Getty Images/iStockphoto

Feds Alert to New North Korean Malware Threats, Mitigation Tactics

DHS CISA, the FBI, and DOD are urging organizations to review insights into three recent malware variants tied to North Korea and recommended mitigation techniques to bolster defenses.

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency, the FBI, and the Department of Homeland Security issued an alert regarding three newly identified malware variants being used by the North Korean government, referred to as HIDDEN COBRA.

HIDDEN COBRA has long targeted US industries and is allegedly behind some of the largest hacking incidents, including the global WannaCry cyberattack in 2017. And throughout the COVID-19 pandemic, nation-state hackings groups have continued to target healthcare providers with Coronavirus-related campaigns.

Data from Carbon Black found 45 percent of the healthcare sector’s chief information security officers experienced a cyberattack focused on data destruction in 2018, explaining “these attacks are often carried out by punitive and malicious nation-states, including Russia, China and North Korea.”

The latest CISA alert focuses on three new threats tied to North Korea: COPPERHEDGE, TAINTEDSCRIBE, and PEBBLEDASH. These threats are being used by the North Korean government in conjunction with proxy servers to establish and maintain persistence on victim networks for further network exploitation down the line.

Cybercriminals are increasingly leveraging persistence on victim networks to deliver the most damage and financial payout. Most recently, Check Point reported an increase in double extortion attempts, with hackers lurking on networks long after the initial compromise to proliferate across the enterprise before later deploying ransomware.

The TAINTEDSCRIBE alert described a trojan with a full-featured beaconing implant and its command modules. The threat actor leverages a FakeTLS for session authentication and for network encryption through a Linear Feedback Shift Register (LFSR) algorithm.

“The main executable disguises itself as Microsoft’s Narrator,” according to officials. “It downloads its command execution module from a command and control (C2) server and then has the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.”

COPPERHEDGE is a Remote Access Tool (RAT) malware variant and part of a family typically used to target cryptocurrency exchanges and related entities. Used by advanced persistent threat (APT) cyber actors, “Manuscrypt is a full-featured RAT capable of running arbitrary commands, performing system reconnaissance, and exfiltrating data.”

“Six distinct variants have been identified based on network and code features,” according to the alert. “The variants are categorized based on common code and a common class structure. A symbol remains in some of the implants identifying a class name of "WinHTTP_Protocol" and later "WebPacket.”

The PEBBLEDASH variant is a trojan that also uses a full-featured beaconing implant through a FakeTLS for session authentication and for network encoding utilizing RC4. A successful exploit would have the ability of downloading, uploading, deleting, and executing files, as well as enabling Windows CLI access, creating and terminating processes, and performing target system enumeration.

The alerts also provide security leaders with mitigations and ways to detect these attacks, as well as recommendations for strengthening the enterprise’s security posture.

To start, antivirus signatures and engines, as well as all operating systems, must be up to date. Organizations should disable file and printing sharing services, if possible. Strong passwords or Active Directory should be leveraged, if these services are required.

User permissions should be restricted from installing and running unwanted software applications and should not be added to the local administrators group unless it’s required. Further, all users should be reminded to exercise caution when opening email attachments, even when the attachment is expected, and the sender appears to be known.

The healthcare sector is a prime target for social engineering and email spoofing attacks, with hackers primarily targeting human nature rather than solely focusing on infrastructure vulnerabilities.

Organizations must also enable a personal firewall on workstations, configured to deny any unsolicited connection requests, while any unnecessary services should be disabled.

The IT or security team should leverage tools to scan and remove any email attachments, in addition to verifying whether the scanned attachment is its “true file type,” such as matching the file header to the extension.

Users’ web browsing habits should also be monitored, and the IT team should restrict access to sites with “unfavorable content.”

“Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.),” according to the alert. “Scan all software downloaded from the internet prior to executing.”

Lastly, organizations must maintain situational awareness of the latest threats, as well as implement strengthened, appropriate access control lists. Healthcare organizations can also review the recently compiled privacy and security resource list from the Office for Civil Rights for ways to bolster cyber hygiene across the enterprise.

The Department of Health and Human Services also developed voluntary best practice cybersecurity guidelines tailored to the size of an organization, which can help those struggling to keep pace with the current threat landscape.

CISA is urging organizations to monitor for indicators of compromise and to report these events to CISA or the FBI Cyber Watch (CyWatch), while warning these attacks should receive the highest priority.

Next Steps

Dig Deeper on Cybersecurity strategies