KnowBe4 detailed the incident in a recent blog post as a warning for other potential targets.

KnowBe4, a US-based security vendor, revealed that it unwittingly hired a North Korean hacker who attempted to load malware into the company's network. KnowBe4 CEO and founder Stu Sjouwerman described the incident in a blog post this week, calling it a cautionary tale that was fortunately detected before causing any major problems.

"First of all: No illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems," Sjouwerman wrote. “This is not a data breach notification, there was none. See it as an organizational learning moment I am sharing with you. If it can happen to us, it can happen to almost anyone. Don't let it happen to you.”

KnowBe4 said it was looking for a software engineer for its internal IT AI team. The firm hired a person who, it turns out, was from North Korea and was "using a valid but stolen US-based identity" and a photo that was "enhanced" by artificial intelligence. There is now an active FBI investigation amid suspicion that the worker is what KnowBe4's blog post called "an Insider Threat/Nation State Actor."

KnowBe4 operates in 11 countries and is headquartered in Florida. It provides security awareness training, including phishing security tests, to corporate customers. If you occasionally receive a fake phishing email from your employer, you might be working for a company that uses the KnowBe4 service to test its employees' ability to spot scams.

**Person Passed Background Check and Video Interviews**

KnowBe4 hired the North Korean hacker through its usual process. "We posted the job, received résumés, conducted interviews, performed background checks, verified references, and hired the person. We sent them their Mac workstation, and the moment it was received, it immediately started to load malware," the company said.

Even though the photo provided to HR was fake, the person who was interviewed for the job apparently looked enough like it to pass. KnowBe4's HR team "conducted four video conference based interviews on separate occasions, confirming the individual matched the photo provided on their application," the post said. "Additionally, a background check and all other standard pre-hiring checks were performed and came back clear due to the stolen identity being used. This was a real person using a valid but stolen US-based identity. The picture was AI 'enhanced.'"

The two images at the top of this story are a stock photo and what KnowBe4 says is the AI fake based on the stock photo. The stock photo is on the left, and the AI fake is on the right.

The employee, referred to as "XXXX" in the blog post, was hired as a principal software engineer. The new hire's suspicious activities were flagged by security software, leading KnowBe4's Security Operations Center (SOC) to investigate:

> On July 15, 2024, a series of suspicious activities were detected on the user beginning at 9:55 pm EST. When these alerts came in KnowBe4's SOC team reached out to the user to inquire about the anomalous activity and possible cause. XXXX responded to SOC that he was following steps on his router guide to troubleshoot a speed issue and that it may have caused a compromise.
> 
> The attacker performed various actions to manipulate session history files, transfer potentially harmful files, and execute unauthorized software. He used a Raspberry Pi to download the malware. SOC attempted to get more details from XXXX including getting him on a call. XXXX stated he was unavailable for a call and later became unresponsive. At around 10:20 pm EST SOC contained XXXX's device.

**“Fake IT Worker From North Korea”**

The SOC analysis indicated that the loading of malware "may have been intentional by the user," and the group "suspected he may be an Insider Threat/Nation State Actor," the blog post said.

"We shared the collected data with our friends at Mandiant, a leading global cybersecurity expert, and the FBI, to corroborate our initial findings. It turns out this was a fake IT worker from North Korea," Sjouwerman wrote.

KnowBe4 said it can't provide much detail because of the active FBI investigation. But the person hired for the job may have logged into the company computer remotely from North Korea, Sjouwerman explained:

> How this works is that the fake worker asks to get their workstation sent to an address that is basically an "IT mule laptop farm." They then VPN in from where they really physically are (North Korea or over the border in China) and work the night shift so that they seem to be working in US daytime. The scam is that they are actually doing the work, getting paid well, and give a large amount to North Korea to fund their illegal programs. I don't have to tell you about the severe risk of this. It's good we have new employees in a highly restricted area when they start, and have no access to production systems. Our controls caught it, but that was sure a learning moment that I am happy to share with everyone.

_This story originally appeared on_ _Ars Technica._

A North Korean Hacker Tricked a US Security Vendor Into Hiring Him—and Immediately Tried to Hack Them

"Peace is the virtue of civilization. War is its crime. Yet it is often in the furnace of war that the sharpest tools of peace are forged." - Victor Hugo.
In 1971, an unsettling message started appearing on several computers that comprised ARPANET, the precursor to what we now know as the Internet. The message, which read "I'm the Creeper: catch me if you can." was the output of a program named

Digital Warfare / Cybersecurity Training

> "Peace is the virtue of civilization. War is its crime. Yet it is often in the furnace of war that the sharpest tools of peace are forged." - Victor Hugo.

