New FBI Warning: Disable Local Administrator Accounts as Attacks Continue
Updated, January 28, 2025:
This story, originally published on January 27, has been updated with additional mitigation advice regarding the threat from North Korean cybercriminals, as outlined in the FBI's public service announcement. Hackers use many methods to steal your data, ranging from cybercriminal AI chatbots and two-factor authentication bypass attacks to the new "don't double-click" hacks. They can also attack from the inside, after securing employment with your organization, as highlighted in the FBI's recent warning in Public Service Announcement I-012325-PSA. Disable local administrator accounts, FBI says: Here's why your business really should consider it.
FBI warning – extortion and theft of sensitive corporate data
As hacking attacks involving remote IT workers from the Democratic People's Republic of Korea continue, the FBI said it is warning the public sector, private sector and international community about the "corporate victimization" of organizations based in the United States. FBI investigations have found that North Korean IT workers used their illicit access to systems to steal private and sensitive data and to facilitate other cybercriminal activities.
According to the FBI announcement, victims saw proprietary data and code held for ransom, corporate code repositories copied into the attackers' user profiles and personal cloud accounts, and attempts to obtain corporate credentials and sessions for further compromise opportunities.
Mitigating the Threat of North Korean Cybercriminals - Advice from the FBI and Security Experts
The FBI recommended disabling local administrator accounts and limiting remote desktop application installation privileges, as well as monitoring any unusual network traffic. "North Korean cybercriminals often have multiple logins to a single account in a short period of time," the FBI warned, "from multiple IP addresses, often associated with different countries."
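The FBI's "multiple logins from multiple IP addresses in a short period" indicator can be turned into a simple detection. The script below is an added example, not part of the FBI announcement or the article: it runs a sliding window over constructed sample logon records (timestamp, account, source IP, GeoIP country; not real data) and flags accounts that authenticated from several IPs, and optionally several countries, within the window. The record format, window size and thresholds are assumptions to adapt to your own log source.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful logons (not real data):
# time, account, source IP, GeoIP country.
SAMPLE_LOGONS = """\
2025-01-27T08:01:10Z jdoe 203.0.113.5 US
2025-01-27T08:14:42Z jdoe 198.51.100.77 RU
2025-01-27T08:20:03Z jdoe 192.0.2.9 CN
2025-01-27T08:22:55Z asmith 203.0.113.40 US
2025-01-27T09:40:11Z asmith 203.0.113.41 US
2025-01-27T11:05:00Z jdoe 203.0.113.5 US
"""

def parse_logons(text):
    """Parse one record per line into (datetime, account, ip, country)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, country = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, ip, country))
    return records

def find_suspicious_accounts(records, window=timedelta(hours=1), min_ips=2, min_countries=2):
    """Return {account: (window_start, ips, countries)} for every account that logged in
    from at least min_ips distinct IPs spanning at least min_countries countries inside
    any single window. Sliding window over the account's logons in time order."""
    by_account = defaultdict(list)
    for rec in sorted(records):          # datetime is the first tuple field, so this is time order
        by_account[rec[1]].append(rec)
    hits = {}
    for account, logons in by_account.items():
        start = 0
        for end in range(len(logons)):
            while logons[end][0] - logons[start][0] > window:
                start += 1               # drop logons that fell out of the window
            chunk = logons[start:end + 1]
            ips = {r[2] for r in chunk}
            countries = {r[3] for r in chunk}
            if len(ips) >= min_ips and len(countries) >= min_countries:
                hits[account] = (logons[start][0], sorted(ips), sorted(countries))
                break                    # first qualifying window is enough to alert on
    return hits

if __name__ == "__main__":
    for account, (since, ips, countries) in find_suspicious_accounts(parse_logons(SAMPLE_LOGONS)).items():
        print(f"ALERT {account}: since {since:%H:%M} from {ips} ({', '.join(countries)})")
```

With the defaults only `jdoe` is flagged; `asmith`'s two logons are from one country and more than an hour apart, which is the kind of benign pattern the country and window thresholds are there to suppress.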
The FBI concluded that strict identity verification processes should be implemented during the interview and onboarding phases of these employees and should continue to be implemented throughout the employment lifecycle. "Check human resources systems for other candidates with similar resume content and/or contact information," the FBI warned, adding that "North Korean computer scientists have been observed using artificial intelligence and facial-replacement technology during video job interviews to mask their true identities."
Following the Justice Department's indictments of individuals suspected of involvement in running the hacking campaign involving North Korea's remote IT workers, Michael Barnhart, principal analyst at Mandiant at Google Cloud, said: "These legal actions are designed to disrupt infrastructure support and create significant obstacles to their continued success." Judging by the FBI's latest security alert, that disruption has not stopped the activity. Mandiant also offered the following mitigation tips for these attacks.
Periodic and mandatory checks in which remote employees are required to appear on camera.
Ongoing training programs for users and employees on current threats and trends.
Mandatory use of US banks for financial transactions to thwart malicious activity abroad, as acquiring a US bank account involves more stringent identity verification than in many countries.
At the same time, the FBI said that human resources staff, hiring managers and development teams should focus explicitly "on changes in addresses or payment platforms during the onboarding process."