Fortunately, there is something that can be done about Hidden Cobra and its components. Innella pointed out that while North Korea and its cyber forces are persistent, they’re not unbeatable. “On the scale of global cyber warfare, I wouldn’t say they’re the most impressive adversary,” Innella said. He added that they’re not the equal of China or Russia in terms of their ability to wage cyber-war.
While Innella said that North Korea is a very big cyber-threat, most CISOs should be able to prevent them from exploiting their networks.
“There’s nothing significantly different about their attacks,” Innella said. “Any robust defense program is going to have some level of threat awareness. Your CISO you would have already seen the CERT notice and made the changes.”
The recommendations by US-CERT provides enough information to enable your network security team to perform the necessary white listing, and should also be able to see from their routers and firewalls whether any traffic from FallChill or its Trojan companion, Volgmer, has passed in or out of your network. The alerts include the IP addresses that the malware uses for reporting and for command and control, enabling your IT security specialists to block those addresses.
The US-CERT note also makes specific recommendations that are important for keeping the North Korean malware at bay. They include application whitelisting, so that you can prevent anything from running on your servers except specific software, keeping operating systems up to date, keeping your antivirus and anti-malware software up to date and by restricting permissions to the level that is required for people to do their jobs and nothing more.
In addition, the recommendations include making sure your staff knows not to click on unknown links and not to go to suspicious websites. Innella said that most of the infections he’s seeing started with visits to dubious sites where a user did something dumb, such as clicking on a link that downloaded malware.
US-CERT also urged organization to train all staff to recognize and avoid email scams, and that you not enable to macros in email software.
You may have noticed a theme here. Good system hygiene is critical, and most of the steps for avoiding it are the same whether the threat is from North Korea or a cyber-criminal trying to get rich on ransomware.
And yes, we’ve seen that theme many times before. But perhaps the thought of Kim Jung Un leafing through your intellectual property files is enough to drive home the idea. You know the things you have to do to be safe, but for them to work, you have to actually do them.