A software engineer hired for an internal IT AI team immediately became an insider threat by loading malware onto his workstation.

Source: Den Rise via ShutterStock

A security firm recently hired a software engineer for its internal AI team that turned out to be a North Korean threat actor, who immediately began loading malware to his company-issued workstation.

KnowBe4, which provides security awareness and training, conducted standard pre-hiring background checks for the employee and four separate video-conference interviews with him before his hiring, Stu Sjouwerman, KnowBe4's founder, shared in a blog post about the situation. The company also verified that the person interviewed was the same one in the photo sent in with a resume.

The checks came back clean and the candidate for the position ("principal software engineer") appeared credible and qualified, though later the company realized he was using a stolen identity and his photo was AI-enhanced.

Once the verification and hiring process was complete, KnowBe4 sent the new employee, who is referred to in KnowBe4's post as "XXXX," his Mac workstation, "and the moment it was received, it immediately started to load malware," Sjouwerman wrote.

"On July 15, 2024, a series of suspicious activities were detected on the user beginning at 9:55pm EST," he detailed. "When these alerts came in, KnowBe4's security operations center (SOC) team reached out to the user to inquire about the anomalous activity and possible cause. XXXX responded to the SOC that he was following steps on his router guide to troubleshoot a speed issue and that it may have caused a compromise."

What the employee was really doing, however, was performing various actions to manipulate session history files, transferring potentially harmful files, and executing unauthorized software using a Raspberry Pi. KnowBe4's SOC attempted to get him on a call to investigate further, but he said he was unavailable and "later became unresponsive." By 10:20am, the SOC had quarantined XXXX's device.

KnowBe4 shared the data it collected about the employee and his activities with cybersecurity firm Mandiant and the FBI, to corroborate the company's initial findings. The company eventually discovered that XXXX was a fake IT worker from North Korea, and an FBI investigation is still ongoing.

**"It Can Happen to Anyone"**

Sjouwerman stressed to customers that no data breach occurred due to the activity, as security tooling blocked the malware before it was executed. His aim in sharing what happened at his company is to provide "an organizational learning moment," he said.

"Do we have egg on our face? Yes," he wrote. "And I am sharing that lesson with you."

KnowBe4 grants new employees' accounts only limited permissions for proceeding through the new hire onboarding process and training, with access to only necessary apps such an an email inbox, Slack, and Zoom. This means that XXXX never had access to any customer data, KnowBe4's private networks, cloud infrastructure, code, or any KnowBe4 confidential information, Sjouwerman said.

"No illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems," Sjouwerman wrote. However, "if it can happen to us, it can happen to almost anyone," he added.

Indeed, North Korean threat actors are notorious for engaging in successful cybercriminal activities by posing as credible IT workers. Last October, the Department of Justice warned that the freelance IT market was being flooded by operatives working on behalf of the North Korean government, urging caution to companies when hiring new workers. The department found that these workers are quietly directing their earnings to the government's sanctions-ridden nation's nuclear weapons program.

“Most of these individuals who attempt to obtain employment are not physically located in the US," Sjouwerman explained. "In order for them to conduct work, they require a US location for the equipment to be sent. There are small networks set up at drop locations where a US-based individual will turn on the received computers and configure them to be accessed remotely. The remote worker will then connect into the laptop farm network, and from there remote into the received device. This will cause security and access logs for that person to show up as being US-based and coming from the correct device.”

**How Not to Hire a North Korean Hacker**

KnowBe4 has made "several process changes" to hiring to help ensure any potential bad actor will be detected earlier, according to the post. In the US, for example, the company now will only ship new employee workstations to a nearby UPS shop and require a picture ID to obtain it.

Other process improvements that organizations can make are to ensure all background and reference checks are verified for inconsistencies and properly vetted; review and strengthen access controls and authentication processes; and conduct security awareness training for employees to stress social-engineering tactics used by threat actors.

The company also made recommendations so other organizations can avoid a similar scenario, including scanning remote devices for any suspicious access or activity; improving vetting and resume scanning for inconsistencies; and checking for red flags, like a laptop shipping address that's different from where the person is supposed to live and work.

