If it isn’t cybersecurity alerts of malware from one despotic regime, it’s warnings relating to another. Just as the world settles down after the Iranian cyber-hype in the aftermath of Suleimani, multiple U.S. government agencies have now warned of a newly intensifying threat from North Korea. Some of the malware is new and some of it is updated. And this particular state-sponsored threat group has pretty terrifying form—remember WannaCry?
As almost always these days, the hackers have mounted a phishing campaign to exploit weaknesses in non-hardened, non-governmental sectors. Defensive holes, lack of patching, network and IoT vulnerabilities and poor user training come to the fore. The objective is not political, it’s financial. The Pyongyang regime remains convinced that cyber attacks on commercial targets can help replenish the funds of the sanctions-stricken country.
“This malware,” says the U.S. government, “is currently used for phishing and remote access by [North Korean] cyber actors to conduct illegal activity, steal funds and evade sanctions.” The warning comes as a result “of analytic efforts between the U.S. Department of Homeland Security, the U.S. Department of Defense, and the FBI to provide technical details on the tools and infrastructure used by cyber actors of the North Korean government.”
That’s a pretty punchy alert.
Putting aside that this is another hammer blow for Windows users, who now have more families of malware and malicious incoming messages to avoid, there is an alarming precedent here in the choreography and in the naming of a nation-state suspect in this way. The public disclosures issued on Valentine’s Day follow private warnings issued to U.S. industry ahead of time.
While these campaigns are clearly distinct from the continued threat from Iran, there are some parallels. In the scary new world of asymmetric hybrid warfare, the way in which nation states can attack U.S. (and allied) industry as a proxy for attacks on more hardened government targets is now stark.
Last summer we saw government warnings of Iranian threats targeted at Outlook users, and the commercial industry alerts have become the primary theme post-Suleimani. Attacks from Iran are more political than this, but their ransomware and crypto attacks also carry a financial threat. Conversely, financial gain is the primary driver for North Korea.
The alert includes malware analysis reports (MARs) for seven trojans “designed to enable network defenders to identify and reduce exposure to North Korean government malicious cyber activity.” U.S. individual users and security teams within U.S. organizations are being urged to look for activity that fits these patterns, giving the activity “the highest priority for enhanced mitigation.”
Each MAR includes detailed descriptions of the specific malware and its likely infection path, as well as mitigation recommendations, including confirmation of the antivirus software that will detect and prevent an attack.
North Korean Trojan: BISTROMATH
North Korean Trojan: SLICKSHOES
North Korean Trojan: CROWDEDFLOUNDER
North Korean Trojan: HOTCROISSANT
North Korean Trojan: ARTFULPIE
North Korean Trojan: BUFFETLINE
North Korean Trojan: HOPLIGHT (Update)
The U.S. has shared malware samples on VirusTotal, including the six new variants (Bistromath, Slickshoes, Crowdedflounder, Hotcroissant, Artfulpie and Buffetline) and the seventh, Hoplight, which is an update on a previous strain. If allowed to take root, the various strains of malware enable remote access to machines and networks, the download of further malicious software, as well as the exfiltration of credentials and files.
It is assumed that the same attackers thought responsible for the WannaCry ransomware attack in 2017 are likely behind these latest campaigns—referred to as Lazarus by the private sector and “Hidden Cobra” by the U.S. government.
CISA, the primary U.S. cybersecurity agency responsible for advising industry on new threats and defenses, recommends the usual mitigations: patching as soon as practically possible; applying strong passwords to file sharing and broader IoT set-ups, including printers and other networked devices; use of updated antivirus software; email defenses and user training on unknown senders and attachments; some level of user monitoring to prevent dangerous activity; and restrictions on external drives and internet software downloads.
And that’s the crux here. It actually doesn’t matter that this is a state-sponsored campaign, the fact is that these and similar malware strains can be used by both criminal organizations and nation-state threat groups. The mitigating actions are the same. If you follow the advice, you are significantly more likely to escape unscathed. A hardened system is akin to locked doors and windows—you are encouraging the attackers to go try next door.
The exploits shared today also carry the threat of targeted data exfiltration in the more day-to-day world of national espionage. These same tools can be used to pull data from strategic industries and individuals of interest. That isn’t the focus of the alert, but those industries, including oil and gas, financial services, defense and aerospace, and critical infrastructure should take especial note of the advice.
In the meantime, get patching and ensure your antivirus is up-to-date.