HPE Software is now Micro Focus
Protect Your Assets

HIDDEN COBRA

Security_Guest

The United States Computer Emergency Readiness Team (US-CERT) released updated indicators of compromise (IOCs) for HIDDEN COBRA on November 14, 2017, giving organizations more ways to detect this activity in their environments. The Department of Homeland Security (DHS) and the FBI have identified new Internet Protocol (IP) addresses and other IOCs associated with a Trojan malware variant used by the North Korean government, commonly known as Volgmer. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.

According to the alert, the FBI has high confidence that HIDDEN COBRA threat actors are using the identified IP addresses to infiltrate victims' networks, maintain a presence, and conduct further network exploitation. DHS and the FBI are distributing these IP addresses to enable network defense and reduce exposure to North Korean government malicious cyber activity.

The Micro Focus Activate security content team has created a solution for this threat. Within the ArcSight Activate Framework, customers can rapidly ingest the IOCs identified by US-CERT.

The ArcSight Activate Framework is a modular content development method designed to quickly deploy actionable use cases. The framework provides a standardized approach to creating content that can be shared with the community to keep up easily with the latest IT security threats. The result is a robust SIEM that is easier to set up and maintain. Micro Focus has distilled 10+ years of ArcSight SIEM content development experience into this framework. It is a recipe for realizing return on investment (ROI) as quickly as possible, achieved by leading you through a SIEM maturity path focused on collecting the right data feeds, overlaid by actionable content that flows through the Activate Multi-Sensor Data Fusion and Attack Life Cycle Models.

Using the Activate Framework together with the IOCs identified by US-CERT will allow customers to quickly correlate and understand which systems and/or entities are exposed to the HIDDEN COBRA threat across the enterprise. For more details regarding the Activate Framework and the installation process, please see the Activate Framework installation and configuration guide.

This use case leverages our Activate Level 1 Threat Intelligence package, which is used to detect and contextualize potentially malicious activity based on intelligence derived from a site-specific mix of threat intelligence sources. More details on this use case and package are available on the Marketplace.

To help you identify HIDDEN COBRA in your environment, the Micro Focus Activate security content team has created a ready-to-deploy Activate package for this use case which can be imported into the Activate Framework today. We have updated our L1 Threat Intelligence package on the Marketplace to use the US-CERT IOCs to detect this malware. Users can go to the "L1-Threat Intelligence – Indicators and Warnings" package, use the link in the "description" to obtain the data feeds (i.e. the IOC files), and follow the instructions on the wiki page to import them into ESM. Keep in mind that IP-address indicators age quickly and may point at shared hosting or other legitimate infrastructure, so treat a match as a lead to investigate rather than an automatic block, and refresh the feed whenever US-CERT updates the list.

IOC list:  https://www.us-cert.gov/sites/default/files/publications/TA%20VOLGMER%20IOCs.csv 
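For readers who want to see what the import-and-match step does before it is wrapped in ESM content, the following is an added example, not code from Micro Focus, ArcSight or US-CERT. It loads an IOC feed from CSV text, then scans firewall and AV log lines for source/destination IPs and file hashes that match. The two-column CSV layout (indicator, type) is an assumption made for the example; the published US-CERT file may use different column names, so map them when loading the real feed. All indicator values and log lines below are constructed (documentation IP ranges and a dummy hash), not Volgmer indicators.

```python
import csv
import io
import ipaddress
import re

# Constructed IOC feed in the assumed (indicator, type) layout. These are
# RFC 5737 documentation addresses and the MD5 of the empty string, chosen
# so nothing here can be mistaken for a real Volgmer indicator.
SAMPLE_IOC_CSV = """indicator,type
203.0.113.45,ipv4
198.51.100.7,ipv4
192.0.2.0/24,ipv4-cidr
d41d8cd98f00b204e9800998ecf8427e,md5
"""

# Constructed syslog-style firewall and AV events to scan.
SAMPLE_LOGS = [
    "2017-11-15T10:01:02Z fw01 allow src=10.1.4.22 dst=203.0.113.45 dport=8080",
    "2017-11-15T10:01:05Z fw01 allow src=10.1.4.23 dst=93.184.216.34 dport=443",
    "2017-11-15T10:02:11Z fw01 allow src=192.0.2.17 dst=10.1.4.22 dport=445",
    "2017-11-15T10:03:40Z av01 scan host=ws-17 file=C:\\Temp\\a.exe md5=D41D8CD98F00B204E9800998ECF8427E",
]

# Field extractors for the sample log format (key=value pairs).
IP_RE = re.compile(r"\b(?:src|dst)=(\d{1,3}(?:\.\d{1,3}){3})")
HASH_RE = re.compile(r"\b(?:md5|sha1|sha256)=([0-9A-Fa-f]{32,64})")


def load_iocs(csv_text):
    """Parse the feed into (exact_ips, networks, hashes).

    Hashes are lower-cased so matching is case-insensitive; CIDR entries are
    kept separately because they need a containment test, not set lookup.
    """
    exact_ips, networks, hashes = set(), [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = row["indicator"].strip()
        kind = row["type"].strip().lower()
        if kind == "ipv4":
            exact_ips.add(ipaddress.ip_address(value))
        elif kind == "ipv4-cidr":
            networks.append(ipaddress.ip_network(value, strict=False))
        elif kind in ("md5", "sha1", "sha256"):
            hashes.add(value.lower())
    return exact_ips, networks, hashes


def ip_is_ioc(addr, exact_ips, networks):
    """True if addr is listed exactly or falls inside a listed network."""
    return addr in exact_ips or any(addr in net for net in networks)


def scan_logs(lines, iocs):
    """Return [(log_line, [(kind, indicator), ...])] for lines that match."""
    exact_ips, networks, hashes = iocs
    hits = []
    for line in lines:
        matched = []
        for m in IP_RE.finditer(line):
            try:
                addr = ipaddress.ip_address(m.group(1))
            except ValueError:
                continue  # e.g. 999.1.1.1 matched the regex but is not an IP
            if ip_is_ioc(addr, exact_ips, networks):
                matched.append(("ip", str(addr)))
        for m in HASH_RE.finditer(line):
            if m.group(1).lower() in hashes:
                matched.append(("hash", m.group(1).lower()))
        if matched:
            hits.append((line, matched))
    return hits


if __name__ == "__main__":
    for line, matched in scan_logs(SAMPLE_LOGS, load_iocs(SAMPLE_IOC_CSV)):
        print(matched, "<-", line)
```

Running the script flags three of the four lines: the outbound connection to a listed IP, the inbound connection from an address inside a listed CIDR, and the AV event whose hash matches regardless of case. The line to the unlisted address produces no hit. In ESM the same logic is carried by the imported Active Lists and the L1 Threat Intelligence rules; the point of the standalone version is to make the matching semantics (exact IP, CIDR containment, case-insensitive hashes) explicit so you can sanity-check the feed before relying on it.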


About the Author

Security_Guest