SafeBreach Labs has updated the Hacker's Playbook™ with new simulations for attacks described in US-CERT Alert (TA18-149A), attributed to North Korean government actors, dubbed HIDDEN COBRA.

Additionally, thanks to the depth of the Hacker's Playbook™, a portion of this multi-stage attack campaign had already been simulated, so customers were able to validate their security against parts of this attack before the alert. As always, SafeBreach Labs will continue to monitor the situation and develop new simulations as necessary.

This alert focuses on two families of malware: 1) a remote access tool (RAT) called Joanap; and 2) a Server Message Block (SMB) worm called Brambul. These two tools are used in combination for remote network exploitation and to maintain a presence on victims’ networks.

These attacks have targeted multiple global industries including the media, aerospace, financial, and critical infrastructure sectors. SafeBreach recommends all industries and businesses simulate this attack to identify whether or not they are protected against this campaign. To assess security control effectiveness against techniques involved in this attack, the SafeBreach Breach and Attack Simulation Platform specifically tests the following endpoint and network security controls:

Playbook methods related to TA18-149A

Playbook #172 - SMB Brute Force

  • Network Controls - Are security controls in place to prevent the initial brute-forcing of credentials that allow subsequent attacks used in this campaign?

Playbook #1564 - Transfer of Joanap/Brambul over HTTP/S

  • Network Controls - Are security controls in place to prevent the download and transfer of the RAT, worm, and dropper tools used in this attack?

Playbook #1565 - Local installation of Joanap/Brambul

  • Endpoint Controls - Are security controls in place to prevent the local deployment of the RAT and worm used in this attack?

Additional breach methods added recently include:

