Attack on Sony Pictures
Destover Trojan
Nick Bilogorskiy
@belogor
Sony Pictures Attack by Destover Trojan
o Attack on Sony Pictures, Nov 24, 2014, by GOP (“Guardians of Peace”)
o 111 Terabytes of data stolen
o Suspected origin: North Korea
o 7 lawsuits filed against Sony, so far
o Controversy over “The Interview”, which made $46 million to date
o Trojan designed for Sony’s network
Attack Timeline for Sony Pictures, Nov – Dec 2014
Nov 21  Sony receives email from ‘God’s Apstls’
Nov 24  Wiper activates
Nov 27  Guardians of Peace claims credit, starts releasing stolen movies
Dec 1   FBI sends “flash alert”
Dec 3   Destover malware discovered
Dec 11  GOP leaks Sony Exec emails
Dec 15  Sony hit with 1st class-action lawsuit for failure to protect employee info
Dec 17  Sony cancels movie “The Interview”
Dec 19  FBI says hack done by North Korea
Dec 23  Sony decides to release “The Interview” on Dec 25
What was stolen and leaked?
In a word, everything!
o Personal data on 600 employees
o Movies and scripts
o Performance reports and salary information
o Source code, private keys, passwords, certificates
o Production schedules, box office projections
o Executives’ email correspondence
o Brad Pitt’s phone number, and more
o Wiped 3,000 computers and 800 servers
Destover Workflow Diagram
(Figure: ATTACKER → Destover dropper, which spreads via SMB port 445 and talks to the Command and Control Servers; the dropper drops the WIPER, whose -w branch is the Webserver and whose -d branch is the Disk Driver, which drops the Disk Wiper.)
Wiper Command and Control
o This Trojan uses an encrypted config file, net_ver.dat, embedded in the resource section; it holds several IP addresses later used for C&C communication
o Once connectivity is established with the C2 servers, it initiates a two-hour countdown, at the end of which the infected machine reboots
Net_ver.dat (Config File)
Wiper switches
The module can be executed with many parameters:
switch  description
-i      Install itself as a service
-k      Remove the service
-d      Start file wipe module
-s      Mount remote shares with hardcoded passwords and delete files from them
-m      Drop Eldos Software RawDisk kernel driver to wipe MBR
-a      Start anti-AV module
-w      Drop and execute webserver to show the ransom message
-d switch
o usbdrv3.sys: Eldos Software RawDisk (a commercial product that enables raw access to the hard disk from Windows)
o After ten attempts to connect to one of the local systems, the process of wiping the hard drive began
-d Delete
o Sends a string of “AAAAA”s in a loop to the Eldos driver, requesting it to write directly to the hard disk
o Deletes all files in the system except files with extension exe and dll
o The malware is also known to wipe out network drives
-w Warning
• This switch drops a webserver decrypted from the resource section.
• It runs on the infected machine with the only purpose of showing the user this ransom message.
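The switches slide and the -d and -w slides above describe behaviour that endpoint telemetry can catch before the wipe finishes. The following is an added example of detection logic, not code from the slides or from Cyphort: it scores a few constructed process-creation, file-write and driver-load events against the wiper switches, the dropped usbdrv3.sys RawDisk driver, and raw writes to the physical disk. The event layout, its field names and the binary name wiper_sample.exe are assumptions made for this example; the switches and the driver name come from the slides.

```python
"""Endpoint-side detection of Destover-style wiper staging.

Added example, not code from the slides or from Cyphort. It scores a few
constructed endpoint events against behaviours the deck describes: the
wiper's command-line switches (-i, -k, -d, -s, -m, -a, -w), the dropped
Eldos RawDisk driver usbdrv3.sys, and raw writes to the physical disk.
The event dictionaries, their field names and the sample binary name
wiper_sample.exe are assumptions made for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Switches the deck lists for the wiper module and what each one does.
WIPER_SWITCHES: Dict[str, str] = {
    "-i": "install itself as a service",
    "-k": "remove the service",
    "-d": "start file wipe module",
    "-s": "mount remote shares with hardcoded passwords and delete files",
    "-m": "drop Eldos RawDisk kernel driver to wipe MBR",
    "-a": "start anti-AV module",
    "-w": "drop and execute webserver showing the ransom message",
}
# Switches whose presence alone is destructive enough to page someone.
DESTRUCTIVE = {"-d", "-s", "-m"}

# Driver file name taken from the deck; \\.\PhysicalDriveN is the standard
# Windows device path for raw disk access.
RAWDISK_DRIVER = "usbdrv3.sys"
PHYSICAL_DRIVE_RE = re.compile(r"\\\\\.\\PhysicalDrive\d+", re.IGNORECASE)


@dataclass
class Alert:
    host: str
    severity: str
    reason: str


def switches_in(cmdline: str) -> List[str]:
    """Wiper switches that appear as standalone tokens in a command line."""
    return [tok for tok in cmdline.split() if tok in WIPER_SWITCHES]


def score_event(ev: dict) -> Optional[Alert]:
    """Turn one endpoint event into an alert, or None if nothing matched."""
    host = ev.get("host", "?")
    kind = ev.get("type")
    if kind == "process_create":
        found = switches_in(ev.get("cmdline", ""))
        hit = DESTRUCTIVE.intersection(found)
        if hit:
            detail = "; ".join(WIPER_SWITCHES[s] for s in sorted(hit))
            return Alert(host, "critical",
                         f"destructive wiper switch(es) {sorted(hit)}: {detail}")
        # A single switch such as -k is common in benign command lines
        # (svchost.exe -k ...), so staging needs two or more to alert.
        if len(found) >= 2:
            return Alert(host, "high", f"wiper staging switches {found}")
    elif kind == "file_write":
        path = ev.get("path", "")
        if path.lower().endswith(RAWDISK_DRIVER):
            return Alert(host, "critical", f"RawDisk driver dropped at {path}")
        if PHYSICAL_DRIVE_RE.search(path):
            return Alert(host, "critical", f"raw write to physical disk {path}")
    elif kind == "driver_load" and ev.get("image", "").lower().endswith(RAWDISK_DRIVER):
        return Alert(host, "critical", "RawDisk kernel driver loaded")
    return None


def scan(events: List[dict]) -> List[Alert]:
    """Run every event through score_event and keep the alerts, in input order."""
    return [a for a in (score_event(e) for e in events) if a is not None]


# Constructed sample telemetry: one benign line, then a wiper being staged
# on ws-07 and a second host running the anti-AV and webserver modules.
SAMPLE_EVENTS = [
    {"host": "ws-01", "type": "process_create",
     "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"host": "ws-07", "type": "process_create",
     "cmdline": "C:\\Windows\\Temp\\wiper_sample.exe -i"},
    {"host": "ws-07", "type": "process_create",
     "cmdline": "C:\\Windows\\Temp\\wiper_sample.exe -m"},
    {"host": "ws-07", "type": "file_write",
     "path": "C:\\Windows\\System32\\Drivers\\usbdrv3.sys"},
    {"host": "ws-07", "type": "file_write", "path": "\\\\.\\PhysicalDrive0"},
    {"host": "ws-12", "type": "process_create",
     "cmdline": "C:\\Windows\\Temp\\wiper_sample.exe -a -w"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.host}: {alert.reason}")
```

Single-letter switches are weak evidence on their own (the benign svchost.exe -k line in the sample is deliberately not flagged), so the weight sits on the driver drop and the raw write to \\.\PhysicalDrive0; both of those are rare enough on a workstation to justify a critical alert and an isolation action before the two-hour countdown the C&C slide describes runs out.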
Similarity to other APT attacks
o August 2012
  o Shamoon rendered up to 30,000 computers inoperable at Saudi Aramco, the national oil company of Saudi Arabia
  o Credit claimed by Cutting Sword of Justice
o 2013
  o DarkSeoul, a hacking group with suspected links to North Korea, performed a delayed wipe on 40,000 systems at South Korean banks and caused $700 million in damage
  o Credit claimed by Whois
Insiders?
o This Trojan uses stored user name and password combinations to get access to the other machines.
How did the attackers get them? They must have known the internal network, either from insiders or from previous attacks.
North Koreans?
o The resource section of the main file shows that the
language pack used was Korean.
North Korea? Argument #1
FBI Bulletin, Dec 19
o Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
o The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
o Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.
o Hackers used their true IP address
o Similar tools
o Malware analysis
North Korea? Argument #2
o Snowden docs show the NSA first hacked North Korea in 2010 with help from South Korea
o An “early warning radar” was implanted to monitor North Korea
o Fourth party collection
North Korea Bureau 121
o Reconnaissance General Bureau, North Korea’s main intelligence service, with 6,000 hackers
o Bureau 121, its secretive hacking unit, with a large outpost in China
o Hackers in Bureau 121 were among the 100 students who graduate from the University of Automation each year after five years of study. Over 2,500 apply for places at the university, which has a campus in Pyongyang, behind barbed wire.
Conclusions
1. The Sony attack was sophisticated, targeted and politically motivated
2. In Sony’s case, an early compromise harvesting user account credentials led to the later stage using malware designed with those credentials embedded
3. The best defense is an approach that continuously monitors network activities and file movements, detects threat activities across the threat kill chain, and correlates observations across the enterprise network
Thank you.
Twitter: @belogor
Slides on:
Cyphort.com/labs/malwares-wanted/
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 

Attack on Sony

  • 3. Attack on Sony Pictures: Destover Trojan. Nick Bilogorskiy, @belogor
  • 4. Sony Pictures Attack by Destover Trojan
    o Attack on Sony Pictures, Nov 24, 2014, by GOP (“Guardians of Peace”)
    o 111 terabytes of data stolen
    o Suspected origin: North Korea
    o 7 lawsuits filed against Sony, so far
    o Controversy over “The Interview”, which has made $46 million to date
    o Trojan designed for Sony’s network
  • 5. Attack Timeline for Sony Pictures, Nov – Dec 2014 (timeline graphic, listed by date)
    o Nov 21: Sony receives email from “God’s Apstls”
    o Nov 24: Wiper activates
    o Nov 27: Guardians of Peace claims credit, starts releasing stolen movies
    o Dec 1: FBI sends “flash alert”
    o Dec 3: Destover malware discovered
    o Dec 11: GOP leaks Sony exec emails
    o Dec 15: Sony hit with 1st class-action lawsuit for failure to protect employee info
    o Dec 17: Sony cancels movie “The Interview”
    o Dec 19: FBI says hack done by North Korea
    o Dec 23: Sony decides to release “The Interview” on Dec 25
  • 6. What was stolen and leaked? In a word, everything!
    o Personal data on 600 employees
    o Movies and scripts
    o Performance reports and salary information
    o Source code, private keys, passwords, certificates
    o Production schedules, box office projections
    o Executives’ email correspondence
    o Brad Pitt’s phone number! and more...
    o Wiped 3,000 computers and 800 servers
  • 7. Destover Workflow Diagram (diagram labels): ATTACKER; Destover, spreads via SMB port 445; Command and Control Servers; DROPPER drops WIPER; -w Webserver, -d Disk Driver; drops Disk Wiper
  • 8. Wiper Command and Control
    o This Trojan uses an encrypted config file, net_ver.dat, embedded in the resource section; it holds several IP addresses later used for C&C communication
    o Once connectivity is established with the C2 servers, it initiates a two-hour countdown, after which the infected machine will reboot
    (Figure: Net_ver.dat config file)
  • 9. Wiper switches. The module can be executed with many parameters:
    o -i: Install itself as a service
    o -k: Remove the service
    o -d: Start file wipe module
    o -s: Mount remote shares with hardcoded passwords and delete files from them
    o -m: Drop Eldos Software RawDisk kernel driver to wipe MBR
    o -a: Start anti-AV module
    o -w: Drop and execute webserver to show the ransom message
  • 10. -d switch
    o usbdrv3.sys: Eldos Software RawDisk (a commercial product that enables raw access to the hard disk from Windows)
    o After ten attempts to connect to one of the local systems, the process of wiping the hard drive began
  • 11. -d Delete
    o Sends a string of “AAAAA”s in a loop to the Eldos driver, requesting it to write directly to the hard disk
    o It deletes all files in the system except files with the extensions exe and dll
    o The malware is also known to wipe out network drives
  • 12. -w Warning
    o This switch drops a webserver decrypted from the resource section
    o It runs on the infected machine with the sole purpose of showing the user this ransom message
  • 13. Similarity to other APT attacks
    o August 2012: Shamoon rendered up to 30,000 computers inoperable at Saudi Aramco, the national oil company of Saudi Arabia. Credit claimed by Cutting Sword of Justice
    o 2013: DarkSeoul, a hacking group with suspected links to North Korea, performed a delayed wipe on 40,000 systems at South Korean banks and caused $700 million in damage. Credit claimed by Whois
  • 14. Insiders?
    o This Trojan uses stored user name and password combinations to get access to the other machines. How did the attackers get them? They must have known the internal network, either from insiders or from previous attacks.
  • 15. North Koreans?
    o The resource section of the main file shows that the language pack used was Korean.
  • 16. North Korea? Argument #1: FBI Bulletin, Dec 19
    o Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
    o The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
    o Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.
    o Hackers used their true IP address
    o Similar tools
    o Malware analysis
  • 17. North Korea? Argument #2
    o Snowden docs show NSA first hacked North Korea in 2010 with help from SK
    o An “early warning radar” was implanted to monitor North Korea
    o Fourth party collection
  • 18. North Korea Bureau 121
    o Reconnaissance General Bureau, North Korea’s main intelligence service, with 6,000 hackers
    o Bureau 121, its secretive hacking unit, with a large outpost in China
    o Hackers in Bureau 121 were among the 100 students who graduate from the University of Automation each year after five years of study. Over 2,500 apply for places at the university, which has a campus in Pyongyang, behind barbed wire.
  • 20. Conclusions
    1. The Sony attack was sophisticated, targeted and politically motivated
    2. In Sony’s case, an early compromise harvesting user account credentials led to the later stage, using malware designed with those credentials embedded
    3. The best defense is an approach that continuously monitors network activities and file movements, detects threat activities across the threat kill chain, and correlates observations across the enterprise network
  • 21. Thank you. Twitter: @belogor. Slides on: Cyphort.com/labs/malwares-wanted/
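Slide 7 and the speaker notes describe the worm component spreading over SMB port 445 by brute-forcing authentication, and slide 14 notes that it carried stored user name and password combinations. From the defender's side, the durable signal is one source host failing SMB authentication against many peers and then succeeding, which is the moment lateral movement has worked and the window before a wiper stage fires. The detector below is an added example, not code from the presentation or from Cyphort; the log line format, host addresses, account names and thresholds are constructed for illustration.

```python
"""Flag SMB brute-force lateral movement in authentication logs.

Added example (not from the presentation or Cyphort): the Destover worm
component spread over SMB port 445 by brute-forcing credentials and reusing
the ones it had harvested. One source host failing against many peers and
then succeeding is the pattern to alert on. The log format, hosts, users
and thresholds below are constructed for illustration.
"""

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed line format: one authentication attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) user=(?P<user>\S+) "
    r"port=(?P<port>\d+) result=(?P<result>SUCCESS|FAIL)$"
)

# Constructed sample: 10.0.5.17 sprays SMB logins across a subnet, fails seven
# times, then gets in with a second account; 10.0.6.40 is a user mistyping a
# password twice; 10.0.7.9 is RDP noise that this SMB-focused rule ignores.
SAMPLE_LOG = """\
2014-11-24T01:58:02Z src=10.0.5.17 dst=10.0.8.21 user=SPE\\jdoe port=445 result=FAIL
2014-11-24T01:58:03Z src=10.0.5.17 dst=10.0.8.22 user=SPE\\jdoe port=445 result=FAIL
2014-11-24T01:58:03Z src=10.0.5.17 dst=10.0.8.23 user=SPE\\jdoe port=445 result=FAIL
2014-11-24T01:58:04Z src=10.0.5.17 dst=10.0.8.24 user=SPE\\jdoe port=445 result=FAIL
2014-11-24T01:58:04Z src=10.0.5.17 dst=10.0.8.25 user=SPE\\jdoe port=445 result=FAIL
2014-11-24T01:58:05Z src=10.0.5.17 dst=10.0.8.26 user=SPE\\jdoe port=445 result=FAIL
2014-11-24T01:58:09Z src=10.0.5.17 dst=10.0.8.21 user=SPE\\svc_admin port=445 result=FAIL
2014-11-24T01:58:10Z src=10.0.5.17 dst=10.0.8.27 user=SPE\\svc_admin port=445 result=SUCCESS
2014-11-24T02:03:11Z src=10.0.6.40 dst=10.0.8.30 user=SPE\\asmith port=445 result=FAIL
2014-11-24T02:03:19Z src=10.0.6.40 dst=10.0.8.30 user=SPE\\asmith port=445 result=FAIL
2014-11-24T02:03:27Z src=10.0.6.40 dst=10.0.8.30 user=SPE\\asmith port=445 result=SUCCESS
2014-11-24T02:05:00Z src=10.0.7.9 dst=10.0.9.1 user=SPE\\rdpuser port=3389 result=FAIL
2014-11-24T02:05:01Z src=10.0.7.9 dst=10.0.9.2 user=SPE\\rdpuser port=3389 result=FAIL
2014-11-24T02:05:02Z src=10.0.7.9 dst=10.0.9.3 user=SPE\\rdpuser port=3389 result=FAIL
"""


@dataclass
class SourceStats:
    """Per-source counters accumulated while scanning the log."""
    failures: int = 0
    successes_after_failure: int = 0
    targets: set = field(default_factory=set)
    users: set = field(default_factory=set)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"])
    return ev


def detect_smb_bruteforce(log_text, min_failures=5, min_targets=3):
    """Return findings for sources that fail SMB auth often against many hosts.

    Severity is 'high' when a success follows the failures from the same
    source, because that is the point where lateral movement has worked.
    """
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["port"] != 445:
            continue
        s = stats[ev["src"]]
        s.users.add(ev["user"])
        s.targets.add(ev["dst"])
        if ev["result"] == "FAIL":
            s.failures += 1
        elif s.failures > 0:
            s.successes_after_failure += 1

    findings = []
    for src, s in sorted(stats.items()):
        if s.failures < min_failures or len(s.targets) < min_targets:
            continue
        findings.append({
            "src": src,
            "failures": s.failures,
            "distinct_targets": len(s.targets),
            "accounts_tried": sorted(s.users),
            "severity": "high" if s.successes_after_failure else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect_smb_bruteforce(SAMPLE_LOG):
        print(f"{f['severity'].upper():6} {f['src']} failed {f['failures']} "
              f"SMB logins against {f['distinct_targets']} hosts "
              f"using {', '.join(f['accounts_tried'])}")
```

The thresholds are deliberately low so the constructed sample trips the rule; on a real network they are tuned per subnet, and the same per-source aggregation works on Windows logon events or firewall connection logs once `parse_line` is adapted to that format. The two-account pattern in the sample is what makes credential reuse visible: a spray that switches accounts and then succeeds is far more suspicious than repeated failures with one name.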

Editor’s Notes

  1. So, without further ado, let’s talk about the Sony attack. The controversy centers on the Sony Pictures comedy "The Interview," which stars Seth Rogen and James Franco as a producer and TV personality, respectively, who get the chance to interview Kim Jong-un, the leader of North Korea, and are drawn into an assassination attempt by the CIA. Let’s go over the timeline of events as they unfolded. The attack against Sony Pictures Entertainment was carried out by a previously unknown group called the Guardians of Peace (GOP), which claimed to have targeted the company because “Sony and Sony Pictures have made terrible racial discrimination and human rights violation, indiscriminate tyranny and restructuring in recent years.”
  2. Timeline:
     o Nov 21: Sony receives an email threatening great damage, signed "God's Apstls", a phrase found in the code of the hack three days later
     o Nov 24: Wiper activates and bricks Sony's PCs
     o Nov 27: Guardians of Peace claims credit and starts releasing stolen movies
     o Dec 1: FBI sends "flash alert"; Sony hires a forensics firm
     o Dec 3: Destover malware discovered
     o Dec 11: GOP leaks Sony executives' emails
     o Dec 15: Sony is hit with the first class-action lawsuit for failing to protect employees' private info
     o Dec 17: Sony cancels the movie "The Interview"
     o Dec 19: FBI confirms the hack was done by North Korea
     o Dec 23: Sony decides to release "The Interview" after all, on Christmas Day
  3. What was the impact of this attack on Sony? What data was stolen and leaked online?
     o Password databases, security certificates, MAC addresses for workstations and servers, and the usernames of every person with sudo access
     o A spreadsheet including the names, birth dates, home addresses and social security numbers of 3,803 employees of Sony Pictures
     o Payroll breakdowns for the entire company in a spreadsheet
     o A spreadsheet detailing all the Sony Pictures employees terminated in 2014, including cause for termination
     o Employee performance reviews
     o The social security numbers of more than 47,000 current and former employees, including celebrities like Sylvester Stallone
     o Salaries for top executives
     o A number of pilot scripts for the 2014 TV season
     o Personal information of individuals who worked at Sony Pictures from as far back as 2000
     As far as possible damage goes, this one was the worst I have ever seen.
  4. The attackers used a Server Message Block (SMB) Worm Tool to conduct the attacks. The SMB Worm Tool is equipped with five components: a Listening Implant, a Lightweight Backdoor, a Proxy Tool, a Destructive Hard Drive Tool, and a Destructive Target Cleaning Tool. The SMB worm propagates throughout an infected network via brute-force authentication attacks, and connects to a command and control (C2) infrastructure with servers located in Thailand, Poland, Italy, Bolivia, Singapore and the United States, the advisory said. We managed to find and analyze the Wiper component. The wiper process (igfxtrayex.exe) sleeps for 10 minutes (600,000 milliseconds, as seen below) before it carries out its actual malware routines. After that, the malware sleeps for another two hours. It then forces the system to reboot.
  5. o -d: This parameter starts the file wipe module immediately. All files on the local disk that are not in the Program Files or Windows folder will be deleted, as well as any file in locally mounted remote shares.
     o -s: This parameter causes the malware to attempt to mount specific remote shares using a hardcoded username and password. The files in the remote shares are then enumerated and deleted.
     o -m: Drops a file named usbdrv3.sys in the %TEMP% folder and creates a service named “usbdrv3” with description “USB 3.0 Host Controller” pointing to it. This module is part of the Eldos Software RawDisk kernel driver (see below for a description). It wipes the MBR of the disk, rendering it unusable.
     o -a: When executed on Windows 7, this parameter starts the Anti-AV module in some variants of the malware. It drops both anti-AV modules, AMS.EXE and KPH.SYS, in the %TEMP% folder and starts the process.
     o -w: In some variants of the malware, this parameter drops and executes the Web Server used to display the malware’s ransom message.
  6. This signed driver is a part of Eldos RawDisk library that offers user mode applications direct access to files, disks and partitions of the disks bypassing security limitations of Windows OS. The driver has been also used with previous versions of wiper to directly write to hard disk.
  7. Shamoon is believed to have been used in August 2012 to render up to 30,000 computers inoperable at Saudi Aramco, the national oil company of Saudi Arabia. Shamoon also used the commercial driver to wipe files. DarkSeoul, a hacking group with suspected links to North Korea, struck South Korean banks and media companies in 2013, and also performed a delayed wipe. That attack knocked out almost 50,000 computers and servers in South Korea for several days at five banks and television broadcasters. The hackers were patient, spending nine months probing the South Korean systems. But they also made the mistake seen in the Sony hack, at one point revealing what South Korean analysts believe to have been their true I.P. addresses. Lim Jong-in, dean of the Graduate School of Information Security at Korea University, said those addresses were traced back to Shenyang, and fell within a spectrum of I.P. addresses linked to North Korean companies.
  8. Note that SPE stands for the Sony Pictures Entertainment domain. Working on the premise that it would take an insider with detailed knowledge of the Sony systems to gain access and navigate the breadth of the network to selectively exfiltrate the most sensitive data, researchers from Norse Corporation are focusing on this group, based in part on leaked human resources documents that included data on a series of layoffs at Sony in the spring of 2014. The researchers tracked the activities of the ex-employee on underground forums where individuals in the U.S., Europe and Asia may have communicated prior to the attack. Norse investigators believe the disgruntled former employee or employees may have joined forces with pro-piracy hacktivists, who have long resented Sony’s anti-piracy stance, to infiltrate the company’s networks.
  9. Skilled hackers use proxy machines and false IP addresses to cover their tracks, or plant false clues inside their malware to throw investigators off their trail. When hackers are identified and apprehended, it’s generally because they’ve made mistakes or because a cohort got arrested and turned informant.
  10. "Fourth party collection" is the practice of spying on spy agencies to gather all the data they're taking in. "Fifth-party collection" is the practice of spying on spies who are spying on other spies. Really. According to David Sanger (the reporter who first uncovered the US role in Stuxnet), the evidence gathered by the “early warning radar” of software painstakingly hidden to monitor North Korea’s activities proved critical in persuading President Obama to accuse the government of Kim Jong-un of ordering the Sony attack, according to the officials and experts, who spoke on the condition of anonymity about the classified N.S.A. operation. Mr. Obama’s decision to accuse North Korea of ordering the largest destructive attack against an American target — and to promise retaliation, which has begun in the form of new economic sanctions — was highly unusual: The United States had never explicitly charged another government with mounting a cyberattack on American targets. The trail that led American officials to blame North Korea for the destructive cyberattack on Sony Pictures Entertainment in November winds back to 2010, when the National Security Agency broke into North Korea [David Sanger]. The American spy agency drilled into the Chinese networks that connect North Korea to the outside world, picked through connections in Malaysia favored by North Korean hackers and penetrated directly into the North with the help of South Korea and other American allies, according to former United States and foreign officials, computer experts later briefed on the operations and a newly disclosed N.S.A. document.
  11. According to a Korean defector, Mr. Kim, the military began training computer “warriors” in earnest in 1996 and two years later opened Bureau 121, now the primary cyberattack unit. Members were dispatched for two years of training in China and Russia. These guys were envied, in part because of their freedom to travel. When they returned, they formed the core of the External Information Intelligence Office, which hacked into websites, penetrated firewalls and stole information abroad. Because the North had so few connections to the outside world, the hackers did much of their work in China and Japan. He said the hackers in Bureau 121 were among the 100 students who graduate from the University of Automation each year after five years of study. Over 2,500 apply for places at the university, which has a campus in Pyongyang, behind barbed wire.
  12. North Koreans had stolen the “credentials” of a Sony systems administrator, which allowed the hackers to roam freely inside Sony’s systems. Hackers spent more than two months, mapping Sony’s computer systems, according to David Sanger’s article in NYT. So let’s now turn towards the biggest threats of 2014.
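Speaker note 5 gives the host artefacts of the -m and -a switches: usbdrv3.sys dropped into %TEMP% and registered as a service named “usbdrv3” described as “USB 3.0 Host Controller”, and the anti-AV modules AMS.EXE and KPH.SYS dropped the same way. File hashes change between variants, but a kernel driver or service whose binary is registered out of a temp directory is rare on a managed host and is the durable thing to alert on. The triage routine below is an added example, not the presenter's or Cyphort's code; the event records are constructed and only shaped like the fields of a Windows service-installation event, and the benign services in the sample are made up.

```python
"""Triage Windows service-installation events for wiper-style driver drops.

Added example (not from the presentation or Cyphort). Indicators come from the
slides and notes: Destover's -m switch drops usbdrv3.sys (Eldos RawDisk) into
%TEMP% and registers it as service "usbdrv3" described as "USB 3.0 Host
Controller"; the -a switch drops AMS.EXE and KPH.SYS the same way. The records
below are constructed and only shaped like the fields of a Windows
"service installed" event; the benign services are made up.
"""

import ntpath
from dataclasses import dataclass

# File and service names taken from the slides and speaker notes.
DESTOVER_NAMES = {"usbdrv3", "usbdrv3.sys", "ams.exe", "kph.sys", "igfxtrayex.exe"}
TEMP_MARKERS = ("%temp%", "\\temp\\", "\\tmp\\")
DRIVER_DIR = "\\windows\\system32\\drivers\\"
HARDWARE_WORDS = ("host controller", "bus driver", "usb")


@dataclass(frozen=True)
class ServiceInstallEvent:
    """Constructed record shaped like a 'service installed' event."""
    service_name: str
    image_path: str
    service_type: str        # "kernel mode driver" or "user mode service"
    description: str = ""


def normalise_image_path(raw):
    """Lower-case the image path and drop arguments after a quoted path."""
    p = raw.strip()
    if p.startswith('"') and '"' in p[1:]:
        p = p[1:p.index('"', 1)]
    return p.lower()


def audit_service_install(ev):
    """Return (severity, reasons) for one event; reasons is empty when benign."""
    path = normalise_image_path(ev.image_path)
    base = ntpath.basename(path)
    is_driver = "driver" in ev.service_type.lower()
    in_temp = any(marker in path for marker in TEMP_MARKERS)
    reasons = []
    if in_temp:
        kind = "kernel driver" if is_driver else "service binary"
        reasons.append(f"{kind} loaded from a temp directory")
    if base in DESTOVER_NAMES or ev.service_name.lower() in DESTOVER_NAMES:
        reasons.append("name matches a Destover indicator from the analysis")
    if (is_driver and DRIVER_DIR not in path
            and any(w in ev.description.lower() for w in HARDWARE_WORDS)):
        reasons.append("claims to be a hardware driver but is not under System32\\drivers")
    if not reasons:
        return ("none", [])
    severity = "high" if (is_driver and in_temp) or base in DESTOVER_NAMES else "medium"
    return (severity, reasons)


def audit_service_installs(events):
    """Map service name -> (severity, reasons) for every flagged event."""
    flagged = {}
    for ev in events:
        severity, reasons = audit_service_install(ev)
        if reasons:
            flagged[ev.service_name] = (severity, reasons)
    return flagged


# Constructed sample events: two benign services, a legitimate driver that
# sits where drivers belong, and two Destover-style drops into %TEMP%.
SAMPLE_EVENTS = [
    ServiceInstallEvent("Spooler", r"C:\Windows\System32\spoolsv.exe",
                        "user mode service", "Print Spooler"),
    ServiceInstallEvent("usbhub", r"C:\Windows\System32\drivers\usbhub.sys",
                        "kernel mode driver", "USB hub driver"),
    ServiceInstallEvent("usbdrv3", r"C:\Users\bob\AppData\Local\Temp\usbdrv3.sys",
                        "kernel mode driver", "USB 3.0 Host Controller"),
    ServiceInstallEvent("AMS", r"C:\Users\bob\AppData\Local\Temp\AMS.EXE",
                        "user mode service", ""),
    ServiceInstallEvent("VendorUpdater", r'"C:\Program Files\Vendor\updater.exe" /svc',
                        "user mode service", "Vendor Update Service"),
]

if __name__ == "__main__":
    for name, (severity, reasons) in audit_service_installs(SAMPLE_EVENTS).items():
        print(f"{severity.upper():6} {name}: " + "; ".join(reasons))
```

The path-based rules carry the weight here: the name list will go stale as soon as a variant is renamed, whereas a kernel driver registered from a user's temp directory, or one that describes itself as a USB host controller while living outside System32\drivers, stays suspicious regardless of the file name. Feeding real service-installation events into `ServiceInstallEvent` is a matter of mapping the event's fields onto the four attributes.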