Topic: Kaspersky Lab provide us additional details on the Sony-plundering malware...


Samker



Kaspersky bod Kurt Baumgartner has released more details on the Sony-plundering malware and links it to attacks on Saudi Aramco and South Korea.

Research conducted in the wake of the epic Sony breach last month: http://uk.reuters.com/article/2014/12/02/uk-sony-cybersecurity-malware-idUKKCN0JF3FM20141202 had connected those behind the attack known as the Guardians of Peace (GOP) with the 2012 hacking of Saudi Aramco by 'WhoIs Team' that hit 30,000 computers with the Shamoon malware: http://pastebin.com/HqAgaQRj at a time when tensions were high between Saudi Arabia and Iran: http://www.alarabiya.net/articles/2012/06/26/222774.html
 
The malware served to Sony disabled or destroyed corporate machines, forcing the firm to enter an IT lock-down. It was dubbed BKDR_WIPALL by Trend Micro and Destover by Kaspersky.

Baumgartner's work added further weight to claims the malware used in both attacks: http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-the-destructive-malware-behind-fbi-warnings/ and the 2013 Dark Seoul hacks were deployed by the same actors: http://english.yonhapnews.co.kr/national/2013/03/20/40/0301000000AEN20130320008051315F.HTML

"In all three cases: Shamoon, Dark Seoul and Destover, the groups claiming credit for their destructive impact across entire large networks had no history or real identity of their own," Baumgartner: http://twitter.com/k_sec wrote in an analysis piece: http://securelist.com/blog/research/67985/destover/

"All attempted to disappear following their act, did not make clear statements but did make bizarre and roundabout accusations of criminal conduct, and instigated their destructive acts immediately after a politically-charged event that was suggested as having been at the heart of the matter.

"Images from the Dark Seoul Whois and Destover GOP groups included a 'hacked by' claim, accompanied by a 'warning' and threats regarding stolen data. Both threatened that this was only the beginning and that the group will be back."

A further point linking the Sony and South Korea attacks was the styling of the defacements, which used skulls and the same colours. The GOP bore a group name with a similar cheesy '90s hacker phonetic structure to the Saudi Aramco culprits known as the 'Cutting Sword of Justice'.

There were technological similarities too. Shamoon and Wiper used off-the-shelf EldoS RawDisk drivers maintained in the dropper's resource section, while Shamoon and Dark Seoul dropped political messages to overwrite disk data and the master boot record.

The hackers worked to a tight deadline in the Dark Seoul and Sony attacks, compiling executables two days before the attack.

Shamoon components were similarly rushed, having been built five days from d-day.

The commonalities were no smoking gun pointing to North Korea, but the links between the attack campaigns were "extraordinary" given the high-profile nature of the victims, Baumgartner said.

"... it should be noted that the reactionary events and the groups' operational and tool set characteristics all carry marked similarities [and] it is extraordinary that such unusual and focused acts of large scale cyber-destruction are being carried out with clearly recognisable similarities," he said.

Sony would likely be able to recover its wiped data if the malware was close enough to that used in Shamoon and Dark Seoul, Baumgartner said.

(ElReg)