In 1971, an unsettling message started appearing on several computers that comprised ARPANET, the precursor to what we now know as the Internet. The message, which read "I'm the Creeper: catch me if you can." was the output of a program named Creeper, which was developed by the famous programmer Bob Thomas while he worked at BBN Technologies. While Thomas's intentions were not malicious, the Creeper program represents the advent of what we now call a computer virus.

The appearance of Creeper on ARPANET set the stage for the emergence of the first Antivirus software. While unconfirmed, it is believed that Ray Thomlinson, famously known for inventing email, developed Reaper, a program designed to remove Creeper from Infected Machines. The development of this tool used to defensively chase down and remove a malicious program from a computer is often referred to as the inception of the cybersecurity field. It highlights an early recognition of a cyberattack's potential power and the need for defensive measures.

The revelation of the need for cybersecurity shouldn't come as much of a surprise, as the cyber realm is nothing more than an abstraction of the natural world. In the same way that we grew from fighting with sticks and stones to swords and spears to now bombs and aircraft, so too has the war over the cyber realm progressed. In the beginning, it all started with a rudimentary Creeper virus that was a cheeky representation of what could be a harbinger of digital doom. The discovery of weaponized electronic systems necessitated the invention of antivirus solutions such as Reaper, and as the attacks grew more complex, so too did the defensive solutions. Fast forward to the era of network-based attacks, and digital battlefields began to take shape. Firewalls emerged to replace vast city walls, load balancers act as generals directing resources to ensure one singular point isn't overwhelmed, and Intrusion Detection and Prevention systems replace sentries in watch towers. This isn't to say that all systems are perfect; there is always the existential dread that a globally favored benevolent rootkit that we call an EDR solution could contain a null pointer dereference that will act as a trojan horse capable of bricking tens of millions of Windows devices.

Putting aside catastrophic, and all be it accidental, situations still leaves the question of what's next. Enter Offensive AI, the most dangerous cyber weapon to date. In 2023, Foster Nethercott published a whitepaper at SANS Technology Institute detailing how threat actors could abuse ChatGPT with minimal technical capability to create novel malware capable of evading traditional security controls. Numerous other articles have also examined the use of generative AI to create advanced worms such as Morris II and polymorphic malware such as Black Mamba.

The seemingly paradoxical solution to these growing threats is further development and research into more sophisticated offensive AI. Plato's adage, "Necessity is the mother of invention," is an apt characterization of cybersecurity today, where new AI-driven threats drive the innovation of more advanced security controls. While developing more sophisticated offensive AI tools and techniques is far from morally commendable, it continues to emerge as an inescapable necessity. To effectively defend against these threats, we must understand them, which necessitates their further development and study.

The rationale for this approach is rooted in one simple truth. You cannot defend against a threat you do not understand, and without the development and research into these new threats, we cannot hope to understand them. The unfortunate reality is that bad actors are already leveraging offensive AI to innovate and deploy new threats. To try and refute this would be misguided and naive. Because of this, the future of cybersecurity lies in the further development of offensive AI.

If you want to learn more about Offensive AI and gain hands-on experience in implementing it into penetration testing, I invite you to attend my upcoming workshop at SANS Network Security 2024: Offensive AI for Social Engineering and Deep Fake Development on September 7th in Las Vegas. This workshop will be a great introduction to my new course, SEC535: Offensive AI - Attack Tools and Techniques, to be released at the beginning of 2025. The event as a whole will also be an excellent opportunity to meet several leading experts in AI and learn how it is shaping the future of cybersecurity. You can get event details and the complete list of bonus activities here.

**Note:** _This article is expertly written by Foster Nethercott, a United States Marine Corps and Afghanistan veteran with nearly a decade of experience in cybersecurity. Foster owns the security consulting firm Fortisec and is an author for SANS Technology Institute, currently developing the new course SEC 535 Offensive Artificial Intelligence._

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Offensive AI: The Sine Qua Non of Cybersecurity

Cybersecurity researchers are sounding the alarm over an ongoing campaign that's leveraging internet-exposed Selenium Grid services for illicit cryptocurrency mining.
Cloud security Wiz is tracking the activity under the name SeleniumGreed. The campaign, which is targeting older versions of Selenium (3.141.59 and prior), is believed to be underway since at least April 2023.
"Unbeknownst to most

Cybersecurity researchers are sounding the alarm over an ongoing campaign that's leveraging internet-exposed Selenium Grid services for illicit cryptocurrency mining.

