The U.S. Computer Emergency Readiness Team has issued a critical technical alert on the tools and infrastructure being used by North Korean agents to target the media, aerospace and financial sectors of the United States and elsewhere, as well as critical infrastructures that could include the healthcare industry.

Decision to cancel the planned swap of FBI headquarters doesn’t lessen need for a new facility, GSA said.
Decision to cancel the planned swap of FBI headquarters doesn’t lessen need for a new facility, GSA said.
FBI

“Working with U.S. Government partners, the Department of Homeland Security and the FBI identified Internet Protocol addresses associated with a malware variant, known as DeltaCharlie, used to manage North Korea’s distributed denial-of-service botnet infrastructure,” according to the alert from CERT.

Older and unsupported versions of Microsoft operating systems are particularly vulnerable to attack, according to the alert. “These actors have also used Adobe Flash player vulnerabilities to gain entry into users’ environments.” Further, five applications are particularly vulnerable:

Also See: Why WannaCry is a wakeup call for healthcare

A botnet, according to TechTarget.com, “is a collection of Internet-connected devices which may include PCs, servers, mobile devices and Internet of Things devices that are infected and controlled by a common type of malware. Users are often unaware of a botnet infecting their system.” Five applications are particularly vulnerable:

• CVE-2015-6585: Hangul Word Processor Vulnerability

• CVE-2015-8651: Adobe Flash Player 18.0.0.324 and 19.x Vulnerability

• CVE-2016-0034: Microsoft Silverlight 5.1.41212.0 Vulnerability

• CVE-2016-1019: Adobe Flash Player 21.0.0.197 Vulnerability

• CVE-2016-4117: Adobe Flash Player 21.0.0.226 Vulnerability

The CERT alert further walks though indicators of compromise, malware descriptions, network signatures and rules to detect North Korean cyber activity.

The government is calling the activity HIDDEN COBRA and any such activity detected should be immediately flagged and reported to the DHS National Cybersecurity Communications and Integration Center or the FBI Cyber Watch. Detection of the North Korean tools compels immediate enhanced mitigation.

Other tools used by North Korean actors include keyloggers (record key strokes to gain access to passwords); remote access tools (ability to access remote computers) and wiper malware (wipe data from hard drives and other storage units).

The U.S. CERT alert also includes links to download indicators of compromise. The complete alert is available here.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access