Attacks/Breaches
3/21/2013
09:48 AM
50%
50%

South Korea Bank Hacks: 7 Key Facts

Data-wiping attacks on Windows and Linux computers may have just focused on random targets to cause chaos, security researchers say.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
4. Targets May Have Already Been Botnet Zombies

Might the South Korean malware attacks have been designed to cause maximum chaos and disruption, rather than targeting any given organization? One theory -- advanced by Jaime Blasco, labs manager at AlienVault Labs -- is that whoever targeted the South Korean banks and broadcasters may have just used machines that were already infected by the GonDad exploit kit, which has been used to infect a number of PCs in the country.

"From my point of view one of the easiest ways to gain access to several targets without having too much resources/skills would be [to] buy an exploit kit and a malware kit, hack into websites and redirect victims to your malicious infrastructure," Blasco said in a blog post. "Even better, rent a botnet(s) that have access to hundreds of computers and try to find victims inside interesting targets."

[ How hard is it to find patterns in attacks? Read Security Tools Show Many Dots, Few Patterns. ]

Indeed, he said that "if the goal of the attackers was to create panic it means they hadn't to have a specific list of victims, [did] they?" Instead, they could have just identified targets of opportunity.

"If the people behind yesterday's South Korean attacks had access to some of the infrastructure ... they could have gained access to hundreds if not thousands of South Korean systems and then they could have chosen which of the compromised systems were in interesting companies," he said. "Then they could have manually upload another payload to each of the systems and they could have performed lateral movement to own the network. Once they are in the network they can easily execute the wiping payload."

"You should take into account that this is only a theory and it could even be a very small part of all the infrastructure they could have used," he said.

5. Attacks Launched Via Chinese IP Address

A group calling itself the "Whois Team" has claimed credit for the attacks, and defaced some disrupted websites with a message announcing that "This is the Beginning of our Movement" and that "Unfortunately, We have deleted Your Data. We'll be back Soon. See You Again." But who is the Whois Team? That's not clear, and it may just be a front for a nation state or gang.

According to the Korea Communications Commission (KCC), at least some of the malware that was used in the attacks was distributed via IP addresses located in China. That's no smoking gun for either Chinese government involvement or Chinese nationals being behind the attacks. Rather, attackers may have simply rented an inexpensive China-based botnet to target a pre-supplied list of South Korean IP or email addresses with malware attacks.

"Both the exploit kit and the malware mentioned seems to come from China, but the attackers could have bought/[rented] it in the black market," said Blasco at AlienVault Labs.

6. Outage: South Korean Internet Service Provider Targeted

The attackers may have also hacked into the country's South Korean service provider LG UPlus, which told police Wednesday that it had suffered a network outage as a result of a hack attack, reported Reuters. South Korean police said they were investigating that claim. Interestingly, all of the malware-attacked organizations are customers of LG UPlus, but that might just be a coincidence.

7. South Korean Official Suspect North Korea

After any online attack against South Korea, the primary suspect is always North Korea, given tensions between the two neighbors, as well as reports that North Korea has developed a cyberwarfare unit. In the wake of yesterday's attacks, officials in Seoul were urging caution before assigning blame. But by Thursday, South Korean officials started pointing fingers.

The government "is closely analyzing the incident with all possibilities open, while bearing a strong suspicion that North Korea conducted the attack," a high-ranking official of the presidential office Cheong Wa Dae told Yonhap News Agency.

According to Yonhap, Korean intelligence officials said they've traced six online attacks to North Korea in recent years, including a massive 2009 distributed denial of service (DDoS) attack that disabled 26 South Korean government and foreign websites, another DDoS attack in March 2011 against the websites of the South Korean president, national assembly and media outlets, and a June 2012 attack against a conservative newspaper website. At least some of those attacks were launched via Chinese IP addresses.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Computer Repair Whiteplains NY
50%
50%
Computer Repair Whiteplains NY,
User Rank: Apprentice
3/21/2013 | 5:13:05 PM
re: South Korea Bank Hacks: 7 Key Facts
It's incredible to see how even Linux systems get infected. At this point, I would suggest those banks to get off the Internet or, if they need to remain online, to adopt a very high customization and split of their networks.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2382
Published: 2014-11-20
The DfDiskLo.sys driver in Faronics Deep Freeze Standard and Enterprise 8.10 and earlier allows local administrators to cause a denial of service (crash) and execute arbitrary code via a crafted IOCTL request that writes to arbitrary memory locations, related to the IofCallDriver function.

CVE-2014-3625
Published: 2014-11-20
Directory traversal vulnerability in Pivitol Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.

CVE-2014-7194
Published: 2014-11-20
TIBCO Managed File Transfer Internet Server before 7.2.4, Managed File Transfer Command Center before 7.2.4, Slingshot before 1.9.3, and Vault before 1.1.1 allow remote attackers to obtain sensitive information or modify data by leveraging agent access.

CVE-2014-7195
Published: 2014-11-20
Spotfire Web Player Engine in TIBCO Spotfire Web Player 6.0.x before 6.0.2 and 6.5.x before 6.5.2, Spotfire Deployment Kit 6.0.x before 6.0.2 and 6.5.x before 6.5.2, and Silver Fabric Enabler for Spotfire Web Player before 1.6.1 allows remote authenticated users to obtain sensitive information via u...

CVE-2014-8000
Published: 2014-11-20
Cisco Unified Communications Manager IM and Presence Service 9.1(1) produces different returned messages for URL requests depending on whether a username exists, which allows remote attackers to enumerate user accounts via a series of requests, aka Bug ID CSCur63497.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?