Other red flags to look out for in potential employees include the use of VoIP numbers and/or lack of digital footprint for provided contact information, and any discrepancies in addresses, personal information, or date of birth across different sources. A remote employee's sophisticated use of VPNs or virtual machines should raise an alarm.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Security Firm Accidentally Hires North Korean Hacker, Did Not KnowBe4

Our critical systems can be protected from looming threats by embracing a proactive approach, investing in education, and fostering collaboration between IT and OT professionals.

Source: Juri Samsonov via Alamy Stock Photo

COMMENTARY

In the realm of cybersecurity risk, the obscure dark corner of the room is operational technology (OT). This is the space where computers and physical function come together, opening and closing valves, flipping breakers, stamping metal, and changing the temperature in your home from an app on your phone. This is also a place that most IT professionals and cybersecurity practitioners shy away from and look to as "that stuff over there we don't really understand."

**The Lack of Attention on Operation Technology Attacks**

The cyberattacks that make the headlines often impact consumers significantly. Historically, these targeted financial systems, hospitals, credit agencies, and occasionally government entities. What is less common to see is public acknowledgment of a cyberattack against true critical infrastructure. Stuxnet was one of the very first, but there was so much shrouded in the mystery of espionage that it did not have a major mental impact on most of the world's population. In contrast, the 2021 Colonial Pipeline attack caused widespread gasoline shortages, highlighting the severe potential impacts of such attacks. Yet, only three years later, it has faded from public memory. Similarly, attacks on small water utilities in Pennsylvania and Texas received little public attention.

Why are people not more focused on securing operational technology, then? Perhaps it's a lack of understanding and a bit of awe as to how much control computers can have; however, the OT space isn't new tech. Many of the components in an OT environment can be decades old. Even still, seasoned network engineers and IT administrators alike may not fully understand OT communications protocols, making cyberattacks in this space more possible and simultaneously less discussed.

**Reimagining OT Security **

How do we manage risk and protect the often-ignored underbelly of IT, which includes the infrastructure that keeps the lights on, water clean, medication available, and manufactured products flowing — all driven by OT?

Protecting this infrastructure isn't overly complex. Here's what's needed:

1.  A solid risk management plan
    
2.  Visibility into what's happening in those environments
    
3.  The ability to understand what's normal so we can tell when something is not
    
4.  Documentation of what is supposed to communicate in OT environments and how and where that communication should happen
    
5.  The ability to have some protective mechanisms that will work in the environment
    
6.  A solid patch and vulnerability management program
    
7.  Secure and monitored remote access
    

If it's that simple, why has protecting this infrastructure been so challenging globally? The primary issue is that available tools are either tailored for IT systems or designed for OT systems but lack necessary integrations for IT staff monitoring. SIEM tools, crucial for monitoring network communications and rogue activity, need to interface with cloud services — something OT environments avoid. Consequently, protective tools like CrowdStrike can't be fully utilized. Even with partnerships with Claroty or Dragos, they still involve a proxy connection to the Internet.

**Proposing Solutions, Highlighting Roadblocks**

There are a few strategies that can be utilized successfully to manage risk in these environments.

The first is to have a thorough understanding of what information needs to flow and in which directions, and what portion of it needs to get to the outside world. Time and again we encounter scenarios in which there's technical documentation about the operational side of the design but not up-to-date information about what data is flowing where and how it's being utilized. The second is that most of the tools that are utilized for visibility in this space require specific network configurations.

These tools rely on network traffic analysis because it's not typically possible to install traditional antivirus or endpoint protection software on the devices that exist in the OT space. That means there must be a mechanism to route the traffic to the inspection points. Most of these networks were designed for resilience and uptime, not for cybersecurity, so reconfiguration is often necessary to be able to route traffic in a direction that allows for inspection. These network resegmentation projects take a lot of time, tend to be expensive, and run the risk of operational downtime, which is something that no OT environment can typically tolerate.