Cloud security Wiz is tracking the activity under the name **SeleniumGreed**. The campaign, which is targeting older versions of Selenium (3.141.59 and prior), is believed to be underway since at least April 2023.

"Unbeknownst to most users, Selenium WebDriver API enables full interaction with the machine itself, including reading and downloading files, and running remote commands," Wiz researchers Avigayil Mechtinger, Gili Tikochinski, and Dor Laska said.

"By default, authentication is not enabled for this service. This means that many publicly accessible instances are misconfigured and can be accessed by anyone and abused for malicious purposes."

Selenium Grid, part of the Selenium automated testing framework, enables parallel execution of tests across multiple workloads, different browsers, and various browser versions.

"Selenium Grid must be protected from external access using appropriate firewall permissions," the project maintainers warn in a support documentation, stating that failing to do so could allow third-parties to run arbitrary binaries and access internal web applications and files.

Exactly who is behind the attack campaign is currently not known. However, it involves the threat actor targeting publicly exposed instances of Selenium Grid and making use of the WebDriver API to run Python code responsible for downloading and running an XMRig miner.

It starts with the adversary sending a request to the vulnerable Selenium Grid hub with an aim to execute a Python program containing a Base64-encoded payload that spawns a reverse shell to an attacker-controlled server ("164.90.149\[.\]104") in order to fetch the final payload, a modified version of the open-source XMRig miner.

"Instead of hardcoding the pool IP in the miner configuration, they dynamically generate it at runtime," the researchers explained. "They also set XMRig's TLS-fingerprint feature within the added code (and within the configuration), ensuring the miner will only communicate with servers controlled by the threat actor."

The IP address in question is said to belong to a legitimate service that has been compromised by the threat actor, as it has also been found to host a publicly exposed Selenium Grid instance.

Wiz said it's possible to execute remote commands on newer versions of Selenium and that it identified more than 30,000 instances exposed to remote command execution, making it imperative that users take steps to close the misconfiguration.

"Selenium Grid is not designed to be exposed to the internet and its default configuration has no authentication enabled, so any user that has network access to the hub can interact with the nodes via API," the researchers said.

"This poses a significant security risk if the service is deployed on a machine with a public IP that has inadequate firewall policy."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Ongoing Cyberattack Targets Exposed Selenium Grid Services for Crypto Mining

CrowdStrike is alerting about an unfamiliar threat actor attempting to capitalize on the Falcon Sensor update fiasco to distribute dubious installers targeting German customers as part of a highly targeted campaign.
The cybersecurity company said it identified what it described as an unattributed spear-phishing attempt on July 24, 2024, distributing an inauthentic CrowdStrike Crash Reporter

Enterprise Security / Network Security

CrowdStrike is alerting about an unfamiliar threat actor attempting to capitalize on the Falcon Sensor update fiasco to distribute dubious installers targeting German customers as part of a highly targeted campaign.

The cybersecurity company said it identified what it described as an unattributed spear-phishing attempt on July 24, 2024, distributing an inauthentic CrowdStrike Crash Reporter installer via a website impersonating an unnamed German entity.

The imposter website is said to have been created on July 20, a day after the botched update crashed nearly 9 million Windows devices, causing extensive IT disruptions across the world.

"After the user clicks the Download button, the website leverages JavaScript (JS) that masquerades as JQuery v3.7.1 to download and deobfuscate the installer," CrowdStrike's Counter Adversary Operations team said.

"The installer contains CrowdStrike branding, German localization, and a password \[is\] required to continue installing the malware."

Specifically, the spear-phishing page featured a download link to a ZIP archive file containing a malicious InnoSetup installer, with the malicious code serving the executable injected into a JavaScript file named "jquery-3.7.1.min.js" in an apparent effort to evade detection.

Users who end up launching the bogus installer are then prompted to enter a "Backend-Server" to proceed further. CrowdStrike said it was unable to recover the final payload deployed via the installer.

The campaign is assessed to be highly targeted owing to the fact that the installer is password-protected and requires input that's likely only known to the targeted entities. Furthermore, the presence of the German language suggests that the activity is geared towards German-speaking CrowdStrike customers.

"The threat actor appears to be highly aware of operations security (OPSEC) practices, as they have focused on anti-forensic techniques during this campaign," CrowdStrike said.

"For example, the actor registered a subdomain under the it\[.\]com domain, preventing historical analysis of the domain-registration details. Additionally, encrypting the installer contents and preventing further activity from occurring without a password precludes further analysis and attribution."

