Attacks/Breaches
3/21/2013
09:48 AM
50%
50%

South Korea Bank Hacks: 7 Key Facts

Data-wiping attacks on Windows and Linux computers may have just focused on random targets to cause chaos, security researchers say.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
4. Targets May Have Already Been Botnet Zombies

Might the South Korean malware attacks have been designed to cause maximum chaos and disruption, rather than targeting any given organization? One theory -- advanced by Jaime Blasco, labs manager at AlienVault Labs -- is that whoever targeted the South Korean banks and broadcasters may have just used machines that were already infected by the GonDad exploit kit, which has been used to infect a number of PCs in the country.

"From my point of view one of the easiest ways to gain access to several targets without having too much resources/skills would be [to] buy an exploit kit and a malware kit, hack into websites and redirect victims to your malicious infrastructure," Blasco said in a blog post. "Even better, rent a botnet(s) that have access to hundreds of computers and try to find victims inside interesting targets."

[ How hard is it to find patterns in attacks? Read Security Tools Show Many Dots, Few Patterns. ]

Indeed, he said that "if the goal of the attackers was to create panic it means they hadn't to have a specific list of victims, [did] they?" Instead, they could have just identified targets of opportunity.

"If the people behind yesterday's South Korean attacks had access to some of the infrastructure ... they could have gained access to hundreds if not thousands of South Korean systems and then they could have chosen which of the compromised systems were in interesting companies," he said. "Then they could have manually upload another payload to each of the systems and they could have performed lateral movement to own the network. Once they are in the network they can easily execute the wiping payload."

"You should take into account that this is only a theory and it could even be a very small part of all the infrastructure they could have used," he said.

5. Attacks Launched Via Chinese IP Address

A group calling itself the "Whois Team" has claimed credit for the attacks, and defaced some disrupted websites with a message announcing that "This is the Beginning of our Movement" and that "Unfortunately, We have deleted Your Data. We'll be back Soon. See You Again." But who is the Whois Team? That's not clear, and it may just be a front for a nation state or gang.

According to the Korea Communications Commission (KCC), at least some of the malware that was used in the attacks was distributed via IP addresses located in China. That's no smoking gun for either Chinese government involvement or Chinese nationals being behind the attacks. Rather, attackers may have simply rented an inexpensive China-based botnet to target a pre-supplied list of South Korean IP or email addresses with malware attacks.

"Both the exploit kit and the malware mentioned seems to come from China, but the attackers could have bought/[rented] it in the black market," said Blasco at AlienVault Labs.

6. Outage: South Korean Internet Service Provider Targeted

The attackers may have also hacked into the country's South Korean service provider LG UPlus, which told police Wednesday that it had suffered a network outage as a result of a hack attack, reported Reuters. South Korean police said they were investigating that claim. Interestingly, all of the malware-attacked organizations are customers of LG UPlus, but that might just be a coincidence.

7. South Korean Official Suspect North Korea

After any online attack against South Korea, the primary suspect is always North Korea, given tensions between the two neighbors, as well as reports that North Korea has developed a cyberwarfare unit. In the wake of yesterday's attacks, officials in Seoul were urging caution before assigning blame. But by Thursday, South Korean officials started pointing fingers.

The government "is closely analyzing the incident with all possibilities open, while bearing a strong suspicion that North Korea conducted the attack," a high-ranking official of the presidential office Cheong Wa Dae told Yonhap News Agency.

According to Yonhap, Korean intelligence officials said they've traced six online attacks to North Korea in recent years, including a massive 2009 distributed denial of service (DDoS) attack that disabled 26 South Korean government and foreign websites, another DDoS attack in March 2011 against the websites of the South Korean president, national assembly and media outlets, and a June 2012 attack against a conservative newspaper website. At least some of those attacks were launched via Chinese IP addresses.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Computer Repair Whiteplains NY
50%
50%
Computer Repair Whiteplains NY,
User Rank: Apprentice
3/21/2013 | 5:13:05 PM
re: South Korea Bank Hacks: 7 Key Facts
It's incredible to see how even Linux systems get infected. At this point, I would suggest those banks to get off the Internet or, if they need to remain online, to adopt a very high customization and split of their networks.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2208
Published: 2014-12-28
CRLF injection vulnerability in the LightProcess protocol implementation in hphp/util/light-process.cpp in Facebook HipHop Virtual Machine (HHVM) before 2.4.2 allows remote attackers to execute arbitrary commands by entering a \n (newline) character before the end of a string.

CVE-2014-2209
Published: 2014-12-28
Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp and hphp/util/light-process.cpp, which allows remote attackers to bypass intended access restrictions by leveraging group permissions for a file or directory.

CVE-2014-5386
Published: 2014-12-28
The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 does not seed the random number generator, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging the use of a single initial...

CVE-2014-6228
Published: 2014-12-28
Integer overflow in the string_chunk_split function in hphp/runtime/base/zend-string.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted arguments to the chunk_split ...

CVE-2014-6229
Published: 2014-12-28
The HashContext class in hphp/runtime/ext/ext_hash.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 incorrectly expects that a certain key string uses '\0' for termination, which allows remote attackers to obtain sensitive information by leveraging read access beyond the end of the string,...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.