Sony: Risk Management in Real Time

Wednesday, January 7, 2015 @ 02:01 PM gHale

By Gregory Hale
It plays out almost like a classic kidnapping crime story: The victim’s family or associates receive a ransom note and they have a set time to pay or else the victim will meet an untimely demise. Law enforcement gets involved and they recommend against paying the ransom, but after a few angst-ridden moments, the family decides to pay off the bad guys.

In Hollywood sometimes the ploy works and sometimes it doesn’t. But there is always great theater. How ironic is it that Sony was the victim and fielding the ransom demands all at the same time.


Back in late November hackers calling themselves the “Guardians of Peace” got into the computer systems of Sony Pictures Entertainment and released a boatload of sensitive and embarrassing corporate and employee records. The FBI has since blamed the North Korean government for orchestrating the attack, apparently over the comedy film called “The Interview” and its portrayal of an attempt to assassinate North Korean leader Kim Jong Un.

How ironic is it that Sony decided to “pay off” the bad guys and not distribute “The Interview” across the country. At the time they said:

“In light of the decision by the majority of our exhibitors not to show the film ‘The Interview,’ we have decided not to move forward with the planned December 25 theatrical release. We respect and understand our partners’ decision and, of course, completely share their paramount interest in the safety of employees and theater-goers. Sony Pictures has been the victim of an unprecedented criminal assault against our employees, our customers, and our business. Those who attacked us stole our intellectual property, private emails, and sensitive and proprietary material, and sought to destroy our spirit and our morale – all apparently to thwart the release of a movie they did not like. We are deeply saddened at this brazen effort to suppress the distribution of a movie, and in the process do damage to our company, our employees, and the American public. We stand by our filmmakers and their right to free expression and are extremely disappointed by this outcome.”

In short, Sony caved in and that will set a tone for years to come on holding major corporations hostage until the bad guys get what they want.

With hindsight being 20/20, it is interesting to see how the whole hostage scenario played out over the holidays. Whether real or a way to hype the movie, there was a degree of hysteria around when the film was going to release. The fear, uncertainty and doubt factor was huge. That was when the decision to pull the plug came into play. To rub salt in the open wound, Sony’s top corporate executive, Chief Executive Kazuo Hirai, this past Monday condemned the hack attack against its film division, saying his employees were victims of a “vicious and malicious cyber attack,” and added he’s proud of them for standing against “the extortionist efforts of criminals.” Too bad Sony’s corporate leaders didn’t follow suit.

Sony initially said the film would not release to major theaters in the face of terrorist threats by the hackers, but after the company received major criticism for that decision, it scrambled to release the film to independent theaters and through streaming Internet outlets. A truly watered-down effort to appease both sides of the argument.

Worm Details
After the FBI and President Obama blamed North Korea for being responsible for the Sony attack, US-CERT issued an alert saying the attackers used a Server Message Block (SMB) Worm Tool to conduct the attacks.

The SMB worm propagates throughout an infected network via brute-force authentication attacks, and connects to a command and control (C&C) infrastructure with servers in Thailand, Poland, Italy, Bolivia, Singapore and the United States, the advisory said.

An FBI “flash memo” also warned about the dangerous malware, which has been referred to as “Destover” by some security vendors.

The US-CERT advisory gave more details for each component.

SMB Worm Tool: This worm uses a brute force authentication attack to propagate via Windows SMB shares. It connects home every five minutes to send log data back to command and control (C&C) infrastructure if it has successfully spread to other Windows hosts via SMB port 445.

Listening Implant: During installation of this tool, a portion of the binaries is decrypted using AES, with a key derived from the phrase “National Football League.” Additionally, this implant listens for connections on TCP port 195 (for “sensvc.exe” and “msensvc.exe”) and TCP port 444 (for “netcfg.dll”).

Lightweight Backdoor: This is a backdoor listener designed as a service DLL. It includes functionality such as file transfer, system survey, process manipulation, file time matching and proxy capability. The listener can also perform arbitrary code execution and execute commands on the command line. This tool includes functionality to open ports in a victim host’s firewall and take advantage of universal Plug and Play (UPNP) mechanisms to discover routers and gateway devices, and add port mappings, allowing inbound connections to victim hosts on Network Address Translated (NAT) private networks.

Proxy Tool: Implants in this malware family typically load via a dropper installed as a service, and are then configured to listen on TCP port 443. The implant may have an associated configuration file which can contain a configurable port. This proxy tool has basic backdoor functionality, including the ability to fingerprint the victim machine, run remote commands, perform directory listings, perform process listings, and transfer files.

Destructive Hard Drive Tool: This tool is a tailored hard-drive wiping tool intended to destroy data past the point of recovery and to complicate the victim machine’s recovery. If the CNE operator has administrator-level privileges on the host, the program will overwrite portions of up to the first four physical drives attached, and overwrite the master boot record (MBR) with a program designed to cause further damage if the hard drive is rebooted.

Destructive Target Cleaning Tool: This tool renders victim machines inoperable by overwriting the Master Boot Record. The tool is dropped and installed by another executable and consists of three parts: An executable and a DLL which contain the destructive components, and an encoded command file that contains the actual destruction commands to execute.

Network Propagation Wiper: The malware has the ability to propagate throughout the target network via built-in Windows shares. Based on the username/password provided in the configuration file and the hostname/IP address of target systems, the malware will access remote network shares in order to upload a copy of the wiper and begin the wiping process on these remote systems.
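Two of the behaviors in the US-CERT description are visible in ordinary logs long before any wiping starts: the SMB worm’s brute-force authentication shows up as a burst of Windows logon-failure events (Event ID 4625) from one source against one target, and its check-in “every five minutes” shows up as regularly spaced outbound connections to the same destination. The script below is an added illustration of how a defender might hunt for both patterns; it is not part of the advisory or of any vendor tool. The log formats, thresholds, host names and the 203.0.113.x addresses (documentation address space) are all constructed for the example.

```python
"""Defender-side heuristics for two behaviors in the US-CERT description
of the Sony SMB worm: (1) brute-force SMB authentication against a host,
and (2) a command-and-control beacon roughly every five minutes.
All sample data below is constructed; it is not real Sony or C&C data."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


# --- Constructed sample data (assumed formats, not from the advisory) -------
_base = _ts("2015-01-05T09:00:00")

# Auth events: "<timestamp> <event_id> <src_ip> <dst_host> <account>"
# Windows logs a 4625 for each failed logon; a worm brute-forcing an SMB
# share produces a dense burst of them from one source against one target.
AUTH_LOG = "\n".join(
    # 30 failures from 10.0.0.21 against FILESRV01 inside one minute
    [f"{(_base + timedelta(seconds=2 * i)).isoformat()} 4625 10.0.0.21 FILESRV01 admin{i % 5}"
     for i in range(30)]
    # a few ordinary mistyped passwords from another host, spread over 14 minutes
    + [f"{(_base + timedelta(minutes=7 * i)).isoformat()} 4625 10.0.0.33 FILESRV01 jdoe"
       for i in range(3)]
    + [f"{(_base + timedelta(minutes=2)).isoformat()} 4624 10.0.0.33 FILESRV01 jdoe"]
)

# Flow records: "<timestamp> <src_ip> <dst_ip> <dst_port>"
FLOW_LOG = "\n".join(
    # 10.0.0.21 connects to the same address every ~300 s with small jitter
    [f"{(_base + timedelta(seconds=300 * i + (i % 3) * 4)).isoformat()} 10.0.0.21 203.0.113.7 443"
     for i in range(6)]
    # 10.0.0.33 browses irregularly
    + [f"{(_base + timedelta(seconds=s)).isoformat()} 10.0.0.33 203.0.113.50 443"
       for s in (15, 40, 1300, 1310, 2800)]
)


def parse_auth(text):
    events = []
    for line in text.splitlines():
        ts, eid, src, dst, acct = line.split()
        events.append({"ts": _ts(ts), "id": int(eid), "src": src, "dst": dst, "acct": acct})
    return events


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        flows.append({"ts": _ts(ts), "src": src, "dst": dst, "port": int(port)})
    return flows


def find_smb_bruteforce(events, threshold=20, window=timedelta(seconds=60)):
    """Return {(src, dst): peak_failures} for source/target pairs that reach
    `threshold` logon failures inside any sliding `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            failures[(e["src"], e["dst"])].append(e["ts"])
    hits = {}
    for pair, times in failures.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:   # slide the window forward
                lo += 1
            count = hi - lo + 1
            if count >= threshold:
                hits[pair] = max(hits.get(pair, 0), count)
    return hits


def find_beacons(flows, period=300, tolerance=15, min_connections=4):
    """Return {(src, dst, port): median_gap_seconds} for connection series
    whose spacing is regular and close to `period` seconds."""
    seen = defaultdict(list)
    for f in flows:
        seen[(f["src"], f["dst"], f["port"])].append(f["ts"])
    beacons = {}
    for key, times in seen.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        m = median(gaps)
        # regular spacing: median near the period and little spread between gaps
        if abs(m - period) <= tolerance and max(gaps) - min(gaps) <= 2 * tolerance:
            beacons[key] = m
    return beacons


if __name__ == "__main__":
    for (src, dst), n in find_smb_bruteforce(parse_auth(AUTH_LOG)).items():
        print(f"possible SMB brute force: {src} -> {dst} ({n} failures in one minute)")
    for (src, dst, port), m in find_beacons(parse_flows(FLOW_LOG)).items():
        print(f"possible beacon: {src} -> {dst}:{port} every ~{m:.0f}s")
```

On the constructed data the first check flags only 10.0.0.21 against FILESRV01 (30 failures in a minute; the three scattered failures from 10.0.0.33 stay below the threshold), and the second flags only the 10.0.0.21 series to 203.0.113.7:443 with a median gap of 304 seconds. In a real environment the thresholds, the jitter tolerance and the list of internal hosts allowed to talk to SMB would be tuned to the network, and the same flow data can be reused to look for unexpected listeners on the ports the advisory names (195, 444, 443).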

Security Challenge
The movie may be incredibly funny or a piece of junk, only the ticket-buying public should be the judge of that. But should a group of hacktivists and would-be terrorists be the cause of forcing the cancelation of a movie or severely altering its distribution? I think we know the answer to that. But this just goes to show the high stakes we are talking about when it comes to security.

Through the Stuxnet attack, the U.S. and Israel were able to infiltrate a secure control system and cripple a nuclear facility and slow the growth of Iran’s nuclear program. Similarly, the Sony attack did compromise a “secure” system and publish company details. But the telling part of the attack was the prevailing threat hanging over the showing of the movie. A threat is only as good as the perceived result. Call the bluff of the threat and see what happens, or understand the potential of the threat and take action. In this case, executives played the risk management card and decided to pull the movie. From their perspective it only made sense. Backlash from an incident could potentially end up a disaster for the entertainment giant.

What happens next time, or the time after that, or the time after that, when Sony or any other motion picture company gets a similar threat? Or, how about a chemical plant, oil refinery, brewery, auto plant or even a sugar factory in the middle of nowhere?

“The Sony hack is probably the first one that’s been so globally high-profile,” said Eugene Kaspersky, chairman and chief executive at Kaspersky Lab. “The most worrying aspect for me is that this hacker group is threatening to stage terror attacks. I don’t know if there really is a link between this group and terrorists, but the threat does show that politically-motivated hackers may be embracing terrorists’ methods. Of course, such an attack on the entertainment industry is very damaging and costly, but it’s probably not as dangerous as an attack on critical infrastructure. In any case it’s a very strong signal that even the most advanced high tech companies are not immune to hacker attacks, and we have to prepare ourselves for very serious and painful attacks in the future.”

Once again, a dangerous precedent has been set. The importance of having a solid and vigilant security program is more important today than it has ever been. As the industry heads into a new year, it remains paramount to update or even create a security plan that will involve a keen understanding of risk management and what to do in the event of a hostage situation.

Is that being overly dramatic? Just ask Sony.

Talk to me.
Gregory Hale is the Editor and Founder of