The development comes amid a wave of phishing attacks taking advantage of the CrowdStrike update issue to propagate stealer malware -

*   A phishing domain crowdstrike-office365\[.\]com that hosts rogue archive files containing a Microsoft Installer (MSI) loader that ultimately executes a commodity information stealer called Lumma.

*   A ZIP file ("CrowdStrike Falcon.zip") that contains a Python-based information stealer tracked as Connecio that collects system information, external IP address, and data from various web browsers, and exfiltrates them to SMTP accounts listed on a Pastebin dead-drop URL.

On Thursday, CrowdStrike's CEO George Kurtz said 97% of the Windows devices that went offline during the global IT outage are now operational.

"At CrowdStrike, our mission is to earn your trust by safeguarding your operations. I am deeply sorry for the disruption this outage has caused and personally apologize to everyone impacted," Kurtz said. "While I can't promise perfection, I can promise a response that is focused, effective, and with a sense of urgency."

Previously, the company's chief security officer Shawn Henry apologized for failing to "protect good people from bad things," and that it "let down the very people we committed to protect."

"The confidence we built in drips over the years was lost in buckets within hours, and it was a gut punch," Henry acknowledged. "We are committed to re-earning your trust by delivering the protection you need to disrupt the adversaries targeting you. Despite this setback, the mission endures."

Meanwhile, Bitsight's analysis of traffic patterns exhibited by CrowdStrike machines across organizations globally has revealed two "interesting" data points that it said warrants additional investigation.

"Firstly, on July 16 at around 22:00 there was a huge traffic spike, followed by a clear and significant drop off in egress traffic from organizations to CrowdStrike," security researcher Pedro Umbelino said. "Second, there was a significant drop, between 15% and 20%, in the number of unique IPs and organizations connected to CrowdStrike Falcon servers, after the dawn of the 19th."

"While we can not infer what the root cause of the change in traffic patterns on the 16th can be attributed to, it does warrant the foundational question of 'Is there any correlation between the observations on the 16th and the outage on the 19th?'"

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

CrowdStrike Warns of New Phishing Scam Targeting German Customers

Progress Software is urging users to update their Telerik Report Server instances following the discovery of a critical security flaw that could result in remote code execution.
The vulnerability, tracked as CVE-2024-6327 (CVSS score: 9.9), impacts Report Server version 2024 Q2 (10.1.24.514) and earlier.
"In Progress Telerik Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code

Software Security / Vulnerability

Progress Software is urging users to update their Telerik Report Server instances following the discovery of a critical security flaw that could result in remote code execution.

The vulnerability, tracked as **CVE-2024-6327** (CVSS score: 9.9), impacts Report Server version 2024 Q2 (10.1.24.514) and earlier.

"In Progress Telerik Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code execution attack is possible through an insecure deserialization vulnerability," the company said in an advisory.

Deserialization flaws occur when an application reconstructs untrusted data that an attacker has control over without adequate validation in place, resulting in the execution of unauthorized commands.

Progress Software said the flaw has been addressed in version 10.1.24.709. As temporary mitigation, it's recommended to change the user for the Report Server Application Pool to one with limited permission.

Administrators can check if their servers are vulnerable to attacks by going through these steps -

*   Go to the Report Server web UI and log in using an account with administrator rights
*   Open the Configuration page (~/Configuration/Index).
*   Select the About tab and the version number will be displayed in the pane on the right.

The disclosure comes nearly two months after the company patched another critical shortcoming in the same software (CVE-2024-4358, CVSS score: 9.8) that could be abused by a remote attacker to bypass authentication and create rogue administrator users.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical Flaw in Telerik Report Server Poses Remote Code Execution Risk

Mimecast's acquisition of Code42 helps the company move into insider risk management, joining key rival Proofpoint and others in the space.

Source: Panther Media GmbH via Alamy Stock Photo

Email security providers are increasingly adding human risk management (HRM) tools to their portfolios to broaden their data loss prevention (DLP) capabilities. The latest to sharpen its focus on HRM is Mimecast, which acquired insider risk tool provider Code42 for undisclosed terms this week.

The deal marks Mimecast's second acquisition of an HRM company this year. In January, it made its foray into human risk management with the acquisition of Elevate Security, which resulted in last week's release of Mimecast's Engage risk management platform.

Omdia senior principal analyst Fernando Montenegro says Mimecast's competitors, such as Proofpoint, Sophos, ESET, OpenText (Webroot), and Barracuda Networks, have made similar moves into HRM.

"We have seen similar packaging of messaging security with user training and human factors in many vendors," Montenegro says. "This makes sense as we think there is a long-standing evolutionary pattern to cybersecurity to be better aligned to business outcomes and concerns, and this fits well into this narrative."

