{"id":45992,"date":"2024-07-25T20:59:44","date_gmt":"2024-07-26T00:59:44","guid":{"rendered":"https:\/\/www.technewsday.com\/?p=45992"},"modified":"2024-07-25T21:30:43","modified_gmt":"2024-07-26T01:30:43","slug":"security-company-accidentally-hires-a-north-korean-state-hacker-cybersecurity-today-for-friday-july-26-2024","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/security-company-accidentally-hires-a-north-korean-state-hacker-cybersecurity-today-for-friday-july-26-2024\/","title":{"rendered":"Security company accidentally hires a North Korean state hacker: Cybersecurity Today for Friday, July 26, 2024"},"content":{"rendered":"<p>A security company accidentally hires a North Korean state actor posing as a software engineer. CrowdStrike issues its Post Incident Review and a failure in crisis communications.<\/p>\n<p>Welcome to Cyber Security Today. I\u2019m Jim Love, sitting in for Howard Solomon.<\/p>\n<p>In a startling cybersecurity incident, American firm KnowBe4 inadvertently hired a North Korean state actor posing as a Principal Software Engineer. 
The company, which specializes in security awareness training, detected an attempt to install information-stealing malware on a newly issued Mac workstation on July 15, 2024.<\/p>\n<p>KnowBe4&#8217;s CEO, Stu Sjouwerman, explained: &#8220;The scheme involves tricking the employer into sending the workstation to an &#8216;IT mule laptop farm&#8217; near the location the fraudster declared as their home address.&#8221;<\/p>\n<p>Despite rigorous background checks, video interviews, and identity verification, the threat actor used stolen U.S. credentials and AI tools to create a convincing facade.<\/p>\n<p>KnowBe4\u2019s CEO noted that the company was tricked into sending the employee\u2019s workstation to an \u201cIT mule laptop farm\u201d near the location the fraudster declared as his home address. The employee used a VPN to appear to be working in the US.<\/p>\n<p>Fortunately, the company detected what they thought was abnormal activity. When confronted, the individual initially made excuses before cutting off all communication.<\/p>\n<p>This incident highlights the ongoing threat from North Korean IT workers infiltrating U.S. companies, a concern the FBI has repeatedly warned about since 2023. These operations aim to fund weapons programs, gather intelligence, and support cyber operations.<\/p>\n<p>KnowBe4 recommends that companies maintain isolated sandboxes for new hires and treat shipping address inconsistencies as red flags. This case serves as a stark reminder of the sophisticated tactics employed by state-sponsored threat actors in the digital age.<\/p>\n<p>That\u2019s our show. You can find the show notes with links at technewsday.com or .ca \u2013 take your pick. 
Cybersecurity returns to its three shows a week.<\/p>\n<p>Sources include Bleeping Computer.<\/p>\n<p>Security vendor CrowdStrike released an update on their initial Post Incident Review.<\/p>\n<p>The first, and most surprising, piece of information was that CrowdStrike says the incident was not caused by code or a kernel driver \u2013 the kernel driver was the assumed cause in most industry speculation.<\/p>\n<p>This might be semantics to some extent, especially since the offending file is stored in a folder called system32\\drivers\\CrowdStrike.<\/p>\n<p>But clearly, whatever you call it, CrowdStrike acknowledges that this file contains data which \u201cresulted in an out-of-bounds memory read triggering an exception\u201d that Windows was not set up to handle \u201cgracefully\u201d and that resulted in the crash.<\/p>\n<p>I\u2019m not trying to attribute anything to CrowdStrike, I\u2019m sure they take accountability, but the idea that things would have been fine if Windows had just been able to handle this \u201cgracefully\u201d might seem to some like passing the buck.<\/p>\n<p>But if the driver\/non-driver issue is somewhat confusing, we did get an answer to the question that many of us were asking, and that is \u201cwhy didn\u2019t their testing catch this?\u201d<\/p>\n<p>The report lists a very thorough testing procedure before release which is, on our reading, pretty much consistent with industry best practices. So the template did go through a testing regime.<\/p>\n<p>CrowdStrike notes that they issued two other templates at the same time and that both of these \u201cbehaved as expected.\u201d<\/p>\n<p>So what went wrong?<\/p>\n<p>Apparently, it was a bug in what CrowdStrike refers to as the \u201cContent Validator\u201d which allowed this template to pass through despite having problematic data.<\/p>\n<p>Reliance on that \u201cContent Validator\u201d was apparently the issue. 
