Embed Size (px)
Citation preview
Attack on Sony PicturesDestover Trojan
Nick Bilogorskiy@belogor
Sony Pictures Attack by Destover Trojan
o Attack on Sony Pictures…Nov 24, 2014 by GOP - “Guardians of Peace”o 111 Terabytes of Data Stoleno Suspected Origin: North Koreao 7 lawsuits filed against Sony, so faro Controversy over “The Interview”
which made $46 million to dateo Trojan designed for Sony’s network.
Attack Timeline for Sony Pictures, Nov – Dec 2014
Destover malware discovered
Guardians of Peace claims credit, starts releasing stolen movies
Sony decides to release “The Interview” on Dec 25
Wiper activates
Nov 21 Nov 24 Nov 27 Dec 1 Dec 3 Dec 11 Dec 15 Dec 17 Dec 19 Dec 23
Sony receives email from ‘God’s Apstls”
FBI sends “flash alert”
GOP leaks Sony Exec emails
Sony hit with 1st class-action lawsuit for failure to protect employee info
Sony cancels movie “The Interview”
FBI says hack done by North Korea
What was stolen and leaked?
In a word, everything!
Personal data on 600 employees Movies and Scripts Performance reports and salary information Source code, Private keys, passwords, certificates Production schedules, Box office projections Executives email correspondence Brad Pitt phone number! and more..
Wiped 3,000 computers and 800 servers
7
Destover Workflow Diagram
ATTACKER
Spreads via SMB port 445Destover
Command and Control
Servers
DropsWIPER
DROPPER-w Webserver -d Disk Driver
Drops
Disk Wiper
Wiper Command and Control
o This Trojan uses encrypted config file net_ver.dat embedded in the resource section that has several IP addresses later used for C&C communication
o Once connectivity is established with C2 servers, it initiates a two hour countdown at which time the infected machine will reboot
Net_ver.dat (Config File)
Wiper switchesThe module can be executed with many parameters:
switch description
-i Install itself as a service-k Remove the service-d Start file wipe module-s Mount and remote shares with hardcoded passwords and delete
files from them-m Drop Eldos Software RawDisk kernel driver to wipe MBR-a Start anti-AV module-w Drop and execute webserver to show the ransom message
-d switch
o usbdrv3.sys - Eldos Software RawDisk (a commercial product to enable raw access to the hard disk from Windows).
o After ten attempts to connect to one of the local systems, the process of wiping the hard drive began.
-d Delete
o sends string of “AAAAA”s in a loop to the Eldos driver requesting it to write directly to the hard disk.
o It deletes all files in the system except the files with extension exe and dll
o The malware is also known to wipe out network drives
-w Warning
• This switch drops a decrypted from resource section webserver.
• It runs on the infected machine with the only purpose of showing the user this ransom message.
Similarity to other APT attacks
o August 2012o Shamoon rendered up to 30,000 computers inoperable at
Saudi Aramco, the national oil company of Saudi Arabia. o Credit claimed by Cutting Sword of Justice
o 2013o DarkSeoul, a hacking group with suspected links to North
Korea, performed a delayed wipe on 40,000 systems at South Korean banks and caused $700 million in damage.
o Credit claimed by Whois
Insiders?
o This Trojan uses stored user name and password combination to get access to the other machines.
How did attackers get them? They must have known the internal network, either from insiders or previous attacks.
North Koreans?
o The resource section of the main file shows that the language pack used was Korean.
North Korea? Argument #1
FBI Bulletin, Dec 19o Technical analysis of the data deletion malware used in this attack revealed links
to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
o The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
o Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.
o Hackers used their true IP addresso Similar toolso Malware analysis
North Korea? Argument #2o Snowden docs show NSA first hacked North Korea in 2010 with help from SKo “early warning radar” was implanted to monitor North Koreao Fourth party collection
North Korea Bureau 121.
o Reconnaissance General Bureau, North Korea’s main intelligence service with 6,000 hackers
o Bureau 121, its secretive hacking unit, with a large outpost in China
o Hackers in Bureau 121 were among the 100 students who graduate from the University of Automation each year after five years of study. Over 2,500 apply for places at the university, which has a campus in Pyongyang, behind barbed wire.
North Korea Bureau 121.
Conclusions1. Sony attack was sophisticated , targeted and politically
motivated
2. In Sony’s case - early compromise harvesting the user account credentials lead to the later stage using malware designed with the credentials embedded
3. The best defense is an approach that continuously monitors network activities and file movements, detects threat activities across threat kill chain, and correlates observations across the enterprise network
Thank you.Twitter: @belogor
Slides on:Cyphort.com/labs/malwares-wanted/