Mimecast is playing catch-up to Proofpoint, its most formidable competitor, which released its Proofpoint Nexus People Risk Explorer in 2021. Earlier, Proofpoint made its foray into insider threat management by acquiring ObserveIT, known for its insider threat management platform.

**Insider Risk Tied to Data Breaches**

According to Verizon's "2024 Data Breach Investigations Report" (DBIR), insiders were involved in 68% of all breaches in 2023. Forrester Research forecasts that figure could rise to 90% in 2024, according to its "Predictions 2024" report.

"HRM solutions and programs have surfaced to help CISOs evaluate their firm's human risk, determine whether they are getting a return on their training investment, whether their training is really changing anyone's behavior and improving the firm's cybersecurity posture, and determine what to manage human risk in addition to training people," the report's authors noted.

Weeks after closing the Elevate acquisition in January, Marc van Zadelhoff was tapped as Mimecast's new CEO, replacing co-founder Peter Bauer. Tasked with expanding Mimecast's emerging HRM portfolio, Zadelhoff inked a partnership with Code42 to integrate Code42 Incydr with the Mimecast platform.

By integrating Code42 Incydr's Watchlists for employees with a history of engaging in risky behavior (such as those who frequently fall for phishing attempts) with Mimecast's Profile Groups, organizations can automate the formation, management and policy enforcement among user groups. Likewise, Incydr can be used to manage Mimecast Profile Groups. The integration also lets Mimecast administrators detect and manage exfiltration activity.

Mimecast CEO Marc van Zadelhoff tells Dark Reading that the plan was to leverage that capability to emphasize Mimecast's human risk detection and management capabilities.

"We had been talking to Code42 for a while, and we did the partnership," van Zadelhoff says. "One thing led to another in terms of strengthening it."

Van Zadelhoff says the two acquisitions mark the company's entry into HRM.

"The partnership exposed to us that we had a lot of joint customer interest," he says. "In fact, during that time, we saw an increasing number of our customers adopt Code42 in a fairly short amount of time. As we started leveraging the human risk dashboard and the human risk platform, we started to see that when you add Code42 into the score, it really adds a lot of value on identifying the riskiest segment of the population out there.

**Product Portfolios to Remain Intact With Common Dashboard**

According to van Zadelhoff, there is no overlap between the products Mimecast now offers and Code42's portfolio.

"We tested the product around scalability and how it would work with our technology stack," he says. "It is incredibly compatible. There's zero overlap."

Further, van Zadelhoff insists no products from either company will be deprecated in the wake of the acquisition; the Code42 products will be rebranded Mimecast. Also, in the coming months, Mimecast will create a common human risk dashboard tied to its distinct offerings.

At next month's Black Hat USA Conference in Las Vegas, the company will demonstrate and roll out new artificial intelligence (AI) tools to detect exfiltration risk when employees upload files into generative AI platforms, such as Chat GPT.

"What we're really focused on is understanding when someone takes data from their corporate organizations or from a key repository and exfiltrates that to a public generative AI location," says Rob Juncker, Code42's CTO. "AI is something that we all have to deal with now. So it will be in our base product for all customers effective immediately."

**About the Author(s)**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Mimecast Joins Human Risk Management Fray With Code42 Deal

The fake updates are part of a phishing and fraud surge that is both more voluminous and more targeted that the usual activity around national news stories.

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

Scam alert: Cybercriminals are using last week's CrowdStrike outage as a vehicle for social engineering attacks against the security vendor's customers.

In the hours after the event that grounded planes, shuttered stores, closed down medical facilities, and more, national cybersecurity agencies in the US, UK, Canada, and Australia all reported follow-on phishing activity by petty criminals. That much is to be expected after any national news event. But, says BforeAI CEO Luigi Lenguito, these post-CrowdStrike attacks are both more copious and more targeted than those typically seen after major media stories.

For reference, "in the attack last week on Trump, we saw a spike on the first day of 200 \[related cyber threats\] and then it flattened to 40, 50 a day," he says. "Here, you're looking at a spike that is three times as big. We're seeing about 150 to 300 attacks per day. I would say this is not the normal volume for news-related attacks."

**Profile of a CrowdStrike-Themed Scam**

"The philosophy is: We have these large corporations' users who are lost, because their computers cannot connect to the mothership, and now they're trying to get connected. It's a perfect opportunity for cybercriminals to get back into these networks," Lenguito explains.

This makes CrowdStrike-themed phishing attacks characteristically different from, say, Trump assassination-themed ones. They're much more targeted — aimed at organizations affected by the outage — and potential victims are more technically adept and educated in cybersecurity than your average bear.

