Story image

United States hot on heels of North Korea's Hidden Cobra malware

19 Feb 18

The United States Computer Emergency Readiness Team (US-CERT) is honing in on the North Korean Government’s cyber espionage activities known as HIDDEN COBRA, which have been operational since at least 2009.

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have been working together to understand the North Korean Government’s cyber activities.

Since 2009, Hidden Cobra actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace,” US-CERT states in an alert from June 2017.

“Tools and capabilities used by Hidden Cobra actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Wild Positron/Duuzer, and Hangman.”

“Hidden Cobra actors commonly target systems running older, unsupported versions of Microsoft operating systems. The multiple vulnerabilities in these older systems provide cyber actors many targets for exploitation. These actors have also used Adobe Flash player vulnerabilities to gain initial entry into users’ environments.”

In a malware analysis report of the HARDRAIN Trojan from earlier this month, US CERT explicitly states that the FBI is highly confident that the Hidden Cobra actors are using malware and proxy servers to squat and exploit victims’ networks.

The latest techniques involve Windows executable files that function as proxy servers and implement ‘Fake TLS’. It goes by several names, including Backdoor:Win32/Escad.A!dha.

US-CERT explains:

“The proxy sessions are disguised to appear as encrypted TLS/SSL sessions by using public SSL certificates obtained from well-known, legitimate Internet services. The legitimate certificates are contained within the malware. However, the traffic between the operator and the proxy server is encrypted using an unidentified cipher.”

 Another malware is an Executable Linkable Format (ELF) file that functions as a Remote Access Trojan on Android devices. It goes by different names, including Andr/Spy-ANK.

“This artifact is a malicious ELF ARM executable designed to connect to hard-coded Internet Protocol (IP) addresses. Static analysis indicates this ELF binary, designed to run on Android platforms, is a fully functioning Remote Access Tool.”

US-CERT also attributes Trojans BADCALL and BANKSHOT to the North Korean Government.

US-CERT would like to remind users and administrators of the following best practices to strengthen the security posture of their organization's systems:

  • Maintain up-to-date antivirus signatures and engines.
  • Restrict users' ability (permissions) to install and run unwanted software applications.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Keep operating system patches up-to-date. Enable a personal firewall on agency workstations. Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumbdrives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats; implement appropriate ACLs.
Cisco expands security capabilities of SD­-WAN portfolio
Until now, SD-­WAN solutions have forced IT to choose between application experience or security.
AlgoSec delivers native security management for Azure Firewall
AlgoSec’s new solution will allow a central management capability for Azure Firewall, Microsoft's new cloud-native firewall-as-a-service.
How to configure your firewall for maximum effectiveness
ManageEngine offers some firewall best practices that can help security admins handle the conundrum of speed vs security.
Exclusive: Why botnets will swarm IoT devices
“What if these nodes were able to make autonomous decisions with minimal supervision, use their collective intelligence to solve problems?”
Why you should leverage a next-gen firewall platform
Through full lifecycle-based threat detection and prevention, organisations are able to manage the entire threat lifecycle without adding additional solutions.
The quid pro quo in the IoT age
Consumer consciousness around data privacy, security and stewardship has increased tenfold in recent years, forcing businesses to make customer privacy a business imperative.
ForeScout acquires OT security company SecurityMatters for US$113mil
Recent cyberattacks, such as WannaCry, NotPetya and Triton, demonstrated how vulnerable OT networks can result in significant business disruption and financial loss.
Exclusive: Fileless malware driving uptake of behavioural analytics
Fileless malware often finds its way into organisations via web browsers (or in combination with other vectors such as infected USB drives).