The FBI blamed North Korea for two malware families targeting U.S. media, aerospace, financial, and critical infrastructure sectors’ networks.
In a joint alert posted May 29, the FBI and U.S. Department of Homeland Security (DHS) warned that North Korean state-sponsored hackers, dubbed Hidden Cobra, are behind both Joanap and Brambul malware. These attacks have hit U.S. and global networks since 2009.
Joanap is a remote access tool (RAT). Brambul is a server message block (SMB) worm. Hackers spread the malware by first infecting network servers. Once the malware infects a server, it can move laterally through a victim’s network and any connected networks to infect additional nodes.
The U.S. agencies say North Korea has been using Joanap and Brambul over the past nine years to steal and delete information and remotely control networks.
Joanap lets attackers issue commands to an infected system from a remote server. It typically infects a system as a file dropped by other North Korean malware, which users unknowingly download when they visit compromised websites or open malicious email attachments. The U.S. government identified 87 compromised network nodes during its Joanap investigation.
Once Brambul infects a network it attempts to establish contact with systems and IP addresses on local subnets. If successful, the malware attempts to gain unauthorized access via the SMB protocol by launching password attacks using a list of embedded passwords. Additionally, the malware generates random IP addresses for further attacks.
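As an added illustration, not part of the alert or this article, the following Python detector looks for the propagation pattern described above in authentication logs: one source failing SMB logons against many neighbouring hosts within a short window, with a count of how many targets fall outside the local subnet. The log format, field names, addresses and thresholds are constructed for the example.

```python
# Added example (not from the FBI/DHS alert): flag sources whose failed SMB
# logons resemble a worm working through an embedded password list.
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

LOCAL_NET = ipaddress.ip_network("10.0.1.0/24")  # assumed local subnet

# Constructed sample log lines: timestamp, source, target, user, result
SAMPLE_LOG = """\
2018-05-29T10:00:01 src=10.0.1.15 dst=10.0.1.20 user=administrator result=FAIL
2018-05-29T10:00:02 src=10.0.1.15 dst=10.0.1.20 user=administrator result=FAIL
2018-05-29T10:00:03 src=10.0.1.15 dst=10.0.1.21 user=administrator result=FAIL
2018-05-29T10:00:04 src=10.0.1.15 dst=10.0.1.22 user=administrator result=FAIL
2018-05-29T10:00:05 src=10.0.1.15 dst=10.0.1.23 user=administrator result=FAIL
2018-05-29T10:00:06 src=10.0.1.15 dst=10.0.1.24 user=administrator result=FAIL
2018-05-29T10:00:07 src=10.0.1.15 dst=10.0.1.25 user=administrator result=SUCCESS
2018-05-29T10:00:08 src=10.0.1.15 dst=203.0.113.7 user=administrator result=FAIL
2018-05-29T10:01:00 src=10.0.1.40 dst=10.0.1.20 user=alice result=FAIL
2018-05-29T10:01:30 src=10.0.1.40 dst=10.0.1.20 user=alice result=SUCCESS
"""

def parse(line):
    """Turn one 'ts key=value ...' line into a dict with a datetime 'ts'."""
    ts, rest = line.split(" ", 1)
    ev = dict(tok.split("=", 1) for tok in rest.split())
    ev["ts"] = datetime.fromisoformat(ts)
    return ev

def find_smb_sprayers(log_text, window=timedelta(minutes=5), min_fail=5, min_targets=3):
    """Return {src: summary} for sources with at least min_fail failed logons
    against at least min_targets distinct hosts inside one sliding window."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev["result"] == "FAIL":
            failures[ev["src"]].append(ev)
    flagged = {}
    for src, events in failures.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            burst = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            targets = {e["dst"] for e in burst}
            if len(burst) >= min_fail and len(targets) >= min_targets:
                # Targets outside the local subnet hint at generated random IPs
                offnet = sum(1 for t in targets if ipaddress.ip_address(t) not in LOCAL_NET)
                flagged[src] = {"failures": len(burst), "targets": len(targets),
                                "external_targets": offnet}
                break  # one alert per source is enough
    return flagged
```

A single user's two attempts (10.0.1.40) stay below the thresholds, while the host cycling through neighbours is reported along with its off-subnet probe.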
The latest malware alert comes a week after the FBI took action against Russian state-sponsored hackers that hit networks in 54 countries including the U.S. Cisco’s Talos threat researchers first provided details about the VPNFilter malware on May 22. It infected at least 500,000 routers and storage devices globally, according to a Talos blog post.
Kaspersky Lab Loses
In September 2017, the DHS ordered government agencies to stop using any security products and services supplied by the Moscow-based vendor, citing ties to Russian intelligence agencies.
Kaspersky filed lawsuits seeking to overturn the ban, and yesterday a federal court judge dismissed both lawsuits, according to the Washington Times.
“The United States government’s networks and computer systems are extremely important strategic national assets,” the judge wrote. “Threats to these systems are constantly expanding and evolving. Their security depends on the government’s ability to act swiftly against perceived threats and to take preventive action to minimize vulnerabilities. These defensive actions may very well have adverse consequences for some third parties. But that does not make them unconstitutional.”
Earlier this month the security vendor said it will move its assembly line and security network data to Zurich as part of its “global transparency initiative.”
“Storing it [data processed by Kaspersky Security Network] in Switzerland under the supervision of an independent organization means that any access to this data is meticulously logged — and the logs can be reviewed at any moment should any concerns arise,” according to a Kaspersky blog post.