To convince those people to let them in, attackers have been masquerading as either the company itself, related technical support, or competing companies with their own "offerings."

The evidence lies in phishing and typosquatting domains registered in recent days, like crowdstrikefix\[.\]com, crowdstrikeupdate\[.\]com, and www.microsoftcrowdstrike\[.\]com. One security researcher identified more than 2,000 such domains that have been generated thus far.

These domains might be used to distribute malware, like the ZIP file pretending to be a hotfix which was uploaded to a malware scanning service last weekend. The ZIP contained HijackLoader (aka IDAT Loader), which in turn loaded the RemCos RAT. The file was first reported from Mexico, and it contained Spanish-language filenames, indicating that the campaign likely targeted CrowdStrike customers in Latin America.

In another case, attackers distributed a CrowdStrike-themed phishing email with a crudely designed PDF attachment. Inside the PDF was a link to download a ZIP attachment with an executable inside. Once launched, the executable asked the victim for permission to install an update. The update, though, was a wiper. The pro-Hamas hacktivist group "Handala" took responsibility, claiming that "dozens" of Israeli organizations had lost several terabytes of data as a result.

However the threats might arrive, Lenguito says, organizations can protect themselves by using blocklists, protective DNS tools, and by avoiding tech support from anywhere other than CrowdStrike's own website and customer service channels.

Or, perhaps, they can just wait it out. "We're still early, right? We'll probably see it taper over the coming weeks. Generally, what we see is these campaigns have a tendency to last two to three weeks," he says.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

CrowdStrike 'Updates' Deliver Malware &amp; More as Attacks Snowball

The Andariel group is targeting critical defense, aerospace, nuclear, and engineering companies for data theft, the FBI, NSA, and others said.

Source: DD Images via Shutterstock

A long-known cyber-espionage group working on behalf of North Korea's foreign intelligence service is systematically stealing technical information and intellectual property from organizations in the US and other countries to advance its own nuclear and military programs.

The group — which security vendors track variously as Andariel, Silent Chollima, Onyx Sleet, and Stonefly — is using ransomware attacks on US health care entities to fund the campaign, the US government warned this week.

**A Clear and Present Danger**

In a joint advisory, the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and others identified the threat actor as primarily targeting defense, aerospace, nuclear, and engineering organizations in the US, Japan, South Korea, and India. "The authoring agencies believe the group and the cyber techniques remain an ongoing threat to various industry sectors worldwide," the advisory noted.

Meanwhile, the US government offered a $10 million reward under the State Department's Rewards for Justice program for information leading to the arrest of Rim Jong Hyok, whom it believes is a key player in the malicious cyber activity. In tandem, the US Justice Department indicted Jong Hyok on charges related to his involvement in Andariel attacks on multiple US entities, including NASA and two US Air Force bases.

The information that Andariel is pursuing in its current campaign is broad and varied. From defense organizations, the adversary has been stealing information pertaining to heavy and light tanks, self-propelled howitzers, combat ships, autonomous underwater vehicles, and other equipment. Aerospace companies are being targeted for information on everything from fighter aircraft, missiles, and missile defense systems to radars and nano-satellite technology. The goal with attacks on organizations in the nuclear sector is to gather data in areas like uranium processing and enrichment, material waste, and storage. And with engineering firms, the threat actor's focus is on shipbuilding, robotics, additive manufacturing, 3D printing, and other technologies.

"The authoring agencies encourage critical infrastructure organizations to apply patches for vulnerabilities in a timely manner, protect web servers from web shells, monitor endpoints for malicious activities, and strengthen authentication and remote access protections," the advisory said.

**Well-Known Threat Actor**

Andariel has been active for several years. Researchers at Google's Mandiant who track the group as APT45 believe it has been operational since at least 2009. Microsoft, which tracks the threat actor as OnyxSleet, says it first spotted the group in 2014. Over the years, researchers have tied the group to numerous information stealing campaigns and destructive attacks on organizations in more than a dozen critical sectors, including defense, aerospace, energy, financial services, transportation, and health care. Many of its attacks have targeted South Korean entitities.

In a report that coincided with the US government warning this week, Mandiant said it had observed APT45 gradually launching more financially motivated attacks — like ransomware attacks — in recent years, even as it has continued with its cyber espionage mission. "APT45 is one of North Korea’s longest running cyber operators, and the group's activity mirrors the regime's geopolitical priorities even as operations have shifted from classic cyber espionage against government and defense entities to include healthcare and crop science," Mandiant said.

