
KnowBe4 Duped By North Korean Hacker Using AI Deepfake

Everything appeared standard until the new hire's Mac workstation was delivered. As soon as it was received, the machine began loading malware, triggering alarms.

by Avantika July 24, 2024


Who would have imagined that a security awareness training firm could be tricked into hiring a North Korean hacker? Yet that’s exactly what happened to KnowBe4.

KnowBe4, a leading provider of security awareness training and simulated phishing platforms, recently disclosed an incident in which it unknowingly hired a North Korean hacker.

KnowBe4 Hires North Korean Hacker into Team: Here’s How it Happened 

The company’s internal IT team was in search of a software engineer to join their AI division. After a comprehensive hiring process that included multiple interviews, background checks, and reference verifications, the candidate was onboarded.

“Our HR team conducted four video conference-based interviews on separate occasions, confirming the individual matched the photo provided on their application. Additionally, a background check and all other standard pre-hiring checks were performed and came back clear due to the stolen identity being used. This was a real person using a valid but stolen US-based identity. The picture was AI ‘enhanced,’” the company’s official statement read.

According to the company, the subject exhibited remarkable sophistication in crafting a convincing cover identity, exploiting vulnerabilities in the hiring and background check processes, and attempting to gain access to the organization’s systems.

On the left is the original stock photo, while the AI-enhanced fake submitted to HR is on the right. (Source: knowbe4/Blog)

Everything appeared standard until the new hire’s Mac workstation was delivered. As soon as it was received, the machine began loading malware, triggering alarms.

“The EDR software detected it and alerted our InfoSec Security Operations Center. The SOC called the new hire and asked if they could help. That’s when it got dodgy fast. We shared the collected data with Mandiant, a leading global cybersecurity expert, and the FBI, to corroborate our initial findings.”

The investigation uncovered that the so-called software engineer was a North Korean operative using a stolen U.S. identity and an AI-enhanced photograph to create a convincing cover. This elaborate deception involved a fake identity and a sophisticated malware attack designed to exploit the company’s systems. However, the company confirmed that no illegal access was gained, and no data was lost or compromised on any KnowBe4 systems. 

KnowBe4 Fake Employee Investigation 

The investigation into the employee, identified as “XXXX,” revealed that the suspicious activities detected on their account were likely intentional, raising concerns that they could be an insider threat or a nation-state actor. 

“On July 15, 2024, a series of suspicious activities were detected on the user beginning at 9:55pm EST. When these alerts came in, KnowBe4’s SOC team reached out to the user to inquire about the anomalous activity and possible cause. XXXX responded to SOC that he was following steps on his router guide to troubleshoot a speed issue and that it may have caused a compromise,” read the company’s summary report on the incident.

The report further stated that the attacker performed various actions to manipulate session history files, transfer potentially harmful files, and execute unauthorized software. “He used a Raspberry Pi to download the malware. SOC attempted to get more details from XXXX including getting him on a call. XXXX stated he was unavailable for a call and later became unresponsive. At around 10:20pm EST SOC contained XXXX’s device.”

Breaking down the scam, the summary report detailed how it functions: “the fake worker asks to get their workstation sent to an address that is basically an ‘IT mule laptop farm.’ They then VPN in from where they really physically are (North Korea or over the border in China) and work the night shift so that they seem to be working in US daytime. The scam is that they are actually doing the work, getting paid well, and give a large amount to North Korea to fund their illegal programs.”

Acknowledging the Breach 

KnowBe4’s decision to disclose this incident is commendable. By bringing this issue to light, they not only highlight the advanced tactics employed by cybercriminals but also demonstrate a commitment to transparency and education within the cybersecurity community. 

Lessons Learned and Recommendations 

This incident has exposed several critical vulnerabilities in the hiring and security processes: 

  • Vetting Procedures: The necessity of thorough background checks and identity verification cannot be overstated. The hacker utilized a stolen identity with a digitally altered photo, slipping past conventional checks. 
  • Enhanced Monitoring: Continuous surveillance and anomaly detection are crucial. The rapid response by KnowBe4’s SOC was key to mitigating potential damage. 
  • Improved Security Measures: Future recommendations include scanning remote devices for unauthorized access, scrutinizing resumes for inconsistencies, and employing enhanced monitoring and access controls. 

Tips for Prevention 

Organizations should consider the following steps to avoid similar incidents: 

  • Scan Remote Devices: Regularly check for unauthorized remote connections. 
  • Better Vetting: Implement rigorous verification procedures and avoid relying solely on email references. 
  • Enhanced Monitoring: Strengthen monitoring to detect and respond to potential threats promptly. 
  • Security Awareness: Educate employees about social engineering and sophisticated cyber threats. 
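The prevention tips above (scanning for unauthorized remote connections, tighter monitoring of new hires) and the report's own timeline (activity beginning at 9:55pm local time, session history files being manipulated) can be turned into concrete detection logic. The following is an added example written for this page, not KnowBe4's or Mandiant's tooling: it reviews a new hire's endpoint events against three simple rules and decides whether to escalate. The log records, the 30-day probation window, the business-hours window, the corporate address ranges, and the containment threshold are all constructed assumptions.

```python
"""Added example: review a new hire's endpoint events for the patterns this
incident exposed. All events, ranges and thresholds below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, time, timezone
from ipaddress import ip_address, ip_network

PROBATION_DAYS = 30                           # assumed: extra scrutiny for new accounts
BUSINESS_HOURS = (time(7, 0), time(19, 0))    # assumed local working window
CORP_NETWORKS = [ip_network("10.0.0.0/8"),    # assumed corporate / VPN concentrator ranges
                 ip_network("192.0.2.0/24")]
HISTORY_FILES = (".bash_history", ".zsh_history", ".zsh_sessions")
US_EASTERN_JULY = timezone(timedelta(hours=-4), "EDT")  # offset of the shipping address in July


@dataclass(frozen=True)
class NewHire:
    user: str
    provisioned: datetime   # UTC, when the account and workstation were issued
    work_tz: timezone       # local time zone of the address the laptop shipped to


@dataclass(frozen=True)
class Event:
    user: str
    ts: datetime            # UTC
    kind: str               # "process_exec" | "remote_session" | "file_modify"
    detail: str             # peer IP for remote_session, path for file_modify, else command line


def _utc(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


# Constructed sample: one account provisioned a week before the suspicious night.
HIRE = NewHire("new_hire_01", _utc("2024-07-08T14:00:00"), US_EASTERN_JULY)

# Constructed events. 2024-07-16T01:55Z is 9:55pm on July 15 in US Eastern time.
EVENTS = [
    Event("new_hire_01", _utc("2024-07-15T15:10:00"), "process_exec", "/usr/bin/git pull"),
    Event("new_hire_01", _utc("2024-07-16T01:55:00"), "remote_session", "203.0.113.7"),
    Event("new_hire_01", _utc("2024-07-16T02:01:00"), "file_modify", "/Users/new_hire_01/.zsh_history"),
    Event("new_hire_01", _utc("2024-07-16T02:05:00"), "process_exec", "/bin/sh /tmp/install.sh"),
]


def off_hours(hire: NewHire, ev: Event) -> bool:
    """Activity outside local business hours while the account is still in probation."""
    in_probation = ev.ts - hire.provisioned < timedelta(days=PROBATION_DAYS)
    local_time = ev.ts.astimezone(hire.work_tz).time()
    start, end = BUSINESS_HOURS
    return in_probation and not (start <= local_time <= end)


def unexpected_remote(ev: Event) -> bool:
    """An inbound remote session whose peer is not in any corporate range."""
    if ev.kind != "remote_session":
        return False
    peer = ip_address(ev.detail)
    return not any(peer in net for net in CORP_NETWORKS)


def history_tamper(ev: Event) -> bool:
    """Writes to shell history files, which the report lists among the manipulated artefacts."""
    return ev.kind == "file_modify" and ev.detail.endswith(HISTORY_FILES)


def review(hire: NewHire, events: list) -> list:
    """Return (timestamp, kind, [reasons]) for every event that trips at least one rule."""
    findings = []
    for ev in events:
        if ev.user != hire.user:
            continue
        reasons = []
        if off_hours(hire, ev):
            reasons.append("off-hours activity during probation")
        if unexpected_remote(ev):
            reasons.append("remote session from non-corporate address")
        if history_tamper(ev):
            reasons.append("shell history file modified")
        if reasons:
            findings.append((ev.ts.isoformat(), ev.kind, reasons))
    return findings


def should_contain(findings: list, threshold: int = 3) -> bool:
    """Assumed escalation policy: this many distinct reasons on one account warrants containment."""
    distinct = {reason for _, _, reasons in findings for reason in reasons}
    return len(distinct) >= threshold


if __name__ == "__main__":
    for stamp, kind, reasons in review(HIRE, EVENTS):
        print(stamp, kind, "; ".join(reasons))
    print("contain device:", should_contain(review(HIRE, EVENTS)))
```

The daytime `git pull` produces no finding, while the three night-time events trip all three rules between them, so the assumed policy escalates to containment, which mirrors the roughly 25-minute gap between first alert and device containment in the report. In practice the probation rule alone will be noisy for genuine night owls; pairing it with the remote-session and history-tampering rules is what makes the combination worth paging on.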

This incident highlights that even the most vigilant and diligent can fall prey to social engineering attacks. It also brings attention to the prevalence of identity theft and how malicious actors can cleverly exploit it. However, due to their vigilance, KnowBe4 swiftly identified the deception and took the necessary steps to prevent a more significant breach.
