Hackers Used Nasty "SMB Worm" Attack Toolkit Against Sony
wiredmikey writes Just hours after the FBI and President Obama called out North Korea as being responsible for the destructive cyber attack against Sony Pictures, US-CERT issued an alert describing the primary malware used by the attackers, along with indicators of compromise. While not mentioning Sony by name in its advisory, instead referring to the victim as a "major entertainment company," US-CERT said that the attackers used a Server Message Block (SMB) Worm Tool to conduct the attacks. According to the advisory, the SMB Worm Tool is equipped with five components, including a Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning Tool. US-CERT also provided a list of the Indicators of Compromise (IOCs), which include C2 IP addresses, Snort signatures for the various components, host-based indicators, potential YARA signatures to detect malware binaries on host machines, and recommended security practices and tactical mitigations.
How often do you see Server Message Block spelled out in news stories? I guess someone really wanted to avoid implying that Sony Computer Entertainment's rival Nintendo might be behind the attack.
What I really want to know is how did the FBI figure out it was the work of North Korean government agents. Except for a privileged few, North Koreans are completely blocked off from the outside world and would never hear of this movie even if it won more Oscars than Titanic. Why would North Korea reveal its capabilities and tactics in such dramatic fashion to achieve nothing of any value? It seems to me that all the speculation that was in the news recently about Kim's disappearance from public life and his possible overthrow was far more damaging to the cult of the Supreme Leader than some silly comedy.
Hacking activities are happening around us, from companies managing parking garages to Sony to Staples to whatnots ...
I've read Schneier's article, which in essence tells us that there is no foolproof way to prevent hacking attempts.
I do reckon that "foolproof" in the IT field is nothing short of a fairy tale, but still, I do think there ought to be ways, online and offline, that we can use to at least cut down, to minimize, our companies' exposure to the (oft state-sponsored) hacking groups.
Any link (or links), suggestion, recommendation, whatever, that you guys (and gals) can share?
Thanks !
Muchas Gracias, Señor Edward Snowden !
I prefer to use the "Nice" smb worm. I hate Nasty.
I haven't seen any evidence that the mechanics of the attack itself are at all noteworthy, yet we keep hearing about how this attack was unstoppable, "nasty", etc. -- not just from Sony's PR guys, but from the FBI. As if it could have targeted literally any company and caused just as much unmitigated damage.
To me, a "nasty" worm is Stuxnet: it spread in a very standard innocuous way and seemed like any other worm, but ended up being highly targeted.
This Sony hack just seems like your average trojan worm leaking an admin password back to someone. The only noteworthy part of this hack is that Sony had such horrifyingly moronic security practices that one attack was able to compromise such a large and varying corpus of valuable data.
SMB is predominantly a Microsoft technology you idiot.
<troll>Ah, Windows... the gift that keeps on giving.</troll>
Seriously, though... this is pretty ugly. It checks back every five minutes for each machine. You would think that Sony IT would notice that network traffic (or, say, the fact that all of their Windows desktops started listening on port 443). The moral of this story is run an IDS, scan your network, and pay attention to it all! :(
I think Mauve has the most RAM. --PHB (Dilbert Comic)
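The two detection angles raised in this thread (the summary's list of C2 IP addresses as IOCs, and the comment above about an implant that checks back every five minutes from every machine) can both be run over ordinary outbound connection logs. The following is an added example, not code from the US-CERT advisory or from any commenter: the C2 addresses and the log lines are constructed for the example (documentation ranges, not the real TA14-353A indicators), and the five-minute interval is only the figure quoted above. The first pass matches destinations against the IOC list; the second flags any (source, destination, port) flow whose inter-connection gaps are nearly constant, which catches a beacon to an address that is not on any list yet.

```python
"""Detection pass over outbound connection records: IOC hits and periodic beacons."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed C2 indicators for this example; NOT the addresses from TA14-353A.
IOC_C2_IPS = {"203.0.113.7", "198.51.100.42"}

# Constructed firewall/proxy log lines: "timestamp source_host dest_ip:port".
# ws-042 beacons to a listed C2 every ~5 minutes, ws-099 beacons to an unlisted
# address at the same cadence, ws-017 is ordinary irregular browsing.
SAMPLE_LOG = """\
2014-12-19T09:00:02 ws-042 203.0.113.7:443
2014-12-19T09:00:04 ws-017 192.0.2.10:80
2014-12-19T09:05:01 ws-042 203.0.113.7:443
2014-12-19T09:10:03 ws-042 203.0.113.7:443
2014-12-19T09:12:12 ws-017 192.0.2.10:80
2014-12-19T09:13:40 ws-017 192.0.2.10:80
2014-12-19T09:15:00 ws-042 203.0.113.7:443
2014-12-19T09:20:02 ws-042 203.0.113.7:443
2014-12-19T09:25:01 ws-042 203.0.113.7:443
2014-12-19T09:30:00 ws-099 198.51.100.9:443
2014-12-19T09:35:03 ws-099 198.51.100.9:443
2014-12-19T09:39:58 ws-099 198.51.100.9:443
2014-12-19T09:40:05 ws-017 192.0.2.10:80
2014-12-19T09:45:01 ws-099 198.51.100.9:443
2014-12-19T09:50:00 ws-099 198.51.100.9:443
"""


def parse_log(text):
    """Parse constructed 'timestamp src dst_ip:port' lines into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        ip, port = dst.rsplit(":", 1)
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "dst_ip": ip, "dst_port": int(port)})
    return records


def match_iocs(records, ioc_ips):
    """Map each source host to the IOC addresses it contacted."""
    hits = defaultdict(set)
    for r in records:
        if r["dst_ip"] in ioc_ips:
            hits[r["src"]].add(r["dst_ip"])
    return dict(hits)


def find_beacons(records, min_hits=4, max_cv=0.15):
    """Flag flows whose inter-connection intervals are nearly constant.

    A flow is (src, dst_ip, dst_port). It is reported when it has at least
    min_hits connections and the coefficient of variation (stdev / mean) of
    the gaps between them is at most max_cv. Returns {flow: median_gap_s}.
    """
    by_flow = defaultdict(list)
    for r in records:
        by_flow[(r["src"], r["dst_ip"], r["dst_port"])].append(r["ts"])
    beacons = {}
    for flow, stamps in by_flow.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[flow] = median(gaps)
    return beacons


def triage(text, ioc_ips=IOC_C2_IPS):
    """Run both passes over one log and return their findings together."""
    records = parse_log(text)
    return {"ioc_hits": match_iocs(records, ioc_ips),
            "beacons": find_beacons(records)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for host, ips in sorted(result["ioc_hits"].items()):
        print(f"IOC hit: {host} -> {', '.join(sorted(ips))}")
    for (src, ip, port), gap in sorted(result["beacons"].items()):
        print(f"beacon: {src} -> {ip}:{port} every ~{gap:.0f}s")
```

On the constructed log the IOC pass names only ws-042, while the interval pass names both ws-042 and ws-099; the browsing host ws-017 has enough connections to the same destination but its gaps vary far too much to pass the threshold. The 0.15 tolerance allows for the small jitter real implants add; tighten it if a real dataset produces too many false positives, and remember that a beacon with randomized long sleeps will need a longer observation window than the fifty minutes shown here.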
Threatpost.com is a good source to stay on top of the latest news and threats. There is new stuff posted several times per week, so staying on top of it takes at least a couple of hours per week.
You can get pretty darn good security at a very reasonable cost, but I can't fit much useful info in a Slashdot post. I read a 586 page book just on securing Apache - there's a ton of information to know and concepts to understand. For a business, especially a web-based business, it probably makes the most sense to hire in the right professional to spend a few hours with you, going over your processes and systems. I've been doing web security for 17 years; before that I did physical security and I'm still learning, so there's just a lot to know.
Maybe the most important principle is to get rid of what isn't needed. Turn off unneeded services on computers, don't store credit card numbers if you don't absolutely have to, don't have multiple copies of sensitive data on different systems. I can't hack what isn't there.
If you consult with a professional, be prepared to alter some of your processes to alternatives that are approximately just as easy to use, but different. Sftp is as easy to use as ftp, so don't let "we've always done it this way" be an excuse to not improve your processes. A FEW changes may be much less convenient, but necessary. That is to say, your professional may say once or twice "yes, this way is more time consuming, but it really is necessary for security". Be prepared for that, but also expect your professional to work with you to find ways to make security relatively painless most of the time. It'll likely follow strict, but painless, rules if done properly.
Security is mostly about process, not products, and much of the best security software is open source, so the right professional won't be selling you stuff, just spending some time to find what you need and get it set up for you, then help your IT understand a bit and know where to find documentation.
The right professional will also be able to explain the purpose of any recommendations in a way that you can fully understand. "Because security" is not a valid answer and is most frequently used by people who don't understand the "security" measures they are improperly applying, often in a way that weakens your system rather than strengthens it. It might seem strange to emphasize this, but I've seen a LOT of sysadmins severely damage system security by trying to strengthen it but not really understanding what they're doing. In almost all cases, the people doing crap "security" couldn't explain in detail why they did what they did, and became annoyed when asked to explain in detail. It's a good way to distinguish the few who know their stuff from the vast majority, who don't actually know what they're doing.
Instead, there is an ulterior motive for blaming North Korea
I never thought I would want to see people being imprisoned in Gitmo, but for that square-head fatso, hey, that's one helluva perfect permanent resident tailor-made for Gitmo
Yet another post from Taco Cowboy that's completely unrelated to its parent. Thanks, Dude - we never get tired of that. Please note that as a modest homage to your technique, I changed my title also.
Not samba, SMB. Samba is just the name of the open source Windows SMB server implementation. Most likely they were targeting Windows machines (though I admit I haven't seen anything on that either way).
Also, it's highly unlikely (but also possible I guess) they had SMB open to the Internet. But they just needed to compromise one internal machine (almost trivial these days) to attack SMB...
I mean OK, you cannot run a Windows system without SMB in a useful way. However how could this spread? SMB is not a protocol that was designed to work outside of broadcast domains. It does, but you lose some of the features people take for granted.
I seriously wonder how this could spread, after all you don't just have a large Ethernet domain in your international company. You have smaller domains routed together, and in between you can trivially filter. SMB is one of the first things to go. Since it's hard and inefficient to run large filers on Windows, the few remaining machines with SMB enabled probably would be running on Linux, which means that they will not have the same security problems the Windows machines have.
So ideally this should have been easily contained within a fraction of the company network.
Link to the actual US-CERT alert:
US-CERT TA14-353A
Sony is a Windows company, you idiot.
Maybe it'd make you happy, but it'd be terrible for Koreans. With no clear heir, his generals would fight over North Korea. In the best case one would emerge victorious and replace Kim, after much blood being spilled. In the worst case, there is no clear victor and we'd have East, West and maybe other Koreas as well, all ready to rain hell on each other.
It makes him think all sorts of other cool stuff too. You should try one, they're a blast at parties.
Is anyone really upset that they got hacked? Has everyone forgotten they sent out compact discs loaded with a backdoor to fight argggh pirates?
_ _ _ Go for the eyes Boo! GO FOR THE EYES!
They're not a tech company, they don't even pretend to be. They probably hired a consulting firm to design their systems, the consulting firm did a reasonable job, but then what they built probably got handed off to a bunch of 2-bit contractors who come and go every few months to perhaps a year or two and things went all to hell. Also some managers here and there probably whined about how security measures were hurting productivity and standing in the way of actual movie releases (read Profit) and got the few remaining competent IT folks overruled and the restrictions relaxed even further. I thought there was also some early evidence of a possible insider (if so it would have been trivial for one of the aforementioned 2-bit contractors to actually be a "professional" black-hat). No company can withstand an insider attack. Some systems, such as air-gapped ones, protect the most sensitive data better than others, but it's essentially impossible to protect the systems sufficiently that an individual employee or contractor can't collect ANYTHING at all that they shouldn't release publicly. It would make it impossible to get anything done.
Assuming there was any inside help at all, much better detection and response could have limited the damage to perhaps 10% of what happened here though, but never could have completely avoided it.
So, is there any proof of norks doing this or are we back to the Bush WMD lies?
The artist workstations at Sony Imageworks are Linux.
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
> It does, but you lose some of the features people take for granted.
Excuse me, but so what? This is not a "taken for granted" usage of the protocol.
> I seriously wonder how this could spread, after all you don't just have a large Ethernet domain in your international company.
Oh, my dear lord. I'm assuming you've never worked in a large environment. _Of course_ they have a single large or several large domains (in the Microsoft Active Directory sense) for unified email authentication, and potentially for payroll management and corporate IDs. While the particular systems may be somewhat independent, they are _inevitably_ chained together by various poorly secured portals and gateways in a large environment.
If instead you meant "you don't have a large Ethernet domain", again, you clearly haven't dealt with the kind of large environment I have, where the admins leave things open "because we're not a target" or because "if they're inside our network, we're doomed anyway".
> SMB is one of the first things to go.
I'm afraid it's built into every Windows machine. Go looking around for the hidden "C$" share on every windows box, which is critical to the use of "Powershell" for systems administration. Unless you've been extremely cautious about firewalling things in your core switches and quite strict about treating all individual Windows systems as potentially hostile, it's enabled on all of them.
Toppling strong leaders didn't go down so well in Iraq and Libya. 11 years later Iraq is even worse than before. The Taliban were toppled in Afghanistan and it's still a disaster 13 years on. Israel poisoned Arafat with polonium and there is no peace there. And Obama tried to topple Assad in Syria and now it's a hotbed for Islamic extremists. Sometimes the evil dictators are necessary to keep divided countries stable.
Just because apparently several companies are stupid and use unsuitable security practices doesn't mean it's not really bad security. I mean we all refuse to do support for people who put their malware ridden gaming rig into their main LAN, why do companies get away with that?
... is that the US president thinks this is of such importance that he addresses it in a speech. It clearly shows, IMHO, how much influence a media company has.
When you are dumb enough to use operating systems insecure by design. And the whole "NK attacked us" seems just to be a political manoeuvre, smoke and mirrors to distract us from the fact Sony is not the best example of corporate governance, has been making huge PR moves, and Windows is worse than a swiss cheese when it comes to security.
I think it was Thomas Hesse, Sony's President of Global Digital Business back when Sony distributed rootkits with their CDs, who said "Most people, I think, don't even know what a rootkit is, so why should they care about it?".
Well, Sony? I'm fairly convinced your execs don't have the foggiest clue about malware but ... do you care about it?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
that a country which is malnourished and still suffering from the effects of the 1998 famine has resources to devote to hacking full stop
It's the hackers that did it, man!
Get a clue. It wasn't Linux machines that got hacked. It was Micro$oft Windows that got hacked. Stop spreading Micro$hit's lies.
You would, and so would I and probably anyone who doesn't think TCP is the Chinese secret service.
But do you think Sony would pay either your or my "asking price"? For what I would command they could easily hire three "admins". They might consider TCP the Chinese secret service and have generally zero clue about security or anything related, but hey, they will just take twice the time I need to get something going, and with a salary a third of mine, that's still coming out ahead!
That the reason they spend twice as long is that they use copy/paste configuring and trial and error as a way to figure out how to get stuff going, leaving ports open and vulnerable behind them in their battle against the system, who cares? It works, doesn't it?
Toppling strong leaders didn't go down so well in Iraq and Libya. 11 years later Iraq is even worse than before. The Taliban were toppled in Afghanistan and it's still a disaster 13 years on. Israel poisoned Arafat with polonium and there is no peace there. And Obama tried to topple Assad in Syria and now it's a hotbed for Islamic extremists. Sometimes the evil dictators are necessary to keep divided countries stable.
And sometimes it would have been nice not to install the dictators in the first place. The Taliban were the US choice to fight dirty against the Russians in Afghanistan. It is also the 25th anniversary of the Panama war, toppling a dictator who was a spy, drug baron and enemy of the ruling socialists. Nothing better than to have him on our side to fight the drug war, making him rich by removing the other drug dealers and establishing a dictatorship. At least in this case only the army had to be wiped out and there wasn't a US-trained guerrilla force.
You really have to be careful choosing your tools. A skill seriously lacking in US foreign politics.
SMB is indeed commonly used outside of broadcast domains, hosts can find each other through dns (or wins etc), and happily communicate across ethernet segments. In many cases most of the servers will be in a different ethernet segment to the workstations etc.
SMB will almost never be filtered internally because it's used for domain logons and file sharing, and users will have a need to access files stored on servers in other parts of the company.
On the other hand, SMB is a terrible protocol... Not only does it allow file sharing, but it can be used for all manner of other things too, so by permitting it for something you need (file sharing) you are opening yourself to all manner of other things you don't need or want.
Doing what you describe is simply not practical for a windows based environment. Sure ideally SMB would be blocked, and a dedicated "file sharing only" protocol would be used, but windows only supports SMB by default.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
The first thing I did was make sure that no computer had any file sharing or any other services running on it, instead users would have to share files by placing them on a properly managed server and printers had their own dedicated print server box or were replaced with network printers. All the PCs then had local firewalls enabled to effectively make sure that there were no open ports on them even if some errant software got installed.
All users were given regular user accounts, no admin access granted. Some users that were doing things like software testing who had to constantly install software were given admin access to a virtual machine so they could do all their testing on that VM.
It was decided that the offices around the world would be linked up so that direct access to the network could be obtained all over the world. Now every office just plugged their new router into the LAN and gave full access to everything. I however installed a firewall on the new WAN link that restricted remote offices to accessing only 2 servers on our network and only on specific ports to access the services that we wanted to provide access to.
I was so pleased I did all this as one day the WAN link seemed to be going slow, so I broke out the network monitor to see what was going on to find thousands of connection attempts coming from all of our international offices. As it turns out one of the US PCs had got infected with a worm and it was spreading over the whole global network. I could smugly say that apart from the slow WAN performance we were not affected at all. Our offices ran as normal while the rest of the company lost days of productivity trying to clear up the mess. It was at that point that finally the company started to listen to my calls for better security.
It wasn't MLB spying on us, it's the NFL.
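The question running through the SMB sub-thread (how a worm that needs port 445 gets from one office to the whole company, and why the poster above was only slowed down by the WAN storm rather than infected) comes down to reachability: which hosts listen on 445 and which segment-to-segment flows the firewalls permit. The model below is an added example, not Sony's network or any commenter's code; the hosts, segments and two policies are constructed for the example. It does a breadth-first walk from a patient-zero workstation, following only connections that the policy allows and that land on a host actually listening on 445, and compares a flat policy ("every office plugged their router in with full access") with the restricted one described above (remote offices reach two servers on specific ports, workstations share nothing and run a local firewall).

```python
"""Blast-radius model for an SMB worm under different segmentation policies."""
from collections import deque

SMB_PORT = 445

# Constructed hypothetical network: host -> (segment, ports the host listens on).
# Workstations in uk-lan share nothing and have a local firewall, so they listen
# on nothing; the file servers and the domain controller do listen on 445.
HOSTS = {
    "ws-us-1": ("us-lan", {445}),     # unmanaged US desktop, file sharing left on
    "ws-us-2": ("us-lan", {445}),
    "fs-us":   ("us-lan", {445}),
    "ws-uk-1": ("uk-lan", set()),
    "ws-uk-2": ("uk-lan", set()),
    "fs-uk":   ("uk-lan", {445}),     # the managed UK file server
    "app-uk":  ("uk-lan", {443}),
    "dc-core": ("core",   {445, 88}),
}

# Cross-segment allow rules: (src_segment, dst_segment, dst_host, dst_port),
# "*" matching anything. Traffic inside one switched segment is never filtered.
FLAT_POLICY = [("*", "*", "*", "*")]
RESTRICTED_POLICY = [
    ("us-lan", "uk-lan", "fs-uk", 445),   # remote office may reach the UK file server
    ("us-lan", "uk-lan", "app-uk", 443),  # and the UK app server over HTTPS
    ("*", "core", "dc-core", 88),         # Kerberos to the DC from everywhere
]


def allowed(policy, src_host, dst_host, port, hosts=HOSTS):
    """Would the segment firewalls let src_host open dst_host:port?"""
    src_seg, dst_seg = hosts[src_host][0], hosts[dst_host][0]
    if src_seg == dst_seg:
        return True  # same broadcast domain, nothing in between to filter
    return any(s in ("*", src_seg) and d in ("*", dst_seg)
               and h in ("*", dst_host) and p in ("*", port)
               for s, d, h, p in policy)


def spread(policy, patient_zero, hosts=HOSTS, port=SMB_PORT):
    """Set of hosts a worm starting at patient_zero can reach over `port`.

    Each newly infected host scans every other host; a hop succeeds only if
    the policy allows the flow and the target is actually listening on `port`.
    """
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        src = queue.popleft()
        for dst, (_seg, ports) in hosts.items():
            if dst in infected or port not in ports:
                continue
            if allowed(policy, src, dst, port, hosts):
                infected.add(dst)
                queue.append(dst)
    return infected


def compare(patient_zero, hosts=HOSTS):
    """Blast radius under both policies, for a quick before/after view."""
    return {"flat": sorted(spread(FLAT_POLICY, patient_zero, hosts)),
            "restricted": sorted(spread(RESTRICTED_POLICY, patient_zero, hosts))}


if __name__ == "__main__":
    for name, reached in compare("ws-us-1").items():
        print(f"{name:>10}: {len(reached)} of {len(HOSTS)} hosts -> {reached}")
```

Starting from the US desktop, the flat policy lets the worm reach every host that listens on 445, including the domain controller; the restricted policy still loses fs-uk (the remote office is allowed to reach it on 445, which is exactly the port the worm uses), but the UK workstations are untouched because nothing on them is listening, and the DC is safe because only Kerberos is permitted into the core segment. That is the trade-off the thread keeps circling: you cannot block 445 to a Windows file server and still use it, so the controls that actually limit spread are host-level (no shares and a local firewall on workstations) plus per-host, per-port rules between segments.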
Why couldn't Sony just yank all the Internet connectivity until the machines were fixed?
> Just because apparently several companies are stupid and use unsuitable security practices doesn't mean it's not really bad security
It's more than "several", I'm afraid. It's extremely common place. A significant portion of my annual salary comes from helping teach and implement improved security practices. And a large part of that income comes from explaining the trade-offs, time and risk and resources.
> I mean we all refuse to do support for people who put their malware ridden gaming rig into their main LAN, why do companies get away with that?
I'm forced to applaud your optimism. But I'm also forced to pity your naivete. The use of VPNs from home and the transfer of laptops into and out of the corporate networks are, themselves, a huge attack vector for environments that consider themselves to have implemented basic firewall and anti-virus tools. "Refusing to do support" for these personnel is basically "refusing to collect a paycheck" for most IT personnel.
Good guess but actually I think the fascists in government and banks in many countries including the US and China are trying to bring about a kind of serfdom style socialism globally. China was already like this anyway. They don't want the name of an existing totalitarian nation smeared. They want it emboldened. Big corporate interests are behind it I think - from Israel probably - same place Stuxnet came from. A country that already has a track record with this kind of stuff.
Sony is a Windows company, you idiot.
The PS4 runs BSD...
"Don't meddle in the affairs of a patent dragon, for thou art tasty and good with ketchup." ~ohcrapitssteve
Again, more things indicating it could not have been achieved by a country whose Internet infrastructure cannot even compare to what western countries had 15 years ago. It was carried out by the U.S. most likely, in an effort to further demonize North Korea, and of course the American pawns/population are quick to hate whoever their government and media tells them to hate.
Oh really? RHEL? They've favored RH based distros in the past.
Why don't we hear anything from the Japanese's government? Sony Is a Japanese Corporation.
Jack of all trades,master of none
People have said it before, but many super-corpos still run this "intranet protected by firewall" thing. Now a single firefox exploit can infect one computer and from that let a worm loose which uses the entire M$ Crapola (SMB, M$ DNS and so on) as its vector.
What's the fix? Burning most of our accustomed concepts, including the shite language "C". And being less a Commerce Whore and more of a Software Engineer. Sandboxing must be pervasive and so must be memory-safe languages. Not necessarily with a garbage collector though.
We had this security in the well-built Burroughs and Russian ELBRUS stuff. We have replaced it by the cheapest SHIT Bell Labs could foist on this world: C and Unix. And the Windows crapola, which shares the same concept-vulnerabilities.
signed
Der Kombjuder.
"our" propaganda wants to make us think.
You better expect 50% lies laced with 50% truth.
...it could not happen to ALL companies, but my best guess is 75% of companies.
Modern management is Commerce Whores and most IT people are so, too. They need to survive under these whores.
I don't know which distro, I just know my friend griped about me sending him links to sites that use Flash because they frequently crashed Firefox. Heh
ie 'nothing that bad has ever happened before and therefore it's probably not happening to us'
http://en.wikipedia.org/wiki/N...
There's another bias where you feel you emotionally can't take any more responsibility and thus just pray that the worst case scenario isn't happening. Not sure it's been studied yet.
@Anonymous Coward: "SMB is predominantly a Microsoft technology you idiot."
I'm not an 'idiot', I'm merely pointing out how the main article failed to point this out !!!
Two indicators come to mind. First, Korea used to be known as the Hermit Kingdom. Today, that title accurately describes North Korea, a country with limited communications links which suggests that they would need a lot of "outside help" to pull off this stunt. Second, the depth and breadth of the attack appears to be so massive that it almost looks like everything on their servers was copied and carted out. If they actually did this from outside, the Russian hackers must be green with envy. An additional thought: If you have this kind of capability, why blow it on a small target? For comparison, look at the Allies' preparations for D-Day in 1944 and notice how we cloaked our capabilities and methods. As I'm writing this, Leo Laporte, the Computer Guy, came on the air making the same points. Way to go, Leo.
Seriously, who are they kidding. No way North Korea could pull off a hacking stunt like that. Ever see the pics of the Supreme Leader and all his midget-sized elderly Generals in Military Uniform thoroughly taking notes (with pencil and paper) overlooking a "computer-whizz"? The closest they've been to Sony is the worn-off smudged logo on an 80's Walkman someone smuggled over the border