Organizations need to be on the lookout for North Korea’s “Hidden Cobra” attacks, federal officials said.
The attacker that the United States Computer Emergency Readiness Team (US-CERT) is calling “Hidden Cobra” is also known as the Lazarus Group, which is thought to be the mastermind behind attacks that targeted Sony Pictures, among others.
The joint alert from the FBI and the DHS provides indicators of compromise (IoCs) associated with a botnet known as “DeltaCharlie.” The North Korean government has allegedly used DeltaCharlie, which was highlighted in a Novetta report, to launch DDoS attacks.
“DeltaCharlie is a DDoS tool capable of launching Domain Name System (DNS) attacks, Network Time Protocol (NTP) attacks, and Character Generation Protocol attacks,” US-CERT said in its technical alert. “The malware operates on victims’ systems as a svchost-based service and is capable of downloading executables, changing its own configuration, updating its own binaries, terminating its own processes, and activating and terminating denial-of-service attacks.”
US-CERT shared information on exploits, malware, IP addresses, file hashes, network signatures, and YARA rules associated with Hidden Cobra in an effort to help defenders detect the group’s attacks. However, it said “further research is needed to understand the full breadth of this group’s cyber capabilities.”
The agency said that in some cases the DDoS malware had been present on victims’ networks for a significant period of time.
Network administrators have been advised to follow a series of recommendations for mitigating attacks and responding to unauthorized network access.