Microsoft Patches and DeltaCharlie
By Mark Perry on June 15, 2017
Patch Tuesday has come and gone, and with it the final fixes for the many vulnerabilities across the various Windows operating systems. Interestingly enough, Microsoft has included the normally unsupported operating systems, such as Windows XP and Windows Server 2003.
The patches can be manually downloaded here.
Other vulnerabilities patched in this Microsoft update include not only the previously discussed SMB RCE CVE-2017-0144, but also CVE-2017-8543 and CVE-2017-8464. What is important about these two vulnerabilities is that they have been identified in live attacks against Windows machines and have publicly available proofs of concept.
- CVE-2017-8543: SMB, Remote Code Execution, Windows Memory Objects
- CVE-2017-8464: LNK, Remote Code Execution, Binary
These are just two highlights from the 96 vulnerabilities patched by Microsoft this month. Below is the link to the newest plugins for the Nessus security scanner:
https://www.tenable.com/plugins/index.php?view=newest
Out of the blue, the FBI and the Department of Homeland Security have announced, through US-CERT, an alert on a North Korean state-sponsored hacking operation. This operation is not new, but it seems there may be some need-to-know intelligence that has motivated the announcement. Hidden Cobra is the name given to this group, and they are best known for their operations involving the malware DeltaCharlie, which was used to build a global DDoS botnet. The group has been operating for over eight years, since 2009, and has used many malware families including Destover, Wild Positron, and Hangman, each with a specific purpose: DDoS botnets, keyloggers, remote access tools, and data wiping. With tensions rising, we can assume there is cause for concern for individual users and companies alike.
Some vulnerabilities known to be utilized by this group include:
- Hangul Word Processor bug (CVE-2015-6585)
- Microsoft Silverlight flaw (CVE-2015-8651)
- Adobe Flash Player 18.0.0.324 and 19.x vulnerability (CVE-2016-0034)
- Adobe Flash Player 21.0.0.197 Vulnerability (CVE-2016-1019)
- Adobe Flash Player 21.0.0.226 Vulnerability (CVE-2016-4117)
The best way to mitigate exploitation of these vulnerabilities is to stay current on all updates and patches, including those just released this month. Network signatures have been identified and can be implemented as rules for IPS systems and firewalls. Note that both rules as published carry sid:1; assign each a unique SID before loading them, since Snort treats a duplicate gid/sid/rev combination as an error.
```snort
alert tcp any any -> any any (msg:"DPRK_HIDDEN_COBRA_DDoS_HANDSHAKE_SUCCESS"; dsize:6; flow:established,to_server; content:"|18 17 e9 e9 e9 e9|"; fast_pattern:only; sid:1; rev:1;)

alert tcp any any -> any any (msg:"DPRK_HIDDEN_COBRA_Botnet_C2_Host_Beacon"; flow:established,to_server; content:"|1b 17 e9 e9 e9 e9|"; depth:6; fast_pattern; sid:1; rev:1;)
```
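To make clear what the two rules above actually constrain, here is an added example (not from the original post, from US-CERT, or from Snort itself) that parses the rule options that matter here (msg, sid, flow, content, dsize, depth), evaluates them against constructed sample payloads, and flags the shared SID. The Packet type and its established/to_server fields are an assumption standing in for the flow state a real sensor tracks; the sample payloads are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# The two rules as published (straight quotes), fed to the toy parser below.
RULES = [
    'alert tcp any any -> any any (msg:"DPRK_HIDDEN_COBRA_DDoS_HANDSHAKE_SUCCESS"; '
    'dsize:6; flow:established,to_server; content:"|18 17 e9 e9 e9 e9|"; '
    'fast_pattern:only; sid:1; rev:1;)',
    'alert tcp any any -> any any (msg:"DPRK_HIDDEN_COBRA_Botnet_C2_Host_Beacon"; '
    'flow:established,to_server; content:"|1b 17 e9 e9 e9 e9|"; depth:6; '
    'fast_pattern; sid:1; rev:1;)',
]

# One option: key, optional ':value' (quoted string or up to the next ';'), then ';'.
OPTION_RE = re.compile(r'(\w+)(?::\s*("[^"]*"|[^;]*))?\s*;')


@dataclass
class Rule:
    msg: str
    sid: int
    content: bytes
    dsize: Optional[int] = None   # exact payload length required, or None
    depth: Optional[int] = None   # content must end within the first N bytes, or None
    flow: Set[str] = field(default_factory=set)


@dataclass
class Packet:
    """Assumed stand-in for a TCP segment plus the flow state a sensor tracks."""
    payload: bytes
    established: bool = True
    to_server: bool = True


def parse_content(value: str) -> bytes:
    # Snort writes raw bytes as |hh hh ...|; anything else is literal text.
    if value.startswith("|") and value.endswith("|"):
        return bytes.fromhex(value[1:-1])
    return value.encode()


def parse_rule(text: str) -> Rule:
    body = text[text.index("(") + 1 : text.rindex(")")]
    opts = {k: v.strip('"') for k, v in OPTION_RE.findall(body)}
    return Rule(
        msg=opts["msg"],
        sid=int(opts["sid"]),
        content=parse_content(opts["content"]),
        dsize=int(opts["dsize"]) if "dsize" in opts else None,
        depth=int(opts["depth"]) if "depth" in opts else None,
        flow=set(opts.get("flow", "").split(",")) - {""},
    )


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if "established" in rule.flow and not pkt.established:
        return False
    if "to_server" in rule.flow and not pkt.to_server:
        return False
    if rule.dsize is not None and len(pkt.payload) != rule.dsize:
        return False
    # depth:N limits the search to the first N bytes; with a 6-byte content and
    # depth:6 the magic therefore has to sit at offset 0.
    window = pkt.payload[: rule.depth] if rule.depth is not None else pkt.payload
    return rule.content in window


def scan(pkt: Packet, rules: List[Rule]) -> List[str]:
    """Return the msg of every rule that fires on this packet."""
    return [r.msg for r in rules if rule_matches(r, pkt)]


def duplicate_sids(rules: List[Rule]) -> List[int]:
    """SIDs shared by more than one rule; a rule set like that fails to load."""
    seen, dups = set(), []
    for r in rules:
        if r.sid in seen and r.sid not in dups:
            dups.append(r.sid)
        seen.add(r.sid)
    return dups


PARSED = [parse_rule(r) for r in RULES]

# Constructed sample traffic: the handshake magic alone; the same magic plus a
# trailing byte (defeats dsize:6); the beacon magic at offset 0 followed by more
# data (depth:6 still satisfied); the beacon magic shifted by one byte (depth:6
# no longer satisfied); and the handshake magic in the server-to-client direction.
SAMPLES = {
    "handshake_exact": Packet(bytes.fromhex("1817e9e9e9e9")),
    "handshake_padded": Packet(bytes.fromhex("1817e9e9e9e9") + b"\x00"),
    "beacon_at_offset0": Packet(bytes.fromhex("1b17e9e9e9e9") + b"\x41" * 20),
    "beacon_shifted": Packet(b"\x00" + bytes.fromhex("1b17e9e9e9e9")),
    "handshake_to_client": Packet(bytes.fromhex("1817e9e9e9e9"), to_server=False),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:22s} -> {scan(pkt, PARSED) or 'no alert'}")
    print("duplicate sids:", duplicate_sids(PARSED))
```

The point of the two negative samples is that dsize:6 and depth:6 are not interchangeable: the handshake rule only fires on a payload that is exactly the six magic bytes, while the beacon rule fires on any payload that begins with its six bytes, however long the rest is.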
Also, with extreme certainty, these IP addresses have been identified as malicious and should be blacklisted.
FBI and DHS have also announced:
“If users or administrators detect the custom tools indicative of HIDDEN COBRA, these tools should be immediately flagged, reported to the DHS National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and given highest priority for enhanced mitigation,”