
HIDDEN COBRA

The United States Computer Emergency Readiness Team (US CERT) released updated indicators of compromise (IOCs) for HIDDEN COBRA on Nov 14th of this year, giving organizations more ways to detect this malware in their environment.  The Department of Homeland Security and the FBI have identified new Internet Protocol (IP) addresses and other IOCs associated with a Trojan malware variant used by the North Korean government, commonly known as Volgmer. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.

According to the alert, the FBI has high confidence that HIDDEN COBRA threat actors are using the IP addresses identified to infiltrate victims’ networks, maintain a presence, and conduct further network exploitation. DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to North Korean government malicious cyber activity.

The Micro Focus Activate security content team has created a solution for this threat. Within the ArcSight Activate Framework we provide the ability for customers to rapidly ingest the IOCs identified by US-CERT.

The ArcSight Activate Framework is a modular content development method designed to quickly deploy actionable use cases. The framework provides a standardized approach to creating content that can be shared with the community to keep up easily with the latest IT security threats. This results in a robust SIEM that is easier to set up and maintain. Micro Focus has distilled 10+ years of ArcSight SIEM content development experience into this framework. It is a recipe to realize return on investment (ROI) as quickly as possible. This is achieved by leading one through a SIEM maturity path focused on collecting the right data feeds, overlaid by actionable content that flows through the Activate Multi-Sensor Data Fusion and Attack Life Cycle Models.

Using our Activate Framework in conjunction with the IOCs identified by US-CERT will allow customers to quickly correlate and understand which systems and/or entities are exposed to the HIDDEN COBRA threat across the enterprise.

To help you identify HIDDEN COBRA in your environment, the Micro Focus Activate security content team has created a ready-to-deploy Activate package for this use case that can be easily imported into the Activate Framework today. We have updated our L1 Threat Intelligence package on the Marketplace to use IOCs to detect this threat. Users can go to the “L1-Threat Intelligence – Indicators and Warnings” package and use the link in the “description” to obtain the data feeds (i.e., the IOC files).

IOC list:  https://www.us-cert.gov/sites/default/files/publications/TA%20VOLGMER%20IOCs.csv 
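The detection the package performs is, at its core, a correlation of event source and destination addresses against the IP indicators in the feed. The following added example (not Activate content or Micro Focus code) shows that logic stand-alone: it loads an IOC CSV, skipping a malformed row and a stray space the way a robust feed loader must, and matches the indicators against ArcSight-style CEF events. The CSV column names, every IP address and all CEF events below are constructed for the example and are not values from the real TA VOLGMER IOCs.csv.

```python
import csv
import io
import ipaddress
import re

# Constructed IOC feed in the shape of a simple indicator CSV. Column names
# and all values are assumptions for this example, not entries from the real
# US-CERT TA VOLGMER IOCs.csv; download that file from the link above.
IOC_CSV = """indicator,type,description
203.0.113.10,ipv4,constructed indicator A
198.51.100.25 ,ipv4,constructed indicator B (trailing space in feed)
not-an-ip,ipv4,malformed row that must not abort the load
"""

# Constructed CEF events, in the form an ArcSight SmartConnector forwards.
SAMPLE_EVENTS = [
    "CEF:0|Vendor|Firewall|1.0|100|Allow|3|src=10.0.0.5 dst=203.0.113.10 dpt=8080",
    "CEF:0|Vendor|Proxy|1.0|200|Allow|3|src=10.0.0.7 dst=192.0.2.50 dpt=443",
    "CEF:0|Vendor|Firewall|1.0|100|Allow|3|src=198.51.100.25 dst=10.0.0.9 dpt=445",
]

def load_ip_iocs(text):
    """Return the set of valid IPv4 indicators; skip non-IP and bad rows."""
    iocs = set()
    for row in csv.DictReader(io.StringIO(text)):
        if (row.get("type") or "").strip().lower() != "ipv4":
            continue
        try:
            iocs.add(str(ipaddress.IPv4Address((row.get("indicator") or "").strip())))
        except ipaddress.AddressValueError:
            continue  # one bad row must not discard the whole feed
    return iocs

_KV = re.compile(r"(\w+)=(\S+)")

def cef_extension(line):
    """Parse the key=value extension of a CEF line into a dict."""
    parts = line.split("|", 7)
    return dict(_KV.findall(parts[7])) if len(parts) == 8 else {}

def find_ioc_hits(events, iocs):
    """Correlate the src and dst address of each event against the IOC set."""
    hits = []
    for line in events:
        ext = cef_extension(line)
        for field in ("src", "dst"):
            if ext.get(field) in iocs:
                hits.append((field, ext[field], line))
    return hits
```

Calling `find_ioc_hits(SAMPLE_EVENTS, load_ip_iocs(IOC_CSV))` returns the two events whose dst or src is on the list; the second event, which contacts an address not in the feed, is not reported.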