**The First of Many Bottom Lines**

The urgency to secure our critical infrastructure cannot be overstated. Our critical systems can be protected from looming threats by embracing a proactive approach, investing in education, and fostering collaboration between IT and OT professionals. The cost of inaction is too high — our water, power, and safety depend on our ability to safeguard these essential technologies.

Is our water safe to drink? The answer lies in our commitment to securing the unseen, often ignored underbelly of our technological world. Only through vigilance and dedicated effort can we ensure the safety and reliability of our critical infrastructure for the future.

**About the Author(s)**

Chief Security Officer, DirectDefense

Christopher Walcutt is a former network architect with 25 years of experience in security, risk, and compliance leadership. His expertise is predominantly in the energy, utility, smart grid, and manufacturing sectors, specializing in industrial controls architecture, management consulting, and breach and incident handling. He has provided services to a wide variety of enterprise clients, including some of the world’s largest energy, engineering, manufacturing, and water companies, and has advised CISO’s offices and boards of directors globally. Chris served in leadership roles at Constellation Energy, SunGard, and Black & Veatch, where he was responsible for cybersecurity and management consulting for NERC CIP, NRC, smart grid, and NIST compliance. Chris has guided organizational change amidst the ever-changing threat landscape and has served in multiple NERC committees and working groups.

Is Our Water Safe to Drink? Securing Our Critical Infrastructure

DDoS cyberattack campaign averaged 4.5 million requests per second, putting the bank under attack 70% of the time.

Source: VideoFlow via Shutterstock

A distributed denial-of-service (DDoS) attack targeting a financial institution in the United Arab Emirates set records for the duration of the cyberattack and the sustained volume of requests.

The attack — attributed to pro-Palestinian hacktivist group BlackMeta, also known as DarkMeta — lasted six days and included multiple waves of Web requests lasting anywhere from four to 20 hours, targeting the financial institution's site. Overall, it lasted more than 100 hours in total, averaging 4.5 million requests per second, cybersecurity firm Radware stated in an advisory published this week.

The DDoS attack represents a significant departure from the standard hacktivist denial-of-service attacks, says Pascal Geenens, director of threat intelligence for Radware.

"Those attacks were lasting between 60 seconds and five minutes — they came, they hit hard, and they go away after one to five minutes," he says. "Now, in the case of this attack, the campaign in total lasted six days, and in those six days, 70% of the time, that customer was being targeted by an average of 4.5 million requests."

BlackMeta, also known as SN\_BlackMeta, appeared in November 2023 and has a history of claiming responsibility for attacks against organizations in Israel, the United Arab Emirates, and the United States. In May, the group claimed responsibility for a multiday denial-of-service attack on the San Francisco-based Internet Archive. In April, the group claimed to have attacked the Israel-based infrastructure of the Orange Group, a French provider of telecommunication services in Europe, the Middle East, and Africa. The group also targeted organizations in Saudi Arabia, Canada, and the United Arab Emirates.

**DDoS Attacks for $500 a Month**

The BlackMeta group announced its intent to attack the financial institution on Telegram in the days leading up to the operation. The cyberattack inundated the financial firm's website with requests, causing the share of legitimate requests to plummet to as low as 0.002%, with an average of 0.12%. The attacks continued for 70% of the time during the six-day period.

Bandwidth captures showing the attack over six days. Source: Radware

The attackers used a cybercrime service known as InfraShutdown, which allows attackers to target sites for $500 to $625 a week, according to Radware's advisory.

BlackMeta is primarily motivated by a pro-Palestinian ideology, but similar to Anonymous Sudan, has an anti-Western stance, and appears to have links with Russia, and uses Arabic, English, and Russian in its posts, Radware stated.

"The group positions its attacks as retribution for perceived injustices against Palestinians and Muslims," the company stated. "Their targets typically include critical infrastructure such as banking systems, telecommunication services, government websites and major tech companies, all reflecting a strategy to disrupt entities viewed as complicit in or supportive of their adversaries."

