How Cybercriminals Use PiKVM to Breach Corporate Networks

Cybercriminals are exploiting fake remote hires to infiltrate corporate networks using PiKVM devices, bypassing traditional security controls. Microsoft’s DART team reveals tactics, forensic insights, and defense strategies to help organizations detect, contain, and prevent these sophisticated insider threats.

The Rising Threat of Fake Employees in Cybersecurity

Cybercriminals are evolving. They don’t just hack networks anymore. Now, they impersonate legitimate employees to gain access. This trend is alarming for tech professionals who manage identity and access controls. By posing as remote hires, attackers slip past onboarding checks unnoticed. Once inside, they steal sensitive data and deploy malicious tools. This approach is more sophisticated and dangerous than typical breaches.
“This represents a significant leap forward in threat actor tactics,” said a Microsoft security expert.
Such fake profiles are becoming more common. Gartner predicts that by 2028, one in four candidate profiles will be fake. This isn’t just a hiring problem; it’s a major cybersecurity risk. Organizations must rethink their security strategies to combat this insider threat effectively.

How Microsoft Tackled the Jasper Sleet Intrusion

Microsoft’s Detection and Response Team (DART) recently uncovered a case involving North Korean threat actors known as Jasper Sleet. These attackers used PiKVM devices—hardware tools that allow remote control of computers—to bypass traditional security. This enabled them to maintain persistent access and exfiltrate data covertly. DART employed cutting-edge tools like Cosmic and Arctic for Azure and Active Directory analysis, plus telemetry from Microsoft Entra ID and Defender solutions. This combination helped identify compromised accounts, contain the threat, and restore system integrity swiftly. The team also suspended thousands of related accounts to blunt the broader campaign.

Practical Steps to Strengthen Your Defenses

Defending against fake employee attacks requires a multi-layered approach. Start by integrating Microsoft 365 Defender with Unified Audit Logs for enhanced visibility. Deploy Microsoft Purview Data Loss Prevention policies to safeguard sensitive information. Insider risk management tools can detect risky behavior early. Moreover, enforce strict pre-employment vetting and apply the principle of least privilege to limit access. Keep an eye on unauthorized hardware like PiKVM devices. Lastly, stay updated with threat intelligence via Microsoft Defender’s Threat Analytics dashboard.
“Combining strong SOC practices with insider risk strategies closes security gaps effectively,” advised a cybersecurity analyst.
In conclusion, the rise of fake employees in cyberattacks is a pressing challenge. However, with the right tools and processes, tech professionals can detect and prevent these sophisticated intrusions. Staying proactive and informed is key to securing your organization’s future in this evolving threat landscape.

Key points from the article:

  • PiKVM hardware enables covert, persistent remote access, evading endpoint detection
  • DART leverages advanced tools like Cosmic, Arctic, and Fennec for deep forensic investigations
  • Unified Audit Logs and Microsoft Defender solutions are crucial for tracing and disrupting attacks
  • Implement strict pre-employment vetting and least privilege access to reduce insider risks
  • Monitor unauthorized IT tools and use Microsoft Purview policies to enhance data loss prevention