Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

12/4/2014
08:45 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Sony Hackers Knew Details Of Sony's Entire IT Infrastructure

While trying to simultaneously recover from a data breach and a wiper attack, Sony watches attackers publish maps and credentials for everything from production servers to iTunes accounts.

UPDATED Dec. 5, 4 p.m. ET: Whoever they are, the attackers who breached Sony used wiper malware to destroy Sony's systems, and are slowly disclosing stacks of stolen Sony confidential data and intellectual property. And they knew everything there was to know about Sony's IT infrastructure.

Security researchers have discovered that the wiper malware -- called Destover by some, WIPALL by others -- contained hard-coded names of servers inside Sony's network and the credentials to access them. Further, the attackers themselves released a new set of 11,000 files last night that include, as one reporter explained it, "everything needed to manage the day-to-day [IT] operations at Sony."

Sony has been trying to recover from the wiper attacks since they began Nov. 24. Employees' client machines all froze up and locked behind a wallpaper, emblazoned with a red skull, claiming that the company had been pwned by the Guardians of Peace (GOP) because it had not complied with GOP's demands, and warning that the company's secrets were about to be spilled.

True to their word, the attackers began uploading sensitive Sony data to Pastebin. The leaked files contained both corporate data and intellectual property. The files also included full copies of Sony movies that have not yet been released and a script for a new TV pilot by the creator of Breaking Bad. Employee salaries, performance reviews, and criminal background checks were exposed. Plus, according to Identity Finder, over 47,000 unique Social Security numbers were exposed, including those of current and former Sony employees and celebrities, including Sylvester Stallone, Judd Apatow, and Rebel Wilson. Many of those SSNs appeared in multiple documents -- some showed it up in more than 400 places -- so altogether, there were over 1.1 million copies of SSNs.

Meanwhile, the wiper software began destroying all Sony's internal systems. The FBI released a flash alert this week, which did not explicitly mention Sony, but warned of a wiper malware that "has the capability to overwrite a victim host’s master boot record (MBR) and all data files. The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods.”

Recovering from a data breach and a large-scale system destruction at the same time is exceptionally complex. Complicating matters further is that the treasure trove of data leaked yesterday includes everything attackers would need to compromise Sony all over again, in the manner of their choosing. The data includes RSA SecurID tokens, global network maps detailing databases and enterprise servers, and access credentials/files for QA servers, staging servers, production servers, routers, switches, load balancers, FTP servers, email accounts, and third-party applications -- including UPS, FedEx, McAfee, Google Analytics, iTunes, Sprint, and Verizon.

So, how does a company recover? Burn whatever's left and build something entirely new and different?

"Shut it all down," says Jody Brazil of FireMon. He says that throwing away the entire company isn't a solution. But for now, he recommends shutting down all external communications and all Web access entirely (and bringing it back slowly and carefully), resetting all passwords, instituting change control, doing a massive assessment of all systems, and aiming to get business running appropriately again in weeks, not days. "It's a very drastic approach," he says, "but the right one."

Sony's media relations department did not answer its phone or respond to emailed requests for comment today. They are working with law enforcement and Mandiant on the investigation.

"They're in a really bad situation," says Jaime Blasco of AlienVault, which has examined the wiper.

"From the samples we obtained," Blasco says, "we can say the attackers knew the internal network from Sony, since the malware samples contain hard-coded names of servers inside Sony’s network and even credentials -- usernames and passwords -- that the malware uses to connect to systems inside the network."

In other words, the wiper was customized for Sony's environment after the attackers obtained all the detailed information about the Sony IT infrastructure.

How did they obtain that information? Either they conducted a staged attack -- compromising the network, poking around, obtaining credentials, escalating privileges, etc. -- or they were given the information by an insider.

Blasco isn't willing to guess, but in a Nov. 25 interview with The Verge, someone claiming to be one of the attackers from the Guardians of Peace said "Sony doesn't lock their doors, physically, so we worked with other staff with similar interests to get in."

The source also told The Verge, "We Want equality [sic]. Sony doesn't. It's an upward battle."

So who are the we they name?

There has been a great deal of speculation that the attackers are based in North Korea -- either nation-state actors or hacktivists -- who were possibly motivated to attack Sony to protest its newly released movie The Interview -- a comedy about two American entertainers being hired by the CIA to assassinate North Korean leader Kim Jong-un. There were even reports stating that Sony was going to confirm any minute now that North Korea was behind the attack. However, Sony responded to those reports Wednesday saying that they were "not accurate." 

