
Cyber Firm KnowBe4 Hired a Fake IT Worker From North Korea (cyberscoop.com)

In a blog post on Tuesday, security firm KnowBe4 revealed that a remote software engineer hire was a North Korean threat actor using a stolen identity and AI-augmented images. "Detailing a seemingly thorough interview process that included background checks, verified references and four video conference-based interviews, KnowBe4 founder and CEO Stu Sjouwerman said the worker avoided being caught by using a valid identity that was stolen from a U.S.-based individual," reports CyberScoop. "The scheme was further enhanced by the actor using a stock image augmented by artificial intelligence." From the report: An internal investigation started when KnowBe4's InfoSec Security Operations Center team detected "a series of suspicious activities" from the new hire. The remote worker was sent an Apple laptop, which was flagged by the company on July 15 when malware was loaded onto the machine. The AI-filtered photo, meanwhile, was flagged by the company's Endpoint Detection and Response software. Later that evening, the SOC team had "contained" the fake worker's systems after he stopped responding to outreach. During a roughly 25-minute period, "the attacker performed various actions to manipulate session history files, transfer potentially harmful files, and execute unauthorized software," Sjouwerman wrote in the post. "He used a [single-board computer] raspberry pi to download the malware." From there, the company shared its data and findings with the FBI and with Mandiant, the Google-owned cyber firm, and came to the conclusion that the worker was a fictional persona operating from North Korea.

KnowBe4 said the fake employee likely had his workstation connected "to an address that is basically an 'IT mule laptop farm.'" They'd then use a VPN to work the night shift from where they actually reside -- in this case, North Korea "or over the border in China." That work would take place overnight, making it appear that they're logged on during normal U.S. business hours. "The scam is that they are actually doing the work, getting paid well, and give a large amount to North Korea to fund their illegal programs," Sjouwerman wrote. "I don't have to tell you about the severe risk of this." Despite the intrusion, Sjouwerman said "no illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems." He chalked up the incident to a threat actor that "demonstrated a high level of sophistication in creating a believable cover identity" and identified "weaknesses in the hiring and background check processes."
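As an added illustration (not code from the article, CyberScoop or KnowBe4), a small detector for the "IT mule laptop farm" pattern described above: it flags one public IP fronting the laptops of several distinct employees, and devices whose public IP geolocates away from the residence HR has on file. All names, IPs and lookups are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data (not from the article): HR-recorded residence state
# per employee, a tiny IP-to-state lookup standing in for a GeoIP service, and
# endpoint sign-in records shaped as (user, device_id, public_ip).
HR_RESIDENCE = {"alice": "TX", "bob": "CA", "carol": "NY", "dave": "FL"}
IP_GEO = {"203.0.113.5": "TX", "198.51.100.77": "NJ", "192.0.2.9": "CA"}
RECORDS = [
    ("alice", "LT-001", "203.0.113.5"),
    ("bob",   "LT-002", "198.51.100.77"),
    ("carol", "LT-003", "198.51.100.77"),
    ("dave",  "LT-004", "198.51.100.77"),
]


def laptop_farm_findings(records, hr_residence, ip_geo, min_users=3):
    """Return two indicators consistent with the laptop-farm scheme:
    - shared_ip: one public IP behind the devices of >= min_users employees
    - geo_mismatch: a device's public IP is not in the employee's HR residence
    Each finding is a lead for the SOC to verify with the person, not proof."""
    users_by_ip = defaultdict(set)
    geo_mismatch = []
    for user, device, ip in records:
        users_by_ip[ip].add(user)
        observed = ip_geo.get(ip, "unknown")
        expected = hr_residence.get(user, "unknown")
        if observed != expected:
            geo_mismatch.append((user, device, ip, expected, observed))
    shared_ip = {ip: sorted(users) for ip, users in users_by_ip.items()
                 if len(users) >= min_users}
    return {"shared_ip": shared_ip, "geo_mismatch": geo_mismatch}


if __name__ == "__main__":
    for kind, items in laptop_farm_findings(RECORDS, HR_RESIDENCE, IP_GEO).items():
        print(kind, items)
```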

  • My workplace (Score:5, Insightful)

    by ThurstonMoore ( 605470 ) on Wednesday July 24, 2024 @09:29PM (#64653530)

    My workplace uses this company for privacy and security training. It's a joke.

    • Was just thinking the same thing. There will be a staff meeting about this tomorrow.

    • Mine did too, until this month; they switched to MimeCast.

      Their phishing tests are also a joke.

      • I have a rule in Outlook that recognizes their phishing test by the headers in the email and auto-deletes them.
        • Yep. The company I work for resells KnowBe4 services... and insisted on using them internally as well. We're not typical end users in an IT company, we all know how to make Outlook rules without assistance.

        • Yep, their headers are pretty obvious.

      • Re:My workplace (Score:4, Insightful)

        by tlhIngan ( 30335 ) <slashdot@worf.COUGARnet minus cat> on Thursday July 25, 2024 @06:34AM (#64654082)

        Their tests may seem like a joke, but given the statistics, you'd honestly be surprised at how many people fall for them.

        And that's really how phishing works. You get an email from your "bank", but you don't deal with that bank, so you delete it. But chances are, 99.99% of the people that message goes to toss it as spam.

        But that still leaves 1 in 10 thousand. If you send a million emails, that's 100 marks you caught.

        There will generally be someone in that situation.

        You would think a company should easily score 100% on those, but I've seen it range from 80% to a dismal 40% ratings. And I admit, on one of them, I nearly fell for it. So much so I emailed IT about it because it was so slick someone would really fall for it.

        • No, I'm not surprised. In our phishing tests, about 1 in 10 people clicked the phishing link. That in itself doesn't make the test a good test. When the phishing test removes the warning "This message comes from outside your organization" that's not a fair test, because we are training people to look for that warning, and unless the warning can somehow be removed by phishers (which is unlikely), then the phishing test should also include the warning just as a real phishing email would.

          • by tlhIngan ( 30335 )

            No, I'm not surprised. In our phishing tests, about 1 in 10 people clicked the phishing link. That in itself doesn't make the test a good test. When the phishing test removes the warning "This message comes from outside your organization" that's not a fair test, because we are training people to look for that warning, and unless the warning can somehow be removed by phishers (which is unlikely), then the phishing test should also include the warning just as a real phishing email would.

            That happened to us -

    • by mjwx ( 966435 )

      My workplace uses this company for privacy and security training. It's a joke.

      Probably the cheapest way to meet regulations.

      So yeah, it's a joke.

      I'm honestly not surprised they were so easily fooled. I've dealt with a few companies like this (HireRight) and they're a complete circus. Pretty much relied on me giving them all the information including all the contacts, one of the companies I used to work for ceased trading (I didn't know either) but they couldn't even do a simple Google search, which is what I did to find out they went out of business a few months after I left (w

    • They've hounded me for years trying to get a foot in the door. It was pretty easy to tell right off the bat they didn't offer much value, unless your organization had no internal processes to begin with.
  • With that company name the jokes will write themselves.

  • Are they using recruiters and H1B's vs USC's?

    Are they looking for real U.S.-based individuals or just whatever they can find that passes a background check?

  • KnowBe4 staff should watch The Inside Man season three, it will give some tips on personal identification, AI deepfakes, etc.

    • This made me chuckle because Inside Man was mandatory viewing at one of my old jobs. We used to get obvious phishing emails with the KnowBe4 domain and some people still clicked on them. But then again what preceded this was a new employee getting an email from the CEO saying he was too busy in a meeting and to go buy gift cards immediately and send the numbers *facepalm*

      • > But then again what preceded this was a new employee getting an email from the CEO saying he was too busy in a meeting and to go buy gift cards immediately and send the numbers *facepalm*

        Fucking LinkedIn. Every single time we hire someone and that person updates LinkedIn then that person is sent an email from the CEO. We block the ones that come through the office but I can't block your personal email and I can't block SMS to your personal phone if you have your phone number on LinkedIn.

    • KnowBe4 staff should watch The Inside Man season three, it will give some tips on personal identification, AI deepfakes, etc.

      I fucking loved The Inside Man. I could not wait until my mandatory viewing of the next episode came around. I almost want to go back to work just to find out what happened to those people; I retired somewhere in Season 3 or 4, I think.

  • The scam is that they are actually doing the work

    Most scammers are lazy. This guy, not so much.

  • So (Score:1, Troll)

    by The Cat ( 19816 )

    Fake workers can get jobs and free laptops but American workers get put through seven interviews before they are told they aren't a good fit for the company culture.

    Or they get hired and laid off the following week.

    Or it was a fake job post.

    • My thought too. I need some tips from these NK guys.

      • North Korea Tip #1: Be willing to work for half what a westerner's market rate is.
        North Korea Tip #2: Stealing is not a crime if your country says it isn't.

  • Not sure what background check companies do these days, most of the time it's just to validate work history and that the Social no. is valid - as they mentioned, stolen identity. I'd love for someone to tell me how they could have prevented this, in a way that everyone else can also employ without breaking everything.

    If I can get a bank loan with a stolen identity, please don't make the argument that getting a job should be more difficult than getting a loan for $100K - that would be ass backwards.

    Sad to see that th

    • by kmoser ( 1469707 )
      In this case, the article says they discovered a photo he submitted was manipulated by AI, but shouldn't they have detected this *before* they hired him? It doesn't say when he submitted the photo but presumably it was part of his application process and should have been caught before he was granted any credentials.

      A bank just looks at your driver's license and hopes it isn't fake. They don't have any sophisticated way of detecting fakes since verification is done by human eyes.
      • but shouldn't they have detected this *before* they hired him? It doesn't say when he submitted the photo but presumably it was part of his application process and should have been caught before he was granted any credentials.

        What I find weird: the actor was pretending to be based in the US (using VPNs and working on a schedule to match the pretended business hours), the company conducted video calls so anonymity wasn't at play (e.g. not a v-tuber dev or a fursona, etc.) Why didn't they do one last face-to-face meeting?

        How come a company that pretends to be into cyber security, in an era where AI generated realtime video avatars are a thing, doesn't dare to meet a future employee in person?

        Oh, yeah. They only pretend to be

  • What a fucking disgrace
  • by bradley13 ( 1118935 ) on Thursday July 25, 2024 @01:21AM (#64653788) Homepage
    So that laptop was sent to a US address, and was then set up to be used remotely. There almost certainly was a US bank account. So some physical US person is involved here - possibly an entire organization that fronts for North Korean efforts. Seems to me *that's* the real news.
    • So some physical US person is involved here - possibly an entire organization that fronts for North Korean efforts. Seems to me *that's* the real news.

      Somebody physically in the US helped? Yes, definitely!

      They were employees of North Korea? Probably not.
      Probably there are a few shady groups that help with steps needing local presence, that offer their (paid) service to scammers, pig-butchers, and other criminals. An agent working for North Korea just happens to be among their clients.

    • by mjwx ( 966435 )

      So that laptop was sent to a US address, and was then set up to be used remotely. There almost certainly was a US bank account. So some physical US person is involved here - possibly an entire organization that fronts for North Korean efforts. Seems to me *that's* the real news.

      Not sure about the US, but here in the UK it would be a legal grey area (if not outright illegal) to provide my banking details to a third party or for the third party to ask me for them.

      The employer should still check though.

      I'm an immigrant to the UK, so for me, an employer needs to verify that I have the right to work in the UK, this means I get a short term code from the Home Office (done online) and provide that to the employer (it's actually a pretty painless process). This is something the empl

      • Not sure about the US, but here in the UK it would be a legal grey area (if not outright illegal) to provide my banking details to a third party or for the third party to ask me for them.

        The bank info is not for verification of residence/right to work ... it is for payroll.

        • by mjwx ( 966435 )

          Not sure about the US, but here in the UK it would be a legal grey area (if not outright illegal) to provide my banking details to a third party or for the third party to ask me for them.

          The bank info is not for verification of residence/right to work ... it is for payroll.

          Was kind of my point, in the UK payroll doesn't even need that info until after I start as most jobs pay 1 month in arrears. Also in the UK it's not a good indicator of whether I have the right to work, as any resident and some non-residents can get bank accounts and some non-residents have rights to work (i.e. Working Holiday Visa). It's rather pointless to use a bank account to verify someone's rights or even identity.

  • Shut it down, declare bankruptcy, and reincorporate under a completely different name and ban all staff from using your previous name as a reference.

    Seriously how do you recover from this? This is like going to a dentist and having him knock all your teeth out and then saying "I don't know how to put teeth in". It's like ... YOU HAVE ONE JOB!

  • using a valid identity that was stolen from a U.S.-based individual

    Meanwhile, US agencies are tripping over themselves to outsource their HR functions to contractors. As well as handing over their on-line user authentication functions to private firms. The SSA is switching from login.gov to id.me (some outfit in Montenegro as far as I can tell).

    The OPM has experienced several instances of their subcontractors losing millions of employee records, including those of holders of security clearances. It would not surprise me if there were markets on the dark web for these cred

  • ...they do ransomware training - "don't click on the link you idiot" - hardly cyber...
  • Sjouwerman said "no illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems."

    He was a North Korean agent with software engineer levels of access meaning he must have at least had access to their codebase. Do they REALLY think he didn't take copies of that and everything else he and some hacked up software could get its hands on?

  • How many others are out there who didn't get caught? And how many other security firms are infiltrated?

    Security firms are an obvious target for spies from other countries. I'm betting a lot of them aren't really on the lookout for this.

  • KnowBe4 was a better company before Kevin Mitnick died.
  • No matter how many times I block KnowBe4 and report them as SPAM at work, their emails keep getting through.

    UGH!