**Profiting from DDoS Service?**

BlackMeta is likely a rebrand of Anonymous Sudan, a group that made a name for itself last year attacking targets along with the loose-knit pro-Russian Killnet group, according to the researchers. Anonymous Sudan targeted Israeli organizations and the encrypted messaging service Telegram in 2023. Comparing the number of claimed attacks by month over the past year and a half shows Anonymous Sudan's activity dwindling at the same time that BlackMeta's was ramping up.

Anonymous Sudan advertised its InfraShutdown DDoS attack service during previous attacks, urging other would-be attackers to sign up, which means the group is likely financially benefiting from its "hacktivism."

"If the actors behind \[BlackMeta\] are in any way related to or support Anonymous Sudan, the premium InfraShutdown service is highly likely to be the origin of the 14.7 million \[requests-per-second\], 100-hour attack campaign," Radware stated in its advisory

Rate-limiting the bandwidth during such attacks is not a solution to sustained application-layer attacks, because a company would have to be able to differentiate between the 1.5 billion legitimate requests reaching the website over a six-day period, and the 1.25 trillion malicious requests targeting the site, Geenens says.

"With the attacks going to Layer 7 — the application layer — the problem has shifted," he says. "Before we were at the network level, you could use a firewall, but that is too much processing power, so we moved to network protection. But when you move one layer up \[to Layer 7\], they can target specific pages and randomize the queries that they put in, so they make it look like legitimate posts."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Pro-Palestinian Actor Levels 6-Day DDoS Attack on UAE Bank

Cookies aren't going away, after all. After years of saying it will do so, Google has decided to not remove third-party cookies from Chrome.

Source: Piotr Malczyk via Alamy Stock Photo

After almost four years of tinkering, Google said it will not phase out third-party cookies from its Chrome browser. Instead, the company will provide users with options on how they want to be tracked on the web.

Back in 2020, Google urged browser makers, publishers, developers, and advertisers to move away from using third-party cookies and adopt mechanisms that would provide users with a more private and secure web. Despite opposition from online advertisers, Google set April 2025 as the deadline for removing third-party cookies from Chrome.

However, following discussions with stakeholders -- a list which includes regulators, publishers, developer, and other entities -- Google said it now realizes building ad mechanisms which also preserve privacy has implications for online advertisers.

"In light of this, we are proposing an updated approach that elevates user choice," wrote Chavez. "Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they'd be able to adjust that choice at any time."

One of the mechanisms Google has been working on for the past few years is Privacy Sandbox, a suite of APIs for online ad delivery and analytics with privacy protections built-in. Chrome users will have the choice of keeping third-party cookies or using Privacy Sandbox.

The Electronic Frontier Foundation noted that while major browsers, like Safari and Firefox, block third-party cookies by default, Chrome still does not. And while Privacy Sandbox may be less invasive, it is problematic because it shifts control of online tracking from third-party trackers to Google, according to EFF's Lena Cohen. "That doesn't mean it's good for your privacy," Cohen wrote. EFF suggests downloading its Privacy Badger browser extension to opt out of Privacy Sandbox and the broader online tracking ecosystem.

**About the Author(s)**

Google Will Not Remove Third-Party Cookies From Chrome

Small businesses are increasingly being targeted by cyberattackers. Why, then, are security features priced at a premium?

Source: Song\_about\_summer via Shutterstock

Small and midsize businesses (SMBs) are more vulnerable to attacks because software companies, cloud service providers, and technology makers either charge for safety features that should be offered at every service tier or fail to offer the features at all.

Earlier this year, at least 165 customers of data-services provider Snowflake were compromised — and one reason was because the firm did not offer a way to easily require all users to enable multifactor authentication (MFA), cybersecurity experts say. And just last year, a nonprofit organization failed to detect an attack because, among other reasons, its Microsoft 365 license level of "E3" did not come with logging features that were available to organizations on the more expensive "E5" plan, incident responders stated at the time.

Software makers and service providers need to offer effective security features as a safety measure to every tier of service and not create a cybersecurity gap between the "cyber poor" and enterprises that can afford extra security, says Kymberlee Price, CEO and co-founder of Zatik, a provider of fractional security expertise targeting smaller businesses.

"If vendors do not change the way they price security, if they don't put seatbelts in the base model, then software liability is inevitable," Price says.

