Ethan Grammer
Guillermo Sánchez / August 28, 2024 / 4 minutes of readingAdvisories, Vulnerabilities & Alerts
How a North Korean Fake IT Worker Tried to Infiltrate KnowBe4
Description: Nation State threat actors are attempting to infiltrate U.S. companies by planting fake IT workers into their environments to try and gain confidential information. KnowBe4, a popular Cybersecurity training company, hired an engineer who turned out to be a North Korean hacker trying to infiltrate the company from within.
During an investigation conducted by KnowBe4’s Security Operations Center (SOC) after multiple alerts, it was discovered that this newly hired employee was attempting to install malware to his machine that would allow him to move throughout KnowBe4’s internal network. KnowBe4 quickly quarantined the machine and subsequently terminated the employee’s access to company information.
Recommended Actions:
- Ensure that HR procedures include a background check and identity verification
- Provision accounts with least-privilege and quarantine newly hired employee’s access away from production systems
- Maintain a robust security posture with endpoint detection and response capabilities to monitor for malicious activity
Take Action Now: Perform access reviews and ensure that only legitimate accounts are active across systems, and that least privilege is being followed across your organization.
External Links:
Microsoft Arc Browser Fake Installers
Description: The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory to disseminate known BlackSuit ransomware IOCs and TTPs identified through FBI threat response activities and third-party reporting as recently as of July 2024. BlackSuit ransomware is the evolution of the ransomware previously identified as Royal ransomware, which was used from approximately September 2022 through June 2023. BlackSuit shares numerous coding similarities with Royal ransomware and has exhibited improved capabilities
BlackSuit ransomware attacks have spread across numerous critical infrastructure sectors including, but not limited to, commercial facilities, healthcare and public health, government facilities, and critical manufacturing.
Recommended Actions:
- Ensure strong passwords.
- Keep all operating systems, software, and firmware up to date.
- Require phishing-resistant multifactor authentication to administrator accounts.
- Segment networks.
- Maintain offline backups of data, and regularly maintain backup and restoration.
Take Action Now:
Add the updated IOCs provided by CISA in this advisory to your SIEM tool to aid in the BlackSuit ransomware detection.
External Links:
Ransomware Group Targets IT-workers with new Remote Access Trojan (RAT)
Description: The Ransomware group, Hunters International, has been seen utilizing a new Remote Access Trojan (RAT) in the wild that is aiming to target IT workers. By masquerading this RAT as the popular IP-based scanner called “Angry IP Scanner”, the ransomware group aims to have users install their RAT and subsequently grant persistent access to their machine to Hunters International.
Once installed, this malware provides persistent access to the machine through an edit to the Windows Registry and installs two directories that provide access to the threat actors.
Recommended Actions:
- Ensure that end-user Cybersecurity training is being conducted to all users, including those working in IT
- Implement and monitor Endpoint Detection and Response (EDR) capabilities on machines
- Limit access to unapproved websites and the ability for users to install software out of an approved list of software packages
Take Action Now:
Notify all employees to be vigilant when attempting to utilize third-party software, and implement an approved software list that can be enforced via security tooling.
External Links:
Attackers abuse URL protection services to mask phishing links
Description: Analysis of current phishing attacks by security researchers have uncovered an increase in the use of trusted shortlink services. According to Barracuda, a wave of phishing attacks is leveraging legitimate URL shortening services to add a layer of obfuscation to their malicious links in emails.
Recommended Actions:
- Employ security software solutions that traverse links and scan final web destinations for malicious content. Solutions that include machine-learning capabilities, both at the gateway level and post-delivery, will ensure companies are well protected.
Take Action Now:
Deploy security awareness training sessions for employees on the latest email threats. Teach them to be vigilant every time they interact with an email, an attachment, or a web link.
External Links:
Adobe Releases Security Updates for Multiple Products
Description: The Cybersecurity & Infrastructure Security Agency (CISA) has released an advisory citing multiple Adobe products with their latest vulnerabilities and associated patches. All software that is present within an organization should be patched immediately to prevent malicious threat actors from exploiting the vulnerabilities against machines.
Recommended Actions:
- Implement Adobe-provided patches and/or workarounds for each piece of software that is present within your organization
Take Action Now:
Perform a software inventory check on all listed Adobe products from the associated advisory, and immediately patch affected products and versions.
External Links: