US-CERT issued an alert on HIDDEN COBRA that includes technical details on the tools and infrastructure the actor uses: DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware.
The alert lists the vulnerabilities this actor is known to exploit:
- CVE-2015-6585: Hangul Word Processor Vulnerability
- CVE-2015-8651: Adobe Flash Player 18.0.0.324 and 19.x Vulnerability
- CVE-2016-0034: Microsoft Silverlight 5.1.41212.0 Vulnerability
- CVE-2016-1019: Adobe Flash Player 21.0.0.197 Vulnerability
- CVE-2016-4117: Adobe Flash Player 21.0.0.226 Vulnerability
Organizations should patch these applications to the current vendor release as soon as possible. Better yet, if Adobe Flash or Microsoft Silverlight is not actually needed, uninstall it: a plugin that is not installed cannot be exploited, whatever the next CVE turns out to be.
The alert also includes indicators of compromise. Network administrators should review the IP addresses, file hashes, network signatures, and YARA rules it provides, and search historical proxy, firewall, and DNS logs as well as endpoints for matches, not just block the indicators going forward. Add the IP addresses associated with HIDDEN COBRA to a watchlist so that any future contact with that infrastructure is flagged for investigation.
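A minimal way to act on the IP and hash indicators is to load the watchlist, sweep existing logs for any contact with listed addresses, and hash files on suspect hosts against the published hash list. The script below is an added example, not code from the alert or from US-CERT. Every indicator in it is a placeholder: the addresses are RFC 5737 documentation ranges, the hash list is computed from constructed sample bytes, and the key=value log format is an assumption, so the regex should be adapted to whatever your proxy or firewall emits.

```python
"""Sweep logs and files against an IOC watchlist (added example, placeholder IOCs)."""
import hashlib
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Dotted-quad IPv4 literal that is not part of a longer dotted/numeric token.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def parse_ioc_ips(text: str) -> Set[str]:
    """Parse an IP watchlist, one address per line, '#' comments allowed.
    Entries that are not valid IP addresses are skipped instead of being
    kept as strings that could never match anything."""
    ips: Set[str] = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            ips.add(str(ipaddress.ip_address(entry)))
        except ValueError:
            continue
    return ips


def scan_logs(log_text: str, ioc_ips: Set[str]) -> List[Tuple[str, str]]:
    """Return (matched_ip, log_line) for every line mentioning a watchlisted IP."""
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        for ip in IPV4_RE.findall(line):
            if ip in ioc_ips:
                hits.append((ip, line))
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_files(files: Dict[str, bytes], ioc_hashes: Set[str]) -> List[str]:
    """Return paths whose SHA-256 is on the hash list. Comparison is
    case-insensitive because published lists mix upper- and lower-case hex."""
    wanted = {h.lower() for h in ioc_hashes}
    return [path for path, data in files.items() if sha256_hex(data) in wanted]


# Constructed placeholder watchlist (RFC 5737 documentation addresses plus one
# malformed line). These are NOT the indicators from the US-CERT alert.
IOC_IP_TEXT = """\
# HIDDEN COBRA watchlist (placeholder values)
203.0.113.10
198.51.100.77
300.1.1.1        # invalid octet, must be skipped
"""

# Constructed sample files standing in for the directories you would hash.
SAMPLE_FILES: Dict[str, bytes] = {
    "C:/Users/alice/Downloads/report.hwp": b"constructed HWP-like content",
    "C:/Windows/Temp/svc.exe": b"constructed dropper-like content",
    "C:/Users/alice/notes.txt": b"benign notes",
}

# Placeholder hash list, derived from one constructed file so the example runs
# offline; in practice paste the alert's hash list here.
IOC_SHA256: Set[str] = {sha256_hex(SAMPLE_FILES["C:/Windows/Temp/svc.exe"]).upper()}

# Constructed firewall log lines in an assumed key=value format.
SAMPLE_LOGS = """\
2017-06-13T10:01:02Z src=10.0.0.5 dst=203.0.113.10 dport=443 action=allow
2017-06-13T10:01:05Z src=10.0.0.5 dst=192.0.2.44 dport=443 action=allow
2017-06-13T10:02:11Z src=10.0.0.9 dst=198.51.100.77 dport=8080 action=allow
2017-06-13T10:03:00Z src=10.0.0.5 dst=203.0.113.10 dport=443 action=allow
"""


def run() -> Dict[str, int]:
    """Sweep the sample data, print each hit, and return a summary."""
    ioc_ips = parse_ioc_ips(IOC_IP_TEXT)
    net_hits = scan_logs(SAMPLE_LOGS, ioc_ips)
    file_hits = scan_files(SAMPLE_FILES, IOC_SHA256)
    for ip, line in net_hits:
        print(f"[NET]  {ip} seen in: {line}")
    for path in file_hits:
        print(f"[FILE] hash match: {path}")
    return {"ips_loaded": len(ioc_ips), "network_hits": len(net_hits),
            "file_hits": len(file_hits)}


if __name__ == "__main__":
    print(run())
```

The sweep deliberately matches any IP literal in a line, not only the `dst=` field, so a watchlisted address appearing as a source (inbound scanning or callback traffic) is caught as well; a hit on historical logs means the host involved needs a forensic look, not just a block rule.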
Unpatched applications remain a weak point for organizations, and Flash and Silverlight vulnerabilities are a delivery vector HIDDEN COBRA uses repeatedly to get malware onto victims. The US-CERT alert gives network administrators a good head start on defending against this active botnet; the onus is now on organizations to act on it.