
United States hot on heels of North Korea's Hidden Cobra malware

19 Feb 18

The United States Computer Emergency Readiness Team (US-CERT) is homing in on the North Korean Government’s cyber espionage activities known as HIDDEN COBRA, which have been operational since at least 2009.

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have been working together to understand the North Korean Government’s cyber activities.

“Since 2009, Hidden Cobra actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace,” US-CERT states in an alert from June 2017.

“Tools and capabilities used by Hidden Cobra actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Wild Positron/Duuzer, and Hangman.”

“Hidden Cobra actors commonly target systems running older, unsupported versions of Microsoft operating systems. The multiple vulnerabilities in these older systems provide cyber actors many targets for exploitation. These actors have also used Adobe Flash player vulnerabilities to gain initial entry into users’ environments.”

In a malware analysis report on the HARDRAIN Trojan from earlier this month, US-CERT explicitly states that the FBI has high confidence that Hidden Cobra actors are using malware and proxy servers to maintain a foothold on and exploit victims’ networks.

The latest samples are Windows executable files that function as proxy servers and implement ‘Fake TLS’; antivirus vendors detect the family under several names, including Backdoor:Win32/Escad.A!dha.

US-CERT explains:

“The proxy sessions are disguised to appear as encrypted TLS/SSL sessions by using public SSL certificates obtained from well-known, legitimate Internet services. The legitimate certificates are contained within the malware. However, the traffic between the operator and the proxy server is encrypted using an unidentified cipher.”

Another sample is an Executable and Linkable Format (ELF) file that functions as a Remote Access Trojan on Android devices; it is detected under different names, including Andr/Spy-ANK.

“This artifact is a malicious ELF ARM executable designed to connect to hard-coded Internet Protocol (IP) addresses. Static analysis indicates this ELF binary, designed to run on Android platforms, is a fully functioning Remote Access Tool.”

US-CERT also attributes Trojans BADCALL and BANKSHOT to the North Korean Government.

US-CERT would like to remind users and administrators of the following best practices to strengthen the security posture of their organization's systems:

  • Maintain up-to-date antivirus signatures and engines.
  • Restrict users' ability (permissions) to install and run unwanted software applications.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Keep operating system patches up-to-date.
  • Enable a personal firewall on agency workstations.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumbdrives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats; implement appropriate ACLs.
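The “true file type” check in the list above can be automated by comparing an attachment’s extension with the magic bytes in its header. The following is an added example, not code from US-CERT or any vendor: the signature table, extension aliases and sample attachments are all constructed, and the check additionally reads the ELF machine field so that an ARM executable like the Android RAT described earlier is called out during triage.

```python
import struct

# Magic bytes for the types this check knows (constructed table, extend as needed).
SIGNATURES = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "zip": b"PK\x03\x04",   # Office OOXML documents and APKs are zip containers
    "exe": b"MZ",           # PE executables, DLLs, screensavers
    "elf": b"\x7fELF",
}
# Extensions that map onto one of the signature names above (constructed).
EXT_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "apk": "zip",
               "dll": "exe", "scr": "exe", "so": "elf"}
ELF_MACHINES = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}

def sniff_type(data: bytes):
    # Return the signature name whose magic bytes open the file, or None.
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None

def elf_machine(data: bytes):
    # Target architecture from the ELF header: EI_DATA (byte 5) gives the
    # endianness, e_machine is the 16-bit field at offset 18.
    if not data.startswith(b"\x7fELF") or len(data) < 20:
        return None
    endian = "<" if data[5] == 1 else ">"
    (machine,) = struct.unpack_from(endian + "H", data, 18)
    return ELF_MACHINES.get(machine, "unknown(0x%x)" % machine)

def check_attachment(filename: str, data: bytes) -> dict:
    # Compare the type claimed by the extension with the type the header declares.
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_ALIASES.get(ext, ext)
    actual = sniff_type(data)
    return {"filename": filename, "claimed": claimed, "actual": actual,
            "match": actual is not None and actual == claimed,
            "elf_machine": elf_machine(data)}

# Constructed sample attachments: a PE disguised as a PDF, a genuine JPEG header,
# and a little-endian ARM ELF (e_type=2 executable, e_machine=0x28).
SAMPLES = {
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "update.so": b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + b"\x02\x00\x28\x00" + b"\x00" * 44,
}

def triage_samples() -> list:
    return [check_attachment(name, blob) for name, blob in SAMPLES.items()]
```

A mismatch (here the PE carrying a .pdf extension) is the case the best practice warns about; container formats such as docx or apk still need the archive contents inspected, which this header check does not do.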