It looks like you're using an Ad Blocker.
Please white-list or disable AboveTopSecret.com in your ad-blocking tool.
Some features of ATS will be disabled while you continue to use an ad-blocker.
Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group (link is external) and Guardians of Peace. (link is external) DHS and FBI assess that HIDDEN COBRA actors will continue to use cyber operations to advance their government’s military and strategic objectives. Cyber analysts are encouraged to review the information provided in this alert to detect signs of malicious network activity.
Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, (link is external) Wild Positron/Duuzer, (link is external) and Hangman. (link is external) DHS has previously released Alert TA14-353A, which contains additional details on the use of a server message block (SMB) worm tool employed by these actors. Further research is needed to understand the full breadth of this group’s cyber capabilities. In particular, DHS recommends that more research should be conducted on the North Korean cyber activity that has been reported by cybersecurity and threat research firms.
HIDDEN COBRA actors commonly target systems running older, unsupported versions of Microsoft operating systems. The multiple vulnerabilities in these older systems provide cyber actors many targets for exploitation. These actors have also used Adobe Flash player vulnerabilities to gain initial entry into users’ environments.
Patch applications and operating systems – Most attackers target vulnerable applications and operating systems. Ensuring that applications and operating systems are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker. Use best practices when updating software and patches by only downloading updates from authenticated vendor sites.
Use application whitelisting – Whitelisting is one of the best security strategies because it allows only specified programs to run while blocking all others, including malicious software.
Restrict administrative privileges – Threat actors are increasingly focused on gaining control of legitimate credentials, especially credentials associated with highly privileged accounts. Reduce privileges to only those needed for a user’s duties. Separate administrators into privilege tiers with limited access to other tiers.
Segment networks and segregate them into security zones – Segment networks into logical enclaves and restrict host-to-host communications paths. This helps protect sensitive information and critical services, and limits damage from network perimeter breaches.
Validate input – Input validation is a method of sanitizing untrusted input provided by users of a web application. Implementing input validation can protect against the security flaws of web applications by significantly reducing the probability of successful exploitation. Types of attacks possibly averted include Structured Query Language (SQL) injection, cross-site scripting, and command injection.
Use stringent file reputation settings – Tune the file reputation systems of your anti-virus software to the most aggressive setting possible. Some anti-virus products can limit execution to only the highest reputation files, stopping a wide range of untrustworthy code from gaining control.
Understand firewalls – Firewalls provide security to make your network less susceptible to attack. They can be configured to block data and applications from certain locations (IP whitelisting), while allowing relevant and necessary data through.