Content, Breach, Malware

DHS, FBI Issue Joanap and Brambul Malware Attack Warning

North Korea's Hidden Cobra hacker team is using Joanap and Brambul malware to attack and access networks, a Department of Homeland Security (DHS) and FBI warning alleges.

The warning comes roughly one month after a McAfee report deeply detailed alleged Hidden Cobra cyber activities. According to the DHS and FBI warning:

"According to reporting of trusted third parties, HIDDEN COBRA actors have likely been using both Joanap and Brambul malware since at least 2009 to target multiple victims globally and in the United States—including the media, aerospace, financial, and critical infrastructure sectors."

Joanap is a remote access tool (RAT) that can secretly receive multiple commands from Hidden Cobra team members.

By contrast, Brambul is a brute-force authentication worm that spreads through server message block (SMB) shares. Brambul typically spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim’s networks, the report says.

Brambul and Joanap: Potential Malware Impact

The potential impact from Brambul and Joanap can be quite serious, according to the report, including such potential fallout as:

  • temporary or permanent loss of sensitive or proprietary information,
  • disruption to regular operations,
  • financial losses incurred to restore systems and files; and
  • potential harm to an organization’s reputation.

So far, the U.S. government has identified 87 compromised network nodes. The nodes with infected IP addresses are registered in such countries as Argentina, Belgium, Brazil, Cambodia, China, Colombia, Egypt, India, Iran, Jordan, Pakistan, Saudi Arabia, Spain, Sri Lanka, Sweden, Taiwan, and Tunisia, the report said.

Brambul and Joanap: Malware Risk Mitigation

To mitigate such threats, DHS and FBI officials say MSSPs and organizations should:

  • Keep operating systems and software up-to-date with the latest patches. Most attacks target vulnerable applications and operating systems. Patching with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
  • Maintain up-to-date antivirus software, and scan all software downloaded from the internet before executing.
  • Restrict users’ abilities (permissions) to install and run unwanted software applications, and apply the principle of least privilege to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
  • Scan for and remove suspicious email attachments. If a user opens a malicious attachment and enables macros, embedded code will execute the malware on the machine. Enterprises and organizations should consider blocking email messages from suspicious sources that contain attachments.
  • Disable Microsoft’s File and Printer Sharing service, if not required by the user’s organization. If this service is required, use strong passwords or Active Directory authentication.
  • Enable a personal firewall on organization workstations and configure it to deny unsolicited connection requests.

Additional guidance is available here.

The alleged cyber activity comes as U.S. and North Korean officials try to hammer out terms for a meeting between President Trump and Supreme Leader Kim Jong-un. Trump had called off the proposed June 12 meeting last week, but left the door open for a possible sit-down if North Korea agreed to various terms ahead of such a gathering.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.