

A Look At Sony Wiper In Action

Crowdstrike demonstrates how attackers could have destroyed Sony assets and how behavior analysis could combat it.

CrowdStrike today performed a public demo of the wiper malware that swept Sony Pictures Entertainment's IT infrastructure clean, showing how it could have been deployed and distributed, and how a behavior-based security tool like its Falcon product could disrupt the attack.

One of the malware's sophisticated features is that it had the exact names of Sony's file servers hard-coded into it. Therefore, to perform the demo, CrowdStrike researchers Dmitri Alperovitch and Elia Zaitsev built a test environment and gave the infrastructure components the same names that Sony used. They also made small modifications to the wiper -- for example, removing its sleep commands so that it wouldn't go to sleep mid-demo. These minor modifications had the additional effect of making the malware undetectable by signature-based anti-malware tools.

It is still not known how the attackers initially broke in. For the purposes of this demonstration, the researchers exploited a web server via SQL injection, then implanted a small 7-character webshell called ChinaChopper. Regardless of how the attackers got in (SQL injection, spear-phishing, etc.), the next step was to elevate privileges by searching for admin credentials.

To do so, the "attacker" uploaded malware to a folder that the originally compromised user had access to -- malware that included the Mimikatz credential-stealing program. Mimikatz then dumped all sorts of credentials, including admin accounts with very complex passwords -- again showing how password strength is rendered irrelevant when attackers are going through the backdoor instead of trying to brute-force the front door.

The researchers recommend focusing your defensive efforts on this privilege escalation stage. If you can detect and stop the theft of administrator credentials, they say, you can stop attackers in their tracks -- containing them so that they cannot move laterally through a network. Further, they said, admin credentials are usually stored in only a few places, which makes this stage a manageable place to focus your efforts.

The first time they ran the demo they simply tracked the suspicious activity -- which the Falcon tool detected and reported in real time. The second time they used the tool to also shut down the suspicious processes. This behavior-based approach -- looking for the privilege escalation practices however they're conducted, instead of looking for specific tools -- they say is becoming more important as attackers move away from malware and start using legitimate applications and functions for nefarious purposes.
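As an added illustration of the signature-versus-behavior distinction described above (this is example code, not CrowdStrike's or Falcon's logic), the constructed telemetry below shows a renamed credential-dumping tool slipping past a name-based blocklist while behavior rules keyed on "web server spawns a shell" and "untrusted process reads LSASS memory" still fire. The event schema, process names, access mask and allow-list are all assumptions.

```python
"""Behavior-based vs. signature-based detection over constructed endpoint telemetry.

Added example, not CrowdStrike code. Field names are an assumed schema, not any
real product's; the process names and events below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str            # "process_create" or "process_access"
    actor: str           # image name of the acting process
    target: str          # child image (process_create) or accessed process (process_access)
    cmdline: str = ""
    access: int = 0      # requested access mask for process_access


# What a signature-based tool matches on: the tool's known file name.
KNOWN_BAD_NAMES = {"mimikatz.exe"}

WEB_SERVERS = {"w3wp.exe", "httpd.exe", "nginx.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
PROCESS_VM_READ = 0x0010  # Windows PROCESS_VM_READ access right
TRUSTED_LSASS_READERS = {"csrss.exe", "wininit.exe"}  # constructed allow-list; tune per estate


def signature_alerts(events):
    """Flag only newly created processes whose image name is on the blocklist."""
    return [e for e in events if e.kind == "process_create" and e.target in KNOWN_BAD_NAMES]


def behaviour_alerts(events):
    """Flag the technique regardless of the tool's name:
    1. a web server spawning a shell (webshell activity);
    2. a process outside the trusted set reading LSASS memory (credential theft)."""
    alerts = []
    for e in events:
        if e.kind == "process_create" and e.actor in WEB_SERVERS and e.target in SHELLS:
            alerts.append(("webshell_spawn", e.actor, e.target))
        if (e.kind == "process_access" and e.target == "lsass.exe"
                and e.access & PROCESS_VM_READ and e.actor not in TRUSTED_LSASS_READERS):
            alerts.append(("lsass_read", e.actor, e.target))
    return alerts


# Constructed telemetry: the webshell spawns a shell, which runs a renamed credential dumper.
SAMPLE = [
    Event("process_create", "w3wp.exe", "cmd.exe", cmdline="cmd.exe /c whoami"),
    Event("process_create", "cmd.exe", "svchost_upd.exe", cmdline="svchost_upd.exe"),
    Event("process_access", "svchost_upd.exe", "lsass.exe", access=0x1010),  # includes VM_READ
    Event("process_access", "csrss.exe", "lsass.exe", access=0x1010),        # trusted reader
]
```

Run against `SAMPLE`, `signature_alerts` returns nothing because the dumper was renamed, while `behaviour_alerts` returns the webshell spawn and the LSASS read by `svchost_upd.exe` and ignores the trusted `csrss.exe` access.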

In the demo, once the "attacker" had obtained admin credentials, they mounted a fileshare to exfiltrate data. Then they put the wiper malware to work -- multiplying itself and destroying everything in its path, including the master boot record.

It then launched a Web server that hosted the threat page (the red skeleton image, machine gun fire sounds, and warning message). Whenever a user tried to launch a browser, this page would load.

The wiper malware forced a reboot of any infected hardware after two hours. Upon reboot, all that would show is a plain black screen and an "operating system not found" message -- more terrifying than a red skeleton.

CrowdStrike's recommended countermeasure is to seek indicators of attack -- looking, in real time, for the effects of what malware does, instead of looking for the malware itself. To see an archived version of the demo, go to crowdstrike.com/corporate-destruction.


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

User Rank: Apprentice
2/18/2015 | 7:41:14 PM
Re: Falcon
I have first-hand daily use knowledge of Falcon, beginning with a successful POC last year resulting in enterprise rollout (which I'm in the middle of now). Seeing it in action in my own environment, I'm a believer. The behavior monitoring discussed in the presentation is indeed impressive and valuable, but there's more to it than that. The capture in real time and storage of every execution, command line entry, file system write of executables (and lots more) plus the interface to easily query against all of that data has been key already to many of the troublesome daily investigations that incident responders have to do. Sometimes (all the time?) network based detectors don't give you the whole story. That said, it's not a completely mature product yet. They've spent their time focusing on the core functions, finding the bad, stopping it, and not failing silently (i.e., when they don't highlight on some activity as an active alert, the data is still there in the system to find it...think Network Flight Recorder for the endpoint). There are upcoming functions that they're working on that will make the product better that aren't yet implemented. That said, they're going in the right directions with those.
User Rank: Ninja
2/18/2015 | 2:53:03 PM
I have seen a demo of this Falcon tool firsthand, and I can attest to its impressiveness. As the article denotes, this endpoint tool was able to detect these types of intrusions in real time. It can be employed with the typical base OS types. Windows, Apple, Linux excluded I believe. As well as mobile devices that have similar architecture such as the Surface Tablet. However, I have not experienced any organizations I have been employed at use it.

Does anyone in this community have firsthand experience with Falcon on a daily basis? What do you think of the tool? Pros/cons?