Attacks/Breaches
3/21/2013
09:48 AM
Connect Directly
RSS
E-Mail
50%
50%

South Korea Bank Hacks: 7 Key Facts

Data-wiping attacks on Windows and Linux computers may have just focused on random targets to cause chaos, security researchers say.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
4. Targets May Have Already Been Botnet Zombies

Might the South Korean malware attacks have been designed to cause maximum chaos and disruption, rather than targeting any given organization? One theory -- advanced by Jaime Blasco, labs manager at AlienVault Labs -- is that whoever targeted the South Korean banks and broadcasters may have just used machines that were already infected by the GonDad exploit kit, which has been used to infect a number of PCs in the country.

"From my point of view one of the easiest ways to gain access to several targets without having too much resources/skills would be [to] buy an exploit kit and a malware kit, hack into websites and redirect victims to your malicious infrastructure," Blasco said in a blog post. "Even better, rent a botnet(s) that have access to hundreds of computers and try to find victims inside interesting targets."

[ How hard is it to find patterns in attacks? Read Security Tools Show Many Dots, Few Patterns. ]

Indeed, he said that "if the goal of the attackers was to create panic it means they hadn't to have a specific list of victims, [did] they?" Instead, they could have just identified targets of opportunity.

"If the people behind yesterday's South Korean attacks had access to some of the infrastructure ... they could have gained access to hundreds if not thousands of South Korean systems and then they could have chosen which of the compromised systems were in interesting companies," he said. "Then they could have manually upload another payload to each of the systems and they could have performed lateral movement to own the network. Once they are in the network they can easily execute the wiping payload."

"You should take into account that this is only a theory and it could even be a very small part of all the infrastructure they could have used," he said.

5. Attacks Launched Via Chinese IP Address

A group calling itself the "Whois Team" has claimed credit for the attacks, and defaced some disrupted websites with a message announcing that "This is the Beginning of our Movement" and that "Unfortunately, We have deleted Your Data. We'll be back Soon. See You Again." But who is the Whois Team? That's not clear, and it may just be a front for a nation state or gang.

According to the Korea Communications Commission (KCC), at least some of the malware that was used in the attacks was distributed via IP addresses located in China. That's no smoking gun for either Chinese government involvement or Chinese nationals being behind the attacks. Rather, attackers may have simply rented an inexpensive China-based botnet to target a pre-supplied list of South Korean IP or email addresses with malware attacks.

"Both the exploit kit and the malware mentioned seems to come from China, but the attackers could have bought/[rented] it in the black market," said Blasco at AlienVault Labs.

6. Outage: South Korean Internet Service Provider Targeted

The attackers may have also hacked into the country's South Korean service provider LG UPlus, which told police Wednesday that it had suffered a network outage as a result of a hack attack, reported Reuters. South Korean police said they were investigating that claim. Interestingly, all of the malware-attacked organizations are customers of LG UPlus, but that might just be a coincidence.

7. South Korean Official Suspect North Korea

After any online attack against South Korea, the primary suspect is always North Korea, given tensions between the two neighbors, as well as reports that North Korea has developed a cyberwarfare unit. In the wake of yesterday's attacks, officials in Seoul were urging caution before assigning blame. But by Thursday, South Korean officials started pointing fingers.

The government "is closely analyzing the incident with all possibilities open, while bearing a strong suspicion that North Korea conducted the attack," a high-ranking official of the presidential office Cheong Wa Dae told Yonhap News Agency.

According to Yonhap, Korean intelligence officials said they've traced six online attacks to North Korea in recent years, including a massive 2009 distributed denial of service (DDoS) attack that disabled 26 South Korean government and foreign websites, another DDoS attack in March 2011 against the websites of the South Korean president, national assembly and media outlets, and a June 2012 attack against a conservative newspaper website. At least some of those attacks were launched via Chinese IP addresses.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Computer Repair Whiteplains NY
50%
50%
Computer Repair Whiteplains NY,
User Rank: Apprentice
3/21/2013 | 5:13:05 PM
re: South Korea Bank Hacks: 7 Key Facts
It's incredible to see how even Linux systems get infected. At this point, I would suggest those banks to get off the Internet or, if they need to remain online, to adopt a very high customization and split of their networks.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7407
Published: 2014-10-22
Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2014-3675
Published: 2014-10-22
Shim allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted DHCPv6 packet.

CVE-2014-3676
Published: 2014-10-22
Heap-based buffer overflow in Shim allows remote attackers to execute arbitrary code via a crafted IPv6 address, related to the "tftp:// DHCPv6 boot option."

CVE-2014-3677
Published: 2014-10-22
Unspecified vulnerability in Shim might allow attackers to execute arbitrary code via a crafted MOK list, which triggers memory corruption.

CVE-2014-4448
Published: 2014-10-22
House Arrest in Apple iOS before 8.1 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information from a Documents directory by obtaining this UID.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.