Finding ways to secure the cyber poor — those companies and organizations that cannot afford dedicated cybersecurity professionals or high-priced security systems — has become a critical effort worldwide. In 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) pledged to find ways to help the smallest organizations, which typically do not have budgets for information technology, let alone information security. Security compromises can result in business failures and significant stress-related problems for small-business owners.

Driving security down to the smallest firms is critical to promote security across the business ecosystem, as larger companies count SMBs among their vendors, contractors, and partners, says Saeed Abbasi, product manager of vulnerability research at Qualys.

"Strengthening cybersecurity in SMBs is essential for protecting their assets and safeguarding larger business ecosystems, as these small businesses often serve as links in broader supply chains," he says. "Moreover, proactive cybersecurity costs are typically lower than the potential losses from data breaches."

**Delivering More Security By Default**

Defining the difference between what should be a security product in its own right and what should be a security feature is not easy, Price acknowledges. Single sign-on capabilities, such as Okta, would be obviously considered as a security service, but a feature in another product to connect to Okta's SSO should not require purchasing a higher tier, Price says.

"If there's some completely new innovation that revolutionizes the way security works ... that's going to involve development and other costs," so charging extra for that seems fair, she says. "But at this point, so many of these features \[are the equivalent of\] backup cameras, which were an LX-model option when they first came out, but now they're standard in the base models."

Among the safety features Price says she would like to see: Firms should be given the ability to require and monitor two-factor authentication across the business, single sign-on integration should be a base-tier feature, and role-based access controls that split administration and normal user functions should be standard. In addition, companies should start offering audit trails in every application by default and the ability for an administrator to revoke access to users.

For Snowflake, it was not a matter of charging extra for a MFA but of not enabling a feature that cybersecurity professionals have long advocated for. On the platform, individuals could opt into MFA, but company administrators had no power to require the security for every user in their organizations, said Ofer Maor, co-founder and CTO at threat response firm Mitiga, in an interview last month.

"Snowflake not only does not require MFA, but it also makes it very hard for administrators to enforce this," he said. "Unlike other \[software-as-a-service\] platforms, where an admin of a tenant can require MFA for all users in the tenant, in Snowflake this option is not available. The only way for the admin to attempt to enforce it is by manually reviewing every user in the system to see if they voluntarily enabled MFA and, if not, ask them to do so."

Both Snowflake and Microsoft now offer the requested security features on their platforms. As of July 9, administrators can require MFA by default for Snowflake, and Microsoft changed its policy on the cost of logging last year, following criticism of its licenses.

**Make Cyber Safety Easy, Available in Lowest Tiers**

Because SMBs often do not have their own IT specialist, not to mention a skilled cybersecurity expert, offering easy-to-use basic security is paramount. There needs to be a path to drive security down to every user, says Narayana Pappu, CEO at Zendata, a data security and compliance firm.

"SMBs usually lack security expertise in-house, don't have resources to implement nor maintain a solution, and usually carry security risks that can put them out of business if or when a security incident occurs," he says. "These are great reasons to drive good security down to the SMB level — in a connected ... world, you are only as strong as your weakest link."

While generative artificial intelligence and the latest large-language models could provide some companies more security, the cost may still be prohibitive and rarely are such features offered at the base level.

Instead, cybersecurity and software firms should provide basic, effective security in every product at the base service tier, says Zatik's Price, who stresses that she is not against charging everyone a bit extra to make the feature available. However, all tiers should offer the most effective security measures, she says.

"There's no version of a car that does not include seatbelts on the market today," she says. "Are seatbelts free? No, they're baked into the cost of that car. \[Similarly\], we're not saying that all security should be free and zero cost."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Small Businesses Need Default Security in Products Now

With every new third-party provider and partner, an organization's attack surface grows. How, then, do enterprises use threat intelligence to enhance their third-party risk management efforts?

The network of global supply chains means organizations are more interconnected than ever, which increases the potential for a data breach or other security incidents involving third-party suppliers and partners. Third-party vendors, especially those digitally connected to an organization, significantly increase their attack surface and open exposure to software supply chain risks, vulnerabilities, and malicious or negligent insiders.

