HHS warns of fresh WannaCry-like attacks after Microsoft, DHS reports
The U.S. Department of Health and Human Services issued a security alert to healthcare organizations on Thursday, warning of recently discovered Windows vulnerabilities and a new threat with WannaCry-like capabilities.
The alert is a response to two reports released last week by Microsoft and U.S. Department of Homeland Security.
DHS and the FBI issued an alert about a threat they call Hidden Cobra, which is targeting U.S. critical infrastructure, media, aerospace and financial sectors. Thus, HHS officials warned, “targeting of the healthcare and public health sector systems and devices in the U.S. is possible.”
The researchers found the IP addresses connected to a malware variant used to manage North Korea’s DDoS botnet infrastructure. The Hidden Cobra designation covers all malicious North Korean cyber activity, which includes DDoS botnets, keyloggers, remote access tools and wiper malware.
Hidden Cobra has been active since 2009 and commonly targets older, outdated and unsupported Microsoft operating systems. The most recent report highlights a DDoS tool capable of launching DNS, Network Time Protocol (NTP) and Character Generator (CharGen) protocol attacks. The malware runs on victims’ systems as a svchost-based service and can download executables, change its own configuration, update its binary, terminate its process and both start and stop DDoS attacks.
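The DDoS capabilities described above (DNS, NTP and CharGen attacks) are reflection-style attacks: an infected host sends many small UDP requests to third-party servers so that their larger replies land on the real target. The following is an added example, not code from the HHS or DHS reports, that shows how a defender could spot an internal host behaving this way in NetFlow-like records. The flow records are constructed sample data, the internal address range and the thresholds are assumptions, and the field names follow no particular collector's schema.

```python
"""Flag internal hosts that emit reflection/amplification-style UDP traffic.

Illustration added beside the article's description of the Hidden Cobra DDoS
tool; it is not part of the alert. Flow records are constructed sample data
in a NetFlow-like shape; the internal range and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# UDP services commonly abused as reflectors, keyed by destination port.
AMPLIFICATION_PORTS = {53: "DNS", 123: "NTP", 19: "CharGen"}
INTERNAL = ip_network("10.0.0.0/8")  # assumption: the monitored site's range


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str
    packets: int
    octets: int


def flag_reflection_sources(flows, min_targets=5, max_bytes_per_packet=120):
    """Return {internal_host: {service: distinct_external_targets}} for hosts
    that send small UDP packets to many external reflectors of one service.

    CharGen is reported at any count, since ordinary hosts never use it."""
    targets = defaultdict(lambda: defaultdict(set))
    for f in flows:
        if f.proto != "UDP" or f.dst_port not in AMPLIFICATION_PORTS:
            continue
        src, dst = ip_address(f.src), ip_address(f.dst)
        if src not in INTERNAL or dst in INTERNAL:
            continue  # only internal -> external flows are of interest here
        if f.packets == 0 or f.octets / f.packets > max_bytes_per_packet:
            continue  # large payloads look like answers, not small queries
        targets[f.src][AMPLIFICATION_PORTS[f.dst_port]].add(f.dst)

    findings = {}
    for host, per_service in targets.items():
        hits = {svc: len(dsts) for svc, dsts in per_service.items()
                if len(dsts) >= min_targets or svc == "CharGen"}
        if hits:
            findings[host] = hits
    return findings


SAMPLE_FLOWS = [  # constructed records, not real telemetry
    # one host spraying small NTP requests at six different external servers
    *[Flow("10.0.0.5", f"198.51.100.{i}", 123, "UDP", 200, 200 * 90)
      for i in range(1, 7)],
    Flow("10.0.0.7", "192.0.2.53", 53, "UDP", 40, 40 * 70),      # normal resolver use
    Flow("10.0.0.7", "192.0.2.80", 443, "TCP", 300, 300 * 900),  # web traffic, ignored
    Flow("10.0.0.9", "203.0.113.19", 19, "UDP", 50, 50 * 40),    # CharGen, never expected
]


if __name__ == "__main__":
    for host, hits in flag_reflection_sources(SAMPLE_FLOWS).items():
        print(f"{host}: possible reflection traffic {hits}")
```

On the sample data the function reports 10.0.0.5 (six NTP targets) and 10.0.0.9 (any CharGen use), while the host doing ordinary DNS lookups and web browsing is not flagged. The packet-size filter keeps the check focused on the small request side of a reflection attack rather than on hosts that merely receive large DNS or NTP answers.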
Microsoft made an unprecedented release of three patches last week for vulnerabilities in XP and Server 2003, including SMB flaws like those exploited by WannaCry. Two other vulnerabilities allow malicious code to spread through shared drives and networks.
The company said it hopes the release will help counter potential nation-state activity and destructive cyberattacks such as WannaCry and Hidden Cobra. However, in its warning, HHS said these patches won’t necessarily protect against Hidden Cobra, as it leverages a wide range of vulnerabilities.
“These vulnerabilities allow an attacker to remotely run programs or attacks on systems,” officials said. “This could allow an attacker to perform a wide range of actions including exfiltrating documents or data, or gain access to other internal systems via the local network once initial access is gained.”