Threat Intelligence

6/14/2017
07:33 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

US Warns of North Korea's Not-So-Secret 'Hidden Cobra' DDoS Botnet

Reclusive government behind DDoS infrastructure is targeting organizations around the world US-CERT says.

This story was updated to include comments from Adobe

The US-CERT this week formally identified the North Korean government as being behind a distributed denial of service (DDoS) botnet infrastructure that has been used to target media, financial, aerospace, and critical infrastructure organizations in the US and elsewhere.

In an advisory, the US-CERT provided indicators of compromise, malware descriptions, and network signatures associated with the malicious North Korean cyber operation, dubbed Hidden Cobra by the US government. Included in the alert were IP addresses of systems infected with DeltaCharlie, the malware used to manage the North Korean botnet.

Organizations that detect any of the tools associated with Hidden Cobra on their networks should immediately mitigate the threat and report their discovery to the DHS National Cybersecurity Communications and Integration Center (NCIC) or to the FBI, US-CERT said.

"DHS and FBI are distributing these IP addresses to enable network defense activities and reduce exposure to the DDoS command-and-control network," US-CERT said. "FBI has high confidence that HIDDEN COBRA actors are using the IP addresses for further network exploitation," it noted.

The alert definitively ties the North Korean government to attacks that have been previously attributed more generally to threat actors based in the country. Even so, a lot of the information in the US-CERT alert is previously known so the timing of the release was not entirely clear. 

As US-CERT itself noted, security researchers have previously linked the malicious activity referenced in the report to the Lazarus Group and Guardians of Peace.  Only earlier this year for instance, Symantec fingered Lazarus Group as the likely actor behind a string of attacks on banks in 31 different countries.

Similarly, Guardians of Peace, which is another name that security vendors have used in connection with the North Korean activity, was associated with the devastating cyberattack on Sony back in 2015. And DeltaCharlie, the botnet malware in the report, was thoroughly chronicled in a Novetta report last year.

"Since the vulnerabilities cited in the alert are over a year old, we can only assume US-CERT has seen a rise in systems infected by the DeltaCharlie malware," says Tim Matthews, vice president of marketing at Imperva. "It is also possible that in the wake of last month’s WannaCry ransomware outbreak – also attributed to Lazarus Group – US-CERT was spurred to proactively warn users about the need to patch older applications that could be vulnerable," he says. Ensuring there are fewer vulnerable systems would limit the growth of the Hidden Cobra botnet infrastructure, Matthews says.

Security researchers from multiple vendors, including Google, Kaspersky Lab, and Symantec, found a possible connection between WannaCry and the Lazarus Group: common code elements. 

The actors behind Hidden Cobra have a tendency to go after systems running older and unsupported versions of Microsoft Windows, which have multiple vulnerabilities in them, US-CERT said. Also a favorite for the threat actors are vulnerabilities in Adobe Flash player.

An Adobe spokesman said that patches have been available for more than a year for the vulnerabilities listed in the DHS alert. "Users are strongly encouraged to apply all available security updates to Adobe Flash Player to ensure they are receiving the latest features and security protections. The latest version with most up-to-date patches can be accessed at https://get.adobe.com/flashplayer/," the company said.

In addition to DeltaCharlie, other tools used by DeltaCharlie include keyloggers, wiper malware, and remote access tools. Examples include Destover, wiper malware used in the Sony attacks, Wild Positron a backdoor Trojan, and Hangman, US-CERT said this week.

In a statement responding to the US-CERT release, security vendor Kaspersky Lab said that it could confirm all the code referenced in the report has been associated with the Lazarus Group. Some of the code has been publicly known and discussed sine 2014 while some of the more recent samples were compiled in 2016, Kaspersky Lab said. The malware tools mentioned in the advisory have been observed in use in 26 countries including USA, France, Brazil and Russia, the security vendor added.

Regardless of the timing, the alert is a reminder for organizations to be paying attention to the threat posed by Hidden Cobra aka Lazarus aka Guardians of Peace. "IT workers in the media, aerospace, financial services, and critical infrastructure sectors should heed the US-CERT warning, as they are apparently the top targets of Hidden Cobra," Matthews says. "Organizations should always patch and update software to prevent any type of malware infestation. In the case of DeltaCharlie, not patching could perversely grow a botnet that could then be used against their own company.”

Related Content:

 

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Printers: The Weak Link in Enterprise Security
Kelly Sheridan, Associate Editor, Dark Reading,  10/16/2017
Hyatt Hit With Another Credit Card Breach
Dark Reading Staff 10/13/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.