South Korea data-wipe malware spread by patching system
South Korea’s data wiping malware that knocked out PCs at TV stations and banks earlier this week may have been introduced through compromised corporate patching systems.
Several South Korean financial institutions – Shinhan Bank, Nonghyup Bank and Jeju Bank – and TV broadcaster networks were impacted by a destructive virus (since identified as DarkSeoul by Sophos and Jokra Trojan by Symantec), which wiped the hard drives of infected PCs, preventing them from booting up upon restart.
Initially it was thought that the malware spread through local telco LG U+ and may have came from a single Chinese IP address. The Korea Communications Commission said it was mistaken when it identified an internet address in China as the source of the mega-hack, The New York Times reports. The IP address involved actually belonged to NongHyup Bank, one of the main victims of the assault.
Late on Friday afternoon security appliance firm Fortinet claimed hackers broke into the servers of an (unnamed) but local antivirus company and planted malware which was then distributed as an update patch. Local researchers at Fortinet’s Threat Response Team working with the Korea Information Security Association came up with the theory before notifying news media about the apparent find. However late on Friday evening Guillaume Lovet of Fortinet called El Reg and stated that the security appliance firm no longer stood by its earlier pronouncement.
By Monday morning things had moved on again with South Korean security software firm AhnLab putting out a release saying hacked corporate patching systems were to blame for the spread of the malware. It said its own security technology was not involved in the distribution of the malware, an apparent reference to the premature and since-discredited theory put up by Fortinet.
Attackers used stolen user IDs and passwords to launch some of the attacks. The credentials were used to gain access to individual patch management systems located on the affected networks. Once the attackers had access to the patch management system they used it to distribute the malware much like the system distributes new software and software updates. Contrary to early reports, no security hole in any AhnLab server or product was used by the attackers to deliver the malicious code.
The latest theory suggests hackers first obtained administrator login to a security vendors’ patch management server via a targeted attack. Armed with the login information, the hackers then created malware on the PMS server that masqueraded as a normal software update. This fake update file subsequently infected a large number of PCs all at once, deleting a Master Boot Record (MBR) on each Windows PC to prevent it from booting up normally. The malware was designed to activate on March 20 at 14:00 hrs Korea time on the infected PCs, like a time bomb.
The speed at which the attack spread had already led security tools firm AlienVault to suggest that the wiper malware might have been distributed to already compromised clients in a zombie network. AhnLabs suggests that this compromised network was actually the patching system of the data wiping malware’s victims.
The prevailing theory remains that North Korea may have instigated the attacks, which follows weeks of heightened tension on the peninsula. However there’s no hard evidence to support this conclusion. ®