
U.S. Warns of North Korea's 'Hidden Cobra' Attacks


tao


The United States Computer Emergency Readiness Team (US-CERT) released a technical alert on Tuesday on behalf of the DHS and the FBI to warn organizations of North Korea’s “Hidden Cobra” activities, particularly distributed denial-of-service (DDoS) attacks.

 

The threat actor dubbed by the U.S. government “Hidden Cobra” is better known in the infosec community as Lazarus Group, which is believed to be behind several high-profile attacks, including the ones targeting Sony Pictures, Bangladesh’s central bank, and financial organizations in Poland. Links have also been found between the threat actor and the recent WannaCry ransomware attacks, but some experts are skeptical.

 

The joint alert from the FBI and the DHS provides indicators of compromise (IoC) associated with a botnet known as “DeltaCharlie.” The North Korean government has allegedly used DeltaCharlie, which has been detailed in Novetta’s “Operation Blockbuster” report, to launch DDoS attacks.

 

“DeltaCharlie is a DDoS tool capable of launching Domain Name System (DNS) attacks, Network Time Protocol (NTP) attacks, and Character Generation Protocol attacks,” US-CERT said. “The malware operates on victims’ systems as a svchost-based service and is capable of downloading executables, changing its own configuration, updating its own binaries, terminating its own processes, and activating and terminating denial-of-service attacks.”

 

US-CERT has shared information on exploits, malware, IP addresses, file hashes, network signatures, and YARA rules associated with Hidden Cobra in an effort to help defenders detect the group’s attacks. However, it noted that “further research is needed to understand the full breadth of this group’s cyber capabilities.”

 

The agency warned that, in some cases, the DDoS malware was present on victims’ networks for a significant period of time.

 

Network administrators have been advised to follow a series of recommendations for mitigating attacks and responding to unauthorized network access.

 

While North Korea is believed to be responsible for several major cyberattacks, experts have also observed sophisticated attacks aimed at the country. Last month, Cylance reported seeing a new fileless attack that seemed to have Chinese origins, and Cisco detailed a RAT used to spy on organizations linked to North Korea.

 


 


[image: DeltaCharlie.jpg]

 

In a US-CERT report released yesterday afternoon, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have published IOCs about a malware family known as DeltaCharlie, used by North Korea to create its private DDoS botnet.

 

This malware is not particularly new, having been mentioned in the Operation Blockbuster report released in February 2016, but the DHS and FBI have compiled a list of IP addresses known to be affiliated with or infected by this bot, along with YARA rules that will help companies and professionals add detection rules.

 

Correlating data from the DHS and FBI report released yesterday and the Operation Blockbuster write-up, we know now that DeltaCharlie is the third DDoS bot developed by the hacking crew known as Lazarus Group (aka Guardians of Peace), known to be operating out of North Korea under the local government's protection. The DHS and FBI track this group as HIDDEN COBRA.

 

The other two are DeltaAlfa and DeltaBravo.

 

[image: Delta-family.png]

 

In the past eight years, these three malware families have been used to carry out a series of DDoS attacks, later attributed to the Lazarus Group.

 

Quote

July 2009 - A large-scale DDoS attack on US and South Korean websites
March 2011 - “Ten Days of Rain” attack targets South Korean media, financial, and critical infrastructure targets. Compromised computers within South Korea are used to launch DDoS attacks.
April 2011 - DDoS attack targets Nonghyup Bank.

 

DeltaCharlie can launch DNS, NTP, and CHARGEN DDoS attacks


At the technical level, DeltaCharlie is a DDoS bot that can launch Domain Name System (DNS) DDoS attacks, Network Time Protocol (NTP) DDoS attacks, and Character Generation Protocol (CHARGEN) DDoS attacks.

 

The DDoS bot operates on infected computers as a svchost-based service and can also download other executables, update its configuration, update itself, terminate its own processes, and start/stop DDoS attacks.

 

The DHS and FBI say this malware has been used to target and attack the media, aerospace, financial, and critical infrastructure sectors in the United States and globally.

 

"HIDDEN COBRA IOCs related to DeltaCharlie are provided within the accompanying .csv and .stix files of this alert," US-CERT said in the joint report yesterday. "DHS and FBI recommend that network administrators review the IP addresses, file hashes, network signatures, and YARA rules provided, and add the IPs to their watchlist to determine whether malicious activity has been observed within their organization."

 

Although no new DDoS attacks have been spotted that can be attributed to this malware, the purpose of this report is to raise awareness of North Korea's cyber-weapons and cripple their capabilities.

 

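Both posts above relay the alert's recommendation that administrators take the IP addresses, file hashes and YARA rules from the accompanying .csv/.stix files and check them against their own environment. The script below is an added example of that watchlist check, not code from US-CERT, SecurityWeek, BleepingComputer or either poster. The CSV column layout, the IOC values, the firewall log format and the file hashes are all constructed for illustration; the real indicators and their format come from the alert's own files.

```python
"""
Added example: match IOC IPs/CIDRs and file hashes from a CSV watchlist
against firewall log lines and an endpoint file inventory.
All indicator values, log lines and hashes here are constructed.
"""
import csv
import io
import ipaddress
import re

# Constructed stand-in for an IOC .csv; the column names are an assumption,
# not the layout of the US-CERT file.
IOC_CSV = """indicator,type,note
198.51.100.23,ipv4,constructed C2 address
203.0.113.0/24,cidr,constructed watchlist range
d41d8cd98f00b204e9800998ecf8427e,md5,constructed sample hash
"""

# Constructed firewall log lines; the "src:port -> dst:port" layout is assumed.
SAMPLE_LOGS = [
    "2017-06-14T09:12:01Z fw01 allow tcp 10.0.0.5:51234 -> 198.51.100.23:443",
    "2017-06-14T09:12:05Z fw01 allow udp 10.0.0.9:40000 -> 8.8.8.8:53",
    "2017-06-14T09:13:44Z fw01 allow tcp 10.0.0.7:51300 -> 203.0.113.77:80",
]

# Constructed endpoint inventory: file path -> MD5 of the file.
SAMPLE_FILES = {
    r"C:\Windows\System32\svchost.exe": "ffffffffffffffffffffffffffffffff",
    r"C:\Windows\Temp\update.dll": "d41d8cd98f00b204e9800998ecf8427e",
}

# Captures the source and destination IPv4 addresses of one connection record.
IP_PAIR = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}):\d+\s*->\s*(\d{1,3}(?:\.\d{1,3}){3}):\d+"
)


def load_iocs(csv_text):
    """Parse the watchlist CSV into (networks, hashes).

    Single IPs are stored as /32 networks so one membership test covers
    both plain addresses and CIDR ranges.
    """
    networks, hashes = [], {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = row["type"].strip().lower()
        if kind in ("ipv4", "cidr"):
            net = ipaddress.ip_network(row["indicator"].strip(), strict=False)
            networks.append((net, row["note"]))
        elif kind in ("md5", "sha1", "sha256"):
            hashes[row["indicator"].strip().lower()] = row["note"]
    return networks, hashes


def match_ip(ip, networks):
    """Return the note of the first watchlist network containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    for net, note in networks:
        if addr in net:
            return note
    return None


def scan_logs(lines, networks):
    """Return (line, matched_ip, note) for each log line touching a watchlisted address."""
    hits = []
    for line in lines:
        m = IP_PAIR.search(line)
        if not m:
            continue
        for ip in m.groups():
            note = match_ip(ip, networks)
            if note:
                hits.append((line, ip, note))
    return hits


def scan_files(files, hashes):
    """Return (path, hash, note) for each inventory entry whose hash is watchlisted."""
    return [(path, h, hashes[h.lower()]) for path, h in files.items()
            if h.lower() in hashes]


if __name__ == "__main__":
    nets, hs = load_iocs(IOC_CSV)
    for line, ip, note in scan_logs(SAMPLE_LOGS, nets):
        print(f"IP hit {ip} ({note}): {line}")
    for path, h, note in scan_files(SAMPLE_FILES, hs):
        print(f"Hash hit {h} ({note}): {path}")
```

An IP hit on its own only says that a host talked to a watchlisted address; as the alert itself notes, the next step is to pull the host's process list and binaries and run the published YARA rules against them before treating it as confirmed. Hash matching against a static inventory also misses a bot that updates its own binary, which is exactly what the posts say DeltaCharlie can do, so the file check is a complement to the network check, not a replacement.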

