Compromised patching may have brought down PCs and TVs last week in S.K.
Get a powerful Linux Dual-Core dedicated server for less than $2.67 a day!Tweet Share on Twitter.
March 25, 2013
South Korea's massive data wiping malware that knocked out hundreds of personal computers at TV stations and banks last week may have been introduced through a combination of compromised corporate patching systems spread across the country.
Several South Korean financial institutions-- Shinhan Bank, Nonghyup Bank and Jeju Bank and TV broadcaster networks were all impacted by a destructive virus, since identified as DarkSeoul by Sophos and Jokra Trojan by Symantec, which deleted all the data on the hard drives, right down to the operating system of infected PCs, preventing them from booting up upon restart.
Initially, it was believed that the malware spread through local telco LG U+ and may have came from a single Chinese IP address. The Korea Communications Commission said it was mistaken when it identified an internet address in China as the source of the mega-attack.
The IP address involved actually belonged to NongHyup Bank, one of the main victims of the assault, suggesting that the attack could have been an 'inside job'.
Late on Friday afternoon, security appliance firm Fortinet claimed that hackers broke into the servers of an unnamed but local antivirus company and planted malware which was then distributed as an update patch. Local researchers at Fortinet's Threat Response Team working with the Korea Information Security Association came up with the theory before notifying news media about the apparent find.
But later on Friday evening, Guillaume Lovet of Fortinet stated that the security appliance firm no longer stood by its earlier pronouncement.
By early this morning, things had moved on again with South Korean security software firm AhnLab putting out a release saying hacked corporate patching systems were to blame for the wide spread of the malware. It also added that its own security technology wasn't involved in the distribution of the malware, an apparent reference to the premature and since-discredited theory put up by Fortinet.
It now appears that attackers used stolen user IDs and passwords to launch some of the attacks. The credentials were used to gain access to individual patch management systems located on the affected networks. Once the attackers had access to the patch management system, they used it to distribute the malware much like the system distributes new software and their updates.
Contrary to early reports, no security hole in any AhnLab server or product was used by the attackers to deliver the malicious code.
The latest theory suggests hackers first obtained administrator login to a security vendors' patch management server via a targeted attack. Armed with the login information, the hackers then created malware on the PMS server that masqueraded as a normal software update.
This fake update file subsequently infected a large number of PCs all at once, deleting a Master Boot Record on each Windows PC to prevent it from booting up normally. The malware was designed to activate on March 20 at 2.00 PM, South Korea time.
The speed at which the attack spread had already led security tools firm AlienVault to suggest that the wiper malware might have been distributed to already compromised clients in a zombie network. AhnLabs suggests that this compromised network was actually the patching system of the data wiping malware's victims.
However, the prevailing theory remains that North Korea may have instigated the attacks, which follows weeks of heightened tension on the small peninsula. But there's no hard evidence to support this conclusion. We will keep you posted on this and other news stories as they develop.
In other internet security news
A very obvious security flaw has been blamed for the compromise and attempted theft of 300 .uk domains managed by hosting firm in 2012.
Anyone with a hosting package from 123-Reg and an account control panel supplied by that company, simply had to change the final section of the URL manually (to, for example, /someoneelseswebsite.co.uk) to be able to gain full access to someone's else emails, FTP credentials, name servers, private information and billing.
With access to the administrative control panel, would-be domain thieves just had to change the contact details for U.K. registry at Nominet to a new email address and then do a failed password request to have a new password sent to the new email address, locking the original owner out.
In defense, 123-Reg said it had "worked with our registrars to help them tighten security and prevent a repeat of this incident."
Both 123-Reg and Nominet say that there was "a query from a registrant" last year that led to Nominet "discovering some irregularities in registration and renewal patterns".
"As part of Nominet's standard operating procedures they locked the affected domains from any transfer or adjustment while they investigated further, and with our full support," 123-Reg said in an emailed statement.
Nominet said that its investigations into the issue revealed that "a total of 300 .uk domains had been transferred over to a new registrant in the post-expiry period without the permission of the original registrant".
"We have terminated our registrar agreement with one registrar," the dot-UK registry said. Neither firm would comment on how the the security breach had come about or whether the matter had been referred to Britain's Information Commissioner to investigate in such matters.
Nominet added that it couldn't elaborate any further because "we understand there is an ongoing police investigation into this issue".
In other internet security news
Critical internet-facing industrial systems controlling crucial equipment used by nuclear power plants, airports, factories and other sensitive systems are still subjected to sustained attacks within a few hours of appearing online, according to new research by Trend Micro.
The security vulnerabilities of SCADA (supervisory control and data acquisition) industrial control systems are numerous, and have been a major focus of interest in information security circles for the last three years or so thanks to Stuxnet, Duqu, and other similar noteworthy virus attacks.
