
Security Management

5/31/2018 08:05 AM
Jeffrey Burt

FBI & DHS Warn About 2 North Korea Malware Threats

The FBI and Department of Homeland Security are warning about North Korea's Hidden Cobra group, which is suspected of being behind the Joanap and Brambul threats that have targeted multiple countries for almost a decade.

The federal government this week issued an alert about two pieces of malware allegedly developed by the North Korean government that have been in use for almost a decade to attack targets around the world, including the US.

The US-CERT joint technical alert from the FBI and Department of Homeland Security points to malware called Joanap and Brambul, part of the advanced persistent threat (APT) effort dubbed Hidden Cobra -- the name given by the US government to threat actors tied to the North Korean government.

Joanap is a remote access tool (RAT) and Brambul is a server message block (SMB) worm that the FBI and DHS, citing "trusted third parties," note have been used since at least 2009 to target such industries as media, aerospace and finance, as well as critical infrastructure.

"FBI has high confidence that HIDDEN COBRA actors are using the IP addresses... to maintain a presence on victims' networks and enable network exploitation," according to the May 29 alert. "DHS and FBI are distributing these IP addresses and other IOCs to enable network defense and reduce exposure to any North Korean government malicious cyber activity."

The associated indicators of compromise (IOCs) can be found in the FBI and DHS alert.

Joanap is designed to receive multiple commands that can be issued remotely by Hidden Cobra attackers from a command-and-control server, and it infects a system as a file that is placed by other malware designed by the group. That malware is downloaded by unknowing users when they visit compromised sites or open malicious attachments in email. The FBI and DHS found 87 compromised network nodes in 17 countries, including in South America, Asia, the Middle East and Europe.

The agencies noted that Brambul is a "brute-force authentication worm that spreads through SMBs," which enable users on a network to share access to files. "Brambul malware typically spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim's networks," according to the alert.
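A worm that works through a list of hard-coded credentials leaves a recognizable trace on the victim: a burst of failed network logons from one source address, each against a different account, sometimes followed by a success. The following detector is an added example written for this article, not code from the FBI/DHS alert or from any vendor named here. It assumes Windows Security events have already been exported into a simple pipe-delimited line format (timestamp, Event ID, logon type, source IP, target user); the sample lines are constructed for the example. Event ID 4625 (failed logon), 4624 (successful logon) and logon type 3 (network) are standard Windows values.

```python
"""Flag SMB-style credential brute-forcing in exported Windows logon events.

Added example: the log format below is an assumed export format, and the
sample events are constructed, not taken from the FBI/DHS alert.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp|EventID|LogonType|SourceIP|TargetUser
SAMPLE_EVENTS = """\
2018-05-29T08:00:01|4625|3|10.0.0.55|administrator
2018-05-29T08:00:02|4625|3|10.0.0.55|admin
2018-05-29T08:00:02|4625|3|10.0.0.55|root
2018-05-29T08:00:03|4625|3|10.0.0.55|guest
2018-05-29T08:00:03|4625|3|10.0.0.55|test
2018-05-29T08:00:04|4625|3|10.0.0.55|user
2018-05-29T08:00:05|4624|3|10.0.0.55|backup
2018-05-29T08:05:00|4625|3|10.0.0.77|jsmith
2018-05-29T08:20:00|4625|3|10.0.0.77|jsmith
2018-05-29T09:00:00|4625|2|10.0.0.12|jsmith
"""


def parse_events(text):
    """Turn the pipe-delimited export into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, ip, user = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "id": int(event_id),
            "logon_type": int(logon_type),
            "ip": ip,
            "user": user,
        })
    return events


def detect_smb_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: details} for every source that produced at least
    `threshold` failed network logons (4625, logon type 3) inside any
    sliding window of length `window`. The details record how many
    accounts were tried and whether a successful network logon (4624)
    from the same source followed the burst."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        # Only network logons matter for SMB; interactive (type 2) is noise here.
        if ev["logon_type"] == 3 and ev["id"] in (4624, 4625):
            by_ip[ev["ip"]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["id"] == 4625]
        best_count, best_users, burst_end, start = 0, set(), None, 0
        # Sliding window over the time-ordered failures.
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count > best_count:
                best_count = count
                best_users = {e["user"] for e in failures[start:end + 1]}
                burst_end = failures[end]["ts"]
        if best_count >= threshold:
            followed = any(e["id"] == 4624 and e["ts"] >= burst_end for e in evs)
            alerts[ip] = {
                "failures": best_count,
                "users_tried": sorted(best_users),
                "followed_by_success": followed,
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_smb_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(ip, info)
```

The "followed_by_success" flag is the part worth acting on first: a burst of failures that ends in a successful network logon from the same source is the signature of a credential list that contained a working password, and the host that accepted it is the next one to examine. The single-IP address in the sample, and the window and threshold values, are tuning choices and should be adjusted to the normal failure rate of the environment.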

DHS officials said that users should keep operating systems, software and anti-virus software up to date to help prevent infection. The department also notes that users should scan all software downloaded from the Internet before executing it, restrict user permissions to install unwanted applications, scan for and remove suspicious email attachments, and disable Microsoft's File and Printer Sharing service.

"McAfee can confirm that these malware samples have been known to cyber threat researchers since 2011," Ryan Sherstobitoff, a researcher at McAfee Labs, told Security Now in an email. "Our research into Hidden Cobra shows that these campaigns are still underway, and, while these components are being revealed now, the perpetrators behind the latest attacks have moved on to use newer tools."

Hidden Cobra -- which also has been known as Lazarus -- has been active for more than a decade and has ramped up its efforts in recent months even as the North Korean government has been in talks with South Korea and the US in hopes of easing tensions with the countries. The US government has put out multiple alerts about malware from Hidden Cobra since the beginning of the year, calling out Trojans such as Sharpknot, Hardrain and Badcall.


In April, McAfee Labs issued research regarding a Hidden Cobra campaign called "GhostSecret," which is targeting similar sectors as Joanap -- such as critical infrastructure, finance, healthcare and telecommunications -- in 17 countries around the world. Earlier this month, McAfee Labs noted a targeted mobile campaign called "RedDawn" -- and attributed to a group called Sun Team -- in which malware in Google Play was designed to implant spyware on the devices of North Korean defectors. (See North Korea-Linked 'Operation GhostSecret' Found in 17 Countries.)

Hidden Cobra -- which Symantec refers to as Lazarus -- is fairly unique, according to Vikram Thakur, technical director for Symantec Security Response.

"This targeted attack group is the only one tracked by Symantec that has attempted attacks against organizations for financial gain," Thakur told Security Now in an email. "Aside from direct monetary gain, Lazarus has been involved in stealing intellectual property, espionage and even ransomware, such as WannaCry, that spread globally in mid-2017."

McAfee's Sherstobitoff said that it's difficult for industry researchers to link malware attacks to specific suspects, but that what McAfee does know dovetails with what the government has found regarding Joanap and Brambul.

"Direct attribution of cyber campaigns to particular actors is complicated," he said. "Cyber forensic evidence available to industry is just part of the picture. Governments are in a more effective position to combine such evidence with evidence from traditional intelligence sources available only to state intelligence services and law enforcement. That said, we can confirm that the countries the government mentions as targets [of Joanap and Brambul] align with the attack targets we observed during our research into the GhostSecret operation and Hidden Cobra."

Symantec's Thakur said that "every country that conducts offensive cyber operations has different national interests for doing so. One might focus its resource on disinformation in specific geographies, another might be most interested in acquiring intellectual property for economic advantage. Lazarus is the only group that we've seen that has a team dedicated to conducting bank heists for more direct monetary gain. At the end of the day, the geopolitical situation of a country is what guides their offensive cyber mandate."

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
