Tag: exploits

Taming the Hidden Cobra: The DPRK’s malware brigade

What is Hidden Cobra?

While it may sound like the final technique learned from Jackie Chan in a young adult movie, Hidden Cobra is actually the moniker given to state-sponsored actors executing cyber crime activities on behalf of the North Korean government. Before federal agencies reported on the activities of DPRK’s Hidden Cobra, the group was dubbed by the private sector as Lazarus Group or Guardians of Peace. Hidden Cobra is an extension of the North Korean government and targets both public and private entities with malware, data wipers, DDoS, and SMB worm tools. Known variants of Destover, Duuzer , and Hangman exploits are common modus operandi for Hidden Cobra. In addition, Hidden Cobra is notorious for their use of powerful DDoS attacks with their denial-of-service tool, DeltaCharlie.

Flushing Out the Snake

Hidden Cobra tends to target systems that run older, unpatched operating systems. The lack of firmware updates and plethora of attack surfaces found in obsolete Microsoft operating systems makes for low-hanging fruit the serpents are able to reach. A Technical Alert issued by the Department of Homeland Security and Federal Bureau of Investigation includes a database of recognized IP addresses and network signatures that they consider Indicators of Compromise (IOCs).

Indicators of Compromise

[Clicking will begin a .csv download]

In addition to these IOC’s, DHS has published a Malware Analysis Report detailing the unique functionalities and common tactics demonstrated by Hidden Cobra actors.

MAR 10132963

[Clicking will open a .pdf]

Known Vulnerabilities

Like real snakes, we have accumulated antidotes for a majority of the Hidden Cobra’s venoms. The following Common Vulnerabilities and Exposures (CVEs) are typical susceptibilities targeted by Hidden Cobra:

If Adobe Flash and Microsoft Silverlight are no longer necessary applications in your system, we highly recommend removing these programs completely.

Delta Charlie

Perhaps the most perilous tool operated by Hidden Cobra is their DDOS tool, DeltaCharlie. Sporting a standard botnet infrastructure, DeltaCharlie is used to launch DNS attacks, NTP attacks, and CGN attacks. DeltaCharlie disguises itself as a svchost service. The tool can download and operate macros, alter its own structure, and perform denial-of-service attacks on command.

If You’ve Been Targeted

Report the attack to DHS or FBI – Federal agencies are very interested in keeping tabs on the activity of North Korea’s state-sponsored cyber warfare adjuncts. You can report malware to the DHS here. They will certainly appreciate the information.
Review visitor logs for IOCs – If you suspect Hidden Cobra is responsible for a raid on your network, cross-check records from your perimeter defenses against those IP addresses outlined in the Indicators of Compromise spreadsheet provided above.
Run YARA – For readers unfamiliar with YARA, it is a tool developed by malware researchers to detect attack signatures. The Technical Alert issued by DHS and FBI include a variety of YARA rule definitions that can quickly and effectively track down signs of Hidden Cobra malware.

Preventing Hidden Cobra Attacks

Limit admin privilegesWe’ve talked about this one before. When an attacker gets into your system, you don’t want everyone inside carrying around skeleton keys.
Update your firmware – Hm. This one sounds familiar too. The straight-forward warning: the older your operating system, applications, or security patches, the more likely you are to be on the receiving end of cyber crime. This is as self-explanatory as comparing a modern digital security system to a string of rattling cans strung across the lawn.
Go invite-only for your applications– The practice of whitelisting applications drastically cuts down potential attack surfaces in your network. In short, whitelisting is allowing only prescreened applications access to your system. If it’s not on the list, it stays outside.
Leverage your firewall – Firewalls provide gateway security, content filtering, IP whitelisting, application controls, user groups, and more. There are a vast number of security options available to organizations to protect their data against the likes of Hidden Cobra, but most of them require a firewall appliance to operate. Think of your firewall as the command center of your security infrastructure. Next-generation firewalls are platforms designed to provide all of the security resources you need in one powerful appliance, known as Unified Threat Management.

Learn about UTMs offered by our manufacturer partners!



The History of Orpheus’ Lyre: A tale as old as time, a vuln as old as Windows

The world of cyber security and classic Hellenistic Greece are colliding. We are speaking, of course, about the Orpheus’ Lyre security hole making rounds in security news. We’re sounding the Gjallarhorn in hopes that you’ll join us down in the info sec underworld as we discover what three-headed dogs, Thrace, and the granddaddy of the modern guitar have in common with your network.

Setting the Stage – the Classical Age

Orpheus – First mentioned by a sixth-century epic poet named Ibycus and later made famous by Thebian lyric poet Pindar, Orpheus is an epic hero popular in ancient Greek myth. Orpheus is known as a legendary musician with the ability to trick, persuade, and charm his way around obstacles thanks to his supernatural lyre playing. The lyre, which is how the ancient Romans played Wonderwall at insulae parties, is a predecessor of the guitar often mistaken for a harp.

The most famous story of Orpheus is that of rescuing his wife, Eurydice, from the underworld. When Eurydice is attacked by a satyr (mischievous goat-man played by Danny Devito in Disney’s “Hercules”), she falls into a pit of vipers, is bitten on the heel, and succumbs to their venom. Stricken with grief, Orpheus plays a song so mournful that the gods themselves are moved to tears. They offer him advice: descend into the underworld yourself and strike a deal to get Eurydice back. Orpheus descends into the underground, soon finding himself face-to-face with the ferocious Cerberus, guardian of the gates into the underworld. Orpheus tames Cerberus with some hot lyre riffs and snags an appointment with Hades, lord of the underworld, to successfully negotiate the return of Eurydice to the world of the living. Unfortunately, the tale takes a turn south from there with Orpheus falling for the classic religious no-no of “looking behind you” while fleeing. Because he peeks back over his shoulder during their exit from the underworld despite clear warning from Hades, Eurydice vanishes forever. Orpheus is later torn apart by a wandering band of vicious feral women upset by Orpheus snubbing their favored rock n roll god.

Cerberus – The hound of hell, three-headed guardian of the underworld, son of Tartarus-bound Typhon and Echidna. Cerberus has made cameos in “Harry Potter & the Philosopher’s Stone”, several Disney movies, and most every RPG game with a summoning system. This tri-skulled canine is among the most prominent icons for gatekeeping and security around. In the legends of Orpheus, Cerberus succumbs to the honey-sweet grooves of a lyre to allow the legendary musician to pass where countless others had failed.

Heimdallr – Heimdallr and his namesake are only peripheral references in our story, so let’s make this quick. Heimdallr is a Norse god that carries a giant horn, Gjallarhorn, and is said to be an ever-vigilant sentry watching for the inevitable approach of Ragnarok, which is like a Rammstein music video version of the apocalypse.

Setting the Stage – The Information Age

Orpheus’ Lyre – Orpheus’ Lyre is the name given to an exploit present in the Kerberos network security protocol. A patch for Orpheus’ Lyre was published with the Windows July 2017 security patches.

Kerberos – Kerberos is a security protocol that has been utilized by Windows for over 20 years. Kerberos is a “ticket” system in terms of security. Rather than exchanging unique authentications between the several servers that you may request access to, Kerberos acts as a central authority, distributing “server tickets” that come pre-written with encrypted data detailing what server you requested access to, how long your authentication is valid, and more. Think of Kerberos as the guy whose only job is tear your ticket stub off at the movie theater. You can go buy your movie tickets at the will-call desk, on Fandango, or from the sketchy guy out front who for some reason has 60 extra tickets to “The Emoji Movie.” But if you want into a screening room (server), you must stop at the kiosk in the lobby and have your ticket checked.

Heimdal – Heimdal is one of two common variants of Kerberos. The other variant, MIT Kerberos, was developed by the Massachusetts Institute of Technology and is leveraged by Windows for a majority of network security uses while Heimdal Kerberos is generally supported by smaller operating systems. While the July 2017 Windows security patch addressed exploits in MIT Kerberos, Heimdal Kerberos is still at risk. Look for patches for Heimdal to be released by Apple in the future.

How does it work?

Great, so some cyber attackers came up with clever pet names for their project. What’s this thing actually do?

Keep in mind the analogy above in regard to Kerberos being the primary ticket-checker of a Windows network security apparatus. Since these are packets of encrypted data, however, let’s add that these tickets are being transported in opaque envelopes. When a data packet approaches Kerberos, the security protocol opens the envelope, records the information inside, and routes the packet to its destination. However, there’s a bit of a catch. Some of that data, seemingly innocuous stuff like which server you’re traveling to, is also written on the outside of the envelope in plain text.
So what if someone could convince the ticket-checker, Kerberos, that the plain text data scribbled on the outside of the envelop is actually the secure data encrypted inside? Or, in the case of Orpheus’ Lyre, enough data to receive a positive authentication and gain open-ended access to a server. Now you have a packet slipping past the ticket-checker carrying an envelope with mysterious contents. And you know what happens when someone figures out how to sneak something around gateway security!

For reasons unknown to the modern world, when Kerberos was designed long ago, they felt the need to duplicate some data from inside the packet and paste it as plain text on the outside of the packet. The Orpheus’ Lyre exploit takes advantage of this short-sighted slip by convincing Kerberos that the plain text authentication data (which can be easily modified) is, in fact, the encrypted data inside, which cannot be modified. In short, Orpheus’ Lyre takes advantage of the fact that Kerberos will be forced to choose between two sets of similar data and the exploit influences Kerberos to choose the version that attackers are able to modify.

So the attacker buys a movie ticket for “The Emoji Movie” at 8:00 pm. He grabs an eraser and snubs out the modifiable data on the envelop and writes “Dunkirk” at 8:30. He approaches Kerberos, the ticket-checker, flashes him the modified data in a convincing manner, and strolls on into the lobby. Now that the attacker is granted access, they are free to mosey about the corridors, popping their head into whatever screening room they feel like.

Or, to carry the theme of Greek mythology, Orpheus descends into the underworld and charms Cerberus, the hell hound, with his magical lyre and is free to traipse around the land of the dead at his leisure.

How do we keep Orpheus and his Lyre out?

Luckily, Microsoft has done most of the leg work for you. The Windows July 2017 patch CVE-2017-8495 includes a fix for Orpheus’ Lyre, at least in regards to MIT Kerberos. If you do not use Windows, keep an eye peeled for a patch coming down the pipe from Apple. As long as you are a good cyber security warrior and keep your security patches updated, you should be fine!

update vulnerability exploit

Looking for a hell-hound of your own to guard your network?