Is Your Organization Prepared? New Details on HIDDEN COBRA Botnet

North Korea’s HIDDEN COBRA botnet is targeting organizations in the finance sector, media, aerospace, and critical infrastructure around the globe with disruptive DDoS attacks.

The team at US-CERT issued an alert including technical details on the tools and infrastructure used by the botnet: DDoS, keyloggers, remote access tools, and wiper malware.

The alert notes common vulnerabilities used by these cyber criminals:

  • CVE-2015-6585: Hangul Word Processor Vulnerability
  • CVE-2015-8651: Adobe Flash Player 18.0.0.324 and 19.x Vulnerability
  • CVE-2016-0034: Microsoft Silverlight 5.1.41212.0 Vulnerability
  • CVE-2016-1019: Adobe Flash Player 21.0.0.197 Vulnerability
  • CVE-2016-4117: Adobe Flash Player 21.0.0.226 Vulnerability

Organizations should update these applications to the latest version and patch level as soon as possible. Better yet, if you don’t need Adobe Flash or Microsoft Silverlight, remove them from your systems altogether.

Indicators of compromise are included in the alert. Network administrators should review the IP addresses, file hashes, network signatures, and YARA rules provided. Additionally, add the IP addresses associated with HIDDEN COBRA to the watchlist to observe any potential malicious activity.
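To make the watchlist step concrete, here is an added example (not code from the alert or this post) that matches key=value firewall and antivirus log lines against a set of IP and SHA-256 indicators; the indicator values and log lines are constructed placeholders, not HIDDEN COBRA indicators, which must be taken from the alert itself.

```python
import re

# Constructed watchlist standing in for the alert's IP and hash indicators.
# IPs are from the RFC 5737 documentation range; the hash is a dummy value.
PLACEHOLDER_HASH = "0" * 64
WATCHLIST_IPS = {"192.0.2.10", "192.0.2.77"}
WATCHLIST_SHA256 = {PLACEHOLDER_HASH}

# Constructed key=value log lines (firewall and AV events), not from the alert.
SAMPLE_LOGS = [
    "2017-06-14T01:02:03Z fw action=allow src=10.0.0.5 dst=192.0.2.10 dport=443",
    "2017-06-14T01:02:09Z fw action=allow src=10.0.0.7 dst=203.0.113.9 dport=80",
    "2017-06-14T01:03:11Z fw action=deny src=192.0.2.77 dst=10.0.0.5 dport=445",
    "2017-06-14T01:04:00Z av file=C:\\Users\\a\\x.exe sha256=" + PLACEHOLDER_HASH,
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line):
    """Turn 'k=v k2=v2 ...' into a dict; a repeated key keeps its last value."""
    return dict(KV_RE.findall(line))


def match_line(line, ips=WATCHLIST_IPS, hashes=WATCHLIST_SHA256):
    """Return (indicator_type, value, field) hits for one log line.

    Both src and dst are checked: outbound traffic to a listed address and
    inbound traffic from one are equally worth review, even when the
    firewall already denied the connection.
    """
    fields = parse_kv(line)
    hits = []
    for key in ("src", "dst"):
        if fields.get(key) in ips:
            hits.append(("ip", fields[key], key))
    digest = fields.get("sha256", "").lower()
    if digest in hashes:
        hits.append(("sha256", digest, "file"))
    return hits


def scan(lines):
    """Return [(line_no, line, hits)] for every line with at least one hit."""
    results = []
    for n, line in enumerate(lines, 1):
        hits = match_line(line)
        if hits:
            results.append((n, line, hits))
    return results


if __name__ == "__main__":
    for n, line, hits in scan(SAMPLE_LOGS):
        print(f"line {n}: {hits}")
```

In practice the watchlist sets would be loaded from the alert's indicator files and the scan run over exported logs or wired into the SIEM as a lookup.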

Key Takeaway

Unpatched applications continue to be a weak point for organizations. Vulnerabilities in Flash and Silverlight are commonly targeted by HIDDEN COBRA to spread malware. The US-CERT alert gives network administrators a good jump start on protecting their systems from the active botnet. Now the onus is on organizations to implement the information.
