Naked Security reported on June 15th that US-CERT had issued an unusually blunt public warning to businesses about the threat posed by North Korean cyberattacks and the urgent need to patch old software to defend against them.
In one way, it is no surprise since the US has been accusing the Democratic People's Republic of Korea (DPRK) of causing trouble in cyberspace as far back as the high-profile attack on Sony in 2014. Amazing how that seems like ancient history.
This alert is different, both in its detail and in that it has been made public by the US Department of Homeland Security (DHS) and the FBI through US-CERT, usually taken as a sign of imminent trouble.
The advisory's first message is that anyone detecting activity by the DPRK actor codenamed "Hidden Cobra" (aka the Lazarus Group or Guardians of Peace) should report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch).
The Indicators of Compromise (IOCs) run the gamut of DDoS botnet activity, keylogging, remote access tools (RATs) and disk-wiping malware, as well as SMB worm malware of the sort blamed for the recent WannaCry attacks. The alert also lists IP addresses associated with a DDoS botnet management tool dubbed "DeltaCharlie" and describes some of the other tools employed by Hidden Cobra.
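The practical use of the IP indicators in an alert like this is to run them against your own proxy and firewall logs. The following is an added example, not code from the article or from US-CERT: it loads a list of IP addresses and CIDR ranges and matches both ends of each logged connection against them. The indicator values and the log lines are constructed for illustration (RFC 5737 documentation ranges), and the log format is an assumed one-line-per-connection layout, not any particular product's format.

```python
"""Match connection log lines against an IOC list of IP addresses/CIDRs.

Added example. The indicators below are constructed placeholders from the
RFC 5737 documentation ranges, NOT the Hidden Cobra indicators, and the log
format is an assumed "timestamp src -> dst:port" layout.
"""
import ipaddress
import re

# Constructed placeholder indicators (would normally be loaded from the
# CSV/STIX file that accompanies the alert).
IOC_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.7/32"),
]

# Assumed log layout: "<timestamp> <src ip> -> <dst ip>:<dst port>"
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$"
)

# Constructed sample log: one hit on a /32, one hit inside a /24, one clean
# line and one malformed line that the parser must skip rather than crash on.
SAMPLE_LOG = """\
2017-06-16T10:01:02Z 10.0.0.5 -> 203.0.113.7:443
2017-06-16T10:01:03Z 10.0.0.9 -> 93.184.216.34:80
2017-06-16T10:01:04Z 10.0.0.12 -> 198.51.100.42:8080
this line is not a connection record
"""


def match_ioc(ip_text, ranges=IOC_RANGES):
    """Return the first IOC network containing ip_text, or None.

    Strings that are not valid addresses never match, so a log field that
    happens to contain garbage cannot produce a false hit or an exception.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net in ranges:
        if addr in net:
            return net
    return None


def scan_log(text, ranges=IOC_RANGES):
    """Return one dict per (line, field) that hit an indicator.

    Both source and destination are checked: an indicator may show up as
    the remote end of outbound command-and-control traffic or as the
    source of inbound DDoS traffic.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip, do not abort the scan
        for field in ("src", "dst"):
            net = match_ioc(m.group(field), ranges)
            if net is not None:
                hits.append({
                    "line": lineno,
                    "field": field,
                    "ip": m.group(field),
                    "ioc": str(net),
                    "ts": m.group("ts"),
                })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['field']}={hit['ip']} "
              f"matched {hit['ioc']} at {hit['ts']}")
```

Treat a hit as a lead to investigate and report through NCCIC or CyWatch as the advisory asks, not as proof of compromise by itself: published indicator lists routinely include addresses shared with unrelated hosts, so the surrounding traffic and the host's patch state matter as much as the match.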
But the real takeaway is to patch the older applications that the alleged North Korean attacks favour, particularly those affected by the following Common Vulnerabilities and Exposures (CVE) entries:
CVE-2015-8651: Adobe Flash Player 18.0.0.324 and 19.x Vulnerability
CVE-2016-0034: Microsoft Silverlight 5.1.41212.0 Vulnerability
CVE-2016-1019: Adobe Flash Player 21.0.0.197 Vulnerability
CVE-2016-4117: Adobe Flash Player 21.0.0.226 Vulnerability
Interestingly, although these emerged as zero-day vulnerabilities, it's likely that Hidden Cobra exploited them after patches appeared. This suggests a rudimentary but well-proven tactic: target vulnerabilities that already have fixes and catch anyone who hasn't applied the updates. Have I talked recently about the need to apply patches quickly?
Yes, I thought so.