The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) released a technical alert on Hidden Cobra, the name the U.S. Government uses for malicious cyber activity by the North Korean government. North Korea’s DDoS botnet infrastructure is also sometimes referred to as Hidden Cobra.
The alert provides technical details on the tools and infrastructure, including IP addresses associated with DeltaCharlie, a malware variant used to manage North Korea’s distributed denial of service (DDoS) botnet infrastructure. Also listed were indicators of compromise, malware descriptions, network signatures, and host-based rules that network admins can use to detect activity conducted by the North Korean government on their networks.
The technical alert encourages users and administrators who detect the use of Hidden Cobra custom tools to report such activities to the DHS or FBI.
Imperva Incapsula has put together some frequently asked questions and is continuing to monitor the situation.
- What is Hidden Cobra?
- The U.S. Government refers to the malicious cyber activity by the North Korean government as Hidden Cobra.
Activities now identified as Hidden Cobra began in 2009. They include attacks by threat actors against victims in the public and private sectors, theft of data, and disruption of website availability.
- What is DeltaCharlie and how does it differ from Hidden Cobra?
- According to the US-CERT report, DeltaCharlie is the malware used to infect machines, converting them into “zombie” bots. Infected bots collectively form a botnet that is controlled by the threat actors.
The DeltaCharlie malware was discovered by Novetta in its 2016 Operation Blockbuster Malware Report. There is evidence that the malware may have been present on victims’ networks for a significant period.
- What are the capabilities of Hidden Cobra and DeltaCharlie?
- According to Novetta’s report, threat actors use Hidden Cobra tools and capabilities such as DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware.
Hidden Cobra threat actors use DeltaCharlie as a DDoS tool. DeltaCharlie has been used in several attacks since it was first reported.
- How does DeltaCharlie launch DDoS attacks?
- DeltaCharlie can launch DNS, NTP and Character Generation Protocol (CHARGEN) DDoS attacks, operating on victims’ systems as a svchost-based service (svchost.exe is the generic host process for Windows services). It can download executable files, change its configuration, update its own binaries, terminate its own processes, and activate and terminate denial of service attacks.
- How do the Lazarus Group and Guardians of Peace relate to all this?
- According to the US-CERT report, Hidden Cobra has been previously reported as the Lazarus Group and Guardians of Peace.
The Lazarus Group was first reported in Operation Blockbuster by Novetta. It has been active since 2007 and has conducted attacks as recently as May 2017. It is best known for its high-profile attack on Sony Pictures Entertainment in 2014.
On November 24, 2014, a post on Reddit reported that Sony Pictures had been hacked. A group identified itself as the Guardians of Peace and hacked into the Sony network, leaving it unavailable for days. The Guardians of Peace accessed information on employees, email and unreleased films. Guardians of Peace claimed it had been in the Sony network for a year before being discovered.
How to Mitigate DDoS Attacks
The US-CERT report suggests the following steps network admins can take to defend their systems.
- Patch applications and operating systems – Update software and apply patches frequently, and download updates only from trusted vendor sites.
- Whitelist applications – Use application whitelisting so that only approved programs can run, which blocks malicious software from executing.
- Restrict administrative privileges – Reduce privileges to fit a user’s role. Keep administrators in privileged tiers and limit their access to other tiers.
- Segment networks and segregate them into security zones – Segmenting the network helps admins protect sensitive information and critical services, and limits the damage from a network perimeter breach.
- Validate input – Input validation closes security gaps in web applications and can block attacks such as SQL injection, cross-site scripting, and command injection.
- Use stringent file reputation settings – Keep the file reputation lists of your anti-virus software at the most aggressive setting allowable. This helps prevent a wide range of untrustworthy code from gaining control.
- Leverage firewalls – Firewalls make your network less likely to be attacked. Web application firewalls can block traffic from specific IP addresses while allowing necessary data through.