Threat Intelligence

6/14/2017
07:33 PM
US Warns of North Korea's Not-So-Secret 'Hidden Cobra' DDoS Botnet

The reclusive government behind the DDoS infrastructure is targeting organizations around the world, US-CERT says.

This story was updated to include comments from Adobe.

The US-CERT this week formally identified the North Korean government as being behind a distributed denial of service (DDoS) botnet infrastructure that has been used to target media, financial, aerospace, and critical infrastructure organizations in the US and elsewhere.

In an advisory, the US-CERT provided indicators of compromise, malware descriptions, and network signatures associated with the malicious North Korean cyber operation, dubbed Hidden Cobra by the US government. Included in the alert were IP addresses of systems infected with DeltaCharlie, the malware used to manage the North Korean botnet.

Organizations that detect any of the tools associated with Hidden Cobra on their networks should immediately mitigate the threat and report their discovery to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or to the FBI, US-CERT said.

"DHS and FBI are distributing these IP addresses to enable network defense activities and reduce exposure to the DDoS command-and-control network," US-CERT said. "FBI has high confidence that HIDDEN COBRA actors are using the IP addresses for further network exploitation," it noted.

The alert definitively ties the North Korean government to attacks that had previously been attributed more generally to threat actors based in the country. Even so, much of the information in the US-CERT alert was already known, so the timing of the release was not entirely clear.

As US-CERT itself noted, security researchers have previously linked the malicious activity referenced in the report to the Lazarus Group and Guardians of Peace. Earlier this year, for instance, Symantec fingered Lazarus Group as the likely actor behind a string of attacks on banks in 31 different countries.

Similarly, Guardians of Peace, which is another name that security vendors have used in connection with the North Korean activity, was associated with the devastating cyberattack on Sony back in 2015. And DeltaCharlie, the botnet malware in the report, was thoroughly chronicled in a Novetta report last year.

"Since the vulnerabilities cited in the alert are over a year old, we can only assume US-CERT has seen a rise in systems infected by the DeltaCharlie malware," says Tim Matthews, vice president of marketing at Imperva. "It is also possible that in the wake of last month’s WannaCry ransomware outbreak – also attributed to Lazarus Group – US-CERT was spurred to proactively warn users about the need to patch older applications that could be vulnerable," he says. Ensuring there are fewer vulnerable systems would limit the growth of the Hidden Cobra botnet infrastructure, Matthews says.

Security researchers from multiple vendors, including Google, Kaspersky Lab, and Symantec, found a possible connection between WannaCry and the Lazarus Group: common code elements. 

The actors behind Hidden Cobra have a tendency to go after systems running older and unsupported versions of Microsoft Windows, which contain multiple vulnerabilities, US-CERT said. Vulnerabilities in Adobe Flash Player are also a favorite of the threat actors.

An Adobe spokesman said that patches have been available for more than a year for the vulnerabilities listed in the DHS alert. "Users are strongly encouraged to apply all available security updates to Adobe Flash Player to ensure they are receiving the latest features and security protections. The latest version with most up-to-date patches can be accessed at https://get.adobe.com/flashplayer/," the company said.

In addition to DeltaCharlie, other tools used by Hidden Cobra include keyloggers, wiper malware, and remote access tools. Examples include Destover, the wiper malware used in the Sony attacks; Wild Positron, a backdoor Trojan; and Hangman, US-CERT said this week.

In a statement responding to the US-CERT release, security vendor Kaspersky Lab said that it could confirm all the code referenced in the report has been associated with the Lazarus Group. Some of the code has been publicly known and discussed since 2014, while some of the more recent samples were compiled in 2016, Kaspersky Lab said. The malware tools mentioned in the advisory have been observed in use in 26 countries, including the USA, France, Brazil, and Russia, the security vendor added.

Regardless of the timing, the alert is a reminder for organizations to pay attention to the threat posed by Hidden Cobra, aka Lazarus, aka Guardians of Peace. "IT workers in the media, aerospace, financial services, and critical infrastructure sectors should heed the US-CERT warning, as they are apparently the top targets of Hidden Cobra," Matthews says. "Organizations should always patch and update software to prevent any type of malware infestation. In the case of DeltaCharlie, not patching could perversely grow a botnet that could then be used against their own company."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.