US-CERT issues warning on North Korean Cyber attacks

The US has issued an unusually public warning to businesses both in and outside the United States about the threat posed by North Korean cyberattacks and the urgent need to patch old software to defend against them.

This alert comes from the Department of Homeland Security (DHS) and the FBI through US-CERT, a channel usually taken as a sign of imminent trouble.
No surprise in this, you might say: after all, the US has been accusing the Democratic People’s Republic of Korea (DPRK) of causing trouble in cyberspace as far back as the high-profile attacks on Sony in 2014.

The advisory’s first message is that anyone detecting activities by the DPRK, codenamed “Hidden Cobra” (aka the Lazarus Group or Guardians of Peace), should report activity through the DHS National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch).

Indicators of Compromise (IOCs) cover a gamut of DDoS botnet activity, keylogging, remote access tools (RATs), and disk wiping malware, as well as SMB worm malware of the sort blamed for the recent WannaCry attacks.

It also refers to IP address ranges used for DDoS attacks, dubbed “DeltaCharlie”, and describes some of the tools employed by Hidden Cobra:

…DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Wild Positron/Duuzer, and Hangman. DHS has previously released Alert TA14-353A, which contains additional details on the use of a server message block (SMB) worm tool employed by these actors.

The takeaway for Naked Security readers is to patch the older applications that the alleged North Korean cyberattacks like to prey on, particularly those affected by the following CVEs:

CVE-2015-8651: Adobe Flash Player 18.0.0.324 and 19.x Vulnerability
CVE-2016-0034: Microsoft Silverlight 5.1.41212.0 Vulnerability
CVE-2016-1019: Adobe Flash Player 21.0.0.197 Vulnerability
CVE-2016-4117: Adobe Flash Player 21.0.0.226 Vulnerability


Interestingly, although these emerged as zero-day vulnerabilities, it’s likely that Hidden Cobra exploited them after patches appeared. This suggests a crude but well-proven MO in which already-patched vulnerabilities are targeted to catch out anyone who hasn’t applied the updates.

To avoid these attacks, systems that run software such as Adobe Flash and Microsoft Silverlight should be updated to the most recent version, and your antivirus should be kept up to date as well.
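
One way to turn the CVE list above into a patch check, as an added example that is not part of the original post or of the US-CERT alert: it runs over a constructed software inventory and flags hosts still on the Flash Player and Silverlight builds the alert names. The assumptions are that a build equal to or lower than the one named for a CVE counts as unpatched and that "19.x" means any 19.* build.

```python
# Added example (not from the original post or from US-CERT): flag hosts in a
# software inventory that still run the Adobe Flash Player / Microsoft
# Silverlight builds named in the CVE list above.  Assumptions: a version equal
# to or lower than the build named for a CVE is treated as unpatched, "19.x"
# means any 19.* build, and the inventory rows are constructed sample data.
from typing import Dict, List, Tuple

# CVE -> (product, affected-version specs).  A spec is either a ceiling
# ("18.0.0.324": that build and anything lower) or a major-version prefix ("19.*").
AFFECTED: Dict[str, Tuple[str, List[str]]] = {
    "CVE-2015-8651": ("Adobe Flash Player", ["18.0.0.324", "19.*"]),
    "CVE-2016-0034": ("Microsoft Silverlight", ["5.1.41212.0"]),
    "CVE-2016-1019": ("Adobe Flash Player", ["21.0.0.197"]),
    "CVE-2016-4117": ("Adobe Flash Player", ["21.0.0.226"]),
}

def parse_version(v: str) -> Tuple[int, ...]:
    """'21.0.0.226' -> (21, 0, 0, 226) so builds compare numerically, not as text."""
    return tuple(int(part) for part in v.split("."))

def version_matches(version: str, spec: str) -> bool:
    """True if the installed version falls inside one affected-version spec."""
    if spec.endswith(".*"):
        return parse_version(version)[0] == int(spec[:-2])
    return parse_version(version) <= parse_version(spec)

def unpatched_hosts(inventory: List[Tuple[str, str, str]]):
    """Return [(host, product, version, [cve, ...])] for rows still exposed."""
    findings = []
    for host, product, version in inventory:
        cves = sorted(cve for cve, (prod, specs) in AFFECTED.items()
                      if prod == product and any(version_matches(version, s) for s in specs))
        if cves:
            findings.append((host, product, version, cves))
    return findings

# Constructed sample inventory: (host, product, installed version).
SAMPLE_INVENTORY = [
    ("ws-101", "Adobe Flash Player", "18.0.0.324"),    # the exact CVE-2015-8651 build
    ("ws-102", "Adobe Flash Player", "19.0.0.245"),    # a 19.x build
    ("ws-103", "Adobe Flash Player", "21.0.0.213"),    # above 21.0.0.197, below 21.0.0.226
    ("ws-104", "Adobe Flash Player", "26.0.0.131"),    # newer than every listed build
    ("ws-105", "Microsoft Silverlight", "5.1.41212.0"),
    ("ws-106", "Microsoft Silverlight", "5.1.50918.0"),
]

if __name__ == "__main__":
    for host, product, version, cves in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} -> {', '.join(cves)}")
```

Feed it the (product, version) pairs your asset inventory already exports and the output is the list of machines to update first.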

For more information, head over to the guys at Sophos.
