Slashdot Mirror


Hackers Used Nasty "SMB Worm" Attack Toolkit Against Sony

wiredmikey writes Just hours after the FBI and President Obama called out North Korea as being responsible for the destructive cyber attack against Sony Pictures, US-CERT issued an alert describing the primary malware used by the attackers, along with indicators of compromise. While not mentioning Sony by name in its advisory, instead referring to the victim as a "major entertainment company," US-CERT said that the attackers used a Server Message Block (SMB) Worm Tool to conduct the attacks. According to the advisory, the SMB Worm Tool is equipped with five components, including a Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning Tool. US-CERT also provided a list of the Indicators of Compromise (IOCs), which include C2 IP addresses, Snort signatures for the various components, host based Indicators, potential YARA signatures to detect malware binaries on host machines, and recommended security practices and tactical mitigations.

26 of 177 comments

  1. Super Mario Bros. Worm by tepples · · Score: 3, Funny

    How often do you see Server Message Block spelled out in news stories? I guess someone really wanted to avoid implying that Sony Computer Entertainment's rival Nintendo might be behind the attack.

    1. Re:Super Mario Bros. Worm by Opportunist · · Score: 2

      There is a difference? Could someone finally point it out, from afar the parties look too identical.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. Supreme Leader by Dorianny · · Score: 5, Insightful

    What I really want to know is how did the FBI figure out it was the work of North Korean government agents. Except for a privileged few, North Koreans are completely blocked off from the outside world and would never hear of this movie even if it won more Oscars than the Titanic. Why would North Korea reveal its capabilities and tactics in such dramatic fashion to achieve nothing of any value. It seems to me that all the speculation that was in the news recently about Kim's disappearance from public life and his possible overthrow was far more damaging to the cult of the Supreme Leader than some silly comedy.

    1. Re:Supreme Leader by whoever57 · · Score: 4, Insightful

      What I really want to know is how did the FBI figure out it was the work of North Korean government agents.

      "Never let a good crisis go to waste". They don't seriously think it was North Korea. Instead, there is an ulterior motive for blaming North Korea.

      --
      The real "Libtards" are the Libertarians!
    2. Re:Supreme Leader by Frosty+Piss · · Score: 5, Interesting

      Why would North Korea reveal its capabilities and tactics in such dramatic fashion to achieve nothing of any value.

      Because they are obsessed with the "respect" to their Dear Leader. It is a cult obsession with these people, don't try to read logic into it. Think "Scientologists".

      --
      If you want news from today, you have to come back tomorrow.
    3. Re:Supreme Leader by Dahamma · · Score: 2

      Except for a privileged few, North Koreans are completely blocked off from the outside world

      Umm, I think you answered that question already. You don't think North Korea's cyberterrorism military unit just might be part of those "privileged few"?

      Why would North Korea reveal its capabilities and tactics in such dramatic fashion to achieve nothing of any value

      Maybe because their Supreme Leader is a total loon? This is the same guy who has among hundreds of other insane actions decreed that anyone with his name needed to change it immediately. He lives for drama and vanity and wants his citizens to think of him as a demigod. He's a fucking international drama queen of the highest level...

    4. Re:Supreme Leader by X.25 · · Score: 4, Insightful

      What I really want to know is how did the FBI figure out it was the work of North Korean government agents. Except for a privileged few, North Koreans are completely blocked off from the outside world and would never hear of this movie even if it won more Oscars than the Titanic. Why would North Korea reveal its capabilities and tactics in such dramatic fashion to achieve nothing of any value. It seems to me that all the speculation that was in the news recently about Kim's disappearance from public life and his possible overthrow was far more damaging to the cult of the Supreme Leader than some silly comedy.

      Ssssssssssshhhhhhhhhh. You're asking questions, you shouldn't do that.

      Just trust the government.

    5. Re:Supreme Leader by dcollins · · Score: 2

      You're like the guy who watches a magician conjure an elephant and smugly go, "He had it up his sleeve".

      --
      We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
    6. Re:Supreme Leader by Opportunist · · Score: 2

      If I bought one of their rootkit CDs and infected my system, I could see getting a bit miffed, especially after that idiotic statement of how "Most people, I think, don't even know what a rootkit is, so why should they care about it?" and the "settlement" which essentially said Sony can do whatever they please and don't even get a slap on the wrist.

      You see, when the law fails, vigilantes are not far.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    7. Re:Supreme Leader by Bert64 · · Score: 2

      Guess who owns the endpoints on the fiber?

      China...

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  3. Can we stop the embellishment? by PhrostyMcByte · · Score: 5, Insightful

    I haven't seen any evidence that the mechanics of the attack itself is at all noteworthy, yet we keep hearing about how this attack was unstoppable, "nasty", etc. -- not just from Sony's PR guys, but from the FBI. As if it could have targeted literally any company and caused just as unmitigated damage.

    To me, a "nasty" worm is Stuxnet: it spread in a very standard innocuous way and seemed like any other worm, but ended up being highly targeted.

    This Sony hack just seems like your average trojan worm leaking an admin password back to someone. The only noteworthy part of this hack is that Sony had such horrifyingly moronic security practices that one attack was able to compromise such a large and varying corpus of valuable data.

    1. Re:Can we stop the embellishment? by Dahamma · · Score: 3, Insightful

      Really? Apparently they quickly took control of almost every one of Sony's servers and workstations. Literally took entire control, stole all of the useful data, wiped out all of their servers, and then owned all of the workstations so that they were useless but able to broadcast any message they wanted to them.

      That's a *bit* more coordinated than "your average trojan worm". Unless you really think based on extremely limited information you know more than all of the security researchers and government investigators looking into it... (hint: sorry, you don't).

    2. Re:Can we stop the embellishment? by TubeSteak · · Score: 3, Interesting

      Really? Apparently they quickly took control of almost every one one of Sony's servers and workstations.

      Wired mentions (without giving a source) an interview with a self-proclaimed member of GoP who claims Sony's network was infiltrated for a year.

      I'm not sure what you consider "quickly," but a year is a long time, even while rooting around in a corporate network as large as Sony's.

      --
      [Fuck Beta]
      o0t!
    3. Re:Can we stop the embellishment? by Bert64 · · Score: 4, Interesting

      It's common practice to put all of your servers and workstations in an active directory domain, and once you have a tiny foothold on an active directory domain it is almost always trivially easy to get administrative privileges over the whole domain (have been working as a pentester for 10+ years and never failed to get domain admin when the job scope allowed it)...
      Once you have domain admin, you typically have access to pretty much everything. Even if the organisation has devices which aren't linked to active directory (typically unix boxes, routers, switches etc), you will probably find that the guys responsible for managing these devices do so from a windows workstation which is part of the domain, so you just find their workstation and start keylogging (or in many cases just find the textfile full of passwords).
      Also in my experience, very few companies notice once you take control of their domain, and as a legitimate pentester I'm not trying to cover my tracks. The chances of most organisations noticing someone who is being careful is virtually 0.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    4. Re:Can we stop the embellishment? by Bert64 · · Score: 4, Insightful

      Yes, yes they are...
      Most companies have a horrendously insecure internal network, with virtually everything tied to an active directory domain which is laughably easy to compromise. They follow what they believe are best practices by installing patches every month, using strong passwords, setting account lockouts etc, but because of how the system is designed it only takes one weakness to make everything fall down. And then they will probably spend a lot of money buying "security software" that just makes the systems run far slower, while not fixing any of the underlying weaknesses.

      Most company networks are like a tardis, they use a network firewall to ensure that only a tiny fraction is visible from the outside, but once you get inside it's much bigger. All it takes is for one minor breach in the firewall by someone semi-competent and 99% of companies would be looking at a catastrophic breach. If it hasn't happened to your company yet then it's either a) luck, or b) it has happened but the perpetrators have other motives than publicity

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  4. Threatpost, professional, processes by raymorris · · Score: 4, Insightful

    Threatpost.com is a good source to stay on top of the latest news and threats. There is new stuff posted several times per week, so staying on top of it takes at least a couple of hours per week.

    You can get pretty darn good security at a very reasonable cost, but I can't fit much useful info in a Slashdot post. I read a 586 page book just on securing Apache - there's a ton of information to know and concepts to understand. For a business, especially a web-based business, it probably makes the most sense to hire in the right professional to spend a few hours with you, going over your processes and systems. I've been doing web security for 17 years; before that I did physical security and I'm still learning, so there's just a lot to know.

    Maybe the most important principle is to get rid of what isn't needed. Turn off unneeded services on computers, don't store credit card numbers if you don't absolutely have to, don't have multiple copies of sensitive data on different systems. I can't hack what isn't there.

    If you consult with a professional, be prepared to alter some of your processes to alternatives that are approximately just as easy to use, but different. Sftp is as easy to use as ftp, so don't let "we've always done it this way" be an excuse to not improve your processes. A FEW changes may be much less convenient, but necessary. That is to say, your professional may say once or twice "yes, this way is more time consuming, but it really is necessary for security." Be prepared for that, but also expect your professional to work with you to find ways to make security relatively painless most of the time. It'll likely follow strict, but painless, rules if done properly.

    Security is mostly about process, not products, and much of the best security software is open source, so the right professional won't be selling you stuff, just spending some time to find what you need and get it set up for you, then help your IT understand a bit and know where to find documentation.

    The right professional will also be able to explain the purpose of any recommendations in a way that you can fully understand. "Because security" is not a valid answer and is most frequently used by people who don't understand the "security" measures they are improperly applying, often in a way that weakens your system rather than strengthens it. It might seem strange to emphasize this, but I've seen a LOT of sysadmins severely damage system security by trying to strengthen it but not really understanding what they're doing. In almost all cases, the people doing crap "security" couldn't explain in detail why they did what they did, and became annoyed when asked to explain in detail. It's a good way to distinguish the few who know their stuff from the vast majority, who don't actually know what they're doing.

    1. Re:Threatpost, professional, processes by turbidostato · · Score: 3, Insightful

      "The state of corporate IT can be shocking. When I took over the IT at the UK branch of an international technology company I couldn't believe what I saw. Regular office staff had file sharing switched on individual PCs, Software developers had systems operated as root or administrator. People routinely downloaded whatever they wanted and installed it on their computers.
      The first thing I did was make sure that no computer had any file sharing or any other services running on it"

      You were doing it wrong, then, and probably the company employees hate you.

      The first thing you should have done is understand why computers/LANs were configured that way. I can't count the times I've seen security just going all over the place closing this and that without providing working alternatives to the function the user was achieving that way, just to bring productivity to a grinding halt.

      People don't go out of their way to share their hard disks or to install this or that simply because they have nothing better to do but because they need to do something and do it that way because they don't know anything better.

      Corporate security is more about providing secure ways to do what needs to be done (as defined by the end user, not the top brass) and less about tying users' hands, but very few "IT security people" seem to understand that.

    2. Re:Threatpost, professional, processes by Ol+Olsoc · · Score: 2

      You were doing it wrong, then, and probably the company employees hate you.

      The first thing you should have done is understanding why computers/lans were configured that way.

      Yes, it's true that unprotected sex with strangers without a condom feels better, but that doesn't mean you can protect them from STD's or pregnancy without them changing any of their habits.

      Same goes for computer users. Folks who look at productivity as not having to log in, or if you make them, want to use a password of "Password1", or their child's name or just the really quick to log in 1234567, or set up a dropbox, or really want to use thumbdrives, because "it's so quick and convenient, and those nice people at the trade show gave me one for everyone in my group!" are going to be an issue.

      Having a few people hate you might be an indicator that you are doing your job.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    3. Re:Threatpost, professional, processes by turbidostato · · Score: 2

      "Folks who look at productivity as not having to log in"

      I'll take this as an example. In my not so short experience, people usually have no problem logging in; people do have a problem having to log in half a dozen times to different systems within the same company, when they already provided their credentials to their computers at the beginning of their work day. And they do have a problem with having to change their passwords every 30 days in crazy ways on those half a dozen different systems.

      To follow on the example, provide them with proper single sign-on, let them change their password no more frequently than every three months, with a policy of allowing them a last log in to change their password instead of blocking them out and having to raise a ticket to IT, and educate them into passphrases instead of passwords, and the "problem" will vanish all of a sudden.

      "set up a dropbox, or really want to use thumbdrives"

      And then you research a bit on why they are doing that and then you discover that they need to go through seven hops to reach the fileserver instead of the fileserver path being the default save location for their office apps, and then the performance of the fileserver is awful and their quota forces them to spend half a day cleaning their data every fortnight, and then they still need to share files with customers or providers, and since the company IT doesn't provide solutions for their use cases but the "this is verboten" standard policy, they find their workarounds which are, of course, awfully insecure but still the best they knew to make ends meet.

      "Having a few people hate you might be an indicator that you are doing your job."

      Never is. The most you can say is that sometimes *despite your qualified efforts*, you can't find a solution for them to work comfortably and efficiently.

  5. US-CERT Link by Anonymous Coward · · Score: 4, Informative

    Link to the actual US-CERT alert:

    US-CERT TA14-353A

  6. Sony? by the_Bionic_lemming · · Score: 4, Informative

    Is anyone really upset that they got hacked? Has everyone forgotten they sent out compact discs loaded with a backdoor to fight argggh pirates?

    --
    _ _ _ Go for the eyes Boo! GO FOR THE EYES!
  7. Re: Inviting that squarehead fatso to Gitmo, perha by Anonymous Coward · · Score: 3, Insightful

    Toppling strong leaders didn't go down so well in Iraq and Libya. 11 years later Iraq is even worse than before. The Taliban were toppled in Afghanistan and it's still a disaster 13 years on. Israel poisoned Arafat with polonium and there is no peace there. And Obama tried to topple Assad in Syria and now it's a hotbed for Islamic extremists. Sometimes the evil dictators are necessary to keep divided countries stable.

  8. Then maybe we can finally answer an old question by Opportunist · · Score: 5, Interesting

    I think it was Thomas Hesse, back when Sony distributed Rootkits with their CDs their President of Global Digital Business, who said "Most people, I think, don't even know what a rootkit is, so why should they care about it?".

    Well, Sony? I'm fairly convinced your execs don't have the foggiest clue about malware but ... do you care about it?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  9. Re:SMB, eh? by Bert64 · · Score: 3, Insightful

    You're assuming that it spread by trying to guess usernames and passwords, which is highly unlikely.

    Chances are it spreads using usernames and password hashes that it already knows. If you compromise a single windows host you can extract the local admin hashes (which are often the same across many hosts because they were all built from a stock image), you can also extract the hashes as well as the plain text password of any currently logged in account including domain accounts, and any account which is saved in the registry for use to start services (I've seen networks where the antivirus is running as a domain admin on every host - ensuring that an admin password is extractable from every single host).

    Using this hash passing approach you can almost always spread throughout a network.

    As for logging...

    Your IPS will probably ignore SMB traffic, because it's extremely common and expected.
    The hacker will target the workstations first, they are probably not configured to send their logs back somewhere centrally... Chances are at least one workstation will have a valid domain admin hash available on it at some point. You only start hitting the servers once you have confirmed valid logins, valid SMB logins from internal workstations won't trigger any IPS because they are expected.
    Windows logging especially is usually quite shit, it's either far too verbose (the attack gets lost in the noise), or utterly useless... You might be able to detect a flood of invalid login attempts against the domain or directly against core servers, but a competent hacker is highly unlikely to try that.
    Otherwise your logs are only really useful "after the fact" to try and determine what went wrong, because by that point you now have time and budget to sit and comb through them. Of course this also only works if your logs are sufficiently detailed, and are still intact. If the system hosting your logs was on the domain, or accessed from workstations which are part of the domain then your logs are effectively worthless, a competent hacker would have deleted or modified them to cover their own actions.

    So they're stuck with poorly designed tools (ie windows), that have gaping design flaws that make such attacks easy to perform and hard to detect or stop. You could go to significant effort and expense to make such attacks more difficult, but many companies just won't have the budget for that in terms of the number and quality of staff (competent people are expensive), all the various expensive third party software and all the extra time (or extra staff) required to do things in a more secure but far more time consuming way.
    In reality, people cut corners. Even those who should know better, want to save themselves time or have to save themselves time because the company hasn't hired enough people for what they need.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
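The two Bert64 comments above (domain admin from a single foothold, and logs that are too noisy or too sparse to show it) describe the defender's problem: every logon in a pass-the-hash spread is a *successful* one, so failure-based alerting never fires. The script below is an added example, not code from the thread or from any of the commenters. It runs three simple rules over a constructed sample of Windows Security events (4624/4625, logon type 3 for SMB/network logons): one account fanning out to many hosts in a short window, workstation-to-workstation network logons, and, for comparison, the failed-logon flood the comment says a careful attacker avoids. The event shape, the `CORP\` account names, the host names and the convention that workstation names start with `WS-` are all assumptions made for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events, in the shape a log collector
# might forward them: (timestamp, event_id, account, source_host, target_host,
# logon_type, authentication_package). 4624 = successful logon, 4625 = failed
# logon; logon type 3 = network logon, which is what an SMB session produces.
SAMPLE_EVENTS = [
    # Ordinary user: a couple of Kerberos network logons to servers.
    ("2014-12-19T09:00:01", 4624, "CORP\\alice", "WS-0101", "FS-01", 3, "Kerberos"),
    ("2014-12-19T09:05:10", 4624, "CORP\\alice", "WS-0101", "PRINT-01", 3, "Kerberos"),
    # A service account's credential reused over NTLM from one workstation to
    # many other workstations within two minutes: every logon succeeds, so no
    # failure-based rule fires.
    ("2014-12-19T09:10:00", 4624, "CORP\\svc_av", "WS-0042", "WS-0043", 3, "NTLM"),
    ("2014-12-19T09:10:02", 4624, "CORP\\svc_av", "WS-0042", "WS-0044", 3, "NTLM"),
    ("2014-12-19T09:10:05", 4624, "CORP\\svc_av", "WS-0042", "WS-0045", 3, "NTLM"),
    ("2014-12-19T09:10:09", 4624, "CORP\\svc_av", "WS-0042", "WS-0046", 3, "NTLM"),
    ("2014-12-19T09:11:30", 4624, "CORP\\svc_av", "WS-0042", "WS-0047", 3, "NTLM"),
    ("2014-12-19T09:11:41", 4624, "CORP\\svc_av", "WS-0042", "FS-01", 3, "NTLM"),
] + [
    # Noisy guessing against the domain controller from one host: the pattern
    # the comment says a careful attacker avoids, included for comparison.
    ("2014-12-19T10:00:%02d" % s, 4625, "CORP\\administrator", "WS-0099", "DC-01", 3, "NTLM")
    for s in range(0, 36, 3)
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def lateral_fanout(events, window=timedelta(minutes=10), min_hosts=4):
    """Accounts whose successful network logons reach min_hosts or more
    distinct targets inside one window. Returns {account: (hosts, start)}."""
    by_account = defaultdict(list)
    for ts, eid, account, _src, dst, ltype, _pkg in events:
        if eid == 4624 and ltype == 3:
            by_account[account].append((parse_ts(ts), dst))
    alerts = {}
    for account, logons in by_account.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {dst for t, dst in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts and (
                    account not in alerts or len(hosts) > len(alerts[account][0])):
                alerts[account] = (sorted(hosts), start)
    return alerts


def workstation_to_workstation(events, ws_prefix="WS-"):
    """Successful network logons from one workstation directly to another,
    which ordinary users rarely produce. Assumes (constructed convention) that
    workstation names start with ws_prefix; a real deployment would use the
    asset inventory instead."""
    return [(account, src, dst)
            for _ts, eid, account, src, dst, ltype, _pkg in events
            if eid == 4624 and ltype == 3
            and src.startswith(ws_prefix) and dst.startswith(ws_prefix)]


def failed_logon_burst(events, window=timedelta(minutes=5), min_failures=10):
    """Source hosts producing min_failures or more failed logons in one window.
    Returns {source_host: largest_count_seen}."""
    by_source = defaultdict(list)
    for ts, eid, _account, src, _dst, _ltype, _pkg in events:
        if eid == 4625:
            by_source[src].append(parse_ts(ts))
    alerts = {}
    for src, times in by_source.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= min_failures:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts


if __name__ == "__main__":
    for account, (hosts, start) in lateral_fanout(SAMPLE_EVENTS).items():
        print("fan-out: %s reached %d hosts from %s: %s" % (account, len(hosts), start, hosts))
    for account, src, dst in workstation_to_workstation(SAMPLE_EVENTS):
        print("workstation-to-workstation: %s %s -> %s" % (account, src, dst))
    for src, count in failed_logon_burst(SAMPLE_EVENTS).items():
        print("failed-logon burst: %d failures from %s" % (count, src))
```

On the sample, only the failed-logon rule sees `WS-0099`, while the fan-out and workstation-to-workstation rules are what catch `svc_av`; neither of those needs a single failed logon, which is the point the comment makes. Both rules depend on workstation logs actually being forwarded to a collector the domain cannot write to, as the comment also notes.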
  10. Threatpost, professional, processes by Going_Digital · · Score: 3, Interesting

    The state of corporate IT can be shocking. When I took over the IT at the UK branch of an international technology company I couldn't believe what I saw. Regular office staff had file sharing switched on individual PCs, Software developers had systems operated as root or administrator. People routinely downloaded whatever they wanted and installed it on their computers.

    The first thing I did was make sure that no computer had any file sharing or any other services running on it, instead users would have to share files by placing them on a properly managed server and printers had their own dedicated print server box or were replaced with network printers. All the PCs then had local firewalls enabled to effectively make sure that there were no open ports on them even if some errant software got installed.

    All users were given regular user accounts, no admin access granted. Some users that were doing things like software testing who had to constantly install software were given admin access to a virtual machine so they could do all their testing on that VM.

    It was decided that the offices around the world would be linked up so that direct access to the network could be obtained all over the world. Now every office just plugged their new router into the LAN and gave full access to everything. I however installed a firewall on the new WAN link that restricted remote offices to accessing only 2 servers on our network and only on specific ports to access the services that we wanted to provide access to.

    I was so pleased I did all this as one day the WAN link seemed to be going slow, so I broke out the network monitor to see what was going on to find thousands of connection attempts coming from all of our international offices. As it turns out one of the US PCs had got infected with a worm and it was spreading over the whole global network. I could smugly say that apart from the slow WAN performance we were not affected at all. Our offices ran as normal while the rest of the company lost days of productivity trying to clear up the mess. It was at that point that finally the company started to listen to my calls for better security.

  11. Re:SMB, eh? by DarkOx · · Score: 2

    I don't even bother "compromising" an initial host on many engagements when the engagement has me go on site. It's trivially easy to tailgate your way onto most corporate campuses and set yourself up in an empty conference room.

    Then you wait for LLMNR or NetBIOS/tcp messages on your subnet; which nobody disables, ever. Then you just collect the hashes for a while. No need even to mess around with PTH half the time, more often than not hashcat can crack at least one before you finish your first soda and you have your foothold.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
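The comment above rests on LLMNR (UDP 5355 to multicast 224.0.0.252) and NetBIOS name service (UDP 137 to the subnet broadcast) still being enabled on workstations. The first step in fixing that is knowing which hosts still send such queries, and a passive audit of the wire answers it. The following is an added example, not code from the commenter or the thread: it builds a few constructed query datagrams in the DNS-style wire format both protocols share, parses them (including NetBIOS first-level name decoding), and groups the queries by sending host. The IP addresses, transaction ids and queried names are made up for the sample; in practice the payloads would come from a packet capture on the subnet.

```python
import struct
from collections import defaultdict

LLMNR_PORT = 5355        # LLMNR: UDP to multicast 224.0.0.252 / FF02::1:3
NBNS_PORT = 137          # NetBIOS Name Service: UDP to the subnet broadcast


def encode_dns_name(name):
    """Wire-format name used by LLMNR questions: each label is length-prefixed
    and the sequence ends with a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.split(".")) + b"\x00"


def encode_netbios_name(name, suffix=0x00):
    """NetBIOS first-level encoding: 15-byte space-padded name plus a one-byte
    suffix, each byte split into two nibbles written as 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    encoded = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return bytes([32]) + encoded + b"\x00"


def build_query(txid, qname_wire, qtype, flags=0):
    """Header shared by DNS, LLMNR and NBNS (id, flags, qd, an, ns, ar) plus one question."""
    return (struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
            + qname_wire + struct.pack("!HH", qtype, 1))


def parse_name_query(dst_port, payload):
    """Return (protocol, queried_name, qtype) for an LLMNR or NBNS query datagram,
    or None for anything else (other ports, responses, malformed data)."""
    if dst_port not in (LLMNR_PORT, NBNS_PORT) or len(payload) < 12:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or qdcount != 1:   # QR bit set means a response
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                # compression pointers do not occur in a query name
            return None
        labels.append(payload[pos:pos + length])
        pos += length
    if not labels or pos + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    if dst_port == NBNS_PORT:
        encoded = labels[0]
        if len(encoded) != 32 or any(c < 0x41 or c > 0x50 for c in encoded):
            return None
        raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                    for i in range(0, 32, 2))
        return ("NBNS", raw[:15].decode("ascii").rstrip(), qtype)
    return ("LLMNR", ".".join(label.decode("ascii") for label in labels), qtype)


def audit_datagrams(datagrams):
    """Group queries by sending host: the result is the list of machines on which
    multicast/broadcast name resolution is still enabled and should be turned off."""
    talkers = defaultdict(set)
    for src_ip, _dst_ip, dst_port, payload in datagrams:
        parsed = parse_name_query(dst_port, payload)
        if parsed:
            proto, name, _qtype = parsed
            talkers[src_ip].add((proto, name))
    return dict(talkers)


# Constructed sample datagrams: (src_ip, dst_ip, dst_port, payload).
SAMPLE_DATAGRAMS = [
    ("10.0.0.15", "224.0.0.252", LLMNR_PORT, build_query(0x1234, encode_dns_name("fileshare"), 1)),
    ("10.0.0.15", "224.0.0.252", LLMNR_PORT, build_query(0x1235, encode_dns_name("wpad"), 1)),
    ("10.0.0.23", "10.0.0.255", NBNS_PORT,
     build_query(0x7F01, encode_netbios_name("FILESRV01", 0x20), 0x20, flags=0x0110)),
    # Unicast DNS to the real resolver: same wire format, different port, not flagged.
    ("10.0.0.15", "10.0.0.1", 53, build_query(0x0001, encode_dns_name("fileshare.corp.example"), 1)),
]

if __name__ == "__main__":
    for host, queries in sorted(audit_datagrams(SAMPLE_DATAGRAMS).items()):
        print(host, sorted(queries))
```

The queried names themselves are worth keeping in the report: a mistyped share name or a `wpad` lookup that falls through to multicast is exactly the query that gets answered by whoever is listening, which is why turning both protocols off (by policy, on every workstation) is the fix rather than anything on the network side.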