Microsoft also released an update on the North Korean actor this week and has observed Onyx Sleet actors recently switch from spear-phishing as a way to gain initial access to using vulnerability exploits. But otherwise, its tradecraft has remained largely unchanged, Microsoft said. "Onyx Sleet has used the same tactics, techniques, and procedures (TTPs) over extended periods, suggesting the threat actor views its tradecraft as effective."

**Vulnerability Exploits and Custom Tools**

The US government advisory described Andariel as looking for and exploiting multiple well-known vulnerabilities to gain initial access to target networks in its recent attacks. Vulnerabilities that the group has been exploiting in its attacks include the Log4Shell flaw (CVE-2021-44228) in Apache's Log4j software; CVE-2023-46604, a maximum severity bug in Apache ActiveMQ server technology; CVE-2023-34362, a widely exploited remote code execution flaw in Progress Software's MOVEIt file transfer technology; and a similar flaw in Fortra's GoAnywhere software (CVE-2023-0669).

In all, the joint advisory listed 41 CVEs that Andariel actors have exploited to break into target networks as part of its cyberespionage campaign. Of that, 16 were vulnerabilities that various vendors disclosed last year. The oldest flaw in the list is from 2017 — CVE-2017-4946 — a privilege escalation bug in VMWare's V4H and V4PA desktop agents.

Once they gain access to a network, Andariel actors typically use a variety of custom tools and malware to establish remote access, enable lateral movement, and steal data, the advisory said, listing nearly two dozen of them. The tools "include functionality for executing arbitrary commands, keylogging, screenshots, listing files and directories, browser history retrieval, process snooping, creating and writing to files, capturing network connections, and uploading content to command and control," the advisory said. "The tools allow the actors to maintain access to the victim system, with each implant having a designated C2 node."

The advisory describes in detail other tactics, techniques, and procedures that Andariel actors have employed in recent attacks so organizations in the group's crosshairs can take protective measures. It also provides indicators of compromise that organizations can use to check for signs of the threat actor's presence on their network and systems.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Feds Warn of North Korean Cyberattacks on US Critical Infrastructure

Though IE was officially retired in June 2022, the vulnerability ramped up in January 2023 and has been going strong since.

Source: mundissima via Alamy Stock Photo

Check Point earlier this month discovered a remote code execution vulnerability, tracked as CVE-2024-38112, that impacts Microsoft Windows users and different versions of Windows Server.

The attackers used Windows Internet Shortcut files, which call on the retired Internet Explorer to visit a URL with a hidden malicious extension name and controlled by these threat actors. Because users are opening this URL with Internet Explorer, and not more secure browsers like Chrome or Edge, the threat actor has more advantages in exploiting the victim's device.

The threat actors also use a second method where they "make the victim believe they are opening a PDF file, while in fact, they are downloading and executing a dangerous .hta application," wrote the Check Point researchers.

The Cybersecurity and Infrastructure Security Agency (CISA) has added this high-severity vulnerability to its Known Exploited Vulnerabilities Catalog  Catalog, with its score of 7.5 due to its active exploitation, and mandated that all Windows systems within federal agencies must be updated or shut down by July 30.

Other research shows that of the roughly 500,000 endpoints running Windows 10 and 11, more than 10% of those devices are missing endpoint protection controls and almost 9% lack patch management controls, meaning that these organizations have a significant number of blind spots for attackers to exploit. 

Though Microsoft issued a patch on July 9, some exploits of this vulnerability date back more than a year ago, which means organizations need to act quickly in their mitigation efforts.

**About the Author(s)**

Microsoft's Internet Explorer Gets Revived to Lure in Windows Victims

How your organization can leverage the disruptive CrowdStrike update to become more resilient.

Chip Stewart, Director–Security, Privacy, and Risk Consulting, RSM US

July 25, 2024

5 Min Read

Source: Illia Uriadnikov via Alamy Stock Photo

COMMENTARY

In the wake of global IT issues caused by a defect in a content update for CrowdStrike's Falcon sensor, many organizations engaged in executing business continuity plans (BCPs), recovering systems, and restoring from backups. In the throes of these activities, it's easy to overlook the similarity with the playbook for ransomware recovery and miss how organizations of all sizes can leverage this event to identify gaps in their capabilities to respond to and recover from ransomware or other disruptive cyberattacks.

It's important to acknowledge the scale of this disruption, with 8.5 million incapacitated PCs across all sectors and organizational sizes. Small businesses, global conglomerates, government agencies, hospitals, and critical infrastructure were all met with the dreaded blue screen of death.

