Hidden Cobra Is Arisen

We are fairly sure that most of you will remember the shady antics of the (alleged) North Korean state-sponsored hacking outfit ‘Hidden Cobra’, also known as ‘The Lazarus Group’ (see what we did there) and, somewhat ironically, ‘The Guardians Of Peace’, probably a name they call themselves.

Well, in the week that we have seen a lot of toing and froing between the Norks (for that is what they are called in security blogs) and the Americans (likewise), it comes as no real surprise that US-CERT has rolled out the results of what can only have been a very lengthy piece of research, in the form of an alert which goes so far as to name and shame the North Koreans for two ageing but still, it seems, active pieces of malware: Joanap (a Remote Access Trojan) and Brambul (a Server Message Block worm).

It is claimed that these nasties have been doing the rounds since as early as 2009, and we certainly saw signature updates for AV in 2015 from all providers, but according to US-CERT they remain a work in progress and are being adapted.

The implications of being infected are quite serious, from data exfiltration to reputational damage, disruption etc. Good news then that the Alert identifies a significant number of indicators of compromise (IOCs). If you are an ITC managed security services customer, you will no doubt be delighted to know that we have added these IOCs to our NetSure360 platform and will alert you if necessary. If you are not a managed services customer and would like to discuss how best to go about using these, or in fact anything else about your cyber security, please contact us at: [email protected] or call 020 7517 3900.

In the meantime, the usual best practice recommendations apply: patch regularly, keep your antivirus up to date, and, if possible, disable Microsoft’s file and printer sharing service (which will prevent lateral SMB infection), etc.

Unlike the ETERNALBLUE SMB zero day produced by the NSA and stolen by The Shadow Brokers, which was, you might recall, used by WannaCry, the North Korean alternative (Brambul) uses a brute force attack on your user (and system account) passwords, so good password hygiene is of course essential.
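One way to spot that password-guessing behaviour in Windows Security logs, as an added example that is not part of the original post or the US-CERT alert: it counts failed network logons (event 4625, LogonType 3) per source address in a sliding window. The sample events, addresses, account names and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625   # Windows Security event: an account failed to log on
NETWORK_LOGON = 3     # LogonType 3: network logon, the type SMB sessions produce


def constructed_events():
    """Constructed sample records: (time, event_id, logon_type, source_ip, user)."""
    t0 = datetime(2018, 6, 1, 9, 0, 0)
    events = []
    # One host hammering two accounts, one attempt every 10 seconds.
    for i in range(12):
        user = "Administrator" if i % 2 == 0 else "svc_backup"
        events.append((t0 + timedelta(seconds=10 * i), FAILED_LOGON,
                       NETWORK_LOGON, "10.0.0.50", user))
    # A user mistyping a password twice, then succeeding (event 4624).
    events.append((t0 + timedelta(seconds=5), FAILED_LOGON, NETWORK_LOGON, "10.0.0.77", "alice"))
    events.append((t0 + timedelta(seconds=20), FAILED_LOGON, NETWORK_LOGON, "10.0.0.77", "alice"))
    events.append((t0 + timedelta(seconds=30), 4624, NETWORK_LOGON, "10.0.0.77", "alice"))
    # Occasional failures spread over hours never fill the window.
    for i in range(6):
        events.append((t0 + timedelta(hours=i), FAILED_LOGON, NETWORK_LOGON, "10.0.0.90", "bob"))
    return events


def find_bruteforce_sources(events, window=timedelta(minutes=5), threshold=10):
    """Return {source_ip: sorted accounts} for sources that reach `threshold`
    failed network logons inside any sliding `window`."""
    recent = defaultdict(deque)   # source_ip -> (time, user) entries still in the window
    flagged = defaultdict(set)
    for when, event_id, logon_type, source, user in sorted(events):
        if event_id != FAILED_LOGON or logon_type != NETWORK_LOGON:
            continue
        queue = recent[source]
        queue.append((when, user))
        while when - queue[0][0] > window:   # drop entries older than the window
            queue.popleft()
        if len(queue) >= threshold:
            flagged[source].update(u for _, u in queue)
    return {src: sorted(users) for src, users in flagged.items()}


if __name__ == "__main__":
    for src, users in find_bruteforce_sources(constructed_events()).items():
        print(f"{src}: repeated failed network logons against {', '.join(users)}")
```

A source that guesses slowly enough stays under any fixed threshold, so this check sits alongside account lockout policy and strong passwords rather than replacing them.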

Have a good weekend, don’t trust snakes.