The US Homeland Security Department and FBI recently published a joint technical security alert. In the report, the government departments detail how hackers working for the North Korean government used unsupported Microsoft software. The alert highlights the botnet infrastructure and tools used in the breach.
Both US agencies call the malicious activity “Hidden Cobra” but it also known as Lazarus Group by security firms. Cyber actors for the North Korean government are targeting U.S. critical infrastructure such as finance and media.
Through the use of a malware called DeltaCharlie, they are able to install DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware.
Hidden Cobra is managing to access infrastructure by exploiting older version of Microsoft programs and Adobe Flash vulnerabilities. The latter has long been a security risk, resulting in web browsers turning their back on the dated software.
In its alert, the Homeland Security Department and FBI list the exploited services:
- CVE-2015-6585: Hangul Word Processor Vulnerability
- CVE-2015-8651: Adobe Flash Player 18.104.22.1684 and 19.x Vulnerability
- CVE-2016-0034: Microsoft Silverlight 5.1.41212.0 Vulnerability
- CVE-2016-1019: Adobe Flash Player 22.214.171.124 Vulnerability
- CVE-2016-4117: Adobe Flash Player 126.96.36.199 Vulnerability
The varying attacks include data stealing and disruptive malware.
Considering the version of Microsoft Silverlight being exploited is now unsupported, it is unclear whether the company will issue a patch.
Last week, the company took the unprecedented step of patching an unsupported Windows build. The much-loved Windows XP left support in 2014 and is over a decade and a half old. However, a Windows backdoor used by the NSA was leaked and the now infamous WannaCry malware spread to hundreds of millions of machines worldwide.
Microsoft decided to patch all unsupported Windows versions to prevent further exploit. It is almost unheard of that the company would return to patch an unsupported build.