

Ethical Hacking News

The Rise of North Korean IT Scams: A Growing Threat to Global Businesses


The rise of North Korean IT scams poses a significant risk to businesses worldwide. In these scams, companies unwittingly hire fake IT workers who steal sensitive data and extort money from the companies that hired them. To avoid falling victim to these schemes, companies need to take proactive measures to secure their networks and protect against potential threats.

  • The threat landscape is constantly evolving, with a new trend of fake North Korean IT workers being used by malicious actors.
  • Companies are unwittingly hiring North Korean operatives who then exfiltrate sensitive data and make ransom demands.
  • The scam follows a predictable pattern: a company fills an IT contractor post without realizing it has mistakenly hired a North Korean operative.
  • The use of tools like Chrome Remote Desktop and AnyDesk to remotely manage corporate systems is also observed.
  • The presence of Payoneer Inc. digital payment services can serve as an indicator of the scam.
  • The threat group uses SplitCam virtual video clone software to disguise their identities and locations.
  • Companies should be vigilant about suspicious financial behavior and take steps to avoid falling victim, such as verifying job candidates' documentation.



    The threat landscape is constantly evolving, and one emerging pattern that has caught the attention of cybersecurity experts is the increasing use of fake North Korean IT workers by malicious actors. This trend, which has been observed in numerous investigations conducted by Secureworks' Counter Threat Unit, poses a significant risk to businesses worldwide.

    According to reports from Secureworks, companies are unwittingly hiring North Korean operatives, who then begin exfiltrating sensitive data and making ransom demands. The scam typically follows a predictable pattern: a company fills an IT contractor post without realizing it has mistakenly hired a North Korean operative. The phony worker promptly begins stealing valuable intellectual property, before being terminated for poor performance. Subsequent to termination, the hackers send emails demanding six-figure ransoms paid in cryptocurrency.

    The use of this tactic is reminiscent of earlier documented schemes by North Korea-backed hackers. In addition to stealing data and extorting money, these scammers also frequently employ Chrome Remote Desktop and AnyDesk to remotely manage corporate systems, even though these tools are not typically necessary for their jobs. The researchers have observed that the presence of bank accounts operated by Payoneer Inc. digital payment services in these scams can serve as an indicator.

    Analysis of malware used by North Korean hackers has revealed a tool called SplitCam virtual video clone software. This free tool, available on most digital platforms, enables malicious actors to disguise their identities and locations by creating virtual video clones of themselves. In one documented case, Secureworks' incident responders discovered evidence suggesting that the threat group was experimenting with using this software to accommodate companies' requests for video conferencing.

    The discovery has led researchers to advise companies to be vigilant about suspicious financial behavior, such as updating bank accounts multiple times within a short period. Furthermore, if a company unwittingly hires one North Korean IT worker, it is likely employing more than one scammer, or even the same individual who has taken on multiple personas.

    Secureworks' research team suggests that companies take several steps to avoid falling victim to these scams. Firstly, they should verify job candidates' documentation and conduct in-person interviews whenever possible. Secondly, businesses must be cautious of new hires requesting changes to their addresses during onboarding or routing paychecks through money transfer services. Finally, they should restrict the use of unsanctioned remote access software and limit access to non-essential systems.
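The indicators described above can be checked together in one review pass. The following is an added example, not code from Secureworks or the original article; the record layouts, the 30-day window, the threshold of two bank changes, and all function and label names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Product names come from the article; schemas and thresholds are assumptions.
REMOTE_ACCESS = ("anydesk", "chrome remote desktop")
VIRTUAL_CAMERA = ("splitcam",)
TRANSFER_SERVICES = ("payoneer",)
WINDOW = timedelta(days=30)  # assumed reading of "a short period"
MIN_CHANGES = 2              # assumed reading of "multiple times"

def review_contractors(software, payroll, sanctioned=frozenset()):
    """Map each worker to the sorted indicators found across both record sets.
    software: (worker, installed product display name) pairs
    payroll: (worker, date, kind, detail) onboarding events, kind "bank" or "address"
    sanctioned: (worker, lower-cased product name) pairs approved by IT"""
    hits = defaultdict(set)
    for worker, product in software:
        name = product.lower()
        if (worker, name) in sanctioned:
            continue
        if any(p in name for p in REMOTE_ACCESS):
            hits[worker].add("unsanctioned_remote_access")
        if any(p in name for p in VIRTUAL_CAMERA):
            hits[worker].add("virtual_camera")
    bank_dates = defaultdict(list)
    for worker, day, kind, detail in payroll:
        if kind == "address":
            hits[worker].add("address_change")
        elif kind == "bank":
            bank_dates[worker].append(day)
            if any(s in detail.lower() for s in TRANSFER_SERVICES):
                hits[worker].add("money_transfer_service")
    for worker, days in bank_dates.items():
        days.sort()
        # Sliding window: MIN_CHANGES updates that fall within WINDOW of each other.
        if any(b - a <= WINDOW for a, b in zip(days, days[MIN_CHANGES - 1:])):
            hits[worker].add("rapid_bank_changes")
    return {w: sorted(i) for w, i in hits.items()}

# Constructed sample records, not data from any real investigation.
SOFTWARE = [("contractor-a", "AnyDesk"), ("contractor-a", "SplitCam"),
            ("contractor-b", "Chrome Remote Desktop Host"), ("employee-c", "AnyDesk")]
PAYROLL = [("contractor-a", date(2024, 9, 2), "bank", "Example Bank"),
           ("contractor-a", date(2024, 9, 16), "bank", "Payoneer"),
           ("contractor-a", date(2024, 9, 3), "address", "new mailing address"),
           ("contractor-b", date(2024, 5, 1), "bank", "Example Bank"),
           ("contractor-b", date(2024, 9, 1), "bank", "Example Credit Union")]
SANCTIONED = {("employee-c", "anydesk")}  # e.g. a helpdesk role approved to use it
```

Calling `review_contractors(SOFTWARE, PAYROLL, SANCTIONED)` returns five indicators for `contractor-a` and one for `contractor-b`; any single indicator is a prompt for HR and security review, not proof of fraud.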

    The threat posed by North Korean IT scams is undeniable, and companies would do well to take heed of these warnings and implement robust security measures to safeguard their operations.



  • Published: Fri Oct 18 00:10:30 2024 by llama3.2 3B Q4_K_M













         

