Feds issue an urgent alert on North Korean cyber threat

The U.S. Computer Emergency Readiness Team has issued a critical technical alert on the tools and infrastructure being used by North Korean agents to target the media, aerospace and financial sectors of the United States and elsewhere, as well as critical infrastructures that could include the healthcare industry.

“Working with U.S. Government partners, the Department of Homeland Security and the FBI identified Internet Protocol addresses associated with a malware variant, known as DeltaCharlie, used to manage North Korea’s distributed denial-of-service botnet infrastructure,” according to the alert from CERT.

Older and unsupported versions of Microsoft operating systems are particularly vulnerable to attack, according to the alert. “These actors have also used Adobe Flash player vulnerabilities to gain entry into users’ environments.”


A botnet, according to TechTarget.com, “is a collection of Internet-connected devices which may include PCs, servers, mobile devices and Internet of Things devices that are infected and controlled by a common type of malware. Users are often unaware of a botnet infecting their system.” Five applications are particularly vulnerable:

• CVE-2015-6585: Hangul Word Processor Vulnerability

• CVE-2015-8651: Adobe Flash Player and 19.x Vulnerability

• CVE-2016-0034: Microsoft Silverlight 5.1.41212.0 Vulnerability

• CVE-2016-1019: Adobe Flash Player Vulnerability

• CVE-2016-4117: Adobe Flash Player Vulnerability

The CERT alert further walks through indicators of compromise, malware descriptions, network signatures and rules to detect North Korean cyber activity.

The government refers to this activity as HIDDEN COBRA. Any such activity that is detected should be flagged immediately and reported to the DHS National Cybersecurity and Communications Integration Center or the FBI Cyber Watch. Detection of the North Korean tools compels immediate enhanced mitigation.
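The alert's IP-address indicators are only useful once they are matched against an organization's own traffic. The following is an added example, not code from US-CERT or the original article, showing how a defender might operationalize such a feed: it loads a CSV-shaped IoC list (the addresses below are RFC 5737 documentation ranges, constructed as placeholders, not the alert's real indicators), scans constructed firewall log lines, and reports each internal host that talked to a listed address, separating outbound connections (a host beaconing to botnet management infrastructure) from inbound ones.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed IoC feed (ip,first_seen,note). Placeholder addresses only;
# a real deployment would load the IP list published with the alert.
IOC_FEED = """\
ip,first_seen,note
203.0.113.45,2017-06-13,DeltaCharlie management host (placeholder)
198.51.100.7,2017-06-13,DeltaCharlie management host (placeholder)
"""

# Constructed firewall log lines: <timestamp> <action> <proto> <src:port> -> <dst:port>
LOG_LINES = [
    "2017-06-14T02:11:05Z ALLOW TCP 10.0.0.12:51432 -> 203.0.113.45:443",
    "2017-06-14T02:11:09Z ALLOW TCP 10.0.0.12:51433 -> 93.184.216.34:443",
    "2017-06-14T02:12:40Z DENY  TCP 198.51.100.7:6667 -> 10.0.0.40:445",
    "2017-06-14T02:13:01Z ALLOW UDP 10.0.0.99:123 -> 203.0.113.45:123",
    "this line is malformed and must not abort the scan",
]

LOG_RE = re.compile(r"^(\S+)\s+(\w+)\s+(\w+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")


def load_iocs(feed_text):
    """Parse the CSV feed into {ip_address: note}, skipping the header and blank lines."""
    iocs = {}
    for line in feed_text.splitlines()[1:]:
        if not line.strip():
            continue
        ip, _first_seen, note = line.split(",", 2)
        iocs[ipaddress.ip_address(ip.strip())] = note.strip()
    return iocs


def scan_logs(lines, iocs):
    """Return {(internal_host, ioc_ip): {"count", "directions", "note"}} for every match."""
    hits = defaultdict(lambda: {"count": 0, "directions": set(), "note": ""})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash the whole scan
        src, dst = ipaddress.ip_address(m.group(4)), ipaddress.ip_address(m.group(6))
        if dst in iocs:          # internal host connecting out to a listed address
            host, ioc, direction = src, dst, "outbound"
        elif src in iocs:        # listed address connecting in (even if denied)
            host, ioc, direction = dst, src, "inbound"
        else:
            continue
        rec = hits[(str(host), str(ioc))]
        rec["count"] += 1
        rec["directions"].add(direction)
        rec["note"] = iocs[ioc]
    return dict(hits)
```

Outbound hits deserve the first look, since they indicate a host that may already be enrolled in the botnet; a denied inbound hit is still worth recording because the alert asks that any contact with the listed infrastructure be reported.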

Other tools used by North Korean actors include keyloggers (which record keystrokes to capture passwords), remote access tools (which give the attacker access to remote computers) and wiper malware (which wipes data from hard drives and other storage).

The U.S. CERT alert also includes links to download indicators of compromise. The complete alert is available here.
