Hackers Used Nasty "SMB Worm" Attack Toolkit Against Sony
wiredmikey writes Just hours after the FBI and President Obama called out North Korea as being responsible for the destructive cyber attack against Sony Pictures, US-CERT issued an alert describing the primary malware used by the attackers, along with indicators of compromise. While not mentioning Sony by name in its advisory, instead referring to the victim as a "major entertainment company," US-CERT said that the attackers used a Server Message Block (SMB) Worm Tool to conduct the attacks. According to the advisory, the SMB Worm Tool is equipped with five components, including a Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning Tool. US-CERT also provided a list of the Indicators of Compromise (IOCs), which include C2 IP addresses, Snort signatures for the various components, host-based indicators, potential YARA signatures to detect malware binaries on host machines, and recommended security practices and tactical mitigations.
Why would North Korea reveal its capabilities and tactics in such dramatic fashion to achieve nothing of any value?
Because they are obsessed with the "respect" to their Dear Leader. It is a cult obsession with these people, don't try to read logic into it. Think "Scientologists".
If you want news from today, you have to come back tomorrow.
Really? Apparently they quickly took control of almost every one of Sony's servers and workstations.
Wired mentions (without giving a source) an interview with a self-proclaimed member of GoP who claims Sony's network was infiltrated for a year.
I'm not sure what you consider "quickly," but a year is a long time, even while rooting around in a corporate network as large as Sony's.
I think it was Thomas Hesse, their President of Global Digital Business back when Sony distributed rootkits with their CDs, who said "Most people, I think, don't even know what a rootkit is, so why should they care about it?".
Well, Sony? I'm fairly convinced your execs don't have the foggiest clue about malware but ... do you care about it?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It's common practice to put all of your servers and workstations in an active directory domain, and once you have a tiny foothold on an active directory domain it is almost always trivially easy to get administrative privileges over the whole domain (have been working as a pentester for 10+ years and never failed to get domain admin when the job scope allowed it)...
Once you have domain admin, you typically have access to pretty much everything. Even if the organisation has devices which aren't linked to active directory (typically unix boxes, routers, switches etc), you will probably find that the guys responsible for managing these devices do so from a windows workstation which is part of the domain, so you just find their workstation and start keylogging (or in many cases just find the textfile full of passwords).
Also in my experience, very few companies notice once you take control of their domain, and as a legitimate pentester I'm not trying to cover my tracks. The chances of most organisations noticing someone who is being careful are virtually 0.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
The first thing I did was make sure that no computer had any file sharing or any other services running on it; instead, users would have to share files by placing them on a properly managed server, and printers had their own dedicated print server box or were replaced with network printers. All the PCs then had local firewalls enabled to effectively make sure that there were no open ports on them even if some errant software got installed.
All users were given regular user accounts, no admin access granted. Some users that were doing things like software testing who had to constantly install software were given admin access to a virtual machine so they could do all their testing on that VM.
It was decided that the offices around the world would be linked up so that direct access to the network could be obtained all over the world. Now every office just plugged their new router into the LAN and gave full access to everything. I however installed a firewall on the new WAN link that restricted remote offices to accessing only 2 servers on our network and only on specific ports to access the services that we wanted to provide access to.
I was so pleased I did all this as one day the WAN link seemed to be going slow, so I broke out the network monitor to see what was going on, only to find thousands of connection attempts coming from all of our international offices. As it turned out, one of the US PCs had got infected with a worm and it was spreading over the whole global network. I could smugly say that apart from the slow WAN performance we were not affected at all. Our offices ran as normal while the rest of the company lost days of productivity trying to clear up the mess. It was at that point that the company finally started to listen to my calls for better security.
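The "thousands of connection attempts" the commenter saw on the WAN link is exactly the pattern a firewall log can flag automatically: one source hitting many distinct hosts on the SMB port in a short window. The script below is an added example, not code from the commenter or from US-CERT; the log format and the sample addresses are constructed for illustration.

```python
"""Flag hosts behaving like an SMB worm in a constructed firewall log.

Each log line is "<epoch> <src_ip> <dst_ip> <dst_port> <verdict>" (a
simplified, constructed format, not any vendor's real syntax). A source that
reaches many distinct destinations on TCP/445 within a short window is
scanning like a worm, whether or not the firewall dropped the attempts.
"""
from collections import defaultdict


def build_sample_log():
    """Constructed log: one normal file-server user and one infected host."""
    lines = []
    # Normal user repeatedly opens shares on the single managed file server.
    for t in range(0, 300, 30):
        lines.append(f"{1000 + t} 10.1.3.7 10.0.0.5 445 ALLOW")
    # Infected workstation walks its /24 looking for reachable SMB services;
    # the local-firewall policy from the post means most probes are dropped.
    for n in range(1, 41):
        verdict = "ALLOW" if n % 10 == 0 else "DROP"
        lines.append(f"{1000 + n} 10.1.2.10 10.1.2.{n} 445 {verdict}")
    return "\n".join(lines)


def parse_line(line):
    ts, src, dst, port, verdict = line.split()
    return int(ts), src, dst, int(port), verdict


def find_scanners(log_text, port=445, window=60, threshold=20):
    """Return {src_ip: peak distinct destinations} for sources that touched
    at least `threshold` different hosts on `port` inside `window` seconds."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, p, _ = parse_line(line)
        if p == port:
            events[src].append((ts, dst))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        start = 0  # left edge of the sliding time window
        for end, (ts, _) in enumerate(evs):
            while ts - evs[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in evs[start:end + 1]})
            if distinct >= threshold:
                hits[src] = max(hits.get(src, 0), distinct)
    return hits


if __name__ == "__main__":
    print(find_scanners(build_sample_log()))  # {'10.1.2.10': 40}
```

The normal user never exceeds one distinct destination, so only the infected workstation is reported; raising the threshold or shrinking the window tunes the sensitivity for a given network's size.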