Hackers Used Nasty "SMB Worm" Attack Toolkit Against Sony

wiredmikey writes Just hours after the FBI and President Obama called out North Korea as being responsible for the destructive cyber attack against Sony Pictures, US-CERT issued an alert describing the primary malware used by the attackers, along with indicators of compromise. While not mentioning Sony by name in its advisory, instead referring to the victim as a "major entertainment company," US-CERT said that the attackers used a Server Message Block (SMB) Worm Tool to conduct the attacks. According to the advisory, the SMB Worm Tool is equipped with five components, including a Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning Tool. US-CERT also provided a list of the Indicators of Compromise (IOCs), which include C2 IP addresses, Snort signatures for the various components, host based Indicators, potential YARA signatures to detect malware binaries on host machines, and recommended security practices and tactical mitigations.

Supreme Leader

[Dorianny]

What I really want to know is how did the FBI figure out it was the work of North Korean government agents. Except for a privileged few, North Koreans are completely blocked off from the outside world and would never hear of this movie even if it won more Oscars than the Titanic. Why would North Korea reveal its capabilities and tactics in such dramatic fashion to achieve nothing of any value. It seems to me that all the speculation that was in the news recently about Kim's disappearance from public life and his possible overthrow was far more damaging to the cult of the Supreme Leader than some silly comedy.

Re:Supreme Leader

[whoever57]

What I really want to know is how did the FBI figure out it was the work of North Korean government agents.

"Never let a good crisis go to waste". They don't seriously think it was North Korea. Instead, there is an ulterior motive for blaming North Korea.

Re:Supreme Leader

[X.25]

What I really want to know is how did the FBI figure out it was the work of North Korean government agents. Except for a privileged few, North Koreans are completely blocked off from the outside world and would never hear of this movie even if it won more Oscars than the Titanic. Why would North Korea reveal its capabilities and tactics in such dramatic fashion to achieve nothing of any value. It seems to me that all the speculation that was in the news recently about Kim's disappearance from public life and his possible overthrow was far more damaging to the cult of the Supreme Leader than some silly comedy.

Ssssssssssshhhhhhhhhh. You're asking questions, you shouldn't do that.

Just trust the government.

Re:Supreme Leader

[rockout]

No, ask all the questions you want. Just realize, when you assure people that it "must" be a ruse to provide an excuse to attack North Korea, you sound as loony as the NK leadership.

I'm not saying NK definitely did plan a cyberattack against Sony; it's an open question at this point. But when you smugly assert that you know it's our own government, with your only proof being your own paranoid crazy logic, you're really not advancing the conversation any.

Can we stop the embellishment?

[PhrostyMcByte]

I haven't seen any evidence that the mechanics of the attack itself is at all noteworthy, yet we keep hearing about how this attack was unstoppable, "nasty", etc. -- not just from Sony's PR guys, but from the FBI. As if it could have targeted literally any company and caused just as unmitigated damage.

To me, a "nasty" worm is Stuxnet: it spread in a very standard innocuous way and seemed like any other worm, but ended up being highly targeted.

This Sony hack just seems like your average trojan worm leaking an admin password back to someone. The only noteworthy part of this hack is that Sony had such horrifyingly moronic security practices that one attack was able to compromise such a large and varying corpus of valuable data.

Re:Can we stop the embellishment?

[Dahamma]

Really? Apparently they quickly took control of almost every one one of Sony's servers and workstations. Literally took entire control, stole all of the useful data, wiped out all of their servers, and then owned all of the workstations so that they were useless but able to broadcast any message they wanted to them.

That's a *bit* more coordinated than "your average trojan worm". Unless you really think based on extremely limited information you know more than all of the security researchers and government investigators looking into it... (hint: sorry, you don't).

Re:Can we stop the embellishment?

[Bert64]

Yes, yes they are...
Most companies have a horrendously insecure internal network, with virtually everything tied to an active directory domain which is laughably easy to compromise. They follow what they believe are best practices by installing patches every month, using strong passwords, setting account lockouts etc, but because of how the system is designed it only takes one weakness to make everything fall down. And then they will probably spend a lot of money buying "security software" that just makes the systems run far slower, while not fixing any of the underlying weaknesses.

Most company networks are like a tardis, they use a network firewall to ensure that only a tiny fraction is visible from the outside, but once you get inside it's much bigger. All it takes is for one minor breach in the firewall by someone semi competent and 99% of companies would be looking at a catastrophic breach. If it hasn't happened to your company yet then it's either a) luck, or b) it has happened but the perpetrators have other motives than publicity

Threatpost, professional, processes

[raymorris]

Thereatpost.com is a good source to stay on top of the latest news and threats. There is new stuff posted several times per week, so staying on top of it takes at least a couple of hours per week.

You can get pretty darn good security at a very reasonable cost, but I can't fit much useful info in a Slashdot post. I read a 586 page book just on securing Apache - there's a ton of information to know and concepts to understand. For a business, especially a web-based business, it probably makes the most sense to hire in the right professional to spend a few hours with you, going over your processes and systems. I've been doing web security for 17 years; before that I did physical security and I'm still learning, so there's just a lot to know.

