
Hackers use many methods to steal your data, from cybercrime AI chatbots and two-factor authentication bypass attacks to novel “don’t click twice” hacks. They also attack from the inside, after gaining employment with your organization, as the latest warning from the Federal Bureau of Investigation, public service announcement I-012325-PSA, outlines. Disable local admin accounts, the FBI said: here’s why your business really should take notice.

FBI Warning—Extortion And Theft Of Sensitive Company Data

As hack attacks involving remotely-based information technology workers from the Democratic People’s Republic of Korea continue, the FBI said, it is warning the public, private sector and international community about the “victimization of US-based businesses.” FBI investigations have observed North Korean IT workers using unlawful access to systems in order to steal proprietary and sensitive data as well as to facilitate other cyber-crime activity.

According to the FBI announcement, victims have seen proprietary data and code held to ransom, the copying of corporate code repositories to attacker user-profiles and personal cloud accounts, and the attempted harvesting of company credentials and session cookies for further compromise opportunities.

The Principle Of Least Privilege—FBI Advice

The FBI’s instruction to disable local admin accounts is an application of the principle of least privilege, which other law enforcement and intelligence agencies have also advised. In joint guidance with the FBI, the NSA said that restricting the administrative rights available to users of both Windows and macOS is a recommended security practice. “Only allow designated administrator accounts to be used for administrative purposes,” the NSA and FBI advice document said. So, what is the principle of least privilege, exactly?

It is any method of ensuring that users have access only to the specific resources they need to do their job at any particular time. Admin rights, for example, should be available only to those who need them for their work and to nobody else. Consumers can get on this restricted-rights bus as well: set up an admin account protected by a strong password plus a separate user account without admin rights. Use the user account for day-to-day computing; when something potentially risky is required, such as installing software, the operating system will prompt for the admin credentials. Wikipedia gives examples such as a user account that exists solely to create backups: it does not need to install software, so it should have only the rights necessary to run backup and backup-related applications. That exact scenario is unlikely in most real-world environments, but you get the general idea. The point is that such an account cannot install new software, including malware. It does not stop malicious code running as that user from reading and exfiltrating files the user can already read, but it keeps the damage confined to that user’s scope rather than the whole machine.
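One way to turn the “only designated administrator accounts” guidance into a check is to audit who actually sits in the local Administrators group on each Windows host. The following is an added example, not code from the FBI, NSA or Forbes: it parses the output of `net localgroup Administrators` (a constructed sample is embedded), compares the members against an allowlist that is an assumption for this example, and generates the `net user` / `net localgroup` remediation commands for review rather than executing them.

```python
import re

# Constructed sample of `net localgroup Administrators` output on a Windows host
# (not taken from any real system). Member names appear one per line after the
# dashed separator and before the "The command completed successfully." trailer.
SAMPLE_NET_OUTPUT = r"""Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\Domain Admins
CORP\svc-backup
jdoe
The command completed successfully.
"""

# Assumed policy for this example: only these principals may hold local admin rights.
DESIGNATED_ADMINS = {r"CORP\Domain Admins", r"CORP\IT-Workstation-Admins"}

# The built-in local account should be disabled, not just removed from the group.
BUILTIN_LOCAL_ADMIN = "Administrator"


def parse_members(net_output):
    """Extract member names from `net localgroup <group>` output."""
    members, in_list = [], False
    for line in net_output.splitlines():
        line = line.rstrip()
        if re.fullmatch(r"-{5,}", line):      # dashed separator starts the member list
            in_list = True
            continue
        if line.startswith("The command completed"):
            break                               # trailer ends the member list
        if in_list and line:
            members.append(line)
    return members


def audit_admins(net_output, designated=DESIGNATED_ADMINS):
    """Return the group members that are not on the designated-admin allowlist."""
    return sorted(m for m in parse_members(net_output) if m not in designated)


def remediation_commands(unexpected):
    """Build the commands an operator would review before applying them.

    The built-in Administrator is disabled in place; every other unexpected
    principal (a regular user, or a service account such as a backup account
    that only needs backup rights) is removed from the Administrators group.
    """
    cmds = []
    for member in unexpected:
        if member == BUILTIN_LOCAL_ADMIN:
            cmds.append(f"net user {member} /active:no")
        else:
            cmds.append(f'net localgroup Administrators "{member}" /delete')
    return cmds


if __name__ == "__main__":
    extra = audit_admins(SAMPLE_NET_OUTPUT)
    print("Unexpected local admins:", extra)
    for cmd in remediation_commands(extra):
        print("  review:", cmd)
```

On a real host you would feed the script the live output (`net localgroup Administrators > admins.txt`) and treat the printed commands as a to-do list for review, since removing a domain group or a service account from the group can break legitimate administration if the allowlist is incomplete.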

Mitigating The North Korean IT Worker Threat—Advice From The FBI And Security Experts

The FBI has advised that you should disable local administrator accounts, limit the privileges needed to install remote desktop applications, and monitor for unusual network traffic. “North Korean IT workers often have multiple logins into one account in a short period of time,” the FBI warned, “from various IP addresses, often associated with different countries.”
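The login pattern the FBI describes is straightforward to hunt for in authentication logs. The following is an added example, not code from the FBI or Forbes: it runs a sliding-window check over a constructed sample log (the line format is an assumption for this example) and flags any account whose successful logins within a short window come from two or more distinct source IPs, reporting the countries involved.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log (not from the FBI or any real system).
# The format is an assumption for this example: one line per login attempt.
SAMPLE_LOG = """\
2025-01-23T08:00:12Z login user=jsmith src=203.0.113.10 country=US result=success
2025-01-23T08:04:51Z login user=jsmith src=198.51.100.7 country=CN result=success
2025-01-23T08:09:30Z login user=jsmith src=192.0.2.44 country=RU result=success
2025-01-23T09:15:00Z login user=aliu src=203.0.113.22 country=US result=success
2025-01-23T17:40:00Z login user=aliu src=203.0.113.22 country=US result=success
2025-01-23T10:00:00Z login user=bkhan src=198.51.100.9 country=GB result=failure
2025-01-23T10:01:00Z login user=bkhan src=198.51.100.9 country=GB result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>[A-Z]{2}) result=(?P<result>success|failure)$"
)


@dataclass(frozen=True)
class Login:
    ts: datetime
    user: str
    src: str
    country: str
    result: str


def parse_line(line):
    """Return a Login for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Login(ts, m["user"], m["src"], m["country"], m["result"])


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


@dataclass
class Finding:
    user: str
    start: datetime
    end: datetime
    sources: frozenset  # {(ip, country), ...}

    @property
    def countries(self):
        return {country for _, country in self.sources}


def find_multi_source_logins(events, window=timedelta(minutes=30), min_sources=2):
    """Flag users whose successful logins inside `window` come from >= min_sources IPs.

    Only successful logins count: failed attempts from many places are a different
    signal (password spraying) and would need their own rule. One finding is
    returned per user, for the window containing the most distinct sources.
    """
    by_user = defaultdict(list)
    for e in events:
        if e.result == "success":
            by_user[e.user].append(e)

    findings = []
    for user, evs in sorted(by_user.items()):
        evs.sort(key=lambda e: e.ts)
        best = None
        for i, first in enumerate(evs):
            # every later login that still falls inside the window opened by `first`
            in_window = [e for e in evs[i:] if e.ts - first.ts <= window]
            sources = frozenset((e.src, e.country) for e in in_window)
            if len(sources) >= min_sources and (best is None or len(sources) > len(best.sources)):
                best = Finding(user, first.ts, in_window[-1].ts, sources)
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in find_multi_source_logins(parse_log(SAMPLE_LOG)):
        print(f"{f.user}: {len(f.sources)} sources {sorted(f.countries)} "
              f"between {f.start:%H:%M:%S} and {f.end:%H:%M:%S}")
```

In the sample, `jsmith` is flagged (three IPs in three countries inside ten minutes) while `aliu` is not: two logins from the same IP eight hours apart is a normal day. Tune the window and threshold to the identity provider’s logs; VPN egress points and mobile carriers can produce a second IP for a single legitimate user, so this is a triage signal to pair with the identity-verification steps the FBI describes, not a verdict on its own.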

The FBI concluded that you should implement strict identity-verification processes during the interviewing and onboarding stages of hiring remote IT workers, and continue them throughout the employment lifecycle. “Cross-check HR systems for other applicants with the same resume content and/or contact information,” the FBI warned, adding that “North Korean IT workers have been observed using artificial intelligence and face-swapping technology during video job interviews to obfuscate their true identities.”

Following Department of Justice indictments against people alleged to be involved with the running of the North Korean remote IT worker hacking campaign, Michael Barnhart, Mandiant principal analyst at Google Cloud, said that “these legal actions aim to dismantle the support infrastructure and impose substantial obstacles to their continued success.” That, according to the latest FBI security warning, apparently has not happened. Mandiant also offered the following mitigation advice in the face of these attacks.

  • Periodic, mandatory checks in which remote workers are required to go on camera.
  • Continuous education programs for users and employees on current threats and trends.
  • Mandatory use of U.S. banks for financial transactions, to interfere with malicious overseas activity, since opening a U.S. bank account entails stricter identity verification than in many countries.

Meanwhile, the FBI said that human resources staff, hiring managers, and development teams should explicitly focus “on changes in address or payment platforms during the onboarding process.”

-Forbes