According to Cyentia Institute, 98% of organizations have at least one third party that suffered a cybersecurity breach within the previous two years.

Organizations have increased their investments in third-party risk management (TPRM) programs to mitigate these risks. In its "2023 Global Third-Party Risk Management Survey," EY found that 90% of respondents were investing to improve their programs' effectiveness. In a recent Dark Reading report, "Managing Third-Party Risk Through Situational Awareness," experts outline how organizations can use threat intelligence to effectively manage third-party risk.

"Third-party risk management is such a big challenge for CISOs," says Rick Holland, VP CISO at security services provider ReliaQuest.

Experts say that the top drivers for TPRM investments are regulatory demands, increased remote work, and data privacy. Much of that investment is being used for threat intelligence programs. By harnessing threat intelligence from various sources, organizations can comprehensively understand the threat landscape and make informed decisions to manage third-party risks effectively.

Threat intelligence is found in many sources, such as open source intelligence, commercial threat intelligence providers, industry-specific information sharing and analysis centers, and internal security data. As applied to third parties, threat intelligence analysts incrementally add intelligence that could indicate that their third parties are either at risk of attack, under attack, or have recently been attacked. Such indicators include comments on Web forums and marketplaces, leaked data, credentials spilled on the Internet, and more.

Download the report to learn how to get started with threat intelligence. Organizations can better comprehend their threat landscape through such threat intelligence and make better-informed decisions to manage their risks. Learn how to collect and use threat intelligence to help reduce many risks associated with third parties.

**About the Author(s)**

An award winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at InformationWeek.com.

Fighting Third-Party Risk With Threat Intelligence

Cybersecurity startup Zest Security emerged from stealth with an AI-powered cloud risk resolution platform to reduce time from discovery to remediation.

Source: Peachshutterstock via Shutterstock

Organizations have plenty of tools to identify cloud risks, vulnerabilities, and misconfigurations, but not so much for remediating cloud risks. For most companies, significant collaboration is needed between DevOps and security teams to validate the risk, understand the root cause, and determine the best resolution.

Remediating risk usually involves a series of manual and time-consuming processes. Cybersecurity startup Zest Security wants to change that with its AI-powered platform designed to simplify and automate risk resolution. The platform correlates and pinpoints the root cause of cloud risks to craft resolution paths that eliminate cloud vulnerabilities and misconfigurations that attackers can exploit, Zest said in a statement.

On average, it takes 30 to 60 days to remediate a single cloud security risk, and 80% of resolved risks resurface after remediation, Zest said. The increase in known cloud attacks is directly the result of lack of efficient and effective remediation.

"Zest eliminates the back-and-forth typically required between security and DevOps teams to determine the best path to mitigation and remediation," said Matthew Hurewitz, director of platforms and application security at Best Buy, in a statement. "Zest shows security teams all of their options, so they can quickly and confidently resolve their vulnerabilities."

As part of the launch, Zest Security also raised $5 million in seed funding from Hanaco Ventures, Silvertech Ventures, and several angel investors. The company's co-founders have years of experience in cloud and product security. Uri Aronovici, Zest’s CTO, previously worked at Akamai Technologies and Check Point Software. Prior to founding Zest, Snir Ben Shimol, Zest's CEO, built the global cybersecurity platform and services organization at Varonis. Shimol was also the CSO of Cider Security before it was acquired by Palo Alto Networks.

**About the Author(s)**

Zest Security Aims to Resolve Cloud Risks

The threat group uses its "Stargazers Ghost Network" to star, fork, and watch malicious repos to make them seem legitimate, all to distribute a variety of notorious information-stealers-as-a-service.

Source: Miriam Doerr Martin Frommherz via Shutterstock

A threat actor known as "Stargazer Goblin" has found a new way to leverage GitHub to distribute malware and malicious links to unsuspecting users.

Instead of hosting malware on GitHub and then luring users to inadvertently download an infected code package (by getting them to click on a malicious link in a phishing email, for instance), the new tactic involves convincing victims that malicious repositories are legitimate via a socially engineered influence operation involving thousands of inauthentic accounts.

