CrowdStrike today performed a public demo of the wiper malware that swept Sony Pictures Entertainment's IT infrastructure clean, showing how it could have been deployed and distributed, and how a behavior-based security tool like their Falcon product could disrupt the attack.
One of the malware's more sophisticated features is that it had the exact names of Sony's file servers hard-coded into it. To perform the demo, therefore, CrowdStrike researchers Dmitri Alperovitch and Elia Zaitsev built a test environment and gave the infrastructure components the same names that Sony used. They also made small modifications to the wiper -- for example, removing its sleep commands so that it wouldn't go to sleep mid-demo. These minor modifications had the additional effect of making the malware undetectable by signature-based anti-malware tools.
It is still not known how the attackers initially broke in. For the purposes of this demonstration, the researchers exploited a web server via SQL injection and then implanted a small 7-character webshell called ChinaChopper. Regardless of how the attackers got in (SQL injection, spear-phishing, etc.), the next step was to elevate privileges by searching for admin credentials.
To do so, the "attacker" uploaded malware to a folder that the originally compromised user had access to -- malware that included the Mimikatz credential-stealing program. Mimikatz then dumped all sorts of credentials, including admin accounts with very complex passwords -- again showing how password strength is rendered irrelevant when attackers are going through the back door instead of trying to brute-force the front door.
The researchers recommend focusing your defensive efforts on this privilege escalation stage. If you can detect and stop the theft of administrator credentials, they say, you can stop attackers in their tracks -- containing them so that they cannot move laterally through a network. Further, they said, admin credentials are usually stored in only a few places, which makes this stage a manageable place to focus your efforts.
The first time they ran the demo they simply tracked the suspicious activity -- which the Falcon tool detected and reported in real time. The second time they used the tool to also shut down the suspicious processes. This behavior-based approach -- looking for the privilege escalation practices however they're conducted, instead of looking for specific tools -- is becoming more important, they say, as attackers move away from malware and start using legitimate applications and functions for nefarious purposes.
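The behavior-based idea the researchers describe (and the "indicators of attack" countermeasure recommended at the end of the article) can be illustrated with a small detector that flags the behavior of credential theft rather than a tool's name. The following is an added example, not CrowdStrike's code or any part of the Falcon product: it runs over constructed Sysmon-style ProcessAccess records (Sysmon Event ID 10, whose real fields include SourceImage, TargetImage and GrantedAccess) and raises an alert whenever any process, whatever it is called, opens LSASS with memory-read rights and is not on a small allowlist. The sample events, file paths and the allowlist itself are constructed for illustration and would need tuning for a real environment.

```python
# Added example (not from the article or from CrowdStrike): behavior-based
# detection of credential theft from LSASS over constructed Sysmon-style
# ProcessAccess (Event ID 10) records. Field names follow Sysmon's schema;
# the events, paths and allowlist below are constructed for illustration.
from typing import Dict, List

PROCESS_VM_READ = 0x0010        # right to read another process's memory
PROCESS_ALL_ACCESS = 0x1FFFFF   # full access mask

# Processes that legitimately open LSASS on a typical host. This list is an
# assumption for the example; a real deployment tunes it per environment.
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def is_lsass(target_image: str) -> bool:
    """True when the accessed process is the Local Security Authority."""
    return target_image.lower().endswith(r"\lsass.exe")


def reads_memory(granted_access: str) -> bool:
    """True when the granted access mask allows reading process memory."""
    mask = int(granted_access, 16)  # Sysmon logs the mask as a hex string
    return mask == PROCESS_ALL_ACCESS or bool(mask & PROCESS_VM_READ)


def detect_lsass_access(events: List[Dict[str, object]]) -> List[Dict[str, str]]:
    """Flag any process that opens LSASS with memory-read rights.

    The source image name is deliberately not used to decide on an alert:
    a renamed or previously unseen tool is caught by the same rule.
    """
    alerts = []
    for ev in events:
        if ev.get("EventID") != 10 or not is_lsass(str(ev["TargetImage"])):
            continue
        if not reads_memory(str(ev["GrantedAccess"])):
            continue
        source = str(ev["SourceImage"])
        if source.lower() in BENIGN_SOURCES:
            continue
        alerts.append({
            "source": source,
            "granted_access": str(ev["GrantedAccess"]),
            "reason": "non-allowlisted process read LSASS memory",
        })
    return alerts


# Constructed sample events; none of these paths or values come from the article.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\updater.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\notepad.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\ProgramData\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for alert in detect_lsass_access(SAMPLE_EVENTS):
        print(alert)
```

Only the second record triggers an alert: it is the one process outside the allowlist that requests memory-read access to LSASS. The fourth record queries LSASS without a read right and is left alone, and the third reads memory from a process other than LSASS. The rule never looks at the binary's name, which is the point the researchers make about detecting the practice rather than the tool.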
In the demo, once the "attacker" had obtained admin credentials, they mounted a file share to exfiltrate data. They then put the wiper malware to work -- multiplying itself and destroying everything in its path, including the master boot record.
It then launched a Web server that hosted the threat page (the red skeleton image, machine-gun fire sounds, and warning message). Whenever a user tried to launch a browser, this page would load.
The wiper malware forced a reboot of any infected hardware after two hours. Upon reboot, all that would show is a plain black screen and an "operating system not found" message -- more terrifying than a red skeleton.
CrowdStrike's recommended countermeasures are to seek indicators of attack -- looking, in real-time, for effects of what malware does, instead of looking for the malware itself. To see an archived version of the demo, go to crowdstrike.com/corporate-destruction.