HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure

HIDDEN COBRA ROAR!!! No seriously this isn't an anime or WOW.

Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group[1] (link is external) and Guardians of Peace.[2] (link is external) DHS and FBI assess that HIDDEN COBRA actors will continue to use cyber operations to advance their government’s military and strategic objectives. Cyber analysts are encouraged to review the information provided in this alert to detect signs of malicious network activity.
Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover,[3] (link is external) Wild Positron/Duuzer,[4] (link is external) and Hangman.[5] (link is external) DHS has previously released Alert TA14-353A,[6] which contains additional details on the use of a server message block (SMB) worm tool employed by these actors. Further research is needed to understand the full breadth of this group’s cyber capabilities. In particular, DHS recommends that more research should be conducted on the North Korean cyber activity that has been reported by cybersecurity and threat research firms.
HIDDEN COBRA actors commonly target systems running older, unsupported versions of Microsoft operating systems. The multiple vulnerabilities in these older systems provide cyber actors many targets for exploitation. These actors have also used Adobe Flash player vulnerabilities to gain initial entry into users’ environments.

Ut oh Britain! Your windows XP systems are mine! Just kidding guys fricken relax already.

Just giving everyone who runs an older system a heads up and I know there is a few InfoSec guys here so I thought it would be interesting to share.

Patch applications and operating systems – Most attackers target vulnerable applications and operating systems. Ensuring that applications and operating systems are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker. Use best practices when updating software and patches by only downloading updates from authenticated vendor sites.
Use application whitelisting – Whitelisting is one of the best security strategies because it allows only specified programs to run while blocking all others, including malicious software.
Restrict administrative privileges – Threat actors are increasingly focused on gaining control of legitimate credentials, especially credentials associated with highly privileged accounts. Reduce privileges to only those needed for a user’s duties. Separate administrators into privilege tiers with limited access to other tiers.
Segment networks and segregate them into security zones – Segment networks into logical enclaves and restrict host-to-host communications paths. This helps protect sensitive information and critical services, and limits damage from network perimeter breaches.
Validate input – Input validation is a method of sanitizing untrusted input provided by users of a web application. Implementing input validation can protect against the security flaws of web applications by significantly reducing the probability of successful exploitation. Types of attacks possibly averted include Structured Query Language (SQL) injection, cross-site scripting, and command injection.
Use stringent file reputation settings – Tune the file reputation systems of your anti-virus software to the most aggressive setting possible. Some anti-virus products can limit execution to only the highest reputation files, stopping a wide range of untrustworthy code from gaining control.
Understand firewalls – Firewalls provide security to make your network less susceptible to attack. They can be configured to block data and applications from certain locations (IP whitelisting), while allowing relevant and necessary data through.

Interesting advice from homeland security on how to better protect your network from these kinds of intrusions including signatures for any IPS systems you may be running.

Enjoy!

This advice coming from the same government that left 1,000s of systems accessible with the default Windows Admin
account/password...

~Winter~

a reply to: Winterpain

Can you point out the actual flaws in their recommendations please?

Don't see any in their recommendations at all... Just wish they would audit their own systems to ensure they are following their own recommendations.

The best security experts in the world do no good, if they do not have a quality program/security audits taking place to ensure those recommendations are being followed. More of a rant at our government for allowing the most basic things to slip through the cracks... when they know better.

And it only take one IoT appliance that isn't fully configured properly to compromise your whole home network. So far I've got one Smart TV, a wi-fi web cam, an old laptop and desktop PC. The first two have wi-fi that I can't switch off. The old laptop has a little switch that turns off the wifi-antennae, and the desktop PC doesn't have wi-fi.

Our university sys-admin told us that a home PC shouldn't have a single socket port open, but of course Windows and Linux just love to have servers running for everything; printing, file sharing, videocasting/screencasting. Even Firefox has background processes that connect to Amazon, Facebook and Google (website address filtering for malware).

a reply to: stormcell

Your home router should be acting as a firewall and VPN.

a reply to: toysforadults

Where is your required link to this info pasted??

a reply to: mysterioustranger

US-Cert