Lessons from South Korea Attack

Wednesday, April 3, 2013 @ 05:04 PM gHale

The reports are out and it appears nation states are attacking organizations in other countries in either a retaliatory strike or a pure offensive attack, but at the end of the day everyone has to remain vigilant and not get caught up in the rhetoric flying around.
A perfect example is the attack on South Korea late last month.

While the technical details surrounding the malware used in the March 20, 2013, attack on South Korean assets have been varied and inconsistent, there is some insight into what that malware, called DarkSeoul, is all about.

APT Attacks Shut Down
Cyber Attack Against S. Korea
China a Cyber Attack Victim
New Plan to Secure Trade Secrets

Computer networks at South Korean TV broadcasters and two major banks ended up shut down by malicious cyber attacks. South Korea said the attacks came from North Korea. The South Korean military raised its defense level as a result of the attacks.

Meanwhile, prior to that attack, North Koreans blamed South Korea and the United States for temporarily shutting down their websites in Pyongyang. For weeks, North Korea has been increasing the threat level against South Korea and the U.S.

So, after the South Korea attacks, the United States Computer Emergency Response Team (US-CERT) found common attributes of the attack campaign:
1. The malicious file wipes the master boot record (MBR) and other files.
2. The malware was hard coded with a specific execution date and time and searches machines for credentials with administrative/root access to servers.
3. The malware specifically targets South Korean victims.
4. The attack is effective on multiple operating systems.
5. The design is low sophistication – high damage.

When assessing the potential risk to U.S. Critical Infrastructure and Key Resources (CIKR), it is important to understand the coding for DarkSeoul appears to have targeted a way to evade typical South Korean antivirus processes.

As this malware currently exists, it is a low risk to the U.S. CIKR. One observation is, though, the concepts underpinning this attack would likely succeed in common enterprise environments.

For this reason, U.S. CIKR owners and operators should continue the best standard security practices to avoid infection and propagation of a wiper or other type of malware that may impact their systems, US-CERT said.

US-CERT said users and administrators should understand the importance of best practices to strengthen the security posture of their organization’s systems. CIKR owners and operators should work toward a resilient network model that assumes such an attack will occur against their enterprise. It is a cliché, but it is true, it is not a matter of if you will suffer an attack, but when. The goal is to minimize damage, and provide pathways for restoration of critical business functions in the shortest amount of time possible.

Users should:
• Encourage users to transfer critical files to network shares, to allow for centralized backups. Leverage technical solutions to automate centralized storage where possible to reduce reliance on end-user voluntary compliance.
• Execute daily backups of all critical systems, including offline and offsite copies of backup media.
• Periodically execute a practice data restoration from backups, including key databases to ensure integrity of existing backups and processes.
• Establish emergency communications plans should network resources become unavailable.
• Isolate any critical networks (including operations networks) from business systems, and where possible segment the business networks.
• Identify critical systems and evaluate the need to have on-hand spares to quickly restore service.
• Recognize that without proper internal monitoring, an organization’s “Enterprise Trust Anchors” (Active Directory, PKI, two-factor authentication, etc.) and centralized management services (remote helpdesk access, patch management and asset inventory suites, etc.) could suffer compromise and end up used to subvert all other security controls.
• Maintain up‐to‐date antivirus signatures and engines.
• Restrict users’ ability (permissions) to install and run unwanted software applications through Microsoft Software Restriction Policy (application directory whitelisting) or AppLocker, application whitelisting products, or host-based intrusion prevention software.
• Enforce a strong password policy and implement regular password changes.
• Keep operating system patches up to date.
• Disable unnecessary services on workstations and servers.
• Scan for and remove suspicious email attachments; ensure the scanned attachment is its ‘true file type’ (i.e., the extension matches the file header).
• Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
• Scan all software downloaded from the Internet prior to executing by properly authorized personnel.
• Disable credential caching for all desktop devices with particular importance on critical systems such as servers and restrict the number of cached credentials for all portable devices to no more than three, if possible. This can occur through a Group Policy Object (GPO).
• Consider restricting account privileges. US-CERT recommends all daily operations should use standard user accounts unless administrative privileges are required for that specific function. Standard and administrative accounts should have access only to services required for nominal daily duties, enforcing the concept of separation of duties and least privilege/least access. Users should disable Web and email capabilities on administrative accounts. Compromise of administrative accounts is one vector that allows malicious activity to become truly persistent in a network environment.

Leave a Reply

You must be logged in to post a comment.