Researchers from Check Point Research (CPR) who uncovered the operation noted in a report this week that the adversary's end game is running a malware distribution-as-a-service (DaaS) network dubbed Stargazers Ghost Network, currently comprised of more than 3,000 active GitHub accounts.

**A Large Network of Rogue Accounts**

The threat group is using a relatively small number of these accounts to actually distribute the malware and malicious links, and the remaining ones are the inauthentic accounts that are being used to make the rogue repositories appear legitimate. Their tactics for doing so have included using the inauthentic accounts to star, fork, and subscribe to the malicious repos, in order to give them a veneer of innocence.

Starring, which gives the group its name, is a way to bookmark repositories on GitHub to make them easier to find in the future, and also as a way to show appreciation for a particular project. Forking is about creating an identical copy of another GitHub project as a way to propose changes to the project or to build on it for your own purposes; and watching is basically a way of keeping abreast of the latest developments in a project. Just as with applications on mobile app stores, users tend to perceive GitHub projects with more stars, forks, and watchers as being more credible — and trustworthy — than others.

"In the past, malware was hosted on GitHub, though the repositories that hosted malware never suggested that a normal user would land, trust, download, and execute the hosted sample," says Antonis Terefos, a researcher at CPR. "Currently, via the Stargazers Ghost Network, we are experiencing a new era of malware distribution utilizing accounts to act organically by starring \[and\] forking malicious repositories \[to make them appear\] as legitimate to normal users."

**Stargazer Goblin's Distribution-as-a-Service Play**

Since at least August 2022, and likely even earlier, Stargazer Goblin has used its rogue GitHub accounts to distribute a variety of malware families, including Atlantida Stealer, Rhadamanthys infostealer, RisePro, Redline, and Lumma Stealer. A Stargazers Ghost Network advertisement from July 2023 — in English and Russian — that CPR researchers found on a Dark Web forum showed the threat actor charging $10 to "star" a repository with 100 accounts, and $2 to provide an account with an empty "aged" repository, which generally is more trusted than a brand-new one.

CPR also said that the operation likely extends well beyond GitHub.

"We believe that Stargazer Goblin created a universe of Ghost Network accounts operating across various platforms such as GitHub, Twitter, YouTube, Discord, Instagram, Facebook, and many others," CPR said in its report. "Similar to GitHub, other platforms can be utilized to legitimize malicious phishing and distribute links and malware to victims through posts, repositories, videos, tweets, and channels, depending on the features each platform offers."

Terefos says the majority of repositories on the Stargazers Ghost Network use tags that ensure they surface at the top of GitHub searches when users are looking for something. The threat group has also used services, such as Discord, to promote the malicious repositories as places where users can get game mods, cracked software such as Adobe and VPN software, and free trading, AI, and coin-mining tools.

"Since last week's CrowdStrike event, which threat actors have been trying to take advantage of, we have been monitoring for CrowdStrike 'drive-fixes' repositories, on the Ghost Network. So far, there have been none," Terefos says. "\[But\] this could be an example of how a user could land on a malicious repository by searching on GitHub for how to perform the \[CrowdStrike\] fix. The user would see that the repository has been starred by multiple other accounts, indicating that the provided 'fix/repo' works. Instead, the user is being infected with malware."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

'Stargazer Goblin' Amasses Rogue GitHub Accounts to Spread Malware

The good news: Only organizations far behind on standard Windows patching have anything to worry about.

Source: dennizn via Alamy Stock Photo

A Microsoft Defender SmartScreen vulnerability that was patched in February is still being used in infostealing attacks across the globe.

CVE-2024-21412 — a "high" severity, 8.1 CVSS-scored security bypass bug in SmartScreen — was first disclosed and fixed on Feb. 13. Since then, it has been used in campaigns involving well-known infostealers like Lumma Stealer, Water Hydra, and DarkGate.

Now, five months later, Fortinet has flagged yet another campaign involving two more stealers: Meduza and ACR. Attacks thus far have reached the US, Spain, and Thailand.

