

2/17/2015
04:30 PM

A Look At Sony Wiper In Action

Crowdstrike demonstrates how attackers could have destroyed Sony assets and how behavior analysis could combat it.

CrowdStrike today performed a public demo of the wiper malware that swept Sony Pictures Entertainment's IT infrastructure clean, showing how it could have been deployed and distributed, and how a behavior-based security tool like their Falcon product could disrupt the attack.

One of the malware's sophisticated features is that it had the exact names of Sony's file servers hard-coded into it. Therefore, to perform the demo, CrowdStrike researchers Dmitri Alperovitch and Elia Zaitsev built a test environment and gave the infrastructure components the same names that Sony used. They also made small modifications to the wiper -- for example, removing its sleep commands so that it wouldn't go to sleep mid-demo. These minor modifications had the additional effect of making the malware undetectable by signature-based anti-malware tools.

It is still not known how the attackers initially broke in. For the purposes of this demonstration, the researchers exploited a web server via SQL injection, then implanted a small 7-character webshell called ChinaChopper. Regardless of how the attackers got in (SQL injection, spear-phishing, etc.), the next step was to elevate privileges by searching for admin credentials.

To do so, the "attacker" uploaded malware to a folder that the originally compromised user had access to -- malware that included the Mimikatz credential-stealing program. Mimikatz then dumped all sorts of credentials, including admin accounts with very complex passwords -- again showing how password strength is rendered irrelevant when attackers are going through the backdoor instead of trying to brute-force the front door.

The researchers recommend focusing your defensive efforts on this privilege escalation stage. If you can detect and stop the theft of administrator credentials, they say, you can stop attackers in their tracks -- containing them so that they cannot move laterally through a network. Further, they said, admin credentials are usually stored in only a few places, which makes this stage a manageable place to focus your efforts.

The first time they ran the demo they simply tracked the suspicious activity, which the Falcon tool detected and reported in real time. The second time they used the tool to also shut down the suspicious processes. This behavior-based approach -- looking for the privilege escalation practices however they're conducted, instead of looking for specific tools -- is, they say, becoming more important as attackers move away from malware and start using legitimate applications and functions for nefarious purposes.

In the demo, once the "attacker" had obtained admin credentials, they mounted a file share to exfiltrate data. Then they put the wiper malware to work -- multiplying itself and destroying everything in its path, including the master boot record.

The wiper then launched a Web server that hosted the threat page (the red skeleton image, machine-gun fire sounds, and warning message). Whenever a user tried to launch a browser, this page would load.

The wiper malware forced a reboot of any infected hardware after two hours. Upon reboot, all that would show is a plain black screen and an "operating system not found" message -- more terrifying than a red skeleton.

CrowdStrike's recommended countermeasure is to seek indicators of attack -- looking, in real time, for the effects of what malware does, instead of looking for the malware itself. To see an archived version of the demo, go to crowdstrike.com/corporate-destruction.
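The two recommendations above (watch the privilege escalation stage, and match on what malware does rather than on what it is) come down to writing detection rules over endpoint telemetry that key on behavior. The following is an added example, not CrowdStrike's Falcon logic and not code from the article: a small indicator-of-attack matcher run over constructed sample events. The event schema (host, type, image, parent, path, target, access), the process names, the allowlist and every log line are assumptions made up for the illustration; the rules describe the kinds of effects the article mentions (a web server dropping a shell, a process reading credential-holding memory, a raw write to the disk) without naming any particular tool.

```python
"""Behavior-based indicator-of-attack (IoA) matching over constructed endpoint telemetry.

Added example: not CrowdStrike's Falcon logic and not code from the article.
The event schema, process names, allowlist and every log line below are
assumptions constructed for illustration. Each rule keys on what a process
does, not on which binary does it, so renaming or recompiling the tool
(as the demo did to defeat signatures) does not change the verdict.
"""
import json
from dataclasses import dataclass

# Constructed sample telemetry, one JSON record per endpoint event (assumed schema).
# Raw strings keep the JSON backslash escapes intact.
SAMPLE_EVENTS = [
    r'{"host":"web01","type":"process","parent":"w3wp.exe","image":"cmd.exe","user":"iis_apppool"}',
    r'{"host":"web01","type":"file_write","image":"w3wp.exe","path":"C:\\inetpub\\wwwroot\\x.aspx"}',
    r'{"host":"web01","type":"handle","image":"svchst.exe","target":"lsass.exe","access":"PROCESS_VM_READ"}',
    r'{"host":"web01","type":"file_write","image":"notavirus.exe","path":"\\\\.\\PhysicalDrive0","offset":0}',
    r'{"host":"web01","type":"process","parent":"explorer.exe","image":"notepad.exe","user":"alice"}',
    r'{"host":"fs01","type":"handle","image":"MsMpEng.exe","target":"lsass.exe","access":"PROCESS_QUERY_INFORMATION"}',
    'this line is not JSON and must not crash the matcher',
]

WEB_SERVER_PROCESSES = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe"}
SHELL_PROCESSES = {"cmd.exe", "powershell.exe", "sh", "bash"}
WEB_CONTENT_EXTENSIONS = (".aspx", ".asp", ".php", ".jsp")
MEMORY_READ_RIGHTS = {"PROCESS_VM_READ", "PROCESS_ALL_ACCESS"}
LSASS_READ_ALLOWLIST = {"MsMpEng.exe"}   # assumed: tune to the AV/EDR actually deployed
RAW_DISK_PREFIXES = ("\\\\.\\PhysicalDrive", "/dev/sd", "/dev/nvme")

# Kill-chain stage order, used to report the earliest point at which containment was possible.
STAGES = ["initial_access", "privilege_escalation", "impact"]


def web_server_spawns_shell(e):
    """A web server process launching an interactive shell: the effect of a webshell being used."""
    return (e.get("type") == "process" and e.get("parent") in WEB_SERVER_PROCESSES
            and e.get("image") in SHELL_PROCESSES)


def webshell_drop(e):
    """A web server process writing server-side script content into its own document root."""
    return (e.get("type") == "file_write" and e.get("image") in WEB_SERVER_PROCESSES
            and str(e.get("path", "")).lower().endswith(WEB_CONTENT_EXTENSIONS))


def credential_dump(e):
    """Any non-allowlisted process reading LSASS memory, whatever the binary is called."""
    return (e.get("type") == "handle" and e.get("target") == "lsass.exe"
            and e.get("access") in MEMORY_READ_RIGHTS
            and e.get("image") not in LSASS_READ_ALLOWLIST)


def raw_disk_write(e):
    """Direct write to a physical disk device: the effect a wiper has, not its file hash."""
    return (e.get("type") == "file_write"
            and str(e.get("path", "")).startswith(RAW_DISK_PREFIXES))


RULES = [
    ("web_server_spawns_shell", "initial_access", web_server_spawns_shell),
    ("webshell_drop", "initial_access", webshell_drop),
    ("credential_dump", "privilege_escalation", credential_dump),
    ("raw_disk_write", "impact", raw_disk_write),
]


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    stage: str
    image: str


def evaluate(lines):
    """Run every rule over every parseable event; malformed telemetry is skipped, not fatal."""
    alerts = []
    for line in lines:
        try:
            e = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(e, dict):
            continue
        for name, stage, pred in RULES:
            if pred(e):
                alerts.append(Alert(str(e.get("host", "?")), name, stage, str(e.get("image", "?"))))
    return alerts


def first_containment_stage(alerts):
    """Earliest kill-chain stage that produced an alert, i.e. where the chain could have been cut."""
    seen = {a.stage for a in alerts}
    return next((s for s in STAGES if s in seen), None)


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.host}: [{a.stage}] {a.rule} by {a.image}")
    print("earliest containment point:", first_containment_stage(found))
```

Against the constructed events the matcher raises four alerts and reports that containment was possible at the initial-access stage; feed it only the credential-read and disk-write events and it reports privilege escalation, which is the stage the researchers single out. A real deployment would replace the allowlist and process names with what its own environment actually runs, and would add the share-mount and mass-file-deletion effects the article describes as further rules in the same shape.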

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
Comments
jzepp, User Rank: Apprentice, 2/18/2015 | 7:41:14 PM
Re: Falcon
I have firsthand daily use knowledge of Falcon, beginning with a successful POC last year resulting in enterprise rollout (which I'm in the middle of now). Seeing it in action in my own environment, I'm a believer. The behavior monitoring discussed in the presentation is indeed impressive and valuable, but there's more to it than that. The capture in real time and storage of every execution, command line entry, file system write of executables (and lots more) plus the interface to easily query against all of that data has been key already to many of the troublesome daily investigations that incident responders have to do. Sometimes (all the time?) network-based detectors don't give you the whole story. That said, it's not a completely mature product yet. They've spent their time focusing on the core functions, finding the bad, stopping it, and not failing silently (i.e., when they don't highlight on some activity as an active alert, the data is still there in the system to find it... think Network Flight Recorder for the endpoint). There are upcoming functions that they're working on that will make the product better that aren't yet implemented. That said, they're going in the right directions with those.
RyanSepe, User Rank: Ninja, 2/18/2015 | 2:53:03 PM
Falcon
I have seen a demo of this Falcon tool firsthand, and I can attest to its impressiveness. As the article denotes, this endpoint tool was able to detect these types of intrusions in real time. It can be employed with the typical base OS types. Windows, Apple, Linux excluded I believe. As well as mobile devices that have similar architecture such as the Surface Tablet. However, I have not experienced any organizations I have been employed at use it.

Does anyone in this community have firsthand experience with Falcon on a daily basis? What do you think of the tool? Pros/cons?