United States top cybersecurity cops warned Tuesday that North Korean government threat actors are targeting U.S. businesses with malware and botnet-related attacks that are part of a concerted effort dubbed “Hidden Cobra.”
According to a United States Computer Emergency Readiness Team (US-CERT) bulletin, Hidden Cobra is leveraging malware called DeltaCharlie, which is the brains behind North Korea’s distributed denial-of-service (DDoS) botnet infrastructure being used against U.S. assets.
Both the Department of Homeland Security and the Federal Bureau of Investigation were part of the Hidden Cobra research released Tuesday. They warn Hidden Cobra is actively targeting the media, aerospace, financial, and critical infrastructure sectors in the United States and other global assets.
A successful network intrusion attack could result in a “temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files, and potential harm to an organization’s reputation,” according to the DHS and FBI.
Hidden Cobra, believed to be the work of the Lazarus Group, has been on security experts’ radar screen since 2014. According to research by Kaspersky Lab, a number of Lazarus tool samples were compiled as recently as last year. Lazarus is alleged to be behind the Sony hack, which featured wiper malware and damaging data leaks, as well as the SWIFT attacks against banks in Bangladesh, Poland and Mexico.
“The Hidden Cobra malware is used to conduct DDoS-attacks by abusing a number of technologies, such as CGN (Carrier Grade NAT), NTP (Network Time Protocol) and DNS. We are not aware of the particular targets actively attacked by this malware,” Kaspersky Lab researchers said on Wednesday.
According to researchers at Kaspersky Lab, one recently detected Hidden Cobra malware sample contained a hardcoded IP that belongs to a major U.S. financial institution.
The DeltaCharlie malware, used by Lazarus, was first referenced in the Operation Blockbuster Destructive Malware report released in February 2016. Operation Blockbuster, a coalition of security companies including Kaspersky Lab, Novetta and Invincea, found that DeltaCharlie was one of several DDoS tools used by the Lazarus Group.
“DeltaCharlie is a DDoS tool capable of launching Domain Name System attacks, Network Time Protocol attacks, and Character Generation Protocol attacks,” according to the US-CERT bulletin. “The malware operates on victims’ systems as a svchost-based service and is capable of downloading executables, changing its own configuration, updating its own binaries, terminating its own processes, and activating and terminating denial-of-service attacks.”
DeltaCharlie malware and its accompanying botnet have been observed in 25 countries, including France, Brazil, Russia, Malaysia, the UK, the U.S., the UAE, Taiwan, Rwanda and the Philippines, researchers at Kaspersky Lab said.
DHS and FBI analysis of Hidden Cobra’s modus operandi reveals that its preferred targets are businesses running older, unsupported versions of Microsoft Windows along with vulnerable versions of Adobe Flash Player and a Korean word processing application called Hangul. “We recommend that organizations upgrade these applications to the latest version and patch level,” according to the bulletin.
Authorities are urging system administrators who observe indicators of compromise that match the Hidden Cobra profile to flag and report observations to the DHS National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch).
“DHS and FBI are distributing these IP addresses to enable network defense activities and reduce exposure to the DDoS command-and-control network. FBI has high confidence that Hidden Cobra actors are using the IP addresses for further network exploitation,” the bulletin said.
DHS and FBI recommend that network administrators review the IP addresses, file hashes, network signatures, and YARA rules provided, and add the IPs to their watchlist to determine if malicious activity has occurred on their network.
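The watchlist review the bulletin recommends can be automated against existing firewall or proxy logs. The script below is an added illustration, not code from US-CERT or the researchers quoted above: the indicator values and log lines are constructed placeholders (documentation IP ranges and a dummy hash), and the log format is assumed for the example. It matches each log line against exact-IP and CIDR watchlist entries, checks observed file hashes, and ranks internal hosts by how often they contacted a listed address so analysts know what to triage first.

```python
import ipaddress
import re
from collections import Counter

# Constructed placeholders standing in for the IPs and hashes the DHS/FBI
# bulletin distributes (RFC 5737 documentation ranges, not real indicators).
WATCHLIST_IPS = {"203.0.113.10", "198.51.100.7"}
WATCHLIST_NETS = [ipaddress.ip_network("192.0.2.0/24")]
WATCHLIST_SHA256 = {"0" * 64}  # dummy hash, not a real DeltaCharlie sample

# Constructed firewall log lines in an assumed key=value format (not real traffic).
SAMPLE_LOG = """\
2017-06-13T10:01:02Z src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=443 action=allow
2017-06-13T10:01:05Z src=10.0.0.5 dst=8.8.8.8 proto=udp dport=53 action=allow
2017-06-13T10:01:09Z src=10.0.0.9 dst=192.0.2.77 proto=udp dport=123 action=allow
2017-06-13T10:02:00Z src=10.0.0.5 dst=198.51.100.7 proto=tcp dport=8080 action=deny
"""
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+) action=(\S+)")

def match_ip(ip_str):
    """Return the watchlist entry (exact IP or CIDR) that ip_str hits, else None."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    if ip_str in WATCHLIST_IPS:
        return ip_str
    for net in WATCHLIST_NETS:
        if ip in net:
            return str(net)
    return None

def scan_log(text):
    """One hit per parsed log line whose src or dst is on the watchlist."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line; skip rather than silently mis-attribute
        src, dst, proto, dport, action = m.groups()
        for addr, other in ((dst, src), (src, dst)):
            entry = match_ip(addr)
            if entry:  # 'host' is the non-listed side, i.e. the internal machine
                hits.append({"host": other, "indicator": entry, "proto": proto,
                             "dport": int(dport), "action": action})
    return hits

def hosts_to_triage(hits):
    """Internal hosts ranked by watchlist contacts; denied attempts count too."""
    return Counter(h["host"] for h in hits).most_common()

def match_hashes(observed):
    """observed maps file path -> SHA-256; return paths whose hash is listed."""
    return sorted(p for p, h in observed.items() if h.lower() in WATCHLIST_SHA256)
```

A denied connection to a listed address is still worth triage: the host tried to reach command-and-control even though the firewall blocked it.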