CyberheistNews Vol 15 #15 | April 15th, 2025
[HEADS UP] North Korea Expands Its Fraudulent IT Worker Operations
North Korea's fraudulent employment operations have expanded to hit countries around the world, with a particular focus on Europe, according to researchers at Google's Threat Intelligence Group.
While the United States remains a key target, the expansion to other countries is likely driven by increased awareness and a recent crackdown by the U.S. Justice Department.
These scams involve North Korean nationals fraudulently obtaining remote positions at foreign companies in order to earn money for the DPRK government.
"In late 2024, one DPRK IT worker operated at least 12 personas across Europe and the United States," the researchers explain. "The IT Worker actively sought employment with multiple organizations within Europe, particularly those within the defense industrial base and government sectors.
"This individual demonstrated a pattern of providing fabricated references, building a rapport with job recruiters and using additional personas they controlled to vouch for their credibility.
"Separately, additional investigations uncovered other IT worker personas seeking employment in Germany and Portugal, alongside login credentials for user accounts of European job websites and human capital management platforms."
In addition to stealing a paycheck from their employers, these workers may also conduct espionage or extortion.
"Alongside global expansion, DPRK IT workers are also evolving their tactics," Google says. "Based on data from multiple sources, GTIG assesses that since late October 2024, IT workers have increased the volume of extortion attempts and gone after larger organizations.
"In these incidents, recently fired IT workers threatened to release their former employers' sensitive data or to provide it to a competitor. This data included proprietary data and source code for internal projects."
Human risk management gives your organization an essential layer of defense against social engineering attacks. KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Blog post with links:
https://blog.knowbe4.com/north-korea-expands-its-fraudulent-it-worker-operations
[Live Demo] Supercharge Your Anti-Phishing Defense with AI
Cybercriminals are weaponizing AI, driving a 1,265% surge in phishing attacks since 2022. This isn't just about attack volume — these threats are smarter, more personalized and increasingly evade traditional Secure Email Gateways.
With 92% of polymorphic attacks now utilizing AI, you need a new approach to outsmart these threats!
KnowBe4's PhishER Plus is your single-pane-of-glass incident response platform that identifies and acts upon threats to keep your users safe where the most dangers lie: their inboxes. Combining AI analysis with human intelligence from a community of 13+ million users worldwide, PhishER Plus revolutionizes your email security posture.
Easily search, find and remove email threats with PhishRIP, while transforming real threats into training opportunities with PhishFlip.
In this live 30-minute demo of PhishER Plus, the #1 Leader in the G2 Grid Report for SOAR Software, you'll discover how you can:
- Automate email investigation and quickly remove phishing threats, saving your team 85% - 99% of time spent on manual review
- Systematically remove threats from all user inboxes with PhishRIP technology
- Transform every employee into an active threat sensor with seamless, one-click reporting with the Phish Alert Button (PAB)
- Convert malicious emails into training opportunities with PhishFlip, identifying who would have fallen victim
- Gain complete visibility into your email security posture with clear ROI metrics
Join us to see how organizations are transforming their security posture with PhishER Plus, turning potential vulnerabilities into proactive defense.
Date/Time: TOMORROW, Wednesday, April 16th @ 2:00 PM (ET)
Save My Spot:
https://info.knowbe4.com/phisher-demo-1?partnerref=CHN
The Real Deal: How Cybercriminals Exploit Legitimate Domains
By James Dyer
When it comes to secure email gateways (SEGs), the narrative is quite simple. For years, organizations have relied on SEGs as the foundation of their email security.
However, as Microsoft has rapidly advanced its native security capabilities, there is now significant overlap in detection and functionality. As a result, it is in cybercriminals' best interest to bypass the signature and reputation based detection technology that both rely on.
Over time, attackers have utilized and tested varying tactics to ensure deliverability with one inevitable result: phishing emails are more advanced and sophisticated than ever.
Our latest Phishing Threat Trend Report confirms that phishing attacks are not only increasing—up 17.3% from September 15, 2024, to February 14, 2025 versus the previous six months—but more are also evading detection. In 2024, the Threat Labs team observed a 47.3% rise in attacks successfully bypassing Microsoft and SEGs.
But how are cybercriminals achieving this? In this blog, we will explore one of the many tactics cybercriminals use to bypass detection: the exploitation of legitimate domains.
Using Microsoft to Send Phishing Attacks
In 2025, our Threat Labs team identified the top five legitimate platforms used for phishing attacks: DocuSign, PayPal, Microsoft, Google Drive and Salesforce, with a 67.4% increase in the use of third-party platforms for phishing.
Similar to sending an email from a compromised account, legitimate platforms serve as a fantastic vehicle to lower recipient suspicion and bypass reputation-based detection in SEGs.
Reputation-based detection relies on factors like domain age, authentication checks (SPF, DKIM, DMARC) and previous interactions. Since Microsoft and DocuSign domains are typically allowlisted and have valid authentication, emails sent from these platforms are seen as legitimate by most SEGs.
Additionally, the users' familiarity with these domains increases the chances of successful attacks, as people are more likely to trust and engage with emails from these well-known platforms.
In fact, the Threat Labs team has analyzed two examples of campaigns that have successfully bypassed Microsoft and SEGs by using third-party platforms:
From January 1 to March 7, 2025, there was a 36.5% increase in the use of popular accounting software QuickBooks to send phishing emails. Cybercriminals create free accounts, which are provisioned with email-sending privileges. From there, they simply create their attacks within the platform and hit "send."
Of particular concern is an example where an attacker has hijacked a legitimate Microsoft invoice, combining social engineering techniques and mail-flow rules to avoid breaking authentication checks.
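The reputation-based detection described above treats a passing SPF/DKIM/DMARC result from an allowlisted platform as a trust signal, which is exactly what sending through QuickBooks or DocuSign exploits. The following header-triage routine is an added example, not code from the article or from KnowBe4's products: it records the authentication result, notes when the authenticated domain belongs to a shared bulk-sending platform (the domain list is an assumption for illustration), and then checks two content cues that authentication says nothing about, a Reply-To pointing away from the sender and links whose host is outside the sending platform. The two messages at the bottom are constructed samples, not real campaign artifacts.

```python
# Added example, not code from the KnowBe4 article: a header-triage routine that
# shows why "SPF/DKIM/DMARC = pass" from a well-known platform is not, by itself,
# a trust signal. Authentication proves who relayed the message; it says nothing
# about the Reply-To or the links inside it.
import re
from email import message_from_bytes, policy, utils
from urllib.parse import urlparse

# Assumed, illustrative set of platforms that legitimately send mail on behalf of
# their users (the article names DocuSign, Microsoft, PayPal, Google Drive,
# Salesforce and QuickBooks; these exact host names are an assumption).
BULK_PLATFORM_DOMAINS = {
    "docusign.net", "docusign.com", "microsoft.com", "paypal.com",
    "google.com", "salesforce.com", "intuit.com",
}

AUTH_RESULT_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|neutral|none|temperror|permerror)\b", re.I)
AUTH_DOMAIN_RE = re.compile(r"header\.(?:d|from)=([\w.-]+)", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def parse_auth_results(value: str) -> dict:
    """Reduce an Authentication-Results value to {'spf':..., 'dkim':..., 'dmarc':..., 'domain':...}."""
    results = {m.group(1).lower(): m.group(2).lower() for m in AUTH_RESULT_RE.finditer(value)}
    match = AUTH_DOMAIN_RE.search(value)
    results["domain"] = match.group(1).lower() if match else ""
    return results


def _base_domain(host: str) -> str:
    """Crude registrable-domain guess: the last two labels (enough for the samples here)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _addr_domain(header_value: str) -> str:
    addr = utils.parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def extract_links(msg) -> list:
    body = msg.get_body(preferencelist=("html", "plain"))
    return URL_RE.findall(body.get_content()) if body is not None else []


def triage(raw: bytes) -> dict:
    """Classify one message: 'allow' only when authentication passed AND no content cue fires."""
    msg = message_from_bytes(raw, policy=policy.default)
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    auth_domain = _base_domain(auth["domain"])
    from_domain = _base_domain(_addr_domain(str(msg.get("From", ""))))
    reply_domain = _base_domain(_addr_domain(str(msg.get("Reply-To", ""))))

    authenticated = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    via_platform = auth_domain in BULK_PLATFORM_DOMAINS

    cues = []
    # A Reply-To that points away from both the visible sender and the authenticated relay.
    if reply_domain and reply_domain not in (from_domain, auth_domain):
        cues.append(f"reply-to domain {reply_domain} differs from sender {from_domain}")
    # Links whose host is neither the sending platform nor the sender's own domain.
    off_platform = sorted({
        h for h in (_base_domain(urlparse(u).hostname or "") for u in extract_links(msg))
        if h and h not in BULK_PLATFORM_DOMAINS and h != from_domain
    })
    if off_platform:
        cues.append("links to hosts outside the sending platform: " + ", ".join(off_platform))

    return {
        "authenticated": authenticated,
        "via_platform": via_platform,
        # Authentication is a trust signal only when the sender is not a shared platform.
        "trust_from_auth": authenticated and not via_platform,
        "cues": cues,
        "verdict": "allow" if authenticated and not cues else "review",
    }


# Constructed sample: authenticates cleanly as the platform, but Reply-To and the link go elsewhere.
SAMPLE_SUSPICIOUS = b"""\
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=docusign.net;
 dkim=pass header.d=docusign.net; dmarc=pass header.from=docusign.net
From: "DocuSign" <dse@docusign.net>
Reply-To: accounts@invoice-review.example
To: ap@recipient.example
Subject: Completed: Q1 invoice for signature
Content-Type: text/plain; charset=utf-8

Your document is ready. Review it here:
https://forms.secure-docs-review.example/view?id=123
"""

# Constructed sample: the same platform, but every indicator stays on-platform.
SAMPLE_BENIGN = b"""\
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=docusign.net;
 dkim=pass header.d=docusign.net; dmarc=pass header.from=docusign.net
From: "DocuSign" <dse@docusign.net>
To: ap@recipient.example
Subject: Completed: Vendor agreement
Content-Type: text/plain; charset=utf-8

Your document is ready: https://app.docusign.net/signing/abc
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, triage(raw))
```

Both samples pass SPF, DKIM and DMARC for docusign.net, so a gateway that gates on reputation alone would deliver both; only the content cues separate them. In a real pipeline the platform list would come from the gateway's own allowlist and the registrable-domain guess would be replaced by a public-suffix lookup.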
Obfuscating the Payload with Legitimate Domains
From September 15, 2024, to February 14, 2025, versus the previous six months there was a 22.7% increase in the use of technical measures to obfuscate attacks and payloads.
One key obfuscation technique involves hijacking a legitimate hyperlink, where attackers host a malicious payload on a trusted site or use a legitimate link to disguise the final destination.
[CONTINUED] with a list of the top domains used to smuggle malicious payloads:
https://blog.knowbe4.com/the-real-deal-how-cybercriminals-exploit-legitimate-domains
Agentic AI Ransomware: What You Need to Know
Brace yourself for agentic AI ransomware — a terrifying fusion of cutting-edge tech and malicious intent that's set to redefine cyber threats as we know them. Unlike traditional ransomware, which follows pre-programmed rules, agentic AI ransomware can adapt its behavior in real time based on its environment and the defenses it encounters. Is your organization prepared?
Join us for this mind-blowing webinar where Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, pulls back the curtain on the looming threat of AI-powered ransomware. Don't let your organization become a case study in what NOT to do when faced with this new breed of ransomware!
You'll discover:
- Agentic AI and why it's keeping cybersecurity experts up at night
- A glimpse into the future: what agentic AI malware looks like and how it operates
- The terrifying mechanics behind agentic AI Ransomware
- Battle-tested strategies to fortify your defenses against this AI-driven attack
- How to stay one step ahead with next-generation defense tactics against evolving AI threats
Don't be caught with your defenses down. Join us and arm yourself with strategies you need to protect your organization in this new era of AI-powered cyber warfare and earn CPE credit for attending!
Date/Time: Wednesday, April 23 @ 2:00 PM (ET)
Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.
Save My Spot:
https://info.knowbe4.com/agentic-ai-ransomware?partnerref=CHN
Beware the Tax Trap: Seasonal Urgency Drives a Spike in Tax Phishing Scams
Cybercriminals are quick to exploit seasonal events — and tax season is no exception. It's a yearly honeypot for cybercriminals, who take advantage of heightened stress, tight deadlines and sensitive financial data.
With deadlines looming across the U.S. and EU, our Threat Labs team observed a 27.9% increase in phishing attacks in March 2025 compared to the previous month — many of which contained financial-themed payloads.
These emails used social engineering tactics, finance-related language and advanced obfuscation techniques in attempts to steal sensitive information or manipulate recipients into sending money.
In particular, KnowBe4 Defend identified a sharp spike in tax-related phishing activity on March 14, 2025, with 16% of all phishing emails processed that day containing the word "tax" in the subject line. Interestingly, only 4.3% of these tax-themed phishing emails were sent from free email services.
Nearly half of all identified attacks (48.8%) originated from compromised business email accounts, while 7.8% leveraged the legitimate QuickBooks service, as observed in previous incidents. Additionally, the majority of these attacks were sent from aged domains (100 days or older), employing tactics specifically designed to enhance legitimacy and bypass traditional security filters, such as secure email gateways (SEGs).
All attacks analyzed from this campaign were identified and neutralized by KnowBe4 Defend and analyzed by our Threat Labs team.
Tax-Related Phishing Attack Example:
In this example, the cybercriminal has impersonated a lawyer from a reputable law firm to deliver a fake tax return. The phishing attack is designed to harvest Personally Identifiable Information (PII), specifically targeting sensitive data such as addresses and Social Security Numbers.
A link embedded within a QR code directs victims to a fraudulent form crafted to capture this information and facilitate identity theft. To enhance the email's legitimacy and deliverability, attackers employ a variety of tactics, including QR code obfuscation, polymorphic elements and lookalike domains.
[CONTINUED] Blog post with screenshots and links:
https://blog.knowbe4.com/beware-tax-trap-seasonal-urgency-drives-spike-in-tax-related-phishing
2025 Phishing Threat Trends Report
Our Phishing Threat Trends Reports bring you the latest insights into the hottest topics in the phishing attack landscape. In 2025, it's been in with the old and in with the new, as cybercriminals use new techniques to "revive" the efficacy of existing attacks.
Download this latest edition to discover:
- What's driving a resurgence in ransomware delivered by phishing emails
- How cybercriminals have achieved a 47% increase in attacks evading Microsoft's native security and secure email gateways
- Which jobs cybercriminals are most likely to apply for in your organization
- How 92% of polymorphic attacks utilize AI to achieve unprecedented scale — and change the phishing landscape for good
- Plus other top phishing stats for 2025
Download Now:
https://info.knowbe4.com/phishing-threat-trends-report-chn
Shadow AI: A New Insider Risk for Cybersecurity Teams to Tackle Now
By James McQuiggan
Disclaimer: Don't get me wrong, I love using generative AI daily for research and writing. This is about how other users could be using it when they don't know what they don't know and are accidental in their actions to hurt the organization where they work.
Shadow IT has always lived in the background of organizations' environments with unapproved apps, rogue cloud services and forgotten BYOD systems. Like all technology, the Shadow IT ecology is evolving. It's evolved into something more challenging to detect and even more complex to control, and that's Shadow AI.
As employees lean on AI to get their work done faster, they may introduce risk without realizing it.
From marketing teams using Claude to research and write content to developers pasting proprietary code into Gemini, the line between productivity and exposure is thin. These tools promise speed and convenience but can become a growing liability without governance.
Nearly 74% of ChatGPT usage in corporate environments happens through personal accounts. That means enterprise controls like data loss prevention (DLP), encryption, or logging are nowhere in sight. Combine that with the 38% of employees who admit to inputting sensitive work data into AI tools without permission, and you've got a significant insider threat. While accidental, it's no less dangerous than a user clicking on a link in a phishing email.
[CONTINUED] with graphs, examples and mitigation suggestions:
https://blog.knowbe4.com/shadow-ai-a-new-insider-risk-for-cybersecurity-teams-to-tackle
Let's stay safe out there.
Warm Regards,
Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.
PS: Seeing (and Hearing) Isn't Believing: Perry Carpenter's SEC Presentation on AI-Driven Scams:
https://blog.knowbe4.com/seeing-and-hearing-isnt-believing-my-sec-presentation-on-ai-driven-scams
PPS: Your KnowBe4 Compliance Plus Fresh Content Updates from March 2025:
https://blog.knowbe4.com/knowbe4-cmp-content-updates-march-2025
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-15-15-heads-up-north-korea-expands-its-fraudulent-it-worker-operations
Report: Attackers Find New Ways To Misuse AI Tools
Researchers at Palo Alto Networks' Unit 42 have published a report on prompt attacks, a relatively new method for manipulating generative AI tools into performing malicious activities. While legitimate AI tools have measures designed to prevent misuse, the researchers found that many of these safeguards can be bypassed.
"We recently assessed mainstream large language models (LLMs) against prompt based attacks, which revealed significant vulnerabilities," the researchers write. "Three attack vectors—guardrail bypass, information leakage and goal hijacking—demonstrated consistently high success rates across various models.
"In particular, some attack techniques achieved success rates exceeding 50% across models of different scales, from several-billion-parameter models to trillion-parameter models, with certain cases reaching up to 88%."
Bypassing these safeguards allows attackers to use the tools to perform malicious activities, such as crafting phishing attacks, writing malware code or gaining access to sensitive information.
The researchers separate prompt attacks into four categories based on their impacts: Goal Hijacking, Guardrail Bypass, Information Leakage and Infrastructure Attack.
"This proposed categorization differs from other technique-based categories, like prompt engineering, social engineering, obfuscation and knowledge poisoning," the researchers write. "This is because techniques evolve over time, making it essential to focus on their broader implications.
"As such, each technique can contribute to one or more of the impact categories mentioned above. This is why, for most AI practitioners, the impacts of the prompt attacks are much more important than the techniques themselves."
Both users and developers of AI tools should be aware of the threats posed by these attacks. "GenAI users, especially enterprises, are responsible for recognizing the risks associated with adversarial prompt attacks," Unit 42 says.
"By exercising caution and validating GenAI outputs, users can mitigate potential security threats and prevent unintended consequences."
Unit 42 has the story:
https://www.paloaltonetworks.com/blog/2025/04/new-frontier-of-genai-threats-a-comprehensive-guide-to-prompt-attacks/
64% of Australian Organizations Hit by Ransomware Were Forced to Halt Operations
Illumio's recent Global Cost of Ransomware Study found that 64% of Australian companies hit by ransomware had to shut down operations as a result.
Additionally, 43% of these organizations reported a significant loss of revenue, and 39% lost customers as a result of an attack. Most respondents indicated that reputational damage has overtaken regulatory fees as the most costly effect of a ransomware attack.
"Since 2021, more organizations are reporting that brand damage was a consequence of the ransomware attack (an increase from 21% to 35% of respondents)," the report states. "The findings also reveal that recovering from damage to brand can cost organizations the most following a ransomware attack."
The report also found that phishing remains the top initial access vector for ransomware gangs, used in 58% of attacks. "Phishing continues to be the most common way ransomware is delivered," the report says. "Phishing and Remote Desktop Protocol (RDP) compromises continue to be the primary methods used to unleash ransomware.
"Ransomware is typically spread through emails that contain links to malicious web pages or attachments. Infection can also occur when a user visits an infected website and malware is downloaded without the user's knowledge."
The researchers add that security awareness training can help prevent these attackers from gaining a foothold within the organization. "To improve prevention and reduce the time it takes to respond, organizations should address negligent user behavior and the lack of security awareness," the report says.
"Training programs should focus on how users can make better decisions about the content they receive through email, what they view or click in social media, how they access the web and other common practices. Because no cybersecurity control can prevent every attack, containment and response strategies were equally critical."
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Illumio has the story:
https://www.illumio.com/resource-center/cost-of-ransomware
What KnowBe4 Customers Say
"Good Morning Stu, I had to do my own checking on this email to ensure this was legitimate. I appreciate the communication and check in on how your clients are doing. I am sure these emails to your other customers are also appreciated.
"We are very satisfied with KnowBe4. The training material and delivery is top notch. Your staff do an excellent job with customer service and assistance with any technical issues we have encountered. There have not been many. Thanks again for the email and follow up on services!"
- H.S., Chief Information Security Officer