A security expert has challenged a theory on how the infamous Stuxnet worm, best known for tampering with Iranian lab equipment, somehow escaped into the internet. New York Times reporter David Sanger wrote what's become the definitive account of how Stuxnet was jointly developed by a U.S. / Israeli team. The sophisticated malware virus was deployed to sabotage high-speed centrifuges at Iran's nuclear fuel processing plant by infecting and commandeering the site's control systems.
According to Sanger's sources, an Iranian technician's laptop was plugged into a Stuxnet-sabotaged centrifuge device and was almost immediately infected by the malfunctioning equipment.
Trend Micro researcher and SCADA security expert Kyle Wilhoit set out to look into this phenomenon in greater depth by setting up an internet-facing 'honeypot' and record numerous attempted attacks. The honeypot architecture developed by Wilhoit directly mimics those of real industrial control systems and SCADA devices.
The researcher, who was once the lead incident handler and reverse engineer at a large energy company, focusing on ICS/SCADA security and persistent threats, created a total of three honeypots. All three were internet-facing and used three different static IP addresses in different subnets scattered across the United States.
One honeypot featured a programmable logic controller (PLC) system running on a virtual instance of Ubuntu hosted on Amazon EC2, and configured as a web page that mimics that of a water pressure station. Another honeypot featured a web server that mimicked a control interface connected to a PLC production system.
The final honeypot was an actual PLC device set up to mimic temperature controller systems in a factory. All three honeypots included traditional vulnerabilities found across the same or similar systems. Various steps were taken to make sure the honeypots were easily discovered.
The sites were then optimized for searches and published on Google. The researchers also made sure that that honeypot settings would be seeded on devices that were part of HD Moore’s Shodan Project, which indexes vulnerable routers, printers, servers and internet-accessible industrial control systems. Once a search latches onto a vulnerable embedded device, then Metasploit provides a library of possible attacks, which - as security strategist Josh Corman points out - can be run without any detailed knowledge or skill.
The Trend Micro security researchers excluded simple port scans and focused on recording anything that might pose a threat to internet-facing ICS/SCADA systems. This includes unauthorized access to secure areas of sites, attempted modifications of controllers, or any other attack against a protocol specific to SCADA devices, such as Modbus/TCP.
They also logged any targeted attempt to gain access or take out servers running the system. Various tools including popular open-source intrusion detection package Snort, honeyd (modified to mimic common SCADA protocols), tcpdump and some analysis of server log files were used to monitor and record the attacks the honeypots attracted.
The researchers waited less than a day before the attacks began, as Wilhoit explains in a research paper Who’s Really Attacking Your ICS Equipment? It took only 18 hours to find the first signs of attack on one of the honeypots. While the honeypots ran and continued to collect attack statistics, the findings concerning the deployments proved disturbing.
The statistics of this report contain data for 28 days with a total of 39 attacks from 14 different countries. Out of these 39 attacks, 12 were unique and could be classified as “targeted” while 13 were repeated by several of the same actors over a period of several days and could be considered “targeted” and/or “automated.”
All of these attacks were prefaced by port scans performed by the same IP address or an IP address in the same subnet. The attacks included attempts to spear-phish a site administrator, bids to exploit fundamental ICS protocols and malware exploitation attempts on the servers running the honeypot environment.
Other attacks included bids to change the CPU fan speed on systems supposedly controlling a water pump and attempts to harvest systems information. Four samples were collected over the four-week testing period, two of which have not been seen in the wild.
Trend Micro is currently analyzing these pieces of malware to determine their functionality. As well as looking at the type of attack getting thrown against the honeypot system, researchers at Trend Micro also looked at the origin of attempted attacks.
About 34 percent of attacks against the industrial control system honeypot originated in China but one in five (19 percent) originated in the U.S. Security researchers also discovered that a surprisingly high (12 percent) of attacks against a honeypot control system they had established came from the southeast Asian nation of Laos.
Wilhoit, presented his research at the BlackHat Europe conference in Amsterdam, the Netherlands last Friday. “Trend Micro's research reveals that attackers have enough knowledge to analyze and affect industrial control devices' infrastructures,” said Raimund Genes, CTO at Trend Micro.
“This is an alarming wake-up call for operators of these infrastructures to check the security of these systems and ensure they are properly separated from the internet/open networks. The research also shows that it is not only usual suspects attacking, but that these attacks also happen in your own backyard.”
SCADA systems control everything from escalators in metro stations in Madrid to milk-processing factories in Mali and uranium enrichment centrifuges in Iran.
"Security in an ICS/SCADA network is often considered 'bolt-on' or thought of 'after the fact'. When these systems were first brought into service more than 20 or so years ago, security was typically not a concern," Wilhoit explains.
"However, as things changed over time, most of these systems’ purposes have been reestablished, along with the way they were originally configured. A system that used to only be accessible to a single computer next to a conveyor belt became accessible via the internet, with very little hindrance."
Wilhoit called for further research into motives, sources and delivery techniques of the increasingly sophisticated attackers who target industrial control systems. "Internet-facing ICS are readily targeted," Wilhoit warns. "Until proper ICS security is implemented, these types of attack will likely become more prevalent and advanced or destructive in the coming years."
