
US warns two North Korean malware strains targeting critical infrastructure for past 9 years


The US has issued a fresh warning about two malware strains linked to the North Korean government that allow hackers to remotely access devices, steal sensitive information and manipulate networks. The Department of Homeland Security (DHS) and FBI released a joint technical alert detailing the cyberespionage remote access tool (RAT) named Joanap and the server message block (SMB) worm dubbed Brambul.

Officials have asserted with "high confidence" that hackers associated with Pyongyang have used both pieces of malware since at least 2009 to target critical infrastructure, aerospace, financial and media organizations across the globe including the US.

The two-stage Joanap RAT is used to establish peer-to-peer communications, manage botnets, exfiltrate data, run additional payloads and initiate proxy communications on a compromised Windows device.

Meanwhile, Brambul is a malicious Windows 32-bit SMB worm that runs either as a service dynamic link library file or as a portable executable file, installed on targeted victim networks by a dropper malware. Once executed, the malware attempts to establish contact with victim systems and IP addresses on the victims' local subnets and to infiltrate the targeted systems via the SMB protocol (ports 139 and 445) through brute-force attacks.

"Analysts suspect the malware targets insecure or unsecured user accounts and spreads through poorly secured network shares," the CERT alert reads. "Once the malware establishes unauthorized access on the victim’s systems, it communicates information about victim’s systems to HIDDEN COBRA actors using malicious email addresses. This information includes the IP address and host name—as well as the username and password—of each victim’s system. HIDDEN COBRA actors can use this information to remotely access a compromised system via the SMB protocol."
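As an added defender-side illustration (not part of the alert or this article), the following check looks for the spreading pattern described above: one internal host opening SMB sessions (ports 139 and 445) against many neighbours within a short window, with repeated authentication failures. The log format, field names and sample lines are constructed for the example.

```python
"""Flag worm-like SMB fan-out in connection logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a hypothetical format:
# "timestamp src_ip dst_ip dst_port result"
SAMPLE_LOG = """\
2018-05-29T10:00:01 10.0.1.5 10.0.1.10 445 auth_fail
2018-05-29T10:00:02 10.0.1.5 10.0.1.11 445 auth_fail
2018-05-29T10:00:03 10.0.1.5 10.0.1.12 139 auth_fail
2018-05-29T10:00:04 10.0.1.5 10.0.1.13 445 auth_fail
2018-05-29T10:00:05 10.0.1.5 10.0.1.14 445 auth_fail
2018-05-29T10:00:06 10.0.1.5 10.0.1.15 445 auth_ok
2018-05-29T10:00:07 10.0.1.7 10.0.1.20 445 auth_ok
2018-05-29T10:05:00 10.0.1.7 10.0.1.21 445 auth_ok
"""

SMB_PORTS = {139, 445}


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, port, result)."""
    ts, src, dst, port, result = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), result


def find_smb_fanout(log_text, min_targets=5, window_seconds=60, min_failures=3):
    """Return {src_ip: sorted distinct targets} for every source that reaches at
    least min_targets distinct hosts on SMB ports within window_seconds while
    accumulating at least min_failures authentication failures in that window.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, port, result = parse_line(line)
        if port in SMB_PORTS:
            events[src].append((ts, dst, result))
    alerts = {}
    for src, evs in events.items():
        evs.sort()  # chronological, so each index starts a candidate window
        for i, (start, _, _) in enumerate(evs):
            window = [e for e in evs[i:] if (e[0] - start).total_seconds() <= window_seconds]
            targets = {dst for _, dst, _ in window}
            failures = sum(1 for _, _, r in window if r == "auth_fail")
            if len(targets) >= min_targets and failures >= min_failures:
                alerts[src] = sorted(targets)
                break  # one alert per source is enough for triage
    return alerts
```

Thresholds are deliberately parameters: tune them against a baseline of normal SMB activity (backup and management hosts legitimately fan out) before acting on the output.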

The DHS and FBI have identified over 85 networks, published indicators of compromise (IOCs) and suggested mitigation strategies. They have also urged private sector firms to report any activity related to Joanap and Brambul to the Department of Homeland Security National Cybersecurity and Communications Integration Center or the FBI Cyber Watch and "give it the highest priority for enhanced mitigation."

US officials have previously released information and alerts on cybercriminal activities and hacking efforts linked to Hidden Cobra, the government's name for North Korean state-sponsored hackers. In December, the Trump administration blamed North Korea for the massive WannaCry ransomware attack that swept the globe and infected hundreds of thousands of computers worldwide, based on evidence gathered by other governments and private tech companies such as Microsoft. Pyongyang dismissed the accusation as baseless.

The newly issued alert also comes after North Korea dispatched former four-star army general and military chief Kim Yong Chol to New York to meet with Secretary of State Mike Pompeo. The high-level advisor is suspected to have been behind the 2014 Sony Pictures Entertainment hack over "The Interview", a satirical film about a plot to assassinate the North Korean leader. The meeting is expected to lay the groundwork for the possible on-again, off-again summit between President Donald Trump and North Korean leader Kim Jong Un in Singapore, scheduled for June 12.
