09:48 AM

South Korea Bank Hacks: 7 Key Facts

Data-wiping attacks on Windows and Linux computers may have just focused on random targets to cause chaos, security researchers say.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
4. Targets May Have Already Been Botnet Zombies

Might the South Korean malware attacks have been designed to cause maximum chaos and disruption, rather than targeting any given organization? One theory -- advanced by Jaime Blasco, labs manager at AlienVault Labs -- is that whoever targeted the South Korean banks and broadcasters may have just used machines that were already infected by the GonDad exploit kit, which has been used to infect a number of PCs in the country.

"From my point of view one of the easiest ways to gain access to several targets without having too much resources/skills would be [to] buy an exploit kit and a malware kit, hack into websites and redirect victims to your malicious infrastructure," Blasco said in a blog post. "Even better, rent a botnet(s) that have access to hundreds of computers and try to find victims inside interesting targets."

[ How hard is it to find patterns in attacks? Read Security Tools Show Many Dots, Few Patterns. ]

Indeed, he said that "if the goal of the attackers was to create panic it means they hadn't to have a specific list of victims, [did] they?" Instead, they could have just identified targets of opportunity.

"If the people behind yesterday's South Korean attacks had access to some of the infrastructure ... they could have gained access to hundreds if not thousands of South Korean systems and then they could have chosen which of the compromised systems were in interesting companies," he said. "Then they could have manually upload another payload to each of the systems and they could have performed lateral movement to own the network. Once they are in the network they can easily execute the wiping payload."

"You should take into account that this is only a theory and it could even be a very small part of all the infrastructure they could have used," he said.

5. Attacks Launched Via Chinese IP Address

A group calling itself the "Whois Team" has claimed credit for the attacks, and defaced some disrupted websites with a message announcing that "This is the Beginning of our Movement" and that "Unfortunately, We have deleted Your Data. We'll be back Soon. See You Again." But who is the Whois Team? That's not clear, and it may just be a front for a nation state or gang.

According to the Korea Communications Commission (KCC), at least some of the malware that was used in the attacks was distributed via IP addresses located in China. That's no smoking gun for either Chinese government involvement or Chinese nationals being behind the attacks. Rather, attackers may have simply rented an inexpensive China-based botnet to target a pre-supplied list of South Korean IP or email addresses with malware attacks.

"Both the exploit kit and the malware mentioned seems to come from China, but the attackers could have bought/[rented] it in the black market," said Blasco at AlienVault Labs.

6. Outage: South Korean Internet Service Provider Targeted

The attackers may have also hacked into the country's South Korean service provider LG UPlus, which told police Wednesday that it had suffered a network outage as a result of a hack attack, reported Reuters. South Korean police said they were investigating that claim. Interestingly, all of the malware-attacked organizations are customers of LG UPlus, but that might just be a coincidence.

7. South Korean Official Suspect North Korea

After any online attack against South Korea, the primary suspect is always North Korea, given tensions between the two neighbors, as well as reports that North Korea has developed a cyberwarfare unit. In the wake of yesterday's attacks, officials in Seoul were urging caution before assigning blame. But by Thursday, South Korean officials started pointing fingers.

The government "is closely analyzing the incident with all possibilities open, while bearing a strong suspicion that North Korea conducted the attack," a high-ranking official of the presidential office Cheong Wa Dae told Yonhap News Agency.

According to Yonhap, Korean intelligence officials said they've traced six online attacks to North Korea in recent years, including a massive 2009 distributed denial of service (DDoS) attack that disabled 26 South Korean government and foreign websites, another DDoS attack in March 2011 against the websites of the South Korean president, national assembly and media outlets, and a June 2012 attack against a conservative newspaper website. At least some of those attacks were launched via Chinese IP addresses.

2 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Computer Repair Whiteplains NY
Computer Repair Whiteplains NY,
User Rank: Apprentice
3/21/2013 | 5:13:05 PM
re: South Korea Bank Hacks: 7 Key Facts
It's incredible to see how even Linux systems get infected. At this point, I would suggest those banks to get off the Internet or, if they need to remain online, to adopt a very high customization and split of their networks.
Register for Dark Reading Newsletters
White Papers
Current Issue
E-Commerce Security: What Every Enterprise Needs to Know
The mainstream use of EMV smartcards in the US has experts predicting an increase in online fraud. Organizations will need to look at new tools and processes for building better breach detection and response capabilities.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio