Hackers Used Nasty "SMB Worm" Attack Toolkit Against Sony
wiredmikey writes: Just hours after the FBI and President Obama called out North Korea as being responsible for the destructive cyber attack against Sony Pictures, US-CERT issued an alert describing the primary malware used by the attackers, along with indicators of compromise. While not mentioning Sony by name in its advisory, instead referring to the victim as a "major entertainment company," US-CERT said that the attackers used a Server Message Block (SMB) Worm Tool to conduct the attacks. According to the advisory, the SMB Worm Tool is equipped with five components, including a Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning Tool. US-CERT also provided a list of the Indicators of Compromise (IOCs), which include C2 IP addresses, Snort signatures for the various components, host-based indicators, potential YARA signatures to detect malware binaries on host machines, and recommended security practices and tactical mitigations.
How often do you see Server Message Block spelled out in news stories? I guess someone really wanted to avoid implying that Sony Computer Entertainment's rival Nintendo might be behind the attack.
What I really want to know is how the FBI figured out it was the work of North Korean government agents. Except for a privileged few, North Koreans are completely blocked off from the outside world and would never hear of this movie even if it won more Oscars than Titanic. Why would North Korea reveal its capabilities and tactics in such dramatic fashion to achieve nothing of any value? It seems to me that all the speculation that was in the news recently about Kim's disappearance from public life and his possible overthrow was far more damaging to the cult of the Supreme Leader than some silly comedy.
Hacking activities are happening around us, from companies managing parking garages to Sony to Staples to whatnots ...
I've read Schneier's article, which in essence tells us that there is no foolproof way to prevent a hacking attempt.
I do reckon that "foolproof" in the IT field is nothing short of a fairy tale, but still, I do think there ought to be ways, online and offline, that we can at least cut down, to minimize, our companies' exposure to the (oft state-sponsored) hacking groups.
Any link (or links), suggestion, recommendation, whatever, that you guys (and gals) can share?
Thanks !
Muchas Gracias, Señor Edward Snowden !
I haven't seen any evidence that the mechanics of the attack itself is at all noteworthy, yet we keep hearing about how this attack was unstoppable, "nasty", etc. -- not just from Sony's PR guys, but from the FBI. As if it could have targeted literally any company and caused just as unmitigated damage.
To me, a "nasty" worm is Stuxnet: it spread in a very standard innocuous way and seemed like any other worm, but ended up being highly targeted.
This Sony hack just seems like your average trojan worm leaking an admin password back to someone. The only noteworthy part of this hack is that Sony had such horrifyingly moronic security practices that one attack was able to compromise such a large and varying corpus of valuable data.
<troll>Ah, Windows... the gift that keeps on giving.</troll>
Seriously, though... this is pretty ugly. It checks back every five minutes for each machine. You would think that Sony IT would notice that network traffic (or, say, the fact that all of their Windows desktops started listening on port 443). The moral of this story is run an IDS, scan your network, and pay attention to it all! :(
I think Mauve has the most RAM. --PHB (Dilbert Comic)
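The comment above says the implant checked back every five minutes and that this traffic should have been noticed. As an added illustration (not code from the thread or from the US-CERT alert), the script below reads a constructed connection log and flags flows whose inter-connection gaps are nearly constant; the log format, host names and addresses are invented for the example, and the 300-second period is the one the comment mentions.

```python
"""Beaconing detector for periodic outbound check-ins (added example).

The log format (ISO timestamp, source host, destination IP, destination
port) and the sample records are constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample log: ws-17 calls one address on 443 roughly every
# 300 s, mixed with ordinary irregular web traffic from two hosts.
SAMPLE_LOG = """\
2014-12-01T09:00:03 ws-17 203.0.113.10 443
2014-12-01T09:00:41 ws-17 198.51.100.5 80
2014-12-01T09:05:02 ws-17 203.0.113.10 443
2014-12-01T09:10:04 ws-17 203.0.113.10 443
2014-12-01T09:12:19 ws-17 198.51.100.5 80
2014-12-01T09:15:03 ws-17 203.0.113.10 443
2014-12-01T09:20:02 ws-17 203.0.113.10 443
2014-12-01T09:25:04 ws-17 203.0.113.10 443
2014-12-01T09:03:11 ws-22 198.51.100.5 80
2014-12-01T09:31:50 ws-22 198.51.100.5 80
2014-12-01T09:44:07 ws-22 198.51.100.5 80
"""


def parse_log(text):
    """Return {(src, dst, dport): [datetime, ...]} with times sorted."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    return {key: sorted(times) for key, times in flows.items()}


def find_beacons(flows, min_hits=5, max_jitter=0.1):
    """Flag flows whose gaps between connections are nearly constant.

    A flow is reported when it has at least `min_hits` connections and the
    population standard deviation of its gaps is within `max_jitter` times
    the median gap. Returns a list of (src, dst, dport, period_seconds).
    """
    hits = []
    for (src, dst, dport), times in flows.items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        if period > 0 and pstdev(gaps) <= max_jitter * period:
            hits.append((src, dst, dport, round(period)))
    return hits


if __name__ == "__main__":
    for src, dst, dport, period in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}:{dport} every ~{period}s")
```

Real deployments would feed this from firewall or NetFlow exports and raise `min_hits` to cut false positives from legitimate polling software.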
Threatpost.com is a good source to stay on top of the latest news and threats. There is new stuff posted several times per week, so staying on top of it takes at least a couple of hours per week.
You can get pretty darn good security at a very reasonable cost, but I can't fit much useful info in a Slashdot post. I read a 586 page book just on securing Apache - there's a ton of information to know and concepts to understand. For a business, especially a web-based business, it probably makes the most sense to hire in the right professional to spend a few hours with you, going over your processes and systems. I've been doing web security for 17 years; before that I did physical security and I'm still learning, so there's just a lot to know.
Maybe the most important principle is to get rid of what isn't needed. Turn off unneeded services on computers, don't store credit card numbers if you don't absolutely have to, don't have multiple copies of sensitive data on different systems. I can't hack what isn't there.
If you consult with a professional, be prepared to alter some of your processes to alternatives that are approximately just as easy to use, but different. SFTP is as easy to use as FTP, so don't let "we've always done it this way" be an excuse to not improve your processes. A FEW changes may be much less convenient, but necessary. That is to say, your professional may say once or twice "yes, this way is more time consuming, but it really is necessary for security". Be prepared for that, but also expect your professional to work with you to find ways to make security relatively painless most of the time. It'll likely follow strict, but painless, rules if done properly.
Security is mostly about process, not products, and much of the best security software is open source, so the right professional won't be selling you stuff, just spending some time to find what you need and get it set up for you, then help your IT understand a bit and know where to find documentation.
The right professional will also be able to explain the purpose of any recommendations in a way that you can fully understand. "Because security" is not a valid answer and is most frequently used by people who don't understand the "security" measures they are improperly applying, often in a way that weakens your system rather than strengthens it. It might seem strange to emphasize this, but I've seen a LOT of sysadmins severely damage system security by trying to strengthen it but not really understanding what they're doing. In almost all cases, the people doing crap "security" couldn't explain in detail why they did what they did, and became annoyed when asked to explain in detail. It's a good way to distinguish the few who know their stuff from the vast majority, who don't actually know what they're doing.
Instead, there is an ulterior motive for blaming North Korea
I never thought I would want to see people being imprisoned in Gitmo, but for that square-head fatso, hey, that's one helluva perfect permanent resident tailor made for Gitmo
Not samba, SMB. Samba is just the name of the open source Windows SMB server implementation. Most likely they were targeting Windows machines (though I admit I haven't seen anything on that either way).
Also, it's highly unlikely (but also possible I guess) they had SMB open to the Internet. But they just needed to compromise one internal machine (almost trivial these days) to attack SMB...
I mean OK, you cannot run a Windows system without SMB in a useful way. However, how could this spread? SMB is not a protocol that was designed to work outside of broadcast domains. It does, but you lose some of the features people take for granted.
I seriously wonder how this could spread, after all you don't just have a large Ethernet domain in your international company. You have smaller domains routed together, and in between you can trivially filter. SMB is one of the first things to go. Since it's hard and inefficient to run large filers on Windows, the few remaining machines with SMB enabled probably would be running on Linux, which means that they will not have the same security problems the Windows machines have.
So ideally this should have been easily contained within a fraction of the company network.
Link to the actual US-CERT alert:
US-CERT TA14-353A
Is anyone really upset that they got hacked? Has everyone forgotten they sent out compact discs loaded with a backdoor to fight argggh pirates?
_ _ _ Go for the eyes Boo! GO FOR THE EYES!
The artist workstations at Sony Imageworks are Linux.
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
> It does, but you lose some of the features people take for granted.
Excuse me, but so what? This is not a "taken for granted" usage of the protocol.
> I seriously wonder how this could spread, after all you don't just have a large Ethernet domain in your international company.
Oh, my dear lord. I'm assuming you've never worked in a large environment. _Of course_ they have a single large or several large domains (in the Microsoft Active Directory sense) for unified email authentication, and potentially for payroll management and corporate IDs. While the particular systems may be somewhat independent, they are _inevitably_ chained together by various poorly secured portals and gateways in a large environment.
If instead you meant "you don't have a large Ethernet domain", again, you clearly haven't dealt with the kind of large environment I have, where the admins leave things open "because we're not a target" or because "if they're inside our network, we're doomed anyway".
> SMB is one of the first things to go.
I'm afraid it's built into every Windows machine. Go looking around for the hidden "C$" share on every Windows box, which is critical to the use of "PowerShell" for systems administration. Unless you've been extremely cautious about firewalling things in your core switches and quite strict about treating all individual Windows systems as potentially hostile, it's enabled on all of them.
Toppling strong leaders didn't go down so well in Iraq and Libya. 11 years later Iraq is even worse than before. The Taliban were toppled in Afghanistan and it's still a disaster 13 years on. Israel poisoned Arafat with polonium and there is no peace there. And Obama tried to topple Assad in Syria and now it's a hotbed for Islamic extremists. Sometimes the evil dictators are necessary to keep divided countries stable.
Just because apparently several companies are stupid and use unsuitable security practices doesn't mean it's not really bad security. I mean we all refuse to do support for people who put their malware ridden gaming rig into their main LAN, why do companies get away with that?
They are the new feudal lords and do not produce anything palpable. Have you not noticed? They are Obama's bosses.
When you are dumb enough to use operating systems insecure by design. And the whole "NK attacked us" seems just to be a political manoeuvre, smoke and mirrors to distract us from the fact that Sony is not the best example of corporate governance, has been making huge PR moves, and Windows is worse than a Swiss cheese when it comes to security.
I think it was Thomas Hesse, Sony's President of Global Digital Business back when they distributed rootkits with their CDs, who said "Most people, I think, don't even know what a rootkit is, so why should they care about it?".
Well, Sony? I'm fairly convinced your execs don't have the foggiest clue about malware but ... do you care about it?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
that a country which is malnourished and still suffering from the effects of famine in 1998 has resources to devote to hacking full stop
You would, and so would I and probably anyone who doesn't think TCP is the Chinese secret service.
But do you think Sony would pay either your or my "asking price"? For what I would command they could easily hire three "admins". They might consider TCP the Chinese secret service and have generally zero clue about security or anything related, but hey, they will just take twice the time I need to get something going, and with a salary a third of mine, that's still coming out ahead!
That the reason they spend twice as long is that they use copy/paste configuring and trial and error as a way to figure out how to get stuff going, leaving ports open and vulnerable behind them in their battle against the system, who cares? It works, doesn't it?
SMB is indeed commonly used outside of broadcast domains; hosts can find each other through DNS (or WINS etc.) and happily communicate across Ethernet segments. In many cases most of the servers will be in a different Ethernet segment to the workstations etc.
SMB will almost never be filtered internally because it's used for domain logons and file sharing, and users will have a need to access files stored on servers in other parts of the company.
On the other hand, SMB is a terrible protocol... Not only does it allow file sharing, but it can be used for all manner of other things too, so by permitting it for something you need (file sharing) you are opening yourself to all manner of other things you don't need or want.
Doing what you describe is simply not practical for a Windows-based environment. Sure, ideally SMB would be blocked and a dedicated "file sharing only" protocol would be used, but Windows only supports SMB by default.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
The first thing I did was make sure that no computer had any file sharing or any other services running on it, instead users would have to share files by placing them on a properly managed server and printers had their own dedicated print server box or were replaced with network printers. All the PCs then had local firewalls enabled to effectively make sure that there were no open ports on them even if some errant software got installed.
All users were given regular user accounts, no admin access granted. Some users that were doing things like software testing who had to constantly install software were given admin access to a virtual machine so they could do all their testing on that VM.
It was decided that the offices around the world would be linked up so that direct access to the network could be obtained all over the world. Now every office just plugged their new router into the LAN and gave full access to everything. I however installed a firewall on the new WAN link that restricted remote offices to accessing only 2 servers on our network and only on specific ports to access the services that we wanted to provide access to.
I was so pleased I did all this, as one day the WAN link seemed to be going slow, so I broke out the network monitor to see what was going on and found thousands of connection attempts coming from all of our international offices. As it turns out one of the US PCs had got infected with a worm and it was spreading over the whole global network. I could smugly say that apart from the slow WAN performance we were not affected at all. Our offices ran as normal while the rest of the company lost days of productivity trying to clear up the mess. It was at that point that finally the company started to listen to my calls for better security.
Why couldn't Sony just yank all the Internet connectivity until the machines were fixed?
> Just because apparently several companies are stupid and use unsuitable security practices doesn't mean it's not really bad security
It's more than "several", I'm afraid. It's extremely common place. A significant portion of my annual salary comes from helping teach and implement improved security practices. And a large part of that income comes from explaining the trade-offs, time and risk and resources.
> I mean we all refuse to do support for people who put their malware ridden gaming rig into their main LAN, why do companies get away with that?
I'm forced to applaud your optimism. But I'm also forced to pity your naivete. The use of VPNs from home and the transfer of laptops into and out of the corporate networks are, themselves, a huge attack vector for environments that consider themselves to have implemented basic firewall and anti-virus tools. "Refusing to do support" for these personnel is basically "refusing to collect a paycheck" for most IT personnel.
Sony is a Windows company, you idiot.
The PS4 runs BSD...
"Don't meddle in the affairs of a patent dragon, for thou art tasty and good with ketchup." ~ohcrapitssteve
Oh really? RHEL? They've favored RH based distros in the past.
Why don't we hear anything from the Japanese government? Sony is a Japanese corporation.
Jack of all trades, master of none
I don't know which distro, I just know my friend griped about me sending him links to sites that use Flash because they frequently crashed Firefox. Heh
It isn't happening to Amazon or Google or Paypal or any other company with tech chops.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
i.e. 'nothing that bad has ever happened before and therefore it's probably not happening to us'
http://en.wikipedia.org/wiki/N...
There's another bias where you feel you emotionally can't take any more responsibility and thus just pray that the worst case scenario isn't happening. Not sure it's been studied yet.
@Anonymous Coward: "SMB is predominantly a Microsoft technology you idiot."
I'm not an 'idiot', I'm merely pointing out how the main article failed to point this out !!!
Two indicators come to mind. First, Korea used to be known as the Hermit Kingdom. Today, that title accurately describes North Korea, a country with limited communications links which suggests that they would need a lot of "outside help" to pull off this stunt. Second, the depth and breadth of the attack appears to be so massive that it almost looks like everything on their servers was copied and carted out. If they actually did this from outside, the Russian hackers must be green with envy. An additional thought: If you have this kind of capability, why blow it on a small target? For comparison, look at the Allies' preparations for D-Day in 1944 and notice how we cloaked our capabilities and methods. As I'm writing this, Leo Laporte, the Computer Guy, came on the air making the same points. Way to go, Leo.
They are the new feudal lords and do not produce anything palpable
You may have noticed that the media companies are one of the very, very few American sectors that produce works that are in great demand and sold abroad. That's why the government will bend over for them. They're one of the most important sectors of the economy.
... is that the US president thinks this is of such importance to address this in a speech. It clearly shows, IMHO, how much influence a media company has.
You don't think a media company is as important as another company of similar size/revenue/employee count? If another nation does as much catastrophic damage to an American company (it is an American subsidiary of a Japanese corporation), yes, it's the President's job to address it. Why would you think this isn't important?
Seriously, who are they kidding? No way North Korea could pull off a hacking stunt like that. Ever see the pics of the Supreme Leader and all his midget-sized elderly Generals in military uniform thoroughly taking notes (with pencil and paper) overlooking a "computer whizz"? The closest they've been to Sony is the worn-off smudged logo on an 80's Walkman someone smuggled over the border.