
Security Management

5/31/2018
08:05 AM
Jeffrey Burt

FBI & DHS Warn About 2 North Korea Malware Threats

The FBI and Department of Homeland Security are warning about North Korea's Hidden Cobra group, which is suspected of being behind the Joanap and Brambul threats that have targeted multiple countries for almost a decade.

The federal government this week issued an alert about two pieces of malware allegedly developed by the North Korean government that have been in use for almost a decade to attack targets around the world, including in the US.

The US-CERT joint technical alert from the FBI and Department of Homeland Security points to malware called Joanap and Brambul, part of the advanced persistent threat (APT) effort dubbed Hidden Cobra -- the name given by the US government to threat actors tied to the North Korean government.

Joanap is a remote access tool (RAT) and Brambul is a Server Message Block (SMB) worm; the FBI and DHS, citing "trusted third parties," note that both have been used since at least 2009 to target industries such as media, aerospace and finance, as well as critical infrastructure.

"FBI has high confidence that HIDDEN COBRA actors are using the IP addresses... to maintain a presence on victims' networks and enable network exploitation," according to the May 29 alert. "DHS and FBI are distributing these IP addresses and other IOCs to enable network defense and reduce exposure to any North Korean government malicious cyber activity."

The associated indicators of compromise (IOCs) can be found in the FBI and DHS alert.

Joanap is designed to receive multiple commands issued remotely by Hidden Cobra attackers from a command-and-control server, and it infects a system as a file placed there by other malware developed by the group. That malware is downloaded by unwitting users when they visit compromised sites or open malicious email attachments. The FBI and DHS found 87 compromised network nodes in 17 countries, including in South America, Asia, the Middle East and Europe.

The agencies noted that Brambul is a "brute-force authentication worm that spreads through SMBs," the protocol that enables users on a network to share access to files. "Brambul malware typically spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim's networks," according to the alert.

DHS officials said that users should keep operating systems, software and anti-virus software up to date to help prevent infection. The department also notes that users should scan all software downloaded from the Internet before executing it, restrict users' permissions so they cannot install unwanted applications, scan for and remove suspicious email attachments, and disable Microsoft's File and Printer Sharing service.
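As an added example (not code from the article or the alert), the following defender-side detection logic turns the Brambul behaviour described above, a burst of failed SMB logons from one host as a hard-coded credential list is tried, into something a SOC can hunt for in Windows Security audit events. The log lines, field names and thresholds are constructed assumptions, not data from the FBI/DHS alert.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not data from the alert): Windows Security events, one per
# line. 4625 = failed logon, 4624 = success, LogonType 3 = network logon (SMB).
SAMPLE_LOG = """\
2018-05-29T10:00:01 EventID=4625 LogonType=3 Source=10.0.0.5 Target=FILESRV01 Account=administrator
2018-05-29T10:00:02 EventID=4625 LogonType=3 Source=10.0.0.5 Target=FILESRV01 Account=admin
2018-05-29T10:00:03 EventID=4625 LogonType=3 Source=10.0.0.5 Target=FILESRV01 Account=guest
2018-05-29T10:00:04 EventID=4625 LogonType=3 Source=10.0.0.5 Target=WKS-17 Account=administrator
2018-05-29T10:00:05 EventID=4625 LogonType=3 Source=10.0.0.5 Target=WKS-17 Account=admin
2018-05-29T10:00:07 EventID=4624 LogonType=3 Source=10.0.0.5 Target=WKS-17 Account=admin
2018-05-29T10:05:30 EventID=4625 LogonType=3 Source=10.0.0.9 Target=WKS-03 Account=jsmith
"""

def parse(log_text):
    # One dict per line: the key=value fields plus a parsed timestamp.
    events = []
    for line in log_text.splitlines():
        ts, _, rest = line.partition(" ")
        events.append(dict(kv.split("=", 1) for kv in rest.split()))
        events[-1]["ts"] = datetime.fromisoformat(ts)
    return events

def detect_smb_bruteforce(events, window=timedelta(minutes=1),
                          min_failures=5, min_accounts=3):
    # Flag a source whose failed network logons inside `window` span several
    # accounts (a credential list being tried) and note any success that follows.
    by_source = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e.get("LogonType") == "3":  # skip interactive/local logon failures
            by_source[e["Source"]].append(e)
    alerts = []
    for src, evs in by_source.items():
        fails = [e for e in evs if e["EventID"] == "4625"]
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            burst = fails[start:end + 1]
            accounts = {e["Account"] for e in burst}
            if len(burst) >= min_failures and len(accounts) >= min_accounts:
                alerts.append({
                    "source": src, "failures": len(burst), "accounts": sorted(accounts),
                    "targets": sorted({e["Target"] for e in burst}),
                    "followed_by_success": any(e["EventID"] == "4624"
                        and e["ts"] >= burst[-1]["ts"] for e in evs)})
                break  # one alert per source is enough for triage
    return alerts
```

A `followed_by_success` of True is the case to escalate first, since it means one of the tried credentials worked and the host has likely become the next hop of the worm.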

"McAfee can confirm that these malware samples have been known to cyber threat researchers since 2011," Ryan Sherstobitoff, a researcher at McAfee Labs, told Security Now in an email. "Our research into Hidden Cobra shows that these campaigns are still underway, and, while these components are being revealed now, the perpetrators behind the latest attacks have moved on to use newer tools."

Hidden Cobra -- which also has been known as Lazarus -- has been active for more than a decade and has ramped up its efforts in recent months, even as the North Korean government has been in talks with South Korea and the US in hopes of easing tensions with those countries. The US government has put out multiple alerts about malware from Hidden Cobra since the beginning of the year, calling out Trojans such as Sharpknot, Hardrain and Badcall.


In April, McAfee Labs issued research regarding a Hidden Cobra campaign called "GhostSecret," which targets sectors similar to those hit by Joanap -- such as critical infrastructure, finance, healthcare and telecommunications -- in 17 countries around the world. Earlier this month, McAfee Labs noted a targeted mobile campaign called "RedDawn" -- attributed to a group called Sun Team -- in which malware in Google Play was designed to implant spyware on the devices of North Korean defectors. (See North Korea-Linked 'Operation GhostSecret' Found in 17 Countries.)

Hidden Cobra -- which Symantec refers to as Lazarus -- is unusual among threat groups, according to Vikram Thakur, technical director for Symantec Security Response.

"This targeted attack group is the only one tracked by Symantec that has attempted attacks against organizations for financial gain," Thakur told Security Now in an email. "Aside from direct monetary gain, Lazarus has been involved in stealing intellectual property, espionage and even ransomware, such as WannaCry, that spread globally in mid-2017."

McAfee's Sherstobitoff said that it's difficult for industry researchers to link malware attacks to specific suspects, but that what McAfee does know dovetails with what the government has found regarding Joanap and Brambul.

"Direct attribution of cyber campaigns to particular actors is complicated," he said. "Cyber forensic evidence available to industry is just part of the picture. Governments are in a more effective position to combine such evidence with evidence from traditional intelligence sources available only to state intelligence services and law enforcement. That said, we can confirm that the countries the government mentions as targets [of Joanap and Brambul] align with the attack targets we observed during our research into the GhostSecret operation and Hidden Cobra."

Symantec's Vikram said that "every country that conducts offensive cyber operations has different national interests for doing so. One might focus its resources on disinformation in specific geographies, another might be most interested in acquiring intellectual property for economic advantage. Lazarus is the only group that we've seen that has a team dedicated to conducting bank heists for more direct monetary gain. At the end of the day, the geopolitical situation of a country is what guides their offensive cyber mandate."

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
