South Korea data-wipe malware spread by patching system

[Erica Absetz <erica () riskbasedsecurity com>]

http://www.theregister.co.uk/2013/03/25/sk_data_wiping_malware_latest/

South Korea's data wiping malware that knocked out PCs at TV stations
and banks earlier this week may have been introduced through
compromised corporate patching systems.

Several South Korean financial institutions - Shinhan Bank, Nonghyup
Bank and Jeju Bank - and TV broadcaster networks were impacted by a
destructive virus (since identified as DarkSeoul by Sophos and Jokra
Trojan by Symantec), which wiped the hard drives of infected PCs,
preventing them from booting up upon restart.

Initially it was thought that the malware spread through local telco
LG U+ and may have came from a single Chinese IP address. The Korea
Communications Commission said it was mistaken when it identified an
internet address in China as the source of the mega-hack, The New York
Times reports. The IP address involved actually belonged to NongHyup
Bank, one of the main victims of the assault.

Late on Friday afternoon security appliance firm Fortinet claimed
hackers broke into the servers of an (unnamed) but local antivirus
company and planted malware which was then distributed as an update
patch. Local researchers at Fortinet's Threat Response Team working
with the Korea Information Security Association came up with the
theory before notifying news media about the apparent find. However
late on Friday evening Guillaume Lovet of Fortinet called El Reg and
stated that the security appliance firm no longer stood by its earlier
pronouncement.

By Monday morning things had moved on again with South Korean security
software firm AhnLab putting out a release saying hacked corporate
patching systems were to blame for the spread of the malware. It said
its own security technology was not involved in the distribution of
the malware, an apparent reference to the premature and
since-discredited theory put up by Fortinet.

Attackers used stolen user IDs and passwords to launch some of the
attacks. The credentials were used to gain access to individual patch
management systems located on the affected networks. Once the
attackers had access to the patch management system they used it to
distribute the malware much like the system distributes new software
and software updates. Contrary to early reports, no security hole in
any AhnLab server or product was used by the attackers to deliver the
malicious code.

The latest theory suggests hackers first obtained administrator login
to a security vendors' patch management server via a targeted attack.
Armed with the login information, the hackers then created malware on
the PMS server that masqueraded as a normal software update. This fake
update file subsequently infected a large number of PCs all at once,
deleting a Master Boot Record (MBR) on each Windows PC to prevent it
from booting up normally. The malware was designed to activate on
March 20 at 14:00 hrs Korea time on the infected PCs, like a time
bomb.

The speed at which the attack spread had already led security tools
firm AlienVault to suggest that the wiper malware might have been
distributed to already compromised clients in a zombie network.
AhnLabs suggests that this compromised network was actually the
patching system of the data wiping malware's victims.

The prevailing theory remains that North Korea may have instigated the
attacks, which follows weeks of heightened tension on the peninsula.
However there's no hard evidence to support this conclusion.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.