
United States hot on heels of North Korea's Hidden Cobra malware

19 Feb 2018

The United States Computer Emergency Readiness Team (US-CERT) is homing in on the North Korean Government’s cyber espionage activities, known as HIDDEN COBRA, which have been operational since at least 2009.

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have been working together to understand the North Korean Government’s cyber activities.

“Since 2009, Hidden Cobra actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace,” US-CERT states in an alert from June 2017.

“Tools and capabilities used by Hidden Cobra actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Wild Positron/Duuzer, and Hangman.”

“Hidden Cobra actors commonly target systems running older, unsupported versions of Microsoft operating systems. The multiple vulnerabilities in these older systems provide cyber actors many targets for exploitation. These actors have also used Adobe Flash player vulnerabilities to gain initial entry into users’ environments.”

In a malware analysis report on the HARDRAIN Trojan from earlier this month, US-CERT explicitly states that the FBI is highly confident that the Hidden Cobra actors are using malware and proxy servers to squat on and exploit victims’ networks.

The latest techniques involve Windows executable files that function as proxy servers and implement ‘Fake TLS’. The malware goes by several names, including Backdoor:Win32/Escad.A!dha.

US-CERT explains:

“The proxy sessions are disguised to appear as encrypted TLS/SSL sessions by using public SSL certificates obtained from well-known, legitimate Internet services. The legitimate certificates are contained within the malware. However, the traffic between the operator and the proxy server is encrypted using an unidentified cipher.”
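One way a defender can act on that description without decrypting anything is to look at the TLS metadata a passive monitor already logs: if a server presents a certificate belonging to a well-known service, the names on that certificate should cover the hostname the client asked for. The following is an added illustration, not code from US-CERT's report or the article; the session records, IP addresses (RFC 5737 documentation ranges) and hostnames (reserved example domains) are constructed, and the two flags it raises (certificate names not covering the SNI, or no SNI at all) are heuristics rather than indicators from the report.

```python
"""Passive TLS metadata check for sessions whose certificate does not fit.

Added example, not code from US-CERT's report. Each input record mimics what a
passive TLS monitor logs per session: destination IP, the SNI the client
requested, and the names on the certificate the server presented. A session is
flagged when the certificate's names do not cover the SNI, or when the client
sent no SNI at all. Both are heuristics, not indicators from the report.
"""


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: exact, or a single-label wildcard in the leftmost position."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        # "*.example.com" covers "a.example.com" but not "example.com" or "a.b.example.com"
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return False


def audit_session(session: dict) -> list:
    """Return the reasons a session looks suspicious (empty list means consistent)."""
    reasons = []
    sni = session.get("sni", "")
    names = session.get("cert_names", [])
    if not sni:
        reasons.append("no SNI sent; cannot tie the certificate to a requested host")
    elif not any(name_matches(n, sni) for n in names):
        reasons.append(f"certificate names {names} do not cover SNI {sni!r}")
    if not names:
        reasons.append("server presented no certificate names")
    return reasons


def audit_sessions(sessions: list) -> list:
    """Return (dst_ip, reasons) for every flagged session, in input order."""
    flagged = []
    for s in sessions:
        reasons = audit_session(s)
        if reasons:
            flagged.append((s["dst_ip"], reasons))
    return flagged


# Constructed session records (not real traffic). Addresses come from the
# RFC 5737 documentation ranges and the domains are reserved example names.
SESSIONS = [
    {"dst_ip": "203.0.113.10", "sni": "www.example.com",
     "cert_names": ["www.example.com", "example.com"]},      # consistent
    {"dst_ip": "198.51.100.7", "sni": "mail.example.net",
     "cert_names": ["*.example.org"]},                        # certificate for another service
    {"dst_ip": "192.0.2.44", "sni": "",
     "cert_names": ["cdn.example.com"]},                      # no SNI at all
    {"dst_ip": "203.0.113.11", "sni": "api.example.org",
     "cert_names": ["*.example.org"]},                        # wildcard covers the SNI
]

if __name__ == "__main__":
    for ip, why in audit_sessions(SESSIONS):
        print(ip, "->", "; ".join(why))
```

Run as-is it prints the two flagged sessions; in practice the records would come from a passive TLS log rather than the inline list, and a hit is a triage lead to compare against the proxy-server behaviour US-CERT describes, not a verdict on its own.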

Another piece of malware is an Executable and Linkable Format (ELF) file that functions as a Remote Access Trojan on Android devices. It goes by different names, including Andr/Spy-ANK.

“This artifact is a malicious ELF ARM executable designed to connect to hard-coded Internet Protocol (IP) addresses. Static analysis indicates this ELF binary, designed to run on Android platforms, is a fully functioning Remote Access Tool.”
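The two facts in that description, an ARM ELF binary and hard-coded IP addresses, are the first things a static triage pass establishes. The following is an added example, not code from US-CERT's report: it decodes the ELF header fields that identify the architecture and then scans the raw bytes for IPv4 literals. The sample binary is constructed in build_sample() from a hand-built ELF header and a few strings; the addresses inside it are RFC 5737 documentation addresses, not indicators from the report.

```python
"""Static triage of an ELF binary: architecture plus hard-coded IPv4 literals.

Added example, not code from US-CERT's report. Reads only the ELF header
(e_ident, e_type, e_machine), then scans the raw bytes for dotted-quad IPv4
strings. The sample bytes are constructed in build_sample(); the addresses in it
are RFC 5737 documentation addresses, not indicators from the report.
"""
import re
import struct

ELF_MAGIC = b"\x7fELF"
EM_ARM = 40          # e_machine values from the ELF specification
EM_AARCH64 = 183
MACHINE_NAMES = {EM_ARM: "ARM", EM_AARCH64: "AArch64", 3: "x86", 62: "x86-64"}
ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}

# Dotted quad with valid octets, not embedded in a longer dotted or numeric run.
IPV4_RE = re.compile(
    rb"(?<![\d.])(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)(?![\d.])"
)


def parse_elf_header(data: bytes) -> dict:
    """Decode the ELF header fields that matter for triage."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]            # 1/2 = 32/64-bit, 1/2 = little/big-endian
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": ELF_TYPES.get(e_type, f"unknown({e_type})"),
        "machine": MACHINE_NAMES.get(e_machine, f"unknown({e_machine})"),
        "e_machine": e_machine,
    }


def extract_ipv4(data: bytes) -> list:
    """Unique IPv4 literals found anywhere in the raw bytes, sorted."""
    return sorted({m.decode("ascii") for m in IPV4_RE.findall(data)})


def triage(data: bytes) -> dict:
    """Header facts plus any hard-coded IPv4 literals."""
    info = parse_elf_header(data)
    info["is_arm"] = info["e_machine"] in (EM_ARM, EM_AARCH64)
    info["ipv4"] = extract_ipv4(data)
    return info


def build_sample() -> bytes:
    """Constructed 32-bit little-endian ARM ELF header followed by fake strings."""
    ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS32, ELFDATA2LSB, EV_CURRENT
    rest = struct.pack("<HHIIIIIHHHHHH",
                       2, EM_ARM, 1,          # e_type=EXEC, e_machine=ARM, e_version
                       0x8000, 52, 0, 0,      # e_entry, e_phoff, e_shoff, e_flags
                       52, 32, 1, 40, 0, 0)   # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    # Fake embedded strings: two documentation-range addresses and a version
    # string that must not be mistaken for an address.
    strings = b"\x00connect 198.51.100.23:4443\x00203.0.113.5\x00build 1.2.3\x00"
    return ident + rest + strings


if __name__ == "__main__":
    print(triage(build_sample()))
```

On a real sample the bytes would be read from disk with `open(path, "rb").read()`; the string scan is deliberately naive and only catches addresses stored in the clear, so an empty list does not rule out hard-coded addresses that are packed or obfuscated.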

US-CERT also attributes Trojans BADCALL and BANKSHOT to the North Korean Government.

US-CERT would like to remind users and administrators of the following best practices to strengthen the security posture of their organization's systems:

  • Maintain up-to-date antivirus signatures and engines.
  • Restrict users' ability (permissions) to install and run unwanted software applications.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Keep operating system patches up-to-date. Enable a personal firewall on agency workstations. Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumbdrives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats; implement appropriate ACLs.
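The "true file type" check in that list is concrete enough to automate: read the first bytes of the attachment, map them to a format family, and compare with what the extension claims. The following is an added example, not code from US-CERT or the article; the signature table is a constructed subset of common formats, the allow-list of extensions is a policy choice labelled as such, and the sample attachments are a few header bytes built inline rather than real files.

```python
"""Check that an attachment's extension agrees with its file header.

Added example, not code from US-CERT or the article. SIGNATURES is a
constructed subset of common formats; EXTENSIONS is an illustrative allow-list
of which header families each extension may legitimately carry. Extensions not
in the allow-list are rejected, which is a policy choice, not a fact about the
formats. Sample attachments are built inline from header bytes.
"""
import os

# Leading bytes -> format family. Office Open XML (docx/xlsx/pptx) is a zip.
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"MZ", "pe"),                                   # Windows executable or DLL
    (b"\x7fELF", "elf"),
    (b"PK\x03\x04", "zip"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),   # legacy .doc/.xls/.ppt
]

# Which header families an extension may legitimately carry (allow-list).
EXTENSIONS = {
    ".pdf": {"pdf"}, ".png": {"png"}, ".jpg": {"jpeg"}, ".jpeg": {"jpeg"},
    ".gif": {"gif"}, ".exe": {"pe"}, ".dll": {"pe"}, ".zip": {"zip"},
    ".docx": {"zip"}, ".xlsx": {"zip"}, ".pptx": {"zip"},
    ".doc": {"ole"}, ".xls": {"ole"}, ".ppt": {"ole"},
}


def sniff(data: bytes):
    """Return the format family the leading bytes identify, or None."""
    for sig, kind in SIGNATURES:
        if data.startswith(sig):
            return kind
    return None


def check_attachment(filename: str, data: bytes) -> tuple:
    """Return (ok, reason). ok is True only when header and extension agree."""
    ext = os.path.splitext(filename)[1].lower()
    actual = sniff(data)
    allowed = EXTENSIONS.get(ext)
    if allowed is None:
        return False, f"extension {ext or '(none)'} not in allow-list"
    if actual is None:
        return False, f"header not recognised for {ext}"
    if actual not in allowed:
        return False, f"extension {ext} but header says {actual}"
    return True, f"{ext} matches {actual} header"


def check_all(samples: list) -> list:
    """Apply check_attachment to (filename, bytes) pairs; returns (filename, ok, reason)."""
    return [(name, *check_attachment(name, data)) for name, data in samples]


# Constructed attachments: only the first bytes matter for the check.
SAMPLES = [
    ("invoice.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3"),      # genuine PDF header
    ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),        # executable renamed to .pdf
    ("report.docx", b"PK\x03\x04\x14\x00\x06\x00"),        # OOXML is a zip container
    ("setup.exe", b"MZ\x90\x00\x03\x00\x00\x00"),          # consistent, still an executable
    ("notes.txt", b"hello"),                               # no signature and not allow-listed
]

if __name__ == "__main__":
    for name, ok, reason in check_all(SAMPLES):
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {reason}")
```

Note that the check only catches a mismatch between header and extension; `setup.exe` passes because it is what it claims to be, so this control complements, rather than replaces, the permission restrictions and antivirus scanning listed above it.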