According to Blasco, "The malware samples we have found talk to IP addresses in Italy, Singapore, Poland, the US, Thailand, Bolivia, and Cyprus -- probably hacked systems or VPN/proxies that the attackers use to hide the origin. We also found the attackers were using the Korean language in the systems they used to compile some of the pieces of malware we have found.”

The use of Korean in the compiler, says Blasco, is "the only technical indicator" of a North Korean-based attack, "and that info can be faked."

Kaspersky and Symantec, however, say that there are other reasons to make the connection to North Korea. Symantec reports that the Destover wiper uses a command-and-control server that was also used by the Volgmer Trojan, and shares techniques and components with Jokra. Both Jokra and Volgmer were used in attacks against South Korea. 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
johnwinning12
50%
50%
johnwinning12,
User Rank: Apprentice
12/4/2014 | 9:56:45 PM
Also mentioned on Unfilter
They talked about the Sony hacks I see on this weeks episode of Unfilter by Jupiter Broadcasting titled Putin's Pipe Dream"
BillB031
50%
50%
BillB031,
User Rank: Strategist
12/4/2014 | 11:24:34 PM
insider?
Could it have been a disgruntled insider doing this or assisting?  Almost sounds to extensive for it not to be
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/5/2014 | 9:44:13 AM
Re: insider?
The Verge interview certainly implies that access was gained with the help of an insider..Hard to be sure, not knowing whether the anonynmous source is credible or not. More to come, I hope.

 
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
12/5/2014 | 10:28:25 AM
Re: insider?
@Marilyn What struck me about the Verge interview was that the source said "Sony doesn't lock their doors, physically," which makes me think that the attackers got physical access to Sony's systems -- which, they couldn't do from North Korea. It also would have made it much easier for them to walk out with data on portable storage media and install malware without having the usual monitoring software pick up on it.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/5/2014 | 10:54:31 AM
Re: insider?
Excellent points, Sara! You are good detective! If that 's the case  I would hope that at the very minimum, Sony's physical plant security team are locking the doors now.
savoiadilucania
50%
50%
savoiadilucania,
User Rank: Moderator
12/5/2014 | 11:01:08 AM
Re: insider?
Yeah, I can't really agree with this. Risk vs. return on a black bag job is far worse than phishing an unsuspecting techniican.
Adam Boone
50%
50%
Adam Boone,
User Rank: Apprentice
12/5/2014 | 1:14:12 PM
Re: insider?
Great article, Sara. Your take on the anonymous source's comments to The Verge seems very logical to me. But I also wonder if maybe it is not some misdirection. By making it seem like they had the help of an insider and physical access, are the attackers hiding some other vector? So it might be compromised remote access to some internal system and then hopping through Sony's infrastructure like in the Target breach. A little misdirection might keep the holes open.
Sara Peters
100%
0%
Sara Peters,
User Rank: Author
12/8/2014 | 10:03:12 AM
Re: insider?
@Adam Boone  Thanks! And I agree with you: there's always the possibility that a) the people who claim responsibility for the attack didn't actually commit it in the first place, and b) the attackers give misinformation to throw investigators off the trail. I wonder if we'll ever find out what really happened here.
ODA155
50%
50%
ODA155,
User Rank: Ninja
12/8/2014 | 12:10:58 PM
Re: insider?
@Sara Peters,... I don't want to paste the link, but have you seen this news today...

 

Sony Suffers Further Attacks
Disruptions Follow 'Unprecedented' Hack Attack
Technocrati
50%
50%
Technocrati,
User Rank: Ninja
12/8/2014 | 4:53:43 PM
Re: insider?

"...I wonder if we'll ever find out what really happened here."

 

 

I don't know that that really matters.   The who dun it question really does not address the issue of why supposed "high end security" is constantly being breeched. 

Companies seem to be fooling themselves and "security" is quickly becoming a question of just how much data and sensative information you want to expose to risk, that is if you have the choice.

savoiadilucania
50%
50%
savoiadilucania,
User Rank: Moderator
12/5/2014 | 10:19:43 AM
Attribution
Unlike government organizations, which are unencumbered by shareholder wealth, commercial organizations have an incentive to dilute the reputational impact associated with a breach of this magnitude. An easy way to do this is to attribute the breach to a sophisticated adversary, which clevely offsets a certain amount of responsibility. This would have worked in Sony's favor had the attack more closely resembled nation-state activity. But the post mortem analysis that shows disclosure of social security numbers, contracts, passport photographs, etc. is not a national interest. Nor is an entertainment company, regardless of the underlying "they made a bad move about us" tall tale that has been floated.
TerryB
50%
50%
TerryB,
User Rank: Ninja
12/5/2014 | 1:58:30 PM
Backups?
I know I'm pretty much a dinosaur as far as tech today but can't they just wipe the hardware and restore from latest backups to get rid of the malware?  What am I missing on this?
stevechalmers
50%
50%
stevechalmers,
User Rank: Apprentice
12/5/2014 | 2:28:04 PM
Re: Backups?
Hmmm...it looks like the attackers had a lot of time inside the Sony network, to find their way around, before the "attack".  The backups from a week ago probably represent systems that were already compromised.  So how far back do you go to be sure the backups themselves don't include the "infection", and do logs exist which allow all transactions since that point in time to be replayed (re done)?

Seems like this is beyond the scope of what a normal disaster recovery plan would cover...

 
ODA155
50%
50%
ODA155,
User Rank: Ninja
12/5/2014 | 3:02:07 PM
Re: Backups?
@stevechalmers, I'm posting to your comment because I can't add a new comment... hhmmm.

Anyway, take the number 3. What's that you ask, that's how many times Sony networks in one form or another have been hacked since 2010. Now, with that in mind how much confidence do you or should you have that Sony has spent the resources (time, manpower, money... whatever) to investigate, determine how those hacks occurred and properly address them? I don't, why... because it's happened again. Something to remember, any good hacker as does any good PenTester will do their homework, it's called reconnaissance, regardless how long it takes. And for all we know someone doing reconnaissance could have been mapping Sony's network for years, why, because it's an easy mark... low hanging fruit, I don't know.

When you talk about inside information, how many people do you think would actually know this much detailed information about ANY network unless you built it or are responsible for it's security? Does Sony have a SIEM, I'd start there... email is always a great place to start because other than a computer it's most likely the only thing common to all of your users.

"Recovering from a data breach and a large-scale system destruction at the same time is exceptionally complex. Complicating matters further is that the treasure trove of data leaked yesterday includes everything attackers would need to compromise Sony all over again, in the manner of their choosing. " This is exactly my point, who's to say this current network exposure isn't a direct result of the breaches? You ask "So, how does a company recover? Burn whatever's left and build something entirely new and different?"... in this case yes, I think that would be prudent, and I would also add to that statement... build it with new people.

My personal opinion is this, at this point it really doesn't matter who did it, Sony had\has a target on it's back for a while and they failed (really bad) to address that problem and protect it's resources, therefore Sony is to blame and to me it is that simple.
Louisb924
100%
0%
Louisb924,
User Rank: Apprentice
12/8/2014 | 9:54:39 AM
Re: Backups?
1) The malware (or other malware/rootkit that made the compromise possible) may be on the backup.

2) Credentials were compromised. Sure, they can restore, and just get everything re-hacked. At least there's nothing to get compromised now by onlookers who now have those compromised credentials. To put it all back up now is to give another shot at unauthorized access, imho.
Technocrati
0%
100%
Technocrati,
User Rank: Ninja
12/6/2014 | 10:49:21 PM
Sony Learning the Hard Way: Technology and Arrogance Do Not Mix

I knew you would be all over this story Sara ! : )     This one really tops the cake.  I have not stopped laughing since I heard the news !  Matter of fact I am laugh now.

Easily one of the most arrogant companies around -  Sony  thought they could take a light hearted ( an oxymoron for sure in the case of Sony ) poke at a leader of a country known to harbor hackers or at least have an connection to the network of hackers that routinely breeches U.S. systems from banking to retail ?

Knowing that their systems have already been compromised.  Can you say "arrogance" ?  And once the arrogant bully was hit in the eye - he ran to the FBI and cried foul.  ( I can barely finished this post - as the chuckle rises from my belly.)

So initially it was a handful of yet to be released ( block busters ) , and now we learn the damage includes salaries and social security numbers !  

I am not laughing anymore.  And neither are the people who have been compromised by Sony's habitual incompetence and arrogance.

 

Sony a technology company ?   I think that is a reach to be honest.

Technocrati
50%
50%
Technocrati,
User Rank: Ninja
12/6/2014 | 10:54:42 PM
Sony's Form Of Tech (Job) Security

...The FBI released a flash alert this week, which did not explicitly mention Sony, but warned of a wiper malware that "has the capability to overwrite a victim host's master boot record (MBR) and all data files."

 

 

Sounds like alot of re-imaged machines to me.

Technocrati
50%
50%
Technocrati,
User Rank: Ninja
12/6/2014 | 10:56:51 PM
Sony Please Take Heed.....

"Shut it all down,"

 

I have been saying that for years when it comes to Sony.

Technocrati
50%
50%
Technocrati,
User Rank: Ninja
12/6/2014 | 11:00:15 PM
Layoffs and Payback ?

".....And they knew everything there was to know about Sony's IT infrastructure."

 

Sounds like a disgruntled ex-employee or two ( or ten )  to me.

Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
12/7/2014 | 9:49:58 PM
"Shut it all down"
The "shut it all down" advice is especially well-taken.  At a major information security conference I attended recently, pretty much those exact words were used to describe the tack one must take when other voices in an organization are saying, "Oh, we can't do that, blah blah blah."

It's all about knowing what your crown jewels are -- that which you are willing to disrupt your business to protect -- and doing what it takes to protect them.  That's where the real ROI of security comes in.
anon0601247988
50%
50%
anon0601247988,
User Rank: Apprentice
12/8/2014 | 3:53:40 AM
Re: "Shut it all down"
Hang on! The NSA who hoovers up every single bit of data in its various forms the world over can have someone arrested for viewing a suspicious web page for example, but not prevent or go after the folks who do this sort of thing? I guess what books Joe the plumber gets from the library are of more interest to them than things like actual criminals?
ODA155
50%
50%
ODA155,
User Rank: Ninja
12/8/2014 | 12:01:27 PM
Re: "Shut it all down"
@anon0601247988,... Read their charter... the NSA is NOT a law enforcement body, they cannot "go after" anyone... beside what would you have them do? Maybe Sony and these other corporations should take security more seriously, as for "Joe the Plummer"... who cares what he reads of if he can read?
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
12/12/2014 | 8:52:48 PM
Re: "Shut it all down"
Point of information: The Snowden docs etc. revealed that the NSA does collaborate and give information from their SIGINT ops to other actual domestic law enforcement agencies, like the DEA.
ODA155
50%
50%
ODA155,
User Rank: Ninja
12/13/2014 | 10:57:00 AM
Re: "Shut it all down"
Collaboration and actual enforcement are two separate things... wouldn't you agree?
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
12/14/2014 | 11:44:39 PM
Re: "Shut it all down"
Sure -- but information the NSA garners appears to have been/be being used for law enforcement purposes.  So the semantics/pedantics don't really make much difference here, yes?
ODA155
50%
50%
ODA155,
User Rank: Ninja
12/15/2014 | 9:57:49 AM
Re: "Shut it all down"
So... in affect, it's OK to be mad (as we should) when the NSA breaks the law and it's also OK to ask them to break the law when it suits us?
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
12/22/2014 | 6:59:12 AM
Re: "Shut it all down"
@ODA: I wasn't endorsing it; I was merely pointing out the fact that it happens.
Technocrati
50%
50%
Technocrati,
User Rank: Ninja
12/8/2014 | 4:47:55 PM
Re: "Shut it all down"

@Joe  Exactly. This is the real truth of it all. It is blatantly evident that most enterprise security is well behind the abilities of serious hackers.   

Those in positions of responsibility should understand this - but often they "drink their own Kool-Aid".   Admit there are only so many things that can be done once compromised and it is just a matter of time before you are.

 

So when the act does happen - you immediate cut losses and that means among other considerations - to "Shut it Down ! "

ODA155
50%
50%
ODA155,
User Rank: Ninja
12/9/2014 | 12:52:22 PM
Re: "Shut it all down"
@Technocrati,... "This is the real truth of it all. It is blatantly evident that most enterprise security is well behind the abilities of serious hackers."