Even those who were not CrowdStrike customers felt the impact, with flights delayed and canceled, gas stations and grocery stores unable to complete transactions, and critical services like police and fire dispatch delayed.

However, there are lessons that every organization can take away from this event to help improve their ability to respond to a cyberattack.

**Detection**

The mean time to detect, or MTTD, is a metric in cyber operations describing how long it takes between when an incident begins and when the organization identifies that something has happened. This metric has been trending down for the past several years, partially because incidents resulting in ransomware deployment are glaringly and quickly apparent. This speedy detection contrasts with incidents where a sophisticated threat actor is siphoning private data from a network, which typically takes longer to discover.

This behavior parallels the obviousness of the CrowdStrike event. Computers across the network became unavailable, displaying a cryptic message about a failed driver. With this event, we have clarity on the start time, with organizations experiencing blue screens around 04:09 UTC.

Organizations should evaluate how long their teams took to detect the outage and how quickly they could reasonably speculate on the root cause. These metrics matter when threat actors deploy ransomware on a network.

**Response**

As IT teams confirmed the cause of the system issues, organizations scrambled to begin restoring systems. Many organizations struggled with incomplete asset inventories, partially managed devices, and no way to prioritize recovery activities reliably. Some found themselves locked out of the password vaults needed to restore critical systems. Others struggled to scale quickly to reimage laptops of remote users scattered across the country. 

These challenges mirror those expected during a ransomware incident and highlight the importance of maintaining an accurate accounting of IT assets that informs prioritization during recovery. Also, recovery plans must consider the operating environment and support reconstituting services in time frames that align with business objectives.

Organizations should evaluate the effectiveness of their response plans during this event, including their ability to prioritize systems that support critical functions and develop or test the granular recovery plans necessary to expedite the reconstitution of these services. They should also determine where there were gaps in asset management and the underlying causes of those discrepancies.

**Business Continuity**

As IT teams worked around the clock to restore systems and get users back online, this event forced many organizations to execute their business continuity plans and restore mission-critical functions. Organizations frequently confuse BCPs with disaster recovery plans (DRPs), resulting in an inability to execute mission-critical functions during this event.

Organizations frequently experience challenges in this area during a ransomware event, with no plan to reconstitute the capabilities that support mission-critical functions. With several high-profile ransomware attacks affecting health departments across the United States (including one during my tenure as the chief information security officer for the State of Maryland), seemingly simple administrative tasks, such as issuing death certificates, become impossible.

To prepare for ransomware events or other cyber disruptions, organizations should conduct a business impact analysis (BIA) and integrate the outputs into comprehensive BCPs, reducing the risk of protracted business disruption from a ransomware incident.

**Supply Chain and Vendor Risk**

The scale of this event has highlighted the risks of cyber events affecting supply chains more than any event in recent history, with financial transactions stalled, logistics companies unable to deliver goods, and hospitals unable to replenish lifesaving supplies. 

In 2021, Kronos, a human capital and workforce management SaaS provider, experienced substantial downtime due to a ransomware event, preventing employees from being paid and stopping work activities at thousands of organizations around the globe. With many organizations relying on their partners to recover quickly from a cyber incident, few were prepared to sustain operations in the event of an incident affecting their supply chain.

Organizations should consider and plan for cyber incidents that have negative consequences on their supply chains as part of their business continuity plans and ensure their partners do the same. 

**Improving Resilience From This Event**

For organizations affected by the CrowdStrike disruption, there is a unique opportunity to reflect on what went well and what your organization should focus on improving through the lens of a ransomware incident. While the disruption certainly should not be minimized, the reality of a ransomware incident includes exorbitant costs, weeks to months of downtime, regulatory challenges, potential lawsuits, and numerous other adverse effects that represent long-term organizational damage.

For organizations that experienced indirect impact through partners in their supply chain, there is an opportunity to ensure adequate supply chain diversification and contingency planning is happening.

For organizations lucky enough to have not experienced any adverse impact from this event, it's crucial to recognize that this could have happened to your organization just as easily, and it's better to be prepared than to be lucky.

For everyone, this is an opportunity to reflect on what you should be doing to improve your organization's resilience.

**About the Author(s)**

Director–Security, Privacy, and Risk Consulting, RSM US

Chip Stewart is a director in RSM's Security, Privacy, and Risk Consulting practice and the former CISO for the state of Maryland, where his charge was to build a statewide security program from the ground up. In this role, he championed the creation of the MD-ISAC, an advanced cyber-threat intelligence center focused on helping all levels of government in Maryland proactively protect their networks from cyber threats by providing them with real-time information.

Tag

#auth