Dark Reading is part of the Informa Tech Division of Informa PLC


6/14/2017
07:33 PM

US Warns of North Korea's Not-So-Secret 'Hidden Cobra' DDoS Botnet

Reclusive government behind DDoS infrastructure is targeting organizations around the world, US-CERT says.

This story was updated to include comments from Adobe.

The US-CERT this week formally identified the North Korean government as being behind a distributed denial of service (DDoS) botnet infrastructure that has been used to target media, financial, aerospace, and critical infrastructure organizations in the US and elsewhere.

In an advisory, the US-CERT provided indicators of compromise, malware descriptions, and network signatures associated with the malicious North Korean cyber operation, dubbed Hidden Cobra by the US government. Included in the alert were IP addresses of systems infected with DeltaCharlie, the malware used to manage the North Korean botnet.

Organizations that detect any of the tools associated with Hidden Cobra on their networks should immediately mitigate the threat and report their discovery to the DHS National Cybersecurity Communications and Integration Center (NCIC) or to the FBI, US-CERT said.

"DHS and FBI are distributing these IP addresses to enable network defense activities and reduce exposure to the DDoS command-and-control network," US-CERT said. "FBI has high confidence that HIDDEN COBRA actors are using the IP addresses for further network exploitation," it noted.

The alert definitively ties the North Korean government to attacks that have been previously attributed more generally to threat actors based in the country. Even so, a lot of the information in the US-CERT alert was previously known, so the timing of the release was not entirely clear.

As US-CERT itself noted, security researchers have previously linked the malicious activity referenced in the report to the Lazarus Group and Guardians of Peace. Earlier this year, for instance, Symantec fingered Lazarus Group as the likely actor behind a string of attacks on banks in 31 different countries.

Similarly, Guardians of Peace, which is another name that security vendors have used in connection with the North Korean activity, was associated with the devastating cyberattack on Sony back in 2015. And DeltaCharlie, the botnet malware in the report, was thoroughly chronicled in a Novetta report last year.

"Since the vulnerabilities cited in the alert are over a year old, we can only assume US-CERT has seen a rise in systems infected by the DeltaCharlie malware," says Tim Matthews, vice president of marketing at Imperva. "It is also possible that in the wake of last month’s WannaCry ransomware outbreak – also attributed to Lazarus Group – US-CERT was spurred to proactively warn users about the need to patch older applications that could be vulnerable," he says. Ensuring there are fewer vulnerable systems would limit the growth of the Hidden Cobra botnet infrastructure, Matthews says.

Security researchers from multiple vendors, including Google, Kaspersky Lab, and Symantec, found a possible connection between WannaCry and the Lazarus Group: common code elements. 

The actors behind Hidden Cobra have a tendency to go after systems running older and unsupported versions of Microsoft Windows, which have multiple vulnerabilities in them, US-CERT said. Vulnerabilities in Adobe Flash Player are also a favorite of the threat actors.

An Adobe spokesman said that patches have been available for more than a year for the vulnerabilities listed in the DHS alert. "Users are strongly encouraged to apply all available security updates to Adobe Flash Player to ensure they are receiving the latest features and security protections. The latest version with most up-to-date patches can be accessed at https://get.adobe.com/flashplayer/," the company said.

In addition to DeltaCharlie, other tools used by Hidden Cobra include keyloggers, wiper malware, and remote access tools. Examples include Destover, the wiper malware used in the Sony attacks; Wild Positron, a backdoor Trojan; and Hangman, US-CERT said this week.

In a statement responding to the US-CERT release, security vendor Kaspersky Lab said that it could confirm all the code referenced in the report has been associated with the Lazarus Group. Some of the code has been publicly known and discussed since 2014, while some of the more recent samples were compiled in 2016, Kaspersky Lab said. The malware tools mentioned in the advisory have been observed in use in 26 countries, including the USA, France, Brazil and Russia, the security vendor added.

Regardless of the timing, the alert is a reminder for organizations to pay attention to the threat posed by Hidden Cobra, aka Lazarus, aka Guardians of Peace. "IT workers in the media, aerospace, financial services, and critical infrastructure sectors should heed the US-CERT warning, as they are apparently the top targets of Hidden Cobra," Matthews says. "Organizations should always patch and update software to prevent any type of malware infestation. In the case of DeltaCharlie, not patching could perversely grow a botnet that could then be used against their own company."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