A recent study by InfraCritical discovered that 500,000 SCADA (supervisory control and data acquisition) networks were susceptible to attack, highlighting the wide-scale vulnerability of systems that control the operations of power and water plants, among other critical facilities.
According to recent research conducted by ICS-CERT, 171 unique vulnerabilities affecting 55 different ICS vendors were found last year alone. And patching of industrial control systems creates its own issues, according to a study by Tofino Security published last week.
Eric Byres, CTO and vice president of engineering at Tofino Security, says there are as many as 1,805 as-yet-undiscovered security vulnerabilities existing on control system computers. IC systems need FREQUENT patches, but if they're buggy, it ALL falls apart.
The frequency of patching needed to address future SCADA/ICS vulnerabilities in both controllers and computers likely exceeds the tolerance of most SCADA operators for system shutdowns. Unlike IT systems, most industrial processes operate around the clock and demand high uptime. Weekly shutdowns for patching are unacceptable.
But even when patches can be installed, they can be problematic. According to Tofino Security, there is a one in 12 chance that any patch will affect the safety or reliability of a control system, and there is a 60 percent failure rate in patches fixing the reported vulnerability in control system products.
Additionally, security patches often require staff with special skills to be present. In many cases, such experts are often not certified for access to safety regulated industrial sites.
Tofino Security markets industrial network security and SCADA security products that protect industrial control systems from potential attack, even if they aren't patched, so it has a vested interest in talking up the problems of patching.
But the overall picture of exposed and vulnerable industrial control systems is constant with findings from experts at Trend Micro and elsewhere. A SCADA network ought to be segregated from a corporate intranet and air-gapped from the internet - or at least firewalled - but even the most rudimentary protections are often completely absent.
Sean McGurk, former head of cybersecurity for the U.S. Department of Homeland Security turned managing principal for investigative response on Verizon’s RISK Team, say that attacks against the enterprise systems behind utilities are a bigger risk than Stuxnet-style attacks.
The networks of both Saudi Aramco and Rasgas in Qatar were both hobbled by conventional malware attacks last year, for example. Both attacks were later linked to the Shamoon data wiper. Part of the issue is that industrial control systems have a far longer timeline than enterprise servers, computers and routers - typically up to 20 years instead of three to five years.
Additionally, industrial control equipment works with different ports and protocols than conventional enterprise networks, so simply adding a firewall or network segmentation is adequate as a defensive strategy. In addition, industrial control systems often have to work in real time, with low latency and high availability.
"But just to set the record straight, the security patching of legacy systems is ongoing," McGurk said. "But patching is difficult for five-9s high-availability systems. Secure connectivity can only be enhanced with layers of security but you can't gold-plate everything."
Despite the several difficulties, McGurk suggested that many in the security segment are being slow to react to the various threats, and that's a real issue. The U.K. energy sector has been particularly slow to adopt security measures that match new technological developments, such as smart grids - potentially leaving them exposed to large-scale cyber-attacks as a result.
But he acknowledged that the technology was certainly not without its issues, such as potentially making it easier to disconnect the vulnerable or elderly, and no panacea.
"Introducing smart-grid technology is a double edged sword," McGurk explained. "Although you can still enhance interoperability, you can't just throw it in there. There's a greater security focus and it's not just about interoperability anymore," he concluded.
McGurk added that government and industry need to work together to improve both the security and interoperability of the industrial control systems that monitor and manage power generation and distribution systems.
McGurk, who has more than thirty years of experience in ICS cybersecurity and critical infrastructure protection, traveled to London last week to speak at the European Smart Grid Cyber and SCADA Security Conference, a closed event restricted to industry participants and suppliers.
In other internet security news
James Clapper, Director of National Intelligence told Congress on March 12 that America's biggest national security threat could come not from bullets or bombs in a terrorist attack, but from computer hackers, located in the U.S. as well as in other countries.
That's the assessment of a group of the nation's top intelligence officials, who told Congress Tuesday that cyber attacks lead the numerous national security threats the United States has ever faced in its history.
It's the first time since the Sept. 11, 2001 terrorist attacks that anything other than the an extremist threat has been the top concern in the Intelligence Community Worldwide Threat Assessment, which is presented annually to the Senate Select Committee on Intelligence and Security.
Clapper told the panel that cyber and financial threats were being added "to the list of weapons being used against the United States" and which help define a new "soft" kind of war.
"When it comes to the distinct threat areas, our statement this year leads with cyber and it's hard to overemphasize its significance" said Clapper.
According to him, state and non-state actors are increasingly gaining "cyber expertise" which they use "to achieve strategic objectives by gathering sensitive information from public- and private-sector entities, controlling the content and flow of information, and challenging perceived adversaries in cyberspace."
Get a powerful Linux Dual-Core dedicated server for less than $2.67 a day!Tweet Share on Twitter.
Source: The Korea Communications Commission.
You can link to the Internet Security web site as much as you like.