That still raises another question \u2013 whether you call this a template or a driver, shouldn\u2019t the severe implication of a null value (or whatever the problematic value was) have been anticipated?<\/p>\n<p>We got some additional answers as to why multiple reboots of a machine might be necessary to correct the error. Apparently, this \u201ctemplate\u201d can\u2019t simply be deleted remotely or overwritten. It stays in the sensor\u2019s directory.<\/p>\n<p>Cleverly, their team, in a very short time, opted to put the file on their \u201cknown-bad\u201d list, so that after multiple reboot attempts it could be blocked and normal activity resumed.<\/p>\n<p>A couple of assurances were offered to CrowdStrike customers. First, CrowdStrike is stating that there is no impact to the protection on working systems.<\/p>\n<p>Second, they have listed a number of things that they will do to \u201cprevent this in the future,\u201d among these:<\/p>\n<ul>\n<li>Adding additional checks to the Content Validator<\/li>\n<li>Staggering deployment to gradually release to their base, starting with what they refer to as a \u201ccanary\u201d deployment, harking back to the old idea of taking a canary into a coal mine because the canary would die more quickly than a human.<\/li>\n<\/ul>\n<p>I\u2019d normally say that there is a link to the complete text in our show notes, but as a reminder, this is a time when, as CrowdStrike CEO George Kurtz warned, \u201cadversaries and bad actors\u201d are taking advantage of this situation, so you should ensure that you take information only from the CrowdStrike site. 
So just go to CrowdStrike.com \u2013 the link to their remediation hub should be obvious.<\/p>\n<p>And one final piece on the CrowdStrike story.<\/p>\n<p>We really try not to dump on people, people make mistakes, but whoever at CrowdStrike thought it would be cool to give 10 dollar gift cards to make up for what they put security staff through clearly did not think about how it was going to go over.<\/p>\n<p>&#8220;To express our gratitude, your next cup of coffee or late night snack is on us!&#8221; was the message from CrowdStrike giving out a code to access the $10 credit.<\/p>\n<p style=\"font-style: inherit;\">In an earlier story, I went through the f-bomb messages on Reddit in reaction to the initial outage. The reaction to this 10 dollar gift wasn\u2019t much better. One called it an &#8220;absolute clown show&#8221; while another Reddit user posted: &#8220;I literally wanted to drive my car off a bridge this weekend and they bought me coffee. Nice.&#8221;<\/p>\n<p>But some people who said they had received a voucher also took to social media to say it did not work.<\/p>\n<p>&#8220;Uber flagged it as fraud because of high usage rates.&#8221;<\/p>\n<p>In fairness, the person who came up with this may have had the best of intentions, but they simply were not trained to handle crisis communications. So it\u2019s a lesson to all of us that when (probably not if, but when) you get hit with an outage that affects your customers, you need to have a trained crisis communications person in charge of your planning.<\/p>\n<p>We\u2019ll have more on this on our week in review show \u2013 that\u2019ll be available late Friday night or early Saturday morning.<\/p>\n<p>I\u2019ll be sitting in for Howard Solomon for a few more shows. We\u2019ll let you know when Howard will be back.<\/p>\n<p>Thanks for listening.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A security company accidentally hires a North Korean state actor posing as a software engineer. 
CrowdStrike issues its Post Incident Review and a failure in crisis communications. Welcome to Cyber Security Today. I\u2019m Jim Love, sitting in for Howard Solomon. In a startling cybersecurity incident, American firm KnowBe4 inadvertently hired a North Korean state actor [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":45961,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[360,9],"tags":[389,198,1365],"class_list":["post-45992","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-podcasts","category-todays-news","tag-cyber-security-today","tag-podcast","tag-todays-news"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/45992","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=45992"}],"version-history":[{"count":2,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/45992\/revisions"}],"predecessor-version":[{"id":46002,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/45992\/revisions\/46002"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media\/45961"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=45992"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=45992"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=45992"}],"curies"
:[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}