Sometimes, organizations take their time updating third-party software. By contrast, "The attackers in this case are taking advantage of software that's native on Microsoft Windows, which would be updated in normal Microsoft patch cycles," notes Aamir Lakhani, global security strategist and researcher at Fortinet. "It's a little unclear and concerning when these vulnerabilities are not patched, because it could indicate there are other Microsoft vulnerabilities that are not being patched as well."

**A CVE-2024-21412 Attack Chain**

If you visit a website, or download a file or program that's known to be unsafe — or is suspicious for any number of other reasons — SmartScreen will step in and present you with that famous blue screen message: "Windows protected your PC." It's a simple, effective way to alert users to potentially dangerous cyber threats.

So consider how useful it would be to an attacker if they could simply disable that notification. This is what CVE-2024-21412 allows them to do.

In the latest campaign identified by Fortinet, the attackers are beating SmartScreen "through the combination of PowerShell trickery and hiding attacks in images and taking advantage of how those images are processed," Lakhani explains.

First, they lure victims with a URL that triggers the download of a shortcut (LNK) file. The LNK downloads an executable with an HTML Application (HTA) script with PowerShell code for retrieving decoy PDF files and malicious code injectors.

One of the injectors is more interesting than the other. After running anti-debugging checks, it downloads a JPG image file, then uses a Windows API to access its pixels and decode its bytes, wherein lies malicious code.

"These types of image-based attacks have been around a long time and, while they aren't as common as other types of attacks we typically observe, we still see them pop up over time because they are quite effective," Lakhani notes. "It's not surprising to see this attack, especially because \[steganography\] detection is often overlooked compared to other attack scenarios."

**Consequences to the Unpatched**

The stealers smuggled in through image files in this case get planted inside of legitimate Windows processes, at which point the gathering and exfiltration of data begins.

The kinds of information they aim for are broad. ACR, for example, steals from dozens of browsers (Google Chrome, Firefox), dozens of crypto wallets (Binance, Ledger Live), messenger apps (Telegram, WhatsApp), password managers (Bitwarden, 1Password), virtual private network (VPN) apps, email clients, file transfer protocol (FTP) clients, and more. 

Only organizations far behind on standard Windows patching have anything to worry about. Clearly, though, those organizations are out there.

"I would understand how individual software updates from smaller companies may be missed, but most organizations have regular Microsoft software patch updates, and this particular vulnerability remains open to attack," Lakhani says. To encourage better patching practices, he adds, "I think in all cases, software vendors need to give users alerts and notifications that critical security patches exist and should be installed when the software is launched or used."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Cyberattackers Exploit Microsoft SmartScreen Bug in Stealer Campaign

Players can only access the game by first joining its Telegram channel, with some going astray in copycat channels with hidden malware.

Source: Science Photo Library via Alamy Stock Photo

Malicious actors are targeting users of a mobile currency game by using fake Android and Windows software that installs spyware and other malware.

Hamster Kombat launched in March and already has more than 250 million users, likely due to the promises of winning TON-based cryptocurrency. The game is for Android users, who can earn in-game currency by completing certain tasks within the game.

To play, users must join the game's Telegram channel, scan a QR code, and then launch a Web app on their device. When users first search for the game's Telegram channel, they are likely to come across other Hamster-branded channels attempting to distribute Android malware. One channel, named "HAMSTER EASY," even distributes Ratel Android spyware as an APK file.

This malware can allow the threat actors to subscribe the victim to different services and hide the notifications so that they remain unaware.

Other fake websites include "hamsterkombat-ua.pro" and "hamsterkombat-win.pro," which redirect visitors to advertisements to generate money instead of the real game. 

On the Windows platform, researchers discovered GitHub repositories that promise its victims Hamster Kombat farm bots and autoclickers but instead deliver cryptors that contain Lumma Stealer, info-stealer malware.

As the game continues to grow in popularity among users, it will continue to attract malicious actors, so users should be wary of being tricked by threat actors and copycat apps and remain vigilant when downloading software.

**About the Author(s)**

Source

DARKReading