InfoSec Alert – Hidden Cobra

Microsoft and Adobe have issued security patches for their systems (including legacy/unsupported platforms such as Windows XP, Server 2003 and Vista) to address multiple vulnerabilities believed to be at imminent risk of exploitation. These security advisories were released concurrently with alerts regarding a North Korean DDoS botnet infrastructure – HIDDEN COBRA.

Security Bulletins:

US-CERT Alert: TA17-164A

https://www.us-cert.gov/ncas/alerts/TA17-164A

Microsoft Security Advisory 4025685

https://technet.microsoft.com/en-us/library/security/4025685.aspx

Adobe Bulletins: APSB17-17 and APSB17-18

https://helpx.adobe.com/security/products/flash-player/apsb17-17.html

https://helpx.adobe.com/security/products/shockwave/apsb17-18.html

rmsource Recommendations:

System Patching

Given the severity of the vulnerabilities and the number of available exploits, rmsource recommends that the Microsoft and Adobe security patches be installed at the earliest available maintenance window, and that any company still running unsupported systems such as Windows XP and Server 2003 continue migrating to supported platforms.

Intrusion Prevention

Geo-Protection:

While US-CERT has provided indicators of compromise (IOCs), including a watch-list of source IP addresses, the list is too extensive for practical Access Control List (ACL) implementation. rmsource recommends implementing Intrusion Prevention Geo-Protection to block attacks by source location (the IOC source addresses are listed in US-CERT Alert TA17-164A, linked above).

Please note: Geo-Protection is an Advanced Threat Mitigation feature and may not be available on all firewall platforms. If Geo-Protection is enabled, care and planning must be given to ensure that legitimate traffic is not blocked.
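As an added illustration (not part of the rmsource alert or of the US-CERT material), the following Python script shows how a long IOC source-address watch-list can be collapsed into CIDR blocks so it fits in an ACL, and how firewall log lines can then be checked against those blocks while honouring an allow-list of known-good addresses. The addresses are constructed from the RFC 5737 documentation ranges, the log lines are constructed, and the `src=`/`dst=`/`action=` log layout is an assumed generic format rather than any vendor's.

```python
"""Collapse an IOC source-address watch-list into CIDR blocks and match
firewall log lines against it.

Added example, not from the rmsource alert. All addresses below come
from the RFC 5737 documentation ranges and are constructed, not real
HIDDEN COBRA indicators; the real watch-list is in US-CERT TA17-164A.
"""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Constructed watch-list: individual /32 entries, as a raw IOC list would
# arrive. The four adjacent addresses in 198.51.100.0/30 can be merged;
# 203.0.113.17 and .18 are adjacent but not block-aligned, so they cannot.
WATCHLIST_IPS = [
    "198.51.100.0", "198.51.100.1", "198.51.100.2", "198.51.100.3",
    "203.0.113.17", "203.0.113.18",
    "192.0.2.200",
]

# Constructed firewall log lines; the src=/dst=/action= layout is an
# assumed generic format, not a specific vendor's.
SAMPLE_LOG_LINES = [
    "Jun 13 10:01:02 fw1 kernel: src=198.51.100.2 dst=10.0.0.5 action=allow",
    "Jun 13 10:01:03 fw1 kernel: src=203.0.113.18 dst=10.0.0.5 action=allow",
    "Jun 13 10:01:04 fw1 kernel: src=10.0.0.7 dst=10.0.0.5 action=allow",
    "Jun 13 10:01:05 fw1 kernel: src=192.0.2.201 dst=10.0.0.5 action=deny",
    "Jun 13 10:01:06 fw1 kernel: malformed line with no source field",
]

LOG_RE = re.compile(
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+dst=(?P<dst>\S+)\s+action=(?P<action>\w+)"
)


def collapse_watchlist(ips: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Merge individual addresses into the fewest CIDR blocks.

    ipaddress.collapse_addresses() joins adjacent, block-aligned addresses
    into larger networks and drops duplicates, which reduces the number of
    ACL entries a firewall has to hold. Blank entries are ignored.
    """
    nets = [ipaddress.ip_network(ip.strip()) for ip in ips if ip.strip()]
    return list(ipaddress.collapse_addresses(nets))


def lookup(src: ipaddress.IPv4Address,
           nets: Iterable[ipaddress.IPv4Network]) -> Optional[ipaddress.IPv4Network]:
    """Return the first watch-list block containing src, or None."""
    for net in nets:
        if src in net:
            return net
    return None


def match_log_lines(lines: Iterable[str], nets: List[ipaddress.IPv4Network],
                    allowlist: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Return (log line, matching CIDR) pairs for sources on the watch-list.

    allowlist holds known-good addresses that must never be flagged, which
    mirrors the alert's caveat that blocking by source location must not
    catch legitimate traffic. Lines that do not parse are skipped rather
    than treated as hits.
    """
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue
        src = ipaddress.ip_address(m.group("src"))
        if src in allowed:
            continue
        net = lookup(src, nets)
        if net is not None:
            hits.append((line, str(net)))
    return hits


if __name__ == "__main__":
    blocks = collapse_watchlist(WATCHLIST_IPS)
    print(f"{len(WATCHLIST_IPS)} addresses collapsed to {len(blocks)} ACL entries:")
    for b in blocks:
        print("  ", b)
    for line, net in match_log_lines(SAMPLE_LOG_LINES, blocks):
        print(f"HIT {net}: {line}")
```

Run it as-is to see the seven sample addresses shrink to four CIDR entries and two of the five log lines flagged. The allow-list check runs before the watch-list lookup on purpose: a partner address that happens to sit inside a blocked range is excused before any blocking decision is made. Note that `collapse_addresses` only merges addresses of one family, so IPv4 and IPv6 watch-lists should be collapsed separately.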

Signature Set:

rmsource recommends updating all Intrusion Prevention platforms so that signatures addressing the following CVEs are set to detect or prevent.

Please note: depending on the IPS platform, it is possible that not all CVEs have been addressed. rmsource recommends continued monitoring of signature releases for any CVE not currently covered by an IPS signature.

CVE-2017-0267
CVE-2017-0280
CVE-2017-7269
CVE-2017-8461
CVE-2017-8464
CVE-2017-8487
CVE-2017-8543
CVE-2017-8552
CVE-2017-3075
CVE-2017-3081
CVE-2017-3083
CVE-2017-3084
CVE-2017-3076
CVE-2017-3077
CVE-2017-3078
CVE-2017-3079
CVE-2017-3082
CVE-2017-3086
CVE-2017-0176
CVE-2017-0222
CVE-2017-0143
CVE-2017-0144
CVE-2017-0145
CVE-2017-0146
CVE-2017-0148
CVE-2009-2526
CVE-2009-2532
CVE-2009-3103
CVE-2008-4250