Feds Alert about North Korean Attacker

Wednesday, May 30, 2018 @ 02:05 PM gHale

Federal agencies have released a technical alert on malware used by Hidden Cobra, an attacker whose activities they believe to be directed by the North Korean government.

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have been documenting malware used by the group.


This time, they warn about Joanap, a remote access tool (RAT) used “to establish peer-to-peer communications and to manage botnets designed to enable other operations,” and Brambul, a brute-force authentication worm that spreads through Server Message Block (SMB) shares by guessing credentials on other hosts.

“According to reporting of trusted third parties, Hidden Cobra actors have likely been using both Joanap and Brambul malware since at least 2009 to target multiple victims globally and in the United States—including the media, aerospace, financial, and critical infrastructure sectors,” said the US-CERT alert.

“Like many of the families of malware used by Hidden Cobra actors, Joanap, Brambul, and other previously reported custom malware tools, may be found on compromised network nodes.”

Compromised network nodes identified as part of the Joanap infrastructure are scattered across the world, the note said.

“FBI has high confidence that HIDDEN COBRA actors are using the IP addresses — listed in this report’s IOC files — to maintain a presence on victims’ networks and enable network exploitation. DHS and FBI are distributing these IP addresses and other IOCs to enable network defense and reduce exposure to any North Korean government malicious cyber activity,” it said.

US-CERT advises administrators to use the provided indicators of compromise and the accompanying malware analysis report to check whether their networks have been compromised, and offers general mitigation strategies against these and other malware families.
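The two checks the alert asks defenders to perform, matching network logs against an IOC IP list and looking for the credential-spraying pattern a worm like Brambul produces over SMB, can be scripted. The following Python script is an added example, not code from the alert or from US-CERT. The IOC addresses in it are placeholders drawn from the RFC 5737 documentation ranges, not the addresses distributed with the alert, and the flow and logon records are constructed for the example; a real run would load the alert's IOC file and feed in actual firewall and Windows logon-failure logs in the same simple field layout.

```python
"""Added example: match flow logs against an IOC IP list and flag SMB
credential spraying.  IOC_IPS, SAMPLE_FLOWS and SAMPLE_AUTH are all
constructed placeholders, not the alert's real indicators or any real log."""

import ipaddress
from collections import defaultdict

# Placeholder IOC list (RFC 5737 documentation addresses, NOT the alert's IOCs).
# In practice, load the IP column of the alert's IOC file into this set.
IOC_IPS = {"192.0.2.45", "198.51.100.17", "203.0.113.9"}

# Constructed flow records: "<timestamp> <src_ip> <dst_ip> <dst_port> <action>".
SAMPLE_FLOWS = """\
2018-05-30T10:01:02Z 10.0.0.12 192.0.2.45 443 ALLOW
2018-05-30T10:01:05Z 10.0.0.12 93.184.216.34 443 ALLOW
2018-05-30T10:02:11Z 198.51.100.17 10.0.0.40 445 ALLOW
2018-05-30T10:02:12Z 10.0.0.40 10.0.0.41 445 ALLOW
2018-05-30T10:02:40Z 10.0.0.40 203.0.113.9 8080 ALLOW
2018-05-30T10:03:00Z 10.0.0.7 10.0.0.1 53 ALLOW
""".splitlines()

# Constructed network-logon records (e.g. from Windows event 4625/4624 with
# logon type 3): "<timestamp> <src_ip> <target_host> <account> <result>".
SAMPLE_AUTH = """\
2018-05-30T10:02:13Z 10.0.0.40 10.0.0.41 administrator FAILURE
2018-05-30T10:02:13Z 10.0.0.40 10.0.0.41 admin FAILURE
2018-05-30T10:02:14Z 10.0.0.40 10.0.0.42 administrator FAILURE
2018-05-30T10:02:14Z 10.0.0.40 10.0.0.42 admin FAILURE
2018-05-30T10:02:15Z 10.0.0.40 10.0.0.43 administrator FAILURE
2018-05-30T10:02:15Z 10.0.0.40 10.0.0.43 admin FAILURE
2018-05-30T10:02:16Z 10.0.0.40 10.0.0.44 administrator FAILURE
2018-05-30T10:02:16Z 10.0.0.40 10.0.0.44 guest FAILURE
2018-05-30T10:02:17Z 10.0.0.40 10.0.0.45 administrator FAILURE
2018-05-30T10:02:17Z 10.0.0.40 10.0.0.45 admin SUCCESS
2018-05-30T10:05:01Z 10.0.0.12 10.0.0.41 jdoe FAILURE
2018-05-30T10:05:09Z 10.0.0.12 10.0.0.41 jdoe SUCCESS
""".splitlines()


def load_iocs(entries):
    """Normalise IOC strings to canonical IP text, rejecting malformed entries
    so a typo in the IOC file cannot silently disable a match."""
    return {str(ipaddress.ip_address(e.strip())) for e in entries if e.strip()}


def match_iocs(flow_lines, iocs):
    """Return (src, dst, port) for every flow whose source or destination
    address appears in the IOC set, in log order."""
    hits = []
    for line in flow_lines:
        _ts, src, dst, port, _action = line.split()
        if src in iocs or dst in iocs:
            hits.append((src, dst, int(port)))
    return hits


def detect_smb_bruteforce(auth_lines, min_failures=8, min_hosts=3):
    """Flag sources with many failed network logons spread over several target
    hosts: one client legitimately mistyping a password fails against one host,
    while a worm guessing credentials over SMB fails against many.
    Returns (src, failure_count, distinct_target_hosts) per flagged source."""
    failures = defaultdict(int)
    hosts = defaultdict(set)
    for line in auth_lines:
        _ts, src, host, _account, result = line.split()
        if result == "FAILURE":
            failures[src] += 1
            hosts[src].add(host)
    return sorted(
        (src, failures[src], len(hosts[src]))
        for src in failures
        if failures[src] >= min_failures and len(hosts[src]) >= min_hosts
    )


if __name__ == "__main__":
    iocs = load_iocs(IOC_IPS)
    for src, dst, port in match_iocs(SAMPLE_FLOWS, iocs):
        print(f"IOC hit: {src} -> {dst}:{port}")
    for src, n_fail, n_hosts in detect_smb_bruteforce(SAMPLE_AUTH):
        print(f"possible SMB spraying from {src}: {n_fail} failures on {n_hosts} hosts")
```

The spraying check is deliberately a two-dimensional threshold (failure count and distinct hosts) rather than a plain failure count; a successful logon from the same source after the failures, as in the constructed data for 10.0.0.40, is the record to pivot on in an investigation. Thresholds are assumptions and should be tuned against a baseline of the environment's normal logon failures.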
