Attacks/Breaches
3/25/2013
01:14 PM
50%
50%

How South Korean Bank Malware Spread

Attackers used stolen usernames and passwords for legitimate AhnLab Patch Manager accounts, set wiper software for staggered deletes to maximize damage.

The malware attacks that successfully compromised an estimated 32,000 South Korean systems Wednesday were distributed, at least in part, using legitimate enterprise patch management software.

Attackers used stolen usernames and passwords to access AhnLab Patch Management software running in at least some of the affected businesses. "The credentials were used to gain access to individual patch management systems located on the affected networks," read a statement released Friday by the AhnLab Security Emergency Response Center (ASEC). "Once the attackers had access to the patch management system they used it to distribute the malware much like the system distributes new software and software updates."

The resulting malware infections compromised Windows, Unix and Linux systems at South Korea's Jeju, NongHyup and Shinhan banks, as well as television broadcasters KBS, MBC and YTN. The malicious code used by attackers included "wiper" malware, with a built-in logic bomb set to begin overwriting a computer's master boot record (MBR) data at a preset time Thursday afternoon, and then rebooting, which would render the system inoperable. Some of the Trojan applications used in the attacks could also remotely wipe network-connected Unix and Linux systems.

[ South Korea back-pedals after blaming North Korea for bank hack. Read South Korea Changes Story On Bank Hacks. ]

AhnLab emphasized that when attackers accessed its patch management software, running at targeted sites, they used legitimate access credentials rather than exploiting zero-day vulnerabilities in the code or stealing or compromising any of the digital certificates the company uses to sign its code. "Contrary to early reports, no security hole in any AhnLab server or product was used by the attackers to deliver the malicious code," said AhnLab's statement.

AhnLab also cited a report that Ryou Jae Cheol, a professor of computer engineering and securities at South Korea's Chungnam National University, said that the North Korean government had launched the attack, using Chinese-developed code. In fact, Cheol -- referencing a Thursday report from the Korean Communications Commission (KCC) that the attacks had been launched via an IP address registered in China -- told Bloomberg Thursday that "discovering that the code was from China makes it more likely that the attack was from North Korea, because a lot of North Korean hackers operate there."

By Friday, however, South Korean officials changed their story, noting that they'd been "careless" to ascribe to China an IP address that was actually privately registered to South Korea's NongHyup bank. According to the KCC, at least some of the malware attacks were launched from a single NongHyup system, inside South Korea.

Many of the systems exploited in the attacks were infected with malware at least one day prior. According to research published by Trend Micro, some of the malware used in the attacks was distributed via a spear-phishing campaign that commenced on Tuesday, March 19.

But a threat researcher at security firm F-Secure, who goes by the name "Brod," said in a blog post Monday that a malicious HTML archive used in some of the South Korea attacks was created on March 17, which is three days before the logic bomb was triggered.

The malicious HTML archive claimed to be an account history for Shinhan bank customers, which was one of the businesses exploited in the attacks. "The malware inside the archive is using double extensions combined with a very long filename to hide the real extension," said Brod. "This is a common social engineering tactic that started during the era of mass-mailing worms almost a decade ago. Therefore we believe the archive is most likely sent as attachment in spear phishing e-mails."

Not all of the malware, however, was launched via spear-phishing emails. "Some variants also wipe remote systems using credentials found in configuration files of certain SSH clients installed in infected systems. Therefore an affected system can simply have one of its users, who uses a vulnerable SSH client, infected for it to get toasted," said Brod.

Attackers used software that could not only wipe Windows systems but also remotely wipe Unix and Linux systems. "Felix Deimel and VanDyke SSH clients as well as the RAR archive were used in the attacks," said Brod. "These are either third-party applications or not supported by Windows natively."

Researchers at Symantec reported Friday that they've now recovered four different types of wipers used in the attacks. One of the wipers was written as a DLL file that was injected into LSASS.exe, which is the Windows Local Security Authentication Server, while the other three are standalone position-independent executable (PIE) code.

Timing-wise, two of the wipers were instructed to immediately wipe upon execution, according to a Symantec Security Response blog post. "Another was instructed to wipe specifically at 2PM on March 20, 2013. We have recently come across another sample ... that wipes at 3PM on March 20, independent of year," the post continued.

In the wake of last week's attacks, some security researchers had suggested that the apparently scattershot list of targets may have been designed solely to cause panic. But researchers have since discovered overlapping malware that's able to wipe multiple systems, backed by redundant logic bomb timing seemingly designed to cause maximum damage. "All these specifics give the impression of a targeted attack," said F-Secure's Brod.

Attend Interop Las Vegas May 6-10 and learn the emerging trends in information risk management and security. Use Priority Code MPIWK by March 22 to save an additional $200 off the early bird discount on All Access and Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 300+ exhibiting companies, and the latest technology. Register today!

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5427
Published: 2015-03-29
Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integration Engine (NIE) 5xxx-x, and NxE8500, allows remote attackers to read pa...

CVE-2014-5428
Published: 2015-03-29
Unrestricted file upload vulnerability in unspecified web services in Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integratio...

CVE-2014-9205
Published: 2015-03-29
Stack-based buffer overflow in the PmBase64Decode function in an unspecified demonstration application in MICROSYS PROMOTIC stable before 8.2.19 and PROMOTIC development before 8.3.2 allows remote attackers to execute arbitrary code by providing a large amount of data.

CVE-2015-0528
Published: 2015-03-29
The RPC daemon in EMC Isilon OneFS 6.5.x and 7.0.x before 7.0.2.13, 7.1.0 before 7.1.0.6, 7.1.1 before 7.1.1.2, and 7.2.0 before 7.2.0.1 allows local users to gain privileges by leveraging an ability to modify system files.

CVE-2015-0996
Published: 2015-03-29
Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and InTouch Machine Edition 2014 before 7.1.3.4 SP3 Patch 4 rely on a hardcoded cleartext password to control read access to Project files and Project Configuration files, which makes it easier for local users to obtain sensitive info...

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.