
KnowBe4 Avoids Data Breach After Hiring North Korean Hacker

American cybersecurity firm KnowBe4 recently discovered that a new hire, brought on as a Principal Software Engineer, was actually a North Korean state actor. This individual attempted to install data-stealing malware on the company's devices, but the threat was identified and neutralised before any data breach occurred.

This incident is a testament to the persistent threat from North Korean operatives posing as IT professionals, a danger the FBI has been warning about since 2023. North Korea runs a well-organised network of IT workers who disguise their true identities to secure employment with American companies. The revenue generated by these infiltrators funds the country's weapons programs, cyber operations, and intelligence gathering.

How the Hacker Bypassed Checks

Before hiring the malicious actor, KnowBe4 conducted extensive background checks, verified references, and held four video interviews. Despite these precautions, the individual used a stolen U.S. identity and AI tools to create a fake profile picture that matched their appearance on the video calls. This deception enabled the hacker to bypass the initial vetting process.

On July 15, 2024, KnowBe4's Endpoint Detection and Response (EDR) system flagged an attempt to load malware from the Mac workstation recently issued to the new hire. The malware, designed to steal information stored in web browsers, was intended to capture any leftover credentials or data from the computer's previous user.

When confronted by KnowBe4's IT staff, the state actor initially offered excuses but soon ceased all communication.

Deceptive Hiring Practices

KnowBe4 CEO Stu Sjouwerman explained that the scheme involved tricking the company into sending the workstation to an "IT mule laptop farm" near the address provided by the fraudster. The hacker then used a VPN to connect to the device during U.S. working hours, making it seem like they were working as usual.

To prevent similar incidents, KnowBe4 advises companies to use isolated sandboxes for new hires, keeping them away from critical network areas. Additionally, firms should ensure that new employees' external devices are not used remotely and treat any inconsistencies in shipping addresses as potential red flags.

The KnowBe4 incident highlights the intricate methods North Korean hackers use to infiltrate American companies. By staying vigilant and implementing robust security measures, firms can protect themselves from such threats.

Black Basta Ransomware Hits American Dental Association

A new ransomware gang dubbed Black Basta is exfiltrating corporate data and documents before encrypting victims' devices. It has ramped up quickly since emerging this month and has targeted more than twelve firms in just a few weeks.

The malicious actors then employ stolen data in double-extortion assaults and demand hefty amounts to decrypt files and prevent the publishing of the victim's stolen data. 

According to BleepingComputer, the American Dental Association was targeted by Black Basta last weekend, prompting the shutdown of some parts of its network. The ADA sent emails to its members noting that some of its systems, including ADA email and Aptify, as well as its webchat and telephone lines, have been disrupted as a result of the attack. 

Impacted systems were immediately taken down, with the ADA using Gmail addresses while its email systems are offline. State dental associations, including those in Florida, New York, and Virginia, have also been affected by the ADA breach.

The attackers claimed to have leaked 2.8GB of data, which they say accounts for about 30% of the data stolen in the attack. The exfiltrated files include non-disclosure agreements, W2 forms, accounting spreadsheets, and ADA member data.

Researchers first uncovered the Black Basta attacks in the second week of April, as the operation quickly began targeting firms worldwide. Little else is known about the new ransomware gang, as they have not yet begun marketing their operation or recruiting affiliates on hacking forums.

Black Basta modus operandi 

The ransomware hijacks an existing Windows service and uses it to launch the ransomware decryptor executable. It then changes the wallpaper to display the message “Your network is encrypted by the Black Basta group. Instructions in the file readme.txt” and reboots the computer into Safe Mode with Networking.

According to security expert Michael Gillespie, Black Basta ransomware uses the ChaCha20 algorithm to encrypt files. Each folder on the encrypted device contains a readme.txt file with information about the attack and a link and unique ID for logging in to the negotiation chat session with the threat actors.

Subsequently, the ransomware operators demand a ransom and threaten to leak data if payment is not made in seven days, and promise to secure data after a ransom is paid. Unfortunately, the encryption algorithm is secure and there is no way to recover files for free. The data extortion part of these attacks is conducted on the 'Black Basta Blog' or 'Basta News' Tor site, which contains a list of all victims who have not paid a ransom.
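As an added example (not code from the post or the researchers it cites), the Python sweep below is the kind of quick incident-response triage a responder would run on a suspect share: it walks a file tree looking for the readme.txt note described above, reports how many folders carry it, and pulls out any negotiation link and ID. The note layout beyond the quoted message, and the sample tree, are constructed assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# From the post: the note filename dropped in every folder and its message.
NOTE_NAME = "readme.txt"
NOTE_PHRASE = "your network is encrypted by the black basta group"
# Assumed note layout (the page does not show one): a Tor link and a unique ID.
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion\S*", re.I)
ID_RE = re.compile(r"\bID:?\s*([A-Za-z0-9-]{8,})")


def inspect_note(path):
    """Return (tor_link, victim_id) if the file is a Black Basta note, else None."""
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return None
    if NOTE_PHRASE not in text.lower():
        return None
    link, vid = ONION_RE.search(text), ID_RE.search(text)
    return (link.group(0) if link else None, vid.group(1) if vid else None)


def sweep(root):
    """Walk a tree; report note coverage plus the links and IDs found (for IR triage)."""
    root, dirs_seen, hits = Path(root), 0, []
    for dirpath, _dirs, files in os.walk(root):
        dirs_seen += 1
        for name in files:
            found = name.lower() == NOTE_NAME and inspect_note(Path(dirpath) / name)
            if found:
                hits.append(found)
    return {"dirs": dirs_seen, "notes": len(hits),
            "coverage": round(len(hits) / dirs_seen, 2) if dirs_seen else 0.0,
            "links": sorted({h[0] for h in hits if h[0]}),
            "ids": sorted({h[1] for h in hits if h[1]})}


def demo():
    """Constructed tree: a note in three of four folders, plus one benign readme.txt."""
    note = ("Your network is encrypted by the Black Basta group.\n"
            "Instructions in the file readme.txt\n"
            "Chat: http://exampleaddress2345.onion/chat  ID: EXAMPLE-ID-1234\n")
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub in ("docs/2023", "finance"):
            (root / sub).mkdir(parents=True)
        for sub in (".", "docs", "docs/2023"):
            (root / sub / NOTE_NAME).write_text(note)
        (root / "finance" / NOTE_NAME).write_text("Project notes, nothing to see.\n")
        return sweep(root)
```

A high coverage ratio (a note in nearly every folder) is the mass-deployment pattern the post describes; a single benign readme.txt is correctly ignored because the message text is absent.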