Maybe the most important principle is to get rid of what isn't needed. Turn off unneeded services on computers, don't store credit card numbers if you don't absolutely have to, don't have multiple copies of sensitive data on different systems. I can't hack what isn't there.

If you consult with a professional, be prepared to alter some of your processes to alternatives that are approximately just as easy to use, but different. Sftp is as easy to use as ftp, so don't let "we've always done it this way" be an excuse to not improve your processes. A FEW changes may be much less convenient, but necessary. That is to say, your professional may say once or twice "yes, this way is more time consuming, but it really is necessary for security ". Be prepared for that, but also expect your professional to work with you to find ways to make security relatively painless most of the time. It'll likely follow strict, but painless, rules if done properly.

Security is mostly about process, not products, and much of the best security software is open source, so the right professional won't be selling you stuff, just spending some time to find what you need and get it set up for you, then help your IT understand a bit and know where to find documentation.

      The right professional will also be able to explain the purpose of any recommendations in a way that you can fully understand. "Because security " is not a valid answer and is most frequently used by people who don't understand the "security" measures they are improperly applying, often in a way that weakens your system rather than strengthens it. It might seem strange to emphasize this, but I've seen a LOT of sysadmins severely damage system security by trying to strengthen it but not really understanding what they're doing. In almost all cases, the people doing crap "security" couldn't explain in detail why they did what they did, and became annoyed when asked to explain in detail. It's a good way to distinguish the few who know their stuff from the vast majority, who don't actually know what they're doing.

Re:Threatpost, professional, processes

[turbidostato]

"The state of corporate IT can be shocking. When I took over the IT at the UK branch of an international technology company I couldn't believe what I saw. Regular office staff had file sharing switched on individual PCs, Software developers had systems operated as root or administrator. People routinely downloaded whatever they wanted and installed it on their computers.
The first thing I did was make sure that no computer had any file sharing or any other services running on it"

You were doing it wrong, then, and probably the company employees hate you.

The first thing you should have done is understanding why computers/lans were configured that way. I can't count the times I've seen security just going all the place closing this and that without providing working alternatives to the function the user was achieving that way, just to put productivity to a halting grind.

People don't go out of their way to share their hard disks or to install this or that simply because they have nothing better to do but because they need to do something and do it that way because they don't know anything better.

Corporate security is more about providing secure ways to do what it's needed to be done (as defined by the end user, not the top brass) and less about tying users' hands but very short numbers of "IT security people" seem to understand that.

Re: Inviting that squarehead fatso to Gitmo, perha

Toppling strong leaders didn't go down so well in Iraq and Libya. 11 years later Iraq us even worse than before. The Taliban were toppled in Afghanistan and it's still a disaster 13 years on. ISrael poisoned Ararat with polonium and there is no peace there. And Obama tried to topple Assad in Syria and now it's a hotbed for Islamic extremists. Sometimes the evil dictators are necessary to keep divided countries stable.

Re:SMB, eh?

[Bert64]

You're assuming that it spread by trying to guess usernames and passwords, which is highly unlikely.

Chances are it spreads using usernames and password hashes that it already knows. If you compromise a single windows host you can extract the local admin hashes (which are often the same across many hosts because they were all built from a stock image), you can also extract the hashes as well as the plain text password of any currently logged in account including domain accounts, and any account which is saved in the registry for use to start services (i've seen networks where the antivirus is running as a domain admin on every host - ensuring that an admin password is extractable from every single host).

Using this hash passing approach you can almost always spread throughout a network.

As for logging...

Your IPS will probably ignore SMB traffic, because it's extremely common and expected.
The hacker will target the workstations first, they are probably not configured to send their logs back somewhere centrally... Chances are at least one workstation will have a valid domain admin hash available on it at some point. You only start hitting the servers once you have confirmed valid logins, valid SMB logins from internal workstations won't trigger any IPS because they are expected.
Windows logging especially is usually quite shit, it's either far too verbose (the attack gets lost in the noise), or utterly useless... You might be able to detect a flood of invalid login attempts against the domain or directly against core servers, but a competent hacker is highly unlikely to try that.
Otherwise your logs are only really useful "after the fact" to try and determine what went wrong, because by that point you now have time and budget to sit and comb through them. Ofcourse this also only works if your logs are sufficiently detailed, and are still intact. If the system hosting your logs was on the domain, or accessed from workstations which are part of the domain then your logs are effectively worthless, a competent hacker would have deleted or modified them to cover their own actions.

So they're stuck with poorly designed tools (ie windows), that have gaping design flaws that make such attacks easy to perform and hard to detect or stop. You could go to significant effort and expense to make such attacks more difficult, but many companies just won't have the budget for that in terms of the number and quality of staff (competent people are expensive), all the various expensive third party software and all the extra time (or extra staff) required to do things in a more secure but far more time consuming way.
In reality, people cut corners. Even those who should know better, want to save themselves time or have to save themselves time because the company hasn't hired enough people for what they need.