The attacks against South Korean media and banking organizations last week severely disrupted a handful of organizations with a coordinated distribution of “wiper” malware designed to destroy data on hard drives and render them unbootable. At 14:00 KST on March 20, 2013, the wiper was triggered across three media organizations and four banks, setting off a firestorm of speculation and finger-pointing and that which continues as of this writing. In this post, I’ll share a perspective no one else seems to be talking about, but may be the real motivation behind these attacks.
The What and the Possible Why
Let’s start with what we know:
- The attack was highly targeted
- The malware was specifically designed to distribute the wiper payload throughout the impacted organizations
- The malware was timed to deploy its destructive payload simultaneously across all affected organizations
- The resulting loss of data and downtime has been severe
While the “what” of the attack is well established, the “why” and “how” are still a matter of debate. Theories postulated include an outright act of warfare from North Korea designed to economically disrupt South Korea, or an act of sabotage to cover the tracks of data exfiltration allegedly wrought by China. But what if there were an explanation that was less about countries and politics and more about that all-time motivator of crime: money? Consider, if you will, the following timeline.
- December 2011: The FBI releases an advisory warning of banking Trojans that launch a Distributed Denial of Service (DDoS) attack against banks presumably to cover the tracks of their wiring fraudulent funds from victims’ accounts.
- October 2012: RSA warns of a new breed of cybercriminals constructing a sophisticated Trojan campaign in which “the gang will set a pre-scheduled D-day to launch its spree, and attempt to cash out as many compromised accounts as possible before its operations are ground to a halt by security systems.”
- February 2013: Computer crime investigator Brian Krebs reports a DDoS attack on banks that hid $900,000 in fraudulently wired funds.
- March 20, 2013: At 1400 KST, the DarkSeoul malware payload is enacted against banks and media organizations in South Korea.
Coincidentally, one of the malware binaries identified in the DarkSeoul attacks is a banking Trojan that specifically targets customers of these same Korean banks. In the days leading up to the payload, antivirus vendor Avast observed a malicious injection attempting to deliver this same binary via a compromised website registered to the Korea Software Property Rights Council (spc.or.kr). Cisco Web Security traffic logs reveal that the website registered to Daewoong Pharmaceutical (daewoong.co.kr) was similarly compromised. Both sites were injected with iframes that attempted to deliver exploit code from the same attack site: rootadmina2012.com. The resulting scripts attempted to exploit a vulnerability in Microsoft XML core services, described in MS12-043.
Based on the initial reports, we found no indication that customers protected by Cisco security products were compromised by the suggested first-stage web and email attacks. In fact, we found only a handful of events in the SIO dataset that relate to the malicious domains or first stage exploitation. As well, we have evidence that no exploit was delivered in some instances: the attack attempts against Cisco customers stopped at the iframe. Given this supporting data in our traffic logs, the Cisco Threat Research & Communications (TRAC) team supports the premise that these attacks were highly targeted.
Efficacy of Layered Defenses
Additionally, details about the second stage malware, which delivered follow-on tools for further exploitation (colloquially known as a “dropper”), highlight the attacker’s awareness and specific reconnaissance against their targets. In McAfee’s blog about the incident, they show that the malware disabled two popular Korean host-based antivirus engines, AhnLab and Hauri. Attackers often leverage techniques to avoid or disable specific defenses, further underscoring the need for defenders to present a variety of overlapping solutions to increase pressure on attackers and make it more likely that they are prevented from fully realizing their intended attacks.
While no Cisco Security Customers were impacted in this particular attack, what Cisco knows of the first-stage exploits suggests that Cisco had a wide variety of protections in place to stop these attacks had they been targeted: web reputation, email outbreak filters, IPS signatures, and more. Any time an attacker is using reconnaissance, specifically to target an organization or set of organizations, every additional layer is a hurdle that must be jumped and could make the difference from being a target to being a victim.
Importance of Data Sharing
There is a renewed push for data sharing and transparency in the industry, and incidents like this one highlight how important this sharing is to the entire community of defenders. Cisco SIO pools the intelligence and capabilities of a wide suite of security solutions to deliver an unparalleled perspective to our customers, and customers who opt-in to providing us with telemetry further improve the efficacy of Cisco security products for each other.
Likewise, as a community of defenders we can share details in the appropriate settings to promote more effective responses to imminent, in progress, or executed attacks. Some details can be shared widely, like the indicators included in the anti-virus vendor postings mentioned previously; Cisco has been a member of FIRST for many years, because it provides a more focused forum to connect with other incident responders if more discretion is required. But as a community, we must understand that sharing is a critically important leverage that we can exert over attackers who direct their resources at specific targets, with the advantage of specific reconnaissance. Even if an attack is targeted at one organization today, it doesn’t mean that the same attacker won’t reuse the kinds of exploits or techniques against another set of targets in the future.
Customers protected by Cisco security products were well protected, or would have been had they been targeted in these attacks, due to the deep and varied protections that our solutions have in place. But there is a significant benefit for all defenders if data-sharing is combined with community efforts to improve these kinds of comprehensive defenses. Together, layered defenses and effective sharing are key capabilities that are essential to combating increasingly targeted attacks.