
Threat Intelligence

6/14/2017
07:33 PM

US Warns of North Korea's Not-So-Secret 'Hidden Cobra' DDoS Botnet

Reclusive government behind DDoS infrastructure is targeting organizations around the world, US-CERT says.

This story was updated to include comments from Adobe.

The US-CERT this week formally identified the North Korean government as being behind a distributed denial of service (DDoS) botnet infrastructure that has been used to target media, financial, aerospace, and critical infrastructure organizations in the US and elsewhere.

In an advisory, the US-CERT provided indicators of compromise, malware descriptions, and network signatures associated with the malicious North Korean cyber operation, dubbed Hidden Cobra by the US government. Included in the alert were IP addresses of systems infected with DeltaCharlie, the malware used to manage the North Korean botnet.

Organizations that detect any of the tools associated with Hidden Cobra on their networks should immediately mitigate the threat and report their discovery to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or to the FBI, US-CERT said.

"DHS and FBI are distributing these IP addresses to enable network defense activities and reduce exposure to the DDoS command-and-control network," US-CERT said. "FBI has high confidence that HIDDEN COBRA actors are using the IP addresses for further network exploitation," it noted.
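The practical use of an indicator list like the one in the advisory is to sweep existing firewall, proxy, or flow logs for contact with the listed addresses and to report any hits. The following is an added example written for this article, not code from US-CERT or Dark Reading. The IoC entries and log lines are constructed for illustration: the addresses come from the RFC 5737 documentation ranges and are not the real Hidden Cobra indicators, which are only in the advisory itself. The log format (timestamp, action, source, destination, destination port) is an assumption; adjust the regular expression to your own logs.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed IoC list standing in for the addresses US-CERT distributed.
# RFC 5737 documentation ranges only; NOT the real Hidden Cobra indicators.
# Entries may be single addresses or CIDR ranges; '#' lines are comments.
IOC_IPS = [
    "# constructed sample indicators",
    "192.0.2.44",
    "198.51.100.0/24",
    "203.0.113.7",
]

# Constructed firewall log lines (not real traffic).
# Assumed format: <timestamp> <ALLOW|DENY> <src_ip> <dst_ip> <dst_port>
SAMPLE_LOG = """\
2017-06-14T18:01:02Z ALLOW 10.0.0.15 192.0.2.44 443
2017-06-14T18:01:05Z ALLOW 10.0.0.15 93.184.216.34 443
2017-06-14T18:02:10Z DENY 198.51.100.23 10.0.0.80 8080
2017-06-14T18:03:33Z ALLOW 10.0.0.22 203.0.113.7 80
2017-06-14T18:04:00Z ALLOW 10.0.0.22 203.0.113.8 80
malformed line that should be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)$"
)


def load_iocs(entries):
    """Normalise IoC strings into ip_network objects (a bare address becomes a /32)."""
    nets = []
    for entry in entries:
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def match_ip(addr, nets):
    """Return the first IoC network containing addr, or None (also for unparsable input)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net in nets:
        if ip in net:
            return net
    return None


def scan_log(text, nets):
    """Return a list of (line_no, field, matched_ip, ioc_network) for every IoC hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format rather than abort
        for field in ("src", "dst"):
            net = match_ip(m[field], nets)
            if net is not None:
                hits.append((lineno, field, m[field], str(net)))
    return hits


def summarize(hits):
    """Count hits per indicator, which is what you would include in a report."""
    counts = defaultdict(int)
    for _, _, _, net in hits:
        counts[net] += 1
    return dict(counts)


if __name__ == "__main__":
    iocs = load_iocs(IOC_IPS)
    found = scan_log(SAMPLE_LOG, iocs)
    for lineno, field, ip, net in found:
        print(f"line {lineno}: {field}={ip} matched indicator {net}")
    print("per-indicator counts:", summarize(found))
```

Matching on both source and destination matters: an inbound connection from a listed address and an outbound connection to one are both worth reporting, and CIDR entries are handled by the same containment test as single addresses.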

The alert definitively ties the North Korean government to attacks that have previously been attributed more generally to threat actors based in the country. Even so, much of the information in the US-CERT alert was already known, so the timing of the release was not entirely clear.

As US-CERT itself noted, security researchers have previously linked the malicious activity referenced in the report to the Lazarus Group and Guardians of Peace. Earlier this year, for instance, Symantec fingered Lazarus Group as the likely actor behind a string of attacks on banks in 31 different countries.

Similarly, Guardians of Peace, which is another name that security vendors have used in connection with the North Korean activity, was associated with the devastating cyberattack on Sony back in 2015. And DeltaCharlie, the botnet malware in the report, was thoroughly chronicled in a Novetta report last year.

"Since the vulnerabilities cited in the alert are over a year old, we can only assume US-CERT has seen a rise in systems infected by the DeltaCharlie malware," says Tim Matthews, vice president of marketing at Imperva. "It is also possible that in the wake of last month’s WannaCry ransomware outbreak – also attributed to Lazarus Group – US-CERT was spurred to proactively warn users about the need to patch older applications that could be vulnerable," he says. Ensuring there are fewer vulnerable systems would limit the growth of the Hidden Cobra botnet infrastructure, Matthews says.

Security researchers from multiple vendors, including Google, Kaspersky Lab, and Symantec, found a possible connection between WannaCry and the Lazarus Group: common code elements. 

The actors behind Hidden Cobra have a tendency to go after systems running older and unsupported versions of Microsoft Windows, which have multiple vulnerabilities in them, US-CERT said. Vulnerabilities in Adobe Flash Player are also a favorite of the threat actors.

An Adobe spokesman said that patches have been available for more than a year for the vulnerabilities listed in the DHS alert. "Users are strongly encouraged to apply all available security updates to Adobe Flash Player to ensure they are receiving the latest features and security protections. The latest version with most up-to-date patches can be accessed at https://get.adobe.com/flashplayer/," the company said.

In addition to DeltaCharlie, other tools used by Hidden Cobra include keyloggers, wiper malware, and remote access tools. Examples include Destover, the wiper malware used in the Sony attacks; Wild Positron, a backdoor Trojan; and Hangman, US-CERT said this week.

In a statement responding to the US-CERT release, security vendor Kaspersky Lab said that it could confirm all the code referenced in the report has been associated with the Lazarus Group. Some of the code has been publicly known and discussed since 2014, while some of the more recent samples were compiled in 2016, Kaspersky Lab said. The malware tools mentioned in the advisory have been observed in use in 26 countries, including the USA, France, Brazil, and Russia, the security vendor added.

Regardless of the timing, the alert is a reminder for organizations to pay attention to the threat posed by Hidden Cobra, aka Lazarus, aka Guardians of Peace. "IT workers in the media, aerospace, financial services, and critical infrastructure sectors should heed the US-CERT warning, as they are apparently the top targets of Hidden Cobra," Matthews says. "Organizations should always patch and update software to prevent any type of malware infestation. In the case of DeltaCharlie, not patching could perversely grow a botnet that could then be used against their own company."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio