SafeBreach Labs has updated the Hacker's Playbook™ with new simulations for attacks described in US-CERT Alert (AR19-129A) which describes a new technique called “ELECTRICFISH” originating from North Korean (aka. “HIDDEN COBRA”).
This alert is concerned with a malicious 32-bit Windows executable file. The malware implements a custom protocol that allows traffic to be funneled between a source and a destination Internet Protocol (IP) address. It then continuously attempts to reach out to the source and the destination system, which allows either side to initiate a funneling session. The malware can be configured with a proxy server/port and proxy username and password which allows connectivity to a system sitting inside of a proxy server. This allows the actor to bypass the compromised system’s required authentication to reach outside of the network.
These attacks have appeared in healthcare, finance, government, and defense industries. Their widespread availability presents a challenge for network defenses and threat-actor attribution. SafeBreach recommends all industries and businesses simulate the tools described in this alert to identify whether or not they are protected against these attacks.
To assess security control effectiveness against these techniques, the SafeBreach Breach and Attack Simulation Platform specifically tests the following endpoint and network security controls available now:
Newly developed playbook methods related to AR19-129A
Playbook # 2287 - Write ELECTRICFISH malware to disk (WINDOWS) (Host-Level)
Playbook # 2288 - Transfer of ELECTRICFISH malware over HTTP/S (Lateral Movement)
Playbook # 2289 - Transfer of ELECTRICFISH malware over HTTP/S (Infiltration)
Playbook # 2290 - Email ELECTRICFISH malware as a ZIP attachment (Lateral Movement)
Playbook # 2291 - Email ELECTRICFISH malware as a ZIP attachment (Infiltration)
Playbook # 2292 - Communication with Proxy Server using ELECTRICFISH Authentication Protocol (Infiltration)
Network Controls - Are security controls in place to prevent the download and transfer of the targeted malware used in this attack?