Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

US-CERT Issues North Korean Cyberattack Patch Warning

June 19, 2017

Naked Security reported on June 15th that US-CERT had issued an unusually blunt public warning to businesses about the threat posed by North Korean cyberattacks and the urgent need to patch old software to defend against them.

In one way, it is no surprise since the US has been accusing the Democratic People's Republic of Korea (DPRK) of causing trouble in cyberspace as far back as the high-profile attack on Sony in 2014. Amazing how that seems like ancient history.

This alert is different, both in its detail and in that it has been made public by the US Department of Homeland Security (DHS) and the FBI through US-CERT, usually taken as a sign of imminent trouble.

The advisory's first message is that anyone detecting activities by the DPRK, codenamed "Hidden Cobra" (aka the Lazarus Group or Guardians of Peace), should report activity through the DHS National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch).

Indicators of Compromise (IOCs) cover a range of DDoS botnet activity, keylogging, remote access tools (RATs), and disk-wiping malware, as well as SMB worm malware of the sort blamed for the recent WannaCry attacks. The alert also lists IP address ranges used for DDoS attacks by a botnet infrastructure dubbed "DeltaCharlie", and describes some of the tools employed by Hidden Cobra.

But the real takeaway is to patch the older applications that the alleged North Korean attacks favor as targets, particularly those affected by the following Common Vulnerabilities and Exposures (CVE) entries:

CVE-2015-8651: Adobe Flash Player 18.0.0.324 and 19.x Vulnerability

CVE-2016-0034: Microsoft Silverlight 5.1.41212.0 Vulnerability

CVE-2016-1019: Adobe Flash Player 21.0.0.197 Vulnerability

CVE-2016-4117: Adobe Flash Player 21.0.0.226 Vulnerability

Interestingly, although these emerged as zero-day vulnerabilities, it's likely that Hidden Cobra exploited them after patches appeared. This suggests a rudimentary but well-proven tactic: target vulnerabilities that already have a fix, and catch anyone who hasn't applied the update. Have I talked recently about the need to apply patches quickly?

Yes, I thought so.
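The practical follow-up to that list is an inventory check: which machines still run a Flash Player or Silverlight build in one of the version ranges the alert names? The script below is an added example, not code from this post or from US-CERT. It takes the four CVE lines above as its rule set (reading "19.x" as any 19.* build), and its one assumption is a deliberately conservative one: any build at or below a listed affected version is flagged as needing a patch. The inventory is constructed sample data, not real hosts.

```python
"""Flag installed Flash Player / Silverlight builds that fall in the version
ranges the US-CERT Hidden Cobra alert lists as exploited.

Added example, not from the original post or the alert. The affected versions
are the ones printed in the CVE list; the inventory below is constructed
sample data; treating any build at or below a listed version as unpatched
is this example's own (deliberately conservative) assumption."""

import re
from typing import List, Tuple

# (CVE, product, affected version as printed in the alert). "19.x" = any 19.* build.
AFFECTED = [
    ("CVE-2015-8651", "Adobe Flash Player", "18.0.0.324"),
    ("CVE-2015-8651", "Adobe Flash Player", "19.x"),
    ("CVE-2016-0034", "Microsoft Silverlight", "5.1.41212.0"),
    ("CVE-2016-1019", "Adobe Flash Player", "21.0.0.197"),
    ("CVE-2016-4117", "Adobe Flash Player", "21.0.0.226"),
]

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '21.0.0.226' into (21, 0, 0, 226). Anything non-numeric is rejected
    so a malformed inventory line fails loudly instead of silently comparing low."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"bad version string: {text!r}")
    return tuple(int(p) for p in text.split("."))


def version_le(a: Version, b: Version) -> bool:
    """Dotted-numeric compare: 21.0.0.197 <= 21.0.0.226 and 18.0.0.324 < 19.0.0.0.
    A plain string compare would get '5.1.50907.0' vs '5.1.41212.0' wrong in
    other cases, so pad missing trailing components with zeros and compare tuples."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return a <= b


def matches(installed: str, affected: str) -> bool:
    """True if an installed build is at or below the affected version (this
    example's assumption), or sits in the affected major branch when the alert
    only gives 'N.x'."""
    inst = parse_version(installed)
    if affected.endswith(".x"):
        return inst[0] == int(affected[:-2])
    return version_le(inst, parse_version(affected))


def find_exposed(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, version, cve) for every inventory entry that
    matches an affected range. Products not in the rule set are ignored."""
    hits = []
    for host, product, version in inventory:
        for cve, prod, affected in AFFECTED:
            if product == prod and matches(version, affected):
                hits.append((host, product, version, cve))
    return hits


# Constructed sample inventory (hostname, product, version); not real hosts.
SAMPLE_INVENTORY = [
    ("ws01", "Adobe Flash Player", "21.0.0.197"),
    ("ws02", "Adobe Flash Player", "19.0.0.245"),
    ("ws03", "Adobe Flash Player", "26.0.0.131"),
    ("ws04", "Microsoft Silverlight", "5.1.41212.0"),
    ("ws05", "Microsoft Silverlight", "5.1.50907.0"),
    ("ws06", "Adobe Flash Player", "18.0.0.324"),
]

if __name__ == "__main__":
    for host, product, version, cve in find_exposed(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} matches {cve}; patch it")
```

On the sample data, ws03 (a current Flash build) and ws05 (a Silverlight build newer than the listed one) come back clean; ws01, ws02, ws04 and ws06 are flagged, with older Flash builds matching several CVEs at once because they predate all of the later fixes. Feed it the output of whatever software inventory tool you already have, and the hosts it prints are the ones the alert is warning you about.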

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson