North Korea, Sony, Targeted Destructive Malware, and You!
Jan 12, 2015
You’re wondering: what’s this got to do with me? You’ve all heard about the debacle with Sony Pictures and the film The Interview. Quick recap. Sony made a film in which the supreme leader of the DPRK meets his death. In response to this, Sony was hacked. Shortly afterward, the United States Computer Emergency Readiness Team (US-CERT) published an alert on the malware used. While the resulting alert does not specifically name Sony, we can make the connection on our own. Here’s the alert: https://www.us-cert.gov/ncas/alerts/TA14-353A.
This is a destructive SMB worm which allows the attacker to transfer files and run destructive commands on the infected computer. SMB, or Server Message Block, is the Microsoft file sharing protocol that has been around for years. It’s what you use when you connect to any Windows file share. The worm (as a worm does) tries to install itself on other computers on the local network; as the US-CERT alert describes, it does so by brute-forcing authentication to the Windows SMB shares of every host it can reach. The worm, as the US-CERT alert mentions, was implanted via a dropper.
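A worm that brute-forces SMB shares leaves a distinctive trace on every target it touches: a burst of failed network logons (Windows Security Event ID 4625, Logon Type 3) from a single source against several hosts and accounts in a short span. The detector below is an added example written for this post; it is not code from the original article or from US-CERT, and the log records it runs over are constructed for the example in a simplified comma-separated form rather than taken from any real incident. It flags a source address that produces at least ten such failures against two or more hosts inside any five-minute window, while leaving a user who mistypes a password a few times alone.

```python
"""Detect SMB brute-force propagation from Windows failed-logon records.

Added example for this post, not the original author's code. The record
format is a constructed simplification of Event ID 4625/4624 fields:
    timestamp,target_host,event_id,logon_type,account,source_ip
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed records (not real data) for a worm source and a benign user."""
    lines = []
    t0 = datetime(2014, 11, 24, 1, 0, 0)
    hosts = ["FS01", "WS-042", "WS-043"]
    accounts = ["administrator", "admin", "backup", "svc_print", "helpdesk"]
    # Worm at 10.0.5.23: 30 failed network logons in ~90 seconds,
    # spread across 3 hosts and 5 accounts.
    for i in range(30):
        ts = (t0 + timedelta(seconds=3 * i)).isoformat()
        lines.append(f"{ts},{hosts[i % 3]},4625,3,{accounts[i % 5]},10.0.5.23")
    # A user at 10.0.7.8 mistyping a share password three times: not flagged.
    for i in range(3):
        ts = (t0 + timedelta(seconds=40 * i)).isoformat()
        lines.append(f"{ts},WS-011,4625,3,jsmith,10.0.7.8")
    # A successful logon (4624) in the same stream; the detector ignores it.
    lines.append(f"{(t0 + timedelta(seconds=5)).isoformat()},FS01,4624,3,jsmith,10.0.7.8")
    return "\n".join(lines)


def parse_log(text):
    """Parse the constructed record format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, logon_type, account, src = line.split(",")
        records.append({
            "time": datetime.fromisoformat(ts),
            "host": host,
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account.lower(),
            "src": src,
        })
    return records


def find_smb_brute_force(records, window=timedelta(minutes=5),
                         min_failures=10, min_targets=2):
    """Return {source_ip: summary} for every source that produced at least
    `min_failures` failed network logons (4625, type 3) against at least
    `min_targets` distinct hosts inside some span no longer than `window`."""
    by_src = defaultdict(list)
    for r in records:
        if r["event_id"] == 4625 and r["logon_type"] == 3:
            by_src[r["src"]].append(r)

    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda r: r["time"])
        j = 0
        for i in range(len(evs)):
            # Slide j forward to the last event within `window` of evs[i].
            while j + 1 < len(evs) and evs[j + 1]["time"] - evs[i]["time"] <= window:
                j += 1
            span = evs[i:j + 1]
            targets = {r["host"] for r in span}
            if len(span) >= min_failures and len(targets) >= min_targets:
                hits[src] = {
                    "failures": len(span),
                    "targets": sorted(targets),
                    "accounts": sorted({r["account"] for r in span}),
                    "first": span[0]["time"],
                    "last": span[-1]["time"],
                }
                break  # one alert per source is enough
    return hits


if __name__ == "__main__":
    for src, info in find_smb_brute_force(parse_log(build_sample_log())).items():
        print(f"ALERT {src}: {info['failures']} failed logons against "
              f"{info['targets']} using {info['accounts']} "
              f"between {info['first']} and {info['last']}")
```

The thresholds are assumptions for the example; tune them to your environment, and feed the function real 4625 records (the source address is the "Source Network Address" field) rather than the constructed sample. The same shape of query works in any SIEM: group failed network logons by source, and alert when one source spreads across many targets in a short window.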
So, here’s where this is relevant to you. The dropper type of attack is a means to an end, and anybody can fall for it. Commonly, droppers are distributed as email attachments. The dropper itself is relatively harmless on its own; its job is to fetch and install the real payload. If the email is well-crafted (spear phishing) and the recipient is uninformed, he might open the attachment and run it. In modern operating systems, you might have to verify and authorize the installation on several levels. Nevertheless, an uninformed target may willingly click through all warnings and requests for authorization, ultimately installing the dropper. The dropper will then attempt to install other malware silently.
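Because a dropper is usually an executable disguised as a document, much of it can be caught before a user ever sees the attachment. The triage function below is an added example written for this post, not code from the original article or from any product it names. It checks an attachment's name and bytes for the usual tricks: an executable extension, a double extension such as Invoice.pdf.exe, a Windows PE header (the "MZ" signature) behind a non-executable extension, and executables hidden inside a zip. The sample attachments, including the stub "PE" bytes and the in-memory zip, are constructed for the example.

```python
"""Triage email attachments for dropper-style disguises.

Added example for this post; the thresholds, extension lists and sample
attachments are assumptions made for illustration.
"""
import io
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".vbe", ".hta", ".ps1", ".msi", ".jar"}
ARCHIVE_EXTS = {".zip"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # skip archive members larger than this

# Constructed stand-in for a Windows executable: just the "MZ" signature
# followed by padding. Not a real program.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60


def _exts(name):
    """All extensions of a filename, lowercased: 'Invoice.pdf.exe' -> ['.pdf', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def triage_attachment(name, data, _depth=0):
    """Return a list of reasons the attachment looks like a dropper.
    An empty list means none of the checks fired."""
    reasons = []
    exts = _exts(name)
    last = exts[-1] if exts else ""

    if last in EXECUTABLE_EXTS:
        reasons.append(f"{name}: executable extension {last}")
        if len(exts) >= 2:
            reasons.append(f"{name}: double extension hides executable behind {exts[-2]}")

    # A PE file renamed to look like a document still starts with "MZ".
    if data[:2] == b"MZ" and last not in EXECUTABLE_EXTS:
        reasons.append(f"{name}: PE header (MZ) but non-executable extension")

    # Look inside zips (two levels deep) for the same disguises.
    if last in ARCHIVE_EXTS and _depth < 2:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                        continue
                    reasons += triage_attachment(info.filename, zf.read(info), _depth + 1)
        except zipfile.BadZipFile:
            reasons.append(f"{name}: claims .zip but is not a valid archive")
    return reasons


def build_sample_zip():
    """Constructed zip with a harmless text file and a disguised executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "please see attached invoice")
        zf.writestr("Invoice.pdf.exe", FAKE_PE)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("Q4_report.pdf", b"%PDF-1.4\n%constructed sample\n"),
        ("Invoice.pdf.exe", FAKE_PE),
        ("holiday_photos.scr", FAKE_PE),
        ("scan.pdf", FAKE_PE),
        ("docs.zip", build_sample_zip()),
    ]
    for name, data in samples:
        verdict = triage_attachment(name, data)
        print(name, "->", "clean" if not verdict else "; ".join(verdict))
```

Run this at the mail gateway or in a quarantine step, and pair it with the user-awareness advice in this post: the checks catch the lazy disguises, and a trained recipient catches the ones that make it through.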
This is where it got bad for Sony -- and this could happen to any company. A computer at Sony, likely a desktop or laptop computer, was hijacked and used as a proxy to obtain all sorts of sensitive data. Read the US-CERT alert to get a sense of exactly how destructive this malware can be. The malicious hacker group obtained a huge number of files from Sony. The list of files, along with instructions for obtaining specific files, was distributed on the internet. One can go and find it right now if one wants to. Some journalists apparently took the extra step of obtaining specific files and reviewing them. Check out this Vox article.
A recent study gives a conservative estimate of $375 billion in global losses resulting from cybercrime.
Look, I don’t know what really happened in the case of Sony, and I’m sure only a handful of people actually do know what happened. Regardless, this case highlights the importance of internal security and awareness.
Keep your company informed of these threats: phishing scams and dropper scams
Patch operating systems and network devices often
Run regular scans and/or proactive endpoint protection, with products such as ThreatTrack Vipre anti-virus and Malwarebytes anti-malware.
Make security a priority and maintain a security mindset in your company
It may just be coincidence, but on the same day that US-CERT released the Targeted Destructive Malware alert, a few other alerts and vulnerability notices were posted.
Perhaps some of them are related and were discovered as the result of the same investigation. In any case, the FTC “Package Delivery” scam alert is an important one for you. It’s a quick read which links to a more in-depth document about Recognizing and Avoiding Email Scams.
If you have the time, and you want to make security a priority in your company, please read this helpful document posted by US-CERT: