theDocumentId => 743488 FBI & DHS Warn About 2 North Korea Malware Threats

Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management

5/31/2018
08:05 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

FBI & DHS Warn About 2 North Korea Malware Threats

The FBI and Department of Homeland Security are warning about North Korea's Hidden Cobra group, which is suspected of being behind the Joanap and Brambul threats that have targeted multiple countries for almost a decade.

The federal government this week issued an alert about two pieces of malware allegedly developed by the North Korean government that have been in use for almost a decade to attack such targets around the world, including the US.

The US-CERT joint technical alert from the FBI and Department of Homeland Security points to malware called Joanap and Brambul, part of the advanced persistent threat (APT) effort dubbed Hidden Cobra -- the name given by US government to threat actors tied to the North Korean government.

Joanap is a remote access tool (RAT) and Brambul is a server message block (SMB) worm that the FBI and DHS, citing "trusted third parties," note have been used since at least 2009 to target such industries as media, aerospace and finance as well a critical infrastructure.

"FBI has high confidence that HIDDEN COBRA actors are using the IP addresses... to maintain a presence on victims' networks and enable network exploitation," according to the May 29 alert. "DHS and FBI are distributing these IP addresses and other IOCs to enable network defense and reduce exposure to any North Korean government malicious cyber activity."

The associated indicators of compromise (IOCs) can be found in the FBI and DHS alert.

Joanap is designed to receive multiple command that can be issued remotely by Hidden Cobra attackers from a command-and-control server and infects a system as a file that is placed by other malware designed by the group. That malware is downloaded by unknowing users when they visit compromised sites or open malicious attachments in email. The FBI and DHS found 87 compromised network nodes in 17 countries, including in South America, Asia, the Middle East and Europe.

The agencies noted that Brambul is a "brute-force authentication world that spreads through SMBs," which enable users on a network to share access to files. "Brambul malware typically spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim's networks," according to the alert.

DHS officials said that users should make sure to keep operating systems, software and anti-virus software up to date to help prevent against infection. The department also notes that users should scan all software downloaded from the Internet before executing it, restrict user permissions to install unwanted applications, scan for and remove suspicious email attachments and disable Microsoft's File and Printer Sharing service.

"McAfee can confirm that these malware samples have been known to cyber threat researchers since 2011," Ryan Sherstobitoff, a researcher at McAfee Labs, told Security Now in an email. "Our research into Hidden Cobra shows that these campaigns are still underway, and, while these components are being revealed now, the perpetrators behind the latest attacks have moved on to use newer tools."

Hidden Cobra -- which also has been known as Lazarus -- has been active for more than a decade and has ramped up its efforts in recent months even as the North Korean government has been in talks with South Korea and the US in hopes of easing tensions with the countries. The US government has put out multiple alerts about malware from Hidden Cobra since the beginning of the year, calling out Trojans such as Sharpknot, Hardrain and Badcall.


Now entering its fifth year, the 2020 Vision Executive Summit is an exclusive meeting of global CSP executives focused on navigating the disruptive forces at work in telecom today. Join us in Lisbon on December 4-6 to meet with fellow experts as we define the future of next-gen communications and how to make it profitable.

In April, McAfee Labs issued research regarding a Hidden Cobra campaign called "GhostSecret," which is targeting similar sectors as Joanap -- such as critical infrastructure, finance, healthcare and telecommunications -- in 17 countries around the world. Earlier this month, McAfee Labs noted a targeted mobile campaign called "RedDawn" -- and attributed to a group called Sun Team -- in which malware in Google Play was designed to implant spyware on the devices of North Korean defectors. (See North Korea-Linked 'Operation GhostSecret' Found in 17 Countries.)

Hidden Cobra -- which Symantec refers to as Lazarus -- is fairly unique, according to Vikram Thakur, technical director for Symantec Security Response.

"This targeted attack group is the only one tracked by Symantec that has attempted attacks against organizations for financial gain," Thakur told Security Now in an email. "Aside from direct monetary gain, Lazarus has been involved in stealing intellectual property, espionage and even ransomware, such as WannaCray, that spread globally in mid-2017."

McAfee's Sherstobitoff said that it's difficult for industry researchers to link malware attacks to specific suspects, but that what McAfee does know dovetails with what the government has found regarding Joanap and Brambul.

"Direct attribution of cyber campaigns to particular actors is complicated," he said. "Cyber forensic evidence available to industry is just part of the picture. Governments are in a more effective position to combine such evidence with evidence from traditional intelligence sources available only to state intelligence services and law enforcement. That said, we can confirm that the countries the government mentions as targets [of Joanap and Brambul] align with the attack targets we observed during our research into the GhostSecret operation and Hidden Cobra."

Symantec's Vikram said that "every country that conducts offensive cyber operations has different national interests for doing so. One might focus its resource on disinformation in specific geographies, another might be most interested in acquiring intellectual property for economic advantage. Lazarus is the only group that we've seen that has a team dedicated to conducting bank heists for more direct monetary gain. At the end of the day, the geopolitical situation of a country is what guides their offensive cyber mandate."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-18428
PUBLISHED: 2021-07-26
tinyexr commit 0.9.5 was discovered to contain an array index error in the tinyexr::SaveEXR component, which can lead to a denial of service (DOS).
CVE-2020-18430
PUBLISHED: 2021-07-26
tinyexr 0.9.5 was discovered to contain an array index error in the tinyexr::DecodeEXRImage component, which can lead to a denial of service (DOS).
CVE-2021-37576
PUBLISHED: 2021-07-26
arch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the powerpc platform allows KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e.
CVE-2021-37555
PUBLISHED: 2021-07-26
TX9 Automatic Food Dispenser v3.2.57 devices allow access to a shell as root/superuser, a related issue to CVE-2019-16734. To connect, the telnet service is used on port 23 with the default password of 059AnkJ for the root account. The user can then download the filesystem through preinstalled BusyB...
CVE-2020-23240
PUBLISHED: 2021-07-26
Cross Site Scripting (XSS) vulnerablity in CMS Made Simple 2.2.14 via the Logic field in the Content Manager feature.