US-CERT issues North Korean cyberattack patch warning

The US has issued an unusually stark public warning to businesses about the threat posed by North Korean cyberattacks and the urgent need to patch old software to defend against them.

No surprise in this, you might say, after all the US has been accusing the Democratic People’s Republic of Korea (DPRK) of causing trouble in cyberspace as far back as the high-profile attack on Sony in 2014.

This alert is a bit different, both in its detail and that it has been made public by the US Department of Homeland Security (DHS) and the FBI through US-CERT, usually taken as a sign of imminent trouble.

The advisory’s first message is that anyone detecting activities by the DPRK, codenamed “Hidden Cobra” (aka the Lazarus Group or Guardians of Peace), should report activity through the DHS National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch).

Indicators of Compromise (IOCs) cover a gamut of DDoS botnet activity, keylogging, remote access tools (RATs), and disk wiping malware, as well as SMB worm malware of the sort blamed for the recent WannaCry attacks.

It also refers to IP address ranges used for DDoS attacks, dubbed “DeltaCharlie”, and describes some of the tools employed by Hidden Cobra:

…DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Wild Positron/Duuzer, and Hangman. DHS has previously released Alert TA14-353A, which contains additional details on the use of a server message block (SMB) worm tool employed by these actors.

The takeaway for Naked Security readers is to patch the older applications alleged North Korean cyberattacks like to prey on, particularly the following CVEs:

• CVE-2015-8651: Adobe Flash Player 18.0.0.324 and 19.x Vulnerability
• CVE-2016-0034: Microsoft Silverlight 5.1.41212.0 Vulnerability
• CVE-2016-1019: Adobe Flash Player 21.0.0.197 Vulnerability
• CVE-2016-4117: Adobe Flash Player 21.0.0.226 Vulnerability

Interestingly, although these emerged as zero-day vulnerabilities, it’s likely that Hidden Cobra exploited them after patches appeared. This suggests a crude but well proven MO in which vulnerabilities are targeted to catch out anyone who hasn’t applied updates.

As with the other advice given (reducing user privileges, paying attention to web services vulnerabilities) patching old vulnerabilities is something companies should be doing anyway. Threat hunters working in Security Operations Centres (SOCs) get YARA signatures to help with detection.

All in all, US-CERT is making a lot of fuss over the DPRK, including repeating the relatively recent suggestion that Hidden Cobra has been conducting cyberattacks as far back as 2009. Some think it probably goes back to 2007, not long after the US began its own advanced cyberwarfare effort.

This is a lot earlier than anyone has previously acknowledged which, taken at face value, perhaps underlines how long the DPRK has been ignored or under-estimated as a threat.

What marks out cyberattacks connected to the DRPK is their strange vindictiveness. In addition to the grudge attack on Sony, disk wipers were a common theme used to target South Korean businesses, including DarkSeoul malware first identified by Sophos.

Earlier this year, the DPRK was forensically linked to the alarming attack on the SWIFT bank messaging system through a Bangladesh bank that netted $81 million for the attackers.

Then came the real oddity, WannaCry, also attributed in some quarters to North Korea. If this was a cry for attention, it succeeded in its aim.

North Korea is starting to look like a major cyber-worry, an unpredictable actor capable of pulling off financial spectaculars as well as unrestrained revenge stunts.