Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management

5/31/2018
08:05 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

FBI & DHS Warn About 2 North Korea Malware Threats

The FBI and Department of Homeland Security are warning about North Korea's Hidden Cobra group, which is suspected of being behind the Joanap and Brambul threats that have targeted multiple countries for almost a decade.

The federal government this week issued an alert about two pieces of malware allegedly developed by the North Korean government that have been in use for almost a decade to attack such targets around the world, including the US.

The US-CERT joint technical alert from the FBI and Department of Homeland Security points to malware called Joanap and Brambul, part of the advanced persistent threat (APT) effort dubbed Hidden Cobra -- the name given by US government to threat actors tied to the North Korean government.

Joanap is a remote access tool (RAT) and Brambul is a server message block (SMB) worm that the FBI and DHS, citing "trusted third parties," note have been used since at least 2009 to target such industries as media, aerospace and finance as well a critical infrastructure.

"FBI has high confidence that HIDDEN COBRA actors are using the IP addresses... to maintain a presence on victims' networks and enable network exploitation," according to the May 29 alert. "DHS and FBI are distributing these IP addresses and other IOCs to enable network defense and reduce exposure to any North Korean government malicious cyber activity."

The associated indicators of compromise (IOCs) can be found in the FBI and DHS alert.

Joanap is designed to receive multiple command that can be issued remotely by Hidden Cobra attackers from a command-and-control server and infects a system as a file that is placed by other malware designed by the group. That malware is downloaded by unknowing users when they visit compromised sites or open malicious attachments in email. The FBI and DHS found 87 compromised network nodes in 17 countries, including in South America, Asia, the Middle East and Europe.

The agencies noted that Brambul is a "brute-force authentication world that spreads through SMBs," which enable users on a network to share access to files. "Brambul malware typically spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim's networks," according to the alert.

DHS officials said that users should make sure to keep operating systems, software and anti-virus software up to date to help prevent against infection. The department also notes that users should scan all software downloaded from the Internet before executing it, restrict user permissions to install unwanted applications, scan for and remove suspicious email attachments and disable Microsoft's File and Printer Sharing service.

"McAfee can confirm that these malware samples have been known to cyber threat researchers since 2011," Ryan Sherstobitoff, a researcher at McAfee Labs, told Security Now in an email. "Our research into Hidden Cobra shows that these campaigns are still underway, and, while these components are being revealed now, the perpetrators behind the latest attacks have moved on to use newer tools."

Hidden Cobra -- which also has been known as Lazarus -- has been active for more than a decade and has ramped up its efforts in recent months even as the North Korean government has been in talks with South Korea and the US in hopes of easing tensions with the countries. The US government has put out multiple alerts about malware from Hidden Cobra since the beginning of the year, calling out Trojans such as Sharpknot, Hardrain and Badcall.


Now entering its fifth year, the 2020 Vision Executive Summit is an exclusive meeting of global CSP executives focused on navigating the disruptive forces at work in telecom today. Join us in Lisbon on December 4-6 to meet with fellow experts as we define the future of next-gen communications and how to make it profitable.

In April, McAfee Labs issued research regarding a Hidden Cobra campaign called "GhostSecret," which is targeting similar sectors as Joanap -- such as critical infrastructure, finance, healthcare and telecommunications -- in 17 countries around the world. Earlier this month, McAfee Labs noted a targeted mobile campaign called "RedDawn" -- and attributed to a group called Sun Team -- in which malware in Google Play was designed to implant spyware on the devices of North Korean defectors. (See North Korea-Linked 'Operation GhostSecret' Found in 17 Countries.)

Hidden Cobra -- which Symantec refers to as Lazarus -- is fairly unique, according to Vikram Thakur, technical director for Symantec Security Response.

"This targeted attack group is the only one tracked by Symantec that has attempted attacks against organizations for financial gain," Thakur told Security Now in an email. "Aside from direct monetary gain, Lazarus has been involved in stealing intellectual property, espionage and even ransomware, such as WannaCray, that spread globally in mid-2017."

McAfee's Sherstobitoff said that it's difficult for industry researchers to link malware attacks to specific suspects, but that what McAfee does know dovetails with what the government has found regarding Joanap and Brambul.

"Direct attribution of cyber campaigns to particular actors is complicated," he said. "Cyber forensic evidence available to industry is just part of the picture. Governments are in a more effective position to combine such evidence with evidence from traditional intelligence sources available only to state intelligence services and law enforcement. That said, we can confirm that the countries the government mentions as targets [of Joanap and Brambul] align with the attack targets we observed during our research into the GhostSecret operation and Hidden Cobra."

Symantec's Vikram said that "every country that conducts offensive cyber operations has different national interests for doing so. One might focus its resource on disinformation in specific geographies, another might be most interested in acquiring intellectual property for economic advantage. Lazarus is the only group that we've seen that has a team dedicated to conducting bank heists for more direct monetary gain. At the end of the day, the geopolitical situation of a country is what guides their offensive cyber mandate."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/1/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Threat from the Internet--and What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15478
PUBLISHED: 2020-07-01
The Journal theme before 3.1.0 for OpenCart allows exposure of sensitive data via SQL errors.
CVE-2020-6261
PUBLISHED: 2020-07-01
SAP Solution Manager (Trace Analysis), version 7.20, allows an attacker to perform a log injection into the trace file, due to Incomplete XML Validation. The readability of the trace file is impaired.
CVE-2020-15471
PUBLISHED: 2020-07-01
In nDPI through 3.2, the packet parsing code is vulnerable to a heap-based buffer over-read in ndpi_parse_packet_line_info in lib/ndpi_main.c.
CVE-2020-15472
PUBLISHED: 2020-07-01
In nDPI through 3.2, the H.323 dissector is vulnerable to a heap-based buffer over-read in ndpi_search_h323 in lib/protocols/h323.c, as demonstrated by a payload packet length that is too short.
CVE-2020-15473
PUBLISHED: 2020-07-01
In nDPI through 3.2, the OpenVPN dissector is vulnerable to a heap-based buffer over-read in ndpi_search_openvpn in lib/protocols/openvpn.c.