Security company accidentally hires a North Korean state hacker: Cybersecurity Today for Friday, July 26, 2024


A security company accidentally hires a North Korean state actor posing as a software engineer. CrowdStrike issues its Post Incident Review, and a failure in crisis communications.

Welcome to Cyber Security Today. I’m Jim Love, sitting in for Howard Solomon.

In a startling cybersecurity incident, American firm KnowBe4 inadvertently hired a North Korean state actor posing as a Principal Software Engineer. The company, which specializes in security awareness training, detected an attempt to install information-stealing malware on a newly issued Mac workstation on July 15, 2024.

KnowBe4’s CEO, Stu Sjouwerman, explained: “The scheme involves tricking the employer into sending the workstation to an ‘IT mule laptop farm’ near the location the fraudster declared as their home address.”

Despite rigorous background checks, video interviews, and identity verification, the threat actor used stolen U.S. credentials and AI tools to create a convincing facade.

KnowBe4’s CEO noted that the company was tricked into sending the employee’s workstation to an “IT mule laptop farm” near the location the fraudster declared as his home address. The employee used a VPN to appear to be working in the US.

Fortunately, the company detected what they thought was abnormal activity. When confronted, the individual initially made excuses before cutting off all communication.

This incident highlights the ongoing threat from North Korean IT workers infiltrating U.S. companies, a concern the FBI has repeatedly warned about since 2023. These operations aim to fund weapons programs, gather intelligence, and support cyber operations.

KnowBe4 recommends that companies maintain isolated sandboxes for new hires and treat shipping address inconsistencies as red flags. This case serves as a stark reminder of the sophisticated tactics employed by state-sponsored threat actors in the digital age.

That’s our show. You can find the show notes with links at technewsday.com or .ca – take your pick. Cybersecurity returns to its three shows a week.

Sources include Bleeping Computer

Security vendor CrowdStrike released an update to their initial Post Incident Review.

The first, and most surprising, piece of information was that CrowdStrike says the incident was not caused by code or a kernel driver; the kernel driver was the assumed cause in most industry speculation.

This might be semantics to some extent, especially since the offending file is stored in a folder called system32\drivers\CrowdStrike.

But clearly, whatever you call it, CrowdStrike acknowledges that this file contains data which “resulted in an out-of-bounds memory read triggering an exception” that Windows was not set up to handle “gracefully,” and that resulted in the crash.

I’m not trying to attribute anything to CrowdStrike; I’m sure they take accountability. But the idea that Windows should just have been able to handle this “gracefully” might seem to some like passing the buck.

But if the driver/non-driver issue is somewhat confusing, we did get an answer to the question that many of us were asking: “why didn’t their testing catch this?”

The report lists a very thorough testing procedure before release which is, on our reading, pretty much consistent with industry best practices. So the template did go through a testing regime.

CrowdStrike notes that they issued two other templates at the same time and that both of these “behaved as expected.”

So what went wrong?

Apparently, it was a bug in what CrowdStrike refers to as the “Content Validator” which allowed this template to pass through despite having problematic data.

Reliance on that “Content Validator” was apparently the issue, which still raises another question: whether you call this a template or a driver, shouldn’t the severe implication of a null value (or whatever the problematic value was) have been anticipated?

We got some additional answers as to why multiple reboots of a machine might be necessary to correct the error. Apparently, this “template” can’t simply be deleted remotely or overwritten. It stays in the sensor’s directory.

Cleverly, their team, in a very short time, opted to put the file on their “known-bad” list, so that after multiple reboot attempts it could be blocked and normal activity resumed.

A couple of assurances were offered to CrowdStrike customers. First, CrowdStrike is stating that there is no impact to the protection on working systems.

Second, they have listed a number of things that they will do to “prevent this in the future,” among these:

  • Adding additional checks to the Content Validator
  • Staggering deployment to gradually release to their base, starting with what they refer to as a “canary” deployment, harking back to the old idea of taking a canary into a coal mine because the canary would die more quickly than a human.
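The class of defect described above (a data file, not code, driving an out-of-bounds read, and a validator that should have rejected it) as an added illustration. This is not CrowdStrike’s code and does not use its real template format: the template layout, TABLE_SIZE, MAX_ENTRIES and the ENTRY_UNSET sentinel are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical content template, constructed for this example (not CrowdStrike's real format):
 * a header declares how many entries are populated, and each entry is an index into a fixed
 * table inside the sensor. The consumer must treat the template as untrusted data. */
#define TABLE_SIZE  8U
#define MAX_ENTRIES 16U
#define ENTRY_UNSET 0xFFFFFFFFU   /* sentinel for a slot the template never filled in */

typedef struct {
    uint32_t entry_count;
    uint32_t entry[MAX_ENTRIES];
} template_t;

static const int32_t sensor_table[TABLE_SIZE] = { 10, 20, 30, 40, 50, 60, 70, 80 };

typedef enum { TPL_OK = 0, TPL_NULL, TPL_TOO_MANY, TPL_UNSET, TPL_OUT_OF_RANGE } tpl_status_t;

/* Content-validator style check: every value the consumer will later use as an index is
 * range-checked here, before the template is ever handed to the lookup code. */
tpl_status_t validate_template(const template_t *t) {
    if (t == NULL) return TPL_NULL;
    if (t->entry_count > MAX_ENTRIES) return TPL_TOO_MANY;
    for (uint32_t i = 0; i < t->entry_count; i++) {
        if (t->entry[i] == ENTRY_UNSET) return TPL_UNSET;       /* the "null value" case */
        if (t->entry[i] >= TABLE_SIZE) return TPL_OUT_OF_RANGE; /* would read past the table */
    }
    return TPL_OK;
}

/* Consumer: refuses to index the table unless the template validates, so a bad template
 * degrades to a rejected update instead of an out-of-bounds read in kernel context. */
bool lookup(const template_t *t, uint32_t slot, int32_t *out) {
    if (validate_template(t) != TPL_OK || slot >= t->entry_count) return false;
    *out = sensor_table[t->entry[slot]];
    return true;
}

/* Convenience wrapper: the looked-up value, or -1 when the template or slot is rejected. */
int32_t lookup_or_neg1(const template_t *t, uint32_t slot) {
    int32_t v;
    return lookup(t, slot, &v) ? v : -1;
}

/* Constructed templates: one sound, one with an index past the end of the table, one unset. */
const template_t good_template  = { 3, { 0, 4, 7 } };
const template_t bad_template   = { 3, { 0, 4, TABLE_SIZE + 5 } };
const template_t unset_template = { 2, { 0, ENTRY_UNSET } };
```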

I’d normally say that there is a link to the complete text in our show notes, but as a reminder: this is a time when, as CrowdStrike CEO George Kurtz warned, “adversaries and bad actors” are taking advantage of this situation, so you should ensure that you take information only from the CrowdStrike site. Just go to CrowdStrike.com; the link to their remediation hub should be obvious.

And one final piece on the CrowdStrike story.

We really try not to dump on people; people make mistakes. But whoever at CrowdStrike thought that 10 dollar gift cards, to make up for what they put security staff through, were going to go over well was mistaken.

“To express our gratitude, your next cup of coffee or late night snack is on us!” was the message from CrowdStrike giving out a code to access the $10 credit.

In an earlier story, I went through the f-bomb messages on Reddit reacting to the initial outage. The reaction to this 10 dollar gift wasn’t much better. One called it an “absolute clown show,” while another Reddit user posted: “I literally wanted to drive my car off a bridge this weekend and they bought me coffee. Nice.”

But some people who said they had received a voucher also took to social media to say it did not work.

“Uber flagged it as fraud because of high usage rates.”

In fairness, the person who came up with this may have had the best of intentions, but they simply were not trained to handle crisis communications. So it’s a lesson to all of us that when (probably not if, but when) you get hit with an outage that affects your customers, you need to have a trained crisis communications person in charge of your planning.

We’ll have more on this on our week in review show, which will be available late Friday night or early Saturday morning.

I’ll be sitting in for Howard Solomon for a few more shows. We’ll let you know when Howard will be back.

Thanks for listening.
