Nmedia - Fotolia
Hidden Cobra hackers target U.S. with DeltaCharlie malware
News roundup: DeltaCharlie malware is a threat to the U.S., according to a US-CERT warning about Hidden Cobra. Plus, a DVR flaw could create a bigger botnet than Mirai, and more.
A new alert from the United States Computer Emergency Readiness Team warns that the North Korean hacking team Hidden Cobra is targeting U.S. media, aerospace, financial and critical infrastructure sectors with botnet-related malware.
The US-CERT warning comes from the Department of Homeland Security and the FBI, and it describes Hidden Cobra's use of the malware variant DeltaCharlie, which manages the group's distributed denial-of-service (DDoS) botnet infrastructure. Now, Hidden Cobra is actively targeting the U.S. with DeltaCharlie.
According to the US-CERT alert, "A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed." The potential effects of DeltaCharlie malware include the loss of sensitive or proprietary information, the disruption of regular operations, financial losses and harm to the reputation of the affected organization.
The US-CERT alert cited a 2016 report from McLean, Va., advanced analytics company Novetta, "Operation Blockbuster Destructive Malware," as the first evidence of the DeltaCharlie DDoS botnet. "DeltaCharlie is a DDoS bot that relies on the Winpcap NPF driver for the generation of raw network packets," the report stated. DeltaCharlie has several capabilities, including the ability to update its own binary, as well as activate and terminate a DDoS attack, according to the report. The alert from US-CERT added that DeltaCharlie is able to launch domain-name-system attacks, Network Time Protocol attacks and Character Generation Protocol attacks, as well.
The alert from US-CERT provided indicators of compromise, including IP addresses that are connected to systems infected with the DeltaCharlie malware. "DHS and FBI are distributing these IP addresses to enable network defense activities and reduce exposure to the DDoS command-and-control network," the alert read. "FBI has high confidence that Hidden Cobra actors are using the IP addresses for further network exploitation."
The Hidden Cobra efforts are believed to be the work of the Lazarus Group, which is a North Korean hacking group that has been at work since 2009, but is best known for the 2014 Sony Pictures hack. The Lazarus Group is also reportedly behind malware strains such as Hangman and Wild Positron, and it primarily targets victims in South Korea, India, China, Brazil Russia and Turkey.
In other news:
- A software vulnerability in an estimated 1 million digital video recorders (DVR) could lead to another botnet reminiscent of Mirai. The security consultant firm Pen Test Partners has been researching DVR security since February 2016, which was months before the Mirai botnet spread. Pen Test Partners found "a whole lot of vulnerabilities" that Mirai didn't use. The most notable of these vulnerabilities is "an exploitable buffer overflow over port 80" that opens up the possibility for a new botnet of over 1 million DVRs. "This likely to make for a scary botnet; as port 80 is more likely to be externally available -- it's required for remote access from a smartphone to remotely view DVR video feeds," a Pen Test Partners blog post explains. "We found a number of XM-based DVRs that didn't offer telnet by default, but did publish port 80. This suggests that the potential botnet that could be created could easily be larger than could be created by Mirai."
- A researcher has raised the alarm about the state of security of Georgia's state voting systems. Logan Lamb set out to assess the state's voting systems after the initial reports in 2016 that hackers were targeting voter registration systems. Lamb looked specifically at the website for Kennesaw State University's Center for Election Systems, which tests and programs voting machine for the state of Georgia. Lamb ran a simple script, which pulled 15 GB of data and uncovered a critical vulnerability in the system. On the center's website, Lamb found a database of Georgia's 6.7 million voters, PDFs with instructions and passwords for election workers to use on Election Day, and software for the state's devices that verifies that a voter is registered. According to Lamb's interview with Politico Magazine, he shared his discovery with state officials and the center, both of which "ignored or brushed off" the findings.
- The rate at which small and medium-sized businesses are hit with malware and ransomware has skyrocketed, according to a new report from Malwarebytes. The study looked at SMBs from the first quarter in 2016 through the second quarter in 2017 and found all of those surveyed experienced an increase in malware detections over the course of the year. "In the first quarter of 2017, businesses across the board encountered 165% more malware than they experienced in the same quarter of 2016," Malwarebytes wrote. "Additionally, businesses in all 50 states had an increased number of malware detections, with Arizona, Hawaii and Alaska leading the pack. In 40 states, total malware incidents more than doubled." In addition to malware increases, ransomware has also spiked with a 231% increase year over year. The study found that 10 states dealt with an even higher -- about 500% -- increase in ransomware incidents in Q1 2017 compared to Q1 2016. The report also posits that certain states experienced a much higher rate of malware-related incidents because of the primary industries and business types in those states. For instance, Maine, Texas, Arizona and Alabama had some of the highest rate of malware and their major industries include aerospace, automotive, healthcare, technology, oil and gas -- all of which have a high rate of malware detection.