Even the Experts Can Be Fooled

When even experts in social engineering can be fooled, it is important to ensure a defense in depth strategy for your business’ information security.  KnowBe4, one of the country’s largest providers of cybersecurity and social engineering training, got fooled by a North Korean IT worker intent upon loading their network with malware. 

KnowBe4 had a job opening. They were looking for someone for their internal Artificial Intelligence (AI) team.  What they received instead was a valuable training lesson in advanced social engineering. They were fooled. But unlike many companies, they disclosed the failure. Their experience might save others from a similar fate. 

Fortunately, they caught the imposter early enough so there was no breach or illegal access to the company’s systems.  They stopped him before he could do any damage.  Here is how it happened, how they stopped it, and some lessons learned. 

The human resources team did their jobs.  Background checks came back clean because the imposter was using a valid but stolen US-based identity.  They conducted 4 video conference-based interviews validating that the person matched the photo on the application.   The imposter took a stock photo and used AI to merge his features to the photo.  HR even verified his references. 

Once hired, the imposter asked to have his laptop sent to a farm. Not the kind you’re thinking of. It was “an IT mule laptop farm.”  The laptop farm is like an office filled with laptops and computers hackers use. They connect remotely from North Korea to the laptop farm. It was a good thing KnowBe4 restricted new employee access and didn’t allow access to the production systems. 

Once the imposter had been successfully hired and his laptop had been delivered, it was time for him to embed his malware onto the company network.  He downloaded and attempted to execute malware.  He then used some technical trickery to cover his tracks. 

The good news is the company security operations center (SOC) was alerted to potentially dangerous behavior and called the imposter.  The imposter claimed criminals must have compromised his router.  The SOC team quickly isolated his computer from the rest of the network preventing his access to valuable systems and data.  The imposter was unresponsive once he figured out that he was caught.  

Here are some lessons learned.  When a company uses remote workers with remote computers, the company should have a way to scan the device ensuring there are no other connections on the device.  When hiring workers, don’t rely simply on email references.  Do not ship laptops to locations that don’t match the applicant’s address.  Make sure applicants are not using Voice over IP (VOIP) phone numbers.  Lastly, watch for discrepancies in address and date of birth.  

With all the process failures, KnowBe4 did not suffer a breach.  They understood defense in depth.  They had multiple lines of defense in case one (the employee screening process) was breached.  All their laptops had endpoint detection and response (EDR) software loaded and they had a SOC watching over their network.  The EDR stopped the malware from executing and alerted the SOC. The SOC team isolated the computer right away and escalated the issue.   

When it comes to protecting your business, you cannot rely on the minimal protections.   Firewalls and anti-virus are useful, but they do not stop a hacker from entering through your email or your browser.  Technology, like EDRs and SOCs, may save the day, but must be backed up with tried-and-true policies and training.   Although KnowBe4 is an expert in social engineering, they got scammed due to lax hiring policies.  They have since updated their hiring policies.  Remember, a fool may learn from his own mistakes, but a wise man learns from the mistakes of others.   Be the wise man. 

Airline And Emergency Services Halted Worldwide Thanks to A Simple Update 

On Friday morning, Karen came to work for Delta Airlines at 4:30AM like she always did to help the early bird travelers check in and catch their flights.  When she booted up her computer, she saw something she had not seen in 20 years.  It was the “Blue Screen of Death.”   She asked a co-worker, and her computer was showing the same thing.   What was she going to do with all those travelers that can’t check in?  By 10:00AM EDT, Delta had cancelled more than 600 flights.    By Saturday, July 20th, over 4,000 flights would be cancelled throughout the airline industry globally leaving passengers stranded or dealing with hours of delay.   

What happened?  Shortly after midnight, CrowdStrike, a security software provider, pushed out a single content update to its 24,000 customers worldwide.  It was a small update designed to stop new attacks hackers have been using.   On installation, the configuration update triggered a logic error that resulted in the famous Blue Screen of Death.  CrowdStrike could not just back out the patch.  The customer computers were inoperable.  There is no automated way to back out the software.  It required a “Safe Mode” boot which requires someone to be physically next to the device and enter a set of keystrokes during boot.  Only then could the bogus file be removed allowing the computer to operate as normal.   

The impact of this mistake was felt worldwide.  Several states, including Arizona, experienced 911 service outages.   By 3:00AM, the Federal Aviation Administration announced that all Delta, United, Allegiant, and American flights were grounded.  Transportation services in the Northeast, including trains and buses were experiencing delays.  Global banks reported services disruptions, from Australia, South Africa, Israel, and New Zealand.  Hospitals in Germany and the UK were cancelling all non-urgent surgeries due to the event.   Even locally, Maricopa County reported that their Dominion voting machines were malfunctioning due to the automatic update.   

CrowdStrike is a leader in the cybersecurity space.   Their Falcon Sensor product is an endpoint detection response tool.  It goes onto each individual computer and searches and stops known malware from firing.  The company was founded in 2011.   Some may recall that CrowdStrike was called to investigate the alleged Democratic National Convention server hack in 2016.  Since then, the small company has enjoyed tremendous growth and success.  The company says its customers include 298 Fortune 500 companies, eight out of the top 10 financial services firms, seven out of the top 10 manufacturers, six of the top 10 healthcare providers and eight out of the top 10 food and beverage companies.  With this many big names, you can see why the impact of this failed Falcon Sensor update caused such a huge problem.  

It is appalling that any company, much less a global leader like this, would automatically push out software which they had not validated.      There have been rumblings on the internet that this could have been done on purpose for some nefarious reason, but I disagree.   CrowdStrike should have manually validate their software at the developer level and then again at an independent test and verification department level and then again at a pilot customer site before pushing anything out to the world.    

As for the customers caught up in this, we would not recommend immediate auto-updates for anything.   While working in the industry, we regularly waited a day to test the vendor updates and ran through a suite of tests before releasing it to our customers.  The fact that there was no control at the customer level made this event that much worse. 

This event shows us the need for every business to have disaster recovery and contingency plans. Whether it’s due to cyberattacks, technical issues, or natural disasters, having an effective plan is crucial for maintaining business continuity and minimizing downtime. 

In a world where we are increasingly dependent on computers for our businesses to function, be ready to run the old school way as a backup – just in case.    

The original article was published in the Sierra Vista Herald and can be found here.