
US-CERT Issues Warning on North Korean Actors exploiting unpatched systems


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

On 13 June 2017 US-CERT issued Alert TA17-164A, warning of cyber activity by the Democratic People's Republic of Korea (DPRK).

Threat details

The alert designates the North Korean government's cyber operations as "Hidden Cobra" (also known as the Lazarus Group and Guardians of the Peace). It states that DPRK actors have been responsible for a number of attacks dating back to at least 2009, including against media, aerospace and financial sector organisations and critical infrastructure targets. The alert also reiterated the accusation that North Korea may have been responsible for the WannaCry ransomware, which affected a large number of organisations worldwide in May 2017, including the NHS.

The alert notes that Hidden Cobra actors favour targets running older, unsupported software, and lists the following vulnerabilities in out-of-date applications and browser plugins as ones they have exploited for initial access:

  • CVE-2015-8651: Adobe Flash Player 18.0.0.324 and 19.x Vulnerability
  • CVE-2016-0034: Microsoft Silverlight 5.1.41212.0 Vulnerability
  • CVE-2016-1019: Adobe Flash Player 21.0.0.197 Vulnerability
  • CVE-2016-4117: Adobe Flash Player 21.0.0.226 Vulnerability
  • CVE-2015-6585: Hangul Word Processor Vulnerability

Intelligence suggests the actors have a proven tactic of conducting online reconnaissance to identify organisations whose systems have not been updated, and then specifically targeting those organisations.

The Lazarus Group is suspected of having used the NSA exploit tools released into the wild by TheShadowBrokers; WannaCry spread using the EternalBlue SMB exploit from that release, which Microsoft had patched in MS17-010. TheShadowBrokers, who are suspected to be Russian actors, are now offering further tools to paying subscribers as a monthly "Wine Of The Month Club" service, with the next release due in July 2017. This raises the possibility that North Korean state-sponsored actors obtain a fresh batch of NSA tools and attempt to repeat the WannaCry outbreak.

Impact
A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files, and potential harm to an organisation's reputation.

For further information see US-CERT Alert TA17-164A and US-CERT Malware Analysis Report MAR-10132963.


Remediation steps

  • Remain vigilant for authentic-looking phishing emails and password reset requests
  • Ensure AV and other security products are properly configured and kept fully up to date
  • Ensure all firmware, operating systems, applications, browsers and browser plugins are fully patched with updates obtained from authenticated vendor sites
  • Use a vulnerability scanner to identify unpatched vulnerabilities and insecure configurations
  • Use application whitelisting to allow only specified programs to run while blocking all others, including malicious software
  • Restrict administrative privileges and ensure administrators use non-administrative accounts for day-to-day activity such as checking email or browsing the web
  • Segment networks and segregate them into security zones to limit the damage from network perimeter breaches and malware outbreaks
  • Validate input on all web applications to mitigate Structured Query Language (SQL) injection, cross-site scripting and command injection attacks
  • Use stringent file reputation settings: some anti-virus products can limit execution to only the highest-reputation files, stopping a wide range of untrustworthy code from gaining control
  • Ensure firewalls are configured in line with best practice
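Expanding on the input validation step above, the following is an added example and is not part of the NHS Digital alert or the US-CERT report. It shows the two injection classes named in that step side by side: a user lookup built by string concatenation next to its parameterised equivalent, and an allow-list check on a hostname parameter before it is placed in a command argument list. The user table is constructed sample data and the ping command is a hypothetical stand-in for any command a web application might run.

```python
import re
import sqlite3

# Constructed sample data standing in for a web application's user table.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: the untrusted value is spliced into the SQL text.

    A username of  ' OR '1'='1  turns the WHERE clause into
    username = '' OR '1'='1', which matches every row in the table.
    """
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened: the value travels as a bound parameter, never as SQL text."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allow-list for a hostname parameter: labels of letters, digits and hyphens,
# separated by dots, at most 253 characters in total.  Anything else (spaces,
# ';', '|', '$(...)') is rejected before it can reach a command line.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_hostname(host):
    """Return the host if it matches the allow-list, otherwise raise ValueError."""
    if not HOSTNAME_RE.match(host):
        raise ValueError("rejected host parameter: %r" % (host,))
    return host


def build_ping_argv(host):
    """Build an argv list for subprocess.run(argv, shell=False) (hypothetical command).

    Passing a list rather than a shell string means the host is always a single
    argument even if it contains shell metacharacters; the allow-list check
    rejects those anyway, so the two controls are independent layers.
    """
    return ["ping", "-c", "1", validate_hostname(host)]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))  # all three rows leak
    print("safe:      ", lookup_safe(db, payload))        # no rows
    print("argv:      ", build_ping_argv("example.org"))
    for bad in ["8.8.8.8; rm -rf /", "$(id)", "host|nc"]:
        try:
            build_ping_argv(bad)
        except ValueError as exc:
            print("rejected:  ", exc)
```

The point of the two database functions is that validation alone is not the fix for SQL injection: the parameterised query is safe for any input, while the concatenated query is only as safe as whatever filtering happens to sit in front of it. For command execution the reverse applies: an argv list keeps the value as one argument, but an allow-list on what that argument may contain is still wanted, since the command itself may interpret it.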


Last edited: 17 February 2020 11:40 am