
US-CERT has issued a technical alert warning of two pieces of malware said to be used by the North Korean government.

The alert, issued jointly by the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), refers to the prolific APT group known as Hidden Cobra, which uses two pieces of malware: the remote access Trojan (RAT) Joanap and the SMB worm Brambul.

US-CERT states, “Hidden Cobra actors have likely been using both Joanap and Brambul malware since at least 2009 to target multiple victims globally and in the United States, including the media, aerospace, financial, and critical infrastructure sectors.” The US Government has identified Joanap on 87 compromised network nodes in 17 countries, including China, Spain, Sweden, India, Brazil, and Iran.

Joanap is a fully functional RAT capable of receiving multiple commands issued remotely from a command-and-control server. The alert states that “Joanap typically infects a system as a file dropped by other Hidden Cobra malware, which users unknowingly downloaded either when they visit sites compromised by Hidden Cobra actors, or when they open malicious email attachments.” US-CERT adds that the malware operates covertly, moving laterally inside an infected network to any connected nodes.

Brambul, on the other hand, is a brute-force authentication worm that spreads through SMB shares. SMB (Server Message Block) provides shared access to files between users on a network. US-CERT adds that the malware “typically spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim’s networks.” The practical consequence is that Brambul needs no software vulnerability at all: any host reachable on the SMB port (TCP 445) that accepts one of the built-in username and password pairs becomes the next hop, so weak local account passwords and unnecessarily exposed file shares are what let it move.
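A credential-list attack of the kind described above leaves a distinctive trace on the target: a burst of failed network logons (Windows Security Event ID 4625 with LogonType 3) from a single source, spread across several account names, often followed by a successful network logon (Event ID 4624) from the same source once a hard-coded pair matches. The following is an added example of detection logic for that pattern, written for this article and not taken from the US-CERT alert or from any NNT product. The log format (`timestamp|event_id|logon_type|account|src_ip`), the sample records and the thresholds are constructed for illustration; in practice the fields would be pulled from the Security event log.

```python
"""Flag SMB credential-list (brute-force) activity from Windows logon events.

Added example for illustration. Event records are constructed below; the
pipe-separated line format is an assumption of this example, not a real
Windows log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for this example, not values from the alert.
WINDOW = timedelta(minutes=5)      # look for bursts within this span
MIN_FAILURES = 10                  # failed network logons in the window
MIN_DISTINCT_ACCOUNTS = 3          # ... spread over at least this many accounts


def parse_event(line):
    """Parse one 'ts|event_id|logon_type|account|src_ip' record (constructed format)."""
    ts, event_id, logon_type, account, src_ip = line.split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(event_id),      # 4625 = failed logon, 4624 = successful logon
        "logon_type": int(logon_type),  # 3 = network logon (SMB, among others)
        "account": account,
        "src_ip": src_ip,
    }


def detect_smb_bruteforce(events, window=WINDOW, min_failures=MIN_FAILURES,
                          min_accounts=MIN_DISTINCT_ACCOUNTS):
    """Return {src_ip: summary} for sources whose network-logon failures look like
    a credential list being worked through. If a network-logon success from the
    same source follows the start of the burst, the account it used is recorded:
    that is the moment a hard-coded credential matched."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] == 3 and ev["event_id"] in (4624, 4625):
            by_src[ev["src_ip"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e["event_id"] == 4625]
        # Sliding window over the failures: keep the densest burst.
        best, start = [], 0
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = failures[start:end + 1]
        accounts = {e["account"] for e in best}
        if len(best) < min_failures or len(accounts) < min_accounts:
            continue  # a few typos from one user are not a credential list
        first_success = next(
            (e for e in evs if e["event_id"] == 4624 and e["ts"] >= best[0]["ts"]),
            None)
        findings[src] = {
            "failures": len(best),
            "accounts": sorted(accounts),
            "first_failure": best[0]["ts"],
            "success_account": first_success["account"] if first_success else None,
        }
    return findings


# Constructed sample records. 10.0.0.23 behaves like a Brambul-style worm;
# 10.0.0.5 is a user who mistyped a password twice; 10.0.0.7 is an interactive
# (console) failure and is out of scope for SMB detection.
SAMPLE_LOG = """\
2018-06-01T10:00:00|4625|3|Administrator|10.0.0.23
2018-06-01T10:00:01|4625|3|Administrator|10.0.0.23
2018-06-01T10:00:01|4625|3|admin|10.0.0.23
2018-06-01T10:00:02|4625|3|admin|10.0.0.23
2018-06-01T10:00:02|4625|3|guest|10.0.0.23
2018-06-01T10:00:03|4625|3|guest|10.0.0.23
2018-06-01T10:00:03|4625|3|user|10.0.0.23
2018-06-01T10:00:04|4625|3|user|10.0.0.23
2018-06-01T10:00:04|4625|3|backup|10.0.0.23
2018-06-01T10:00:05|4625|3|backup|10.0.0.23
2018-06-01T10:00:05|4625|3|test|10.0.0.23
2018-06-01T10:00:06|4625|3|Administrator|10.0.0.23
2018-06-01T10:00:07|4624|3|Administrator|10.0.0.23
2018-06-01T10:02:00|4625|3|jsmith|10.0.0.5
2018-06-01T10:02:10|4625|3|jsmith|10.0.0.5
2018-06-01T10:02:20|4624|3|jsmith|10.0.0.5
2018-06-01T10:03:00|4625|2|jsmith|10.0.0.7
"""


def run(log_text=SAMPLE_LOG):
    """Parse the log text and return the detection findings."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    return detect_smb_bruteforce(events)


if __name__ == "__main__":
    for src, s in run().items():
        print(f"{src}: {s['failures']} network-logon failures across "
              f"{len(s['accounts'])} accounts from {s['first_failure']}; "
              f"success as {s['success_account']}")
```

Only the worm-like source is reported: twelve failures over six account names in a few seconds, then a success as Administrator. The distinct-account threshold is what separates a hard-coded credential list from an ordinary user mistyping a password, and the success-after-burst field tells the responder which account to reset first.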

To combat this malware threat, DHS recommends the following mitigation steps and best practices to protect your computer networks:

  1. Keep operating systems and software up to date with the latest patches.
  2. Maintain up-to-date antivirus software, and scan all software downloaded from the internet.
  3. Restrict users’ permissions to install and run unwanted software applications, and apply the principle of least privilege to all systems and services.
  4. Scan for and remove suspicious email attachments.
  5. Disable Microsoft’s File and Printer Sharing service if it is not required by the organization. If the service is required, use strong passwords or Active Directory authentication; Brambul relies on weak, hard-coded credentials succeeding against exposed shares.
  6. Enable a personal firewall on organization workstations and configure it to deny unsolicited connection requests.
Copyright 2018, New Net Technologies LLC. All rights reserved. 