da Kids #4 - Tiny Spider Keeps Returning So She Built Him A Cozy Home:
https://youtu.be/kxWoVUAClk0
- For Da Kids #5 - Dog Has The Best Job In The World: Walking With Elephants!:
https://youtu.be/tZd0qr02o4c