I disagree somewhat to that statement because while it is true that security department are "behind", I don't think it's because of a lack of expertise. In my experience I would argue that security is naturally behind because a) you don't know if it works until it's been tested in the real world, in other words you don't know what the next thing is going to be so you do the usuaul protective things try to plan for what is being reported and react if you need to. Then b), security will always lag behind unless someone can make a really compelling case for spending what it REALLY takes or someone in management understands and gets it. The business makes the money and security spends money, it doesn't make a dime, we're takers and if you haven't tried to convience management to spend money and resources on something that you cannot prove or justify is going to happen tomorrow, fuhgeddaboudit, they'll keep blowing you off until "next quarter", in other words... fuhgeddaboudit.
aws0513
50%
50%
aws0513,
User Rank: Ninja
12/15/2014 | 12:02:50 PM
Just throwing jet fuel on the fire
Sony is apparently riding on a different rail now.
Sony just issued a cease and desist letter to three different major news media outlets telling them to stop reporting on the content of the hacked information.
(I'm sure you can find the details behind this latest development on several news media outlets by now.)

To me...  this is not a good method for conducting damage control for this kind of situation. 
It will simply call more vultures to the feast.

It does raise the question on what rights the press has with "non-regulatory" exfiltrated content released by hackers and what rights the victims of such attacks may have for the same content.

I know this isn't a 100% IT security concern, but it does feed in to damage control and contingency plans for fluid situations where non-regulatory data is involved.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
12/22/2014 | 7:02:14 AM
Re: Just throwing jet fuel on the fire
One thing that's often overlooked (of course, it has rarely sought to be enforced except when sexting is involved) when it comes to reporting on hacked/leaked info is the issue of intellectual property.

To report on a few facets, for instance, of Amy Pascal's emails would not be an IP violation, but it would potentially be a copyright infringement to copy the emails wholesale (as the hackers have done).

 

(Disclaimer: The above is provided for informational, educational, and/or entertainment purposes only. Neither this nor other posts here constitute legal advice or the creation, implication, or confirmation of an attorney-client relationship. For actual legal advice, personally consult with an attorney licensed to practice in your jurisdiction.)
ODA155
50%
50%
ODA155,
User Rank: Ninja
12/22/2014 | 9:38:50 AM
Re: Just throwing jet fuel on the fire
@Joe Stanganelli,... First, I love the disclaimer... ad you do make good points too. Whoever, the biggest problem that I see coming out of this is the ONLY point of view is that Sony is the victim, and because that's all the media and "talking heads" seem to be interested in, which I guess is true when you look at it from the view of "who was hacked". But as I have said in other places, Sony has allot to answer for, they've been hacked at lease three times in 5 years, but that hasn't been discussed, which begs the question, "just how easy is it to gain access to that network?".

In my opinion this event, because it involves North Korea, we should be looking at our privately owned (national) infrastructure of public utilities, water, electric... other power generation and banking. It's been proved many times over that some of these critical systems are open to the Internet, if not vulnerable to a dedicated script-kiddy. We (the US) invented STUXNET... Duqu... Flame and possibly others that we haven't heard about (yet). I don't know about you but there is no way that I can believe that America is the only "Nation State" with this capability, we're just the only ones whose been caught using it.  We're wasting time.

 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25595
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. The PCI passthrough code improperly uses register data. Code paths in Xen's MSI handling have been identified that act on unsanitized values read back from device hardware registers. While devices strictly compliant with PCI specifications shouldn't be ...
CVE-2020-5783
PUBLISHED: 2020-09-23
In IgniteNet HeliOS GLinq v2.2.1 r2961, the login functionality does not contain any CSRF protection mechanisms.
CVE-2020-11031
PUBLISHED: 2020-09-23
In GLPI before version 9.5.0, the encryption algorithm used is insecure. The security of the data encrypted relies on the password used, if a user sets a weak/predictable password, an attacker could decrypt data. This is fixed in version 9.5.0 by using a more secure encryption library. The library c...
CVE-2020-5781
PUBLISHED: 2020-09-23
In IgniteNet HeliOS GLinq v2.2.1 r2961, the langSelection parameter is stored in the luci configuration file (/etc/config/luci) by the authenticator.htmlauth function. When modified with arbitrary javascript, this causes a denial-of-service condition for all other users.
CVE-2020-5782
PUBLISHED: 2020-09-23
In IgniteNet HeliOS GLinq v2.2.1 r2961, if a user logs in and sets the ‘wan_type’ parameter, the wan interface for the device will become unreachable, which results in a denial of service condition for devices dependent on this connection.