Kẻ Hack Bắc Triều Tiên Lừa Đảo Công Ty Bảo Mật Mỹ Để Tuyển Dụng và Liền Tìm Cách Hack vào Họ

Một Hacker Bắc Triều Tiên Đã Lừa Một Nhà Cung Cấp Bảo Mật Hoa Kỳ Để Thuê Anh Ta – Và Ngay Lập Tức Thử Hack Họ

KnowBe4, một nhà cung cấp bảo mật đặt ở Mỹ, tiết lộ rằng họ đã không để ý thuê một hacker Bắc Triều Tiên người đã cố gắng tải phần mềm độc hại vào mạng của công ty. CEO và người sáng lập Stu Sjouwerman của KnowBe4 mô tả sự việc trong một bài đăng trên blog tuần này, gọi đó là một câu chuyện cẩn trọng mà may mắn được phát hiện trước khi gây ra bất kỳ vấn đề lớn nào.

“Đầu tiên: Không có truy cập bất hợp pháp, và không có dữ liệu nào bị mất, bị xâm phạm hoặc bị xoá trên bất kỳ hệ thống của KnowBe4 nào,” Sjouwerman viết. “Đây không phải là thông báo về việc xâm nhập dữ liệu, không có gì. Hãy xem đó như một bài học tổ chức mà tôi đang chia sẻ với bạn. Nếu nó có thể xảy ra với chúng ta, nó có thể xảy ra với hầu hết mọi người. Đừng để nó xảy ra với bạn.”

KnowBe4 cho biết họ đang tìm kiếm một kỹ sư phần mềm cho nhóm AI CNTT nội bộ của họ. Công ty đã thuê một người mà, cuối cùng, được biết đến từ Bắc Triều Tiên và “đang sử dụng một loại danh tính của Mỹ bị đánh cắp nhưng hợp lệ” và một bức ảnh đã được “nâng cấp” bằng trí tuệ nhân tạo. Hiện có một cuộc điều tra FBI hoạt động trong sự nghi ngờ rằng người làm việc này là cái mà bài đăng trên blog của KnowBe4 gọi là “Mối Đe Dọa Nội Bộ/ Hoạt Động Quốc Gia.”

#KnowBe4 #Hack #Hacker #BắcTriềuTiên #AnNinhMạng #TrungQuốc #Mỹ #FBI

Nguồn: https://www.wired.com/story/north-korean-hacker-hired-ecurity-company-malware/

KnowBe4, a US-based security vendor, revealed that it unwittingly hired a North Korean hacker who attempted to load malware into the company’s network. KnowBe4 CEO and founder Stu Sjouwerman described the incident in a blog post this week, calling it a cautionary tale that was fortunately detected before causing any major problems.

“First of all: No illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems,” Sjouwerman wrote. “This is not a data breach notification, there was none. See it as an organizational learning moment I am sharing with you. If it can happen to us, it can happen to almost anyone. Don’t let it happen to you.”

KnowBe4 said it was looking for a software engineer for its internal IT AI team. The firm hired a person who, it turns out, was from North Korea and was “using a valid but stolen US-based identity” and a photo that was “enhanced” by artificial intelligence. There is now an active FBI investigation amid suspicion that the worker is what KnowBe4’s blog post called “an Insider Threat/Nation State Actor.”

KnowBe4 operates in 11 countries and is headquartered in Florida. It provides security awareness training, including phishing security tests, to corporate customers. If you occasionally receive a fake phishing email from your employer, you might be working for a company that uses the KnowBe4 service to test its employees’ ability to spot scams.

Person Passed Background Check and Video Interviews

KnowBe4 hired the North Korean hacker through its usual process. “We posted the job, received résumés, conducted interviews, performed background checks, verified references, and hired the person. We sent them their Mac workstation, and the moment it was received, it immediately started to load malware,” the company said.

Even though the photo provided to HR was fake, the person who was interviewed for the job apparently looked enough like it to pass. KnowBe4’s HR team “conducted four video conference based interviews on separate occasions, confirming the individual matched the photo provided on their application,” the post said. “Additionally, a background check and all other standard pre-hiring checks were performed and came back clear due to the stolen identity being used. This was a real person using a valid but stolen US-based identity. The picture was AI ‘enhanced.'”

The two images at the top of this story are a stock photo and what KnowBe4 says is the AI fake based on the stock photo. The stock photo is on the left, and the AI fake is on the right.

The employee, referred to as “XXXX” in the blog post, was hired as a principal software engineer. The new hire’s suspicious activities were flagged by security software, leading KnowBe4’s Security Operations Center (SOC) to investigate:

On July 15, 2024, a series of suspicious activities were detected on the user beginning at 9:55 pm EST. When these alerts came in KnowBe4’s SOC team reached out to the user to inquire about the anomalous activity and possible cause. XXXX responded to SOC that he was following steps on his router guide to troubleshoot a speed issue and that it may have caused a compromise.

The attacker performed various actions to manipulate session history files, transfer potentially harmful files, and execute unauthorized software. He used a Raspberry Pi to download the malware. SOC attempted to get more details from XXXX including getting him on a call. XXXX stated he was unavailable for a call and later became unresponsive. At around 10:20 pm EST SOC contained XXXX’s device.

“Fake IT Worker From North Korea”

The SOC analysis indicated that the loading of malware “may have been intentional by the user,” and the group “suspected he may be an Insider Threat/Nation State Actor,” the blog post said.

“We shared the collected data with our friends at Mandiant, a leading global cybersecurity expert, and the FBI, to corroborate our initial findings. It turns out this was a fake IT worker from North Korea,” Sjouwerman wrote.

KnowBe4 said it can’t provide much detail because of the active FBI investigation. But the person hired for the job may have logged into the company computer remotely from North Korea, Sjouwerman explained:

How this works is that the fake worker asks to get their workstation sent to an address that is basically an “IT mule laptop farm.” They then VPN in from where they really physically are (North Korea or over the border in China) and work the night shift so that they seem to be working in US daytime. The scam is that they are actually doing the work, getting paid well, and give a large amount to North Korea to fund their illegal programs. I don’t have to tell you about the severe risk of this. It’s good we have new employees in a highly restricted area when they start, and have no access to production systems. Our controls caught it, but that was sure a learning moment that I am happy to share with everyone.

This story originally appeared on Ars Technica.


Leave a Reply

Your email address will not be published. Required fields are marked *