Details of the hack North Korea used to break into Sony are now coming out. Late Monday the FBI issued a confidential five-page warning to U.S. businesses concerning malicious software, or malware, used to carry out destructive attacks. The warning did not name Sony as a victim of the malware, though it is said to be a direct response to the breach at that company.
The malware’s creator used the Korean language pack in Microsoft’s Windows. Perhaps another hint pointing in North Korea’s direction, but not definitive either. However, the software was written in such as way as to execute its functions without regard to the languages in use on the system being attacked.
The attackers apparently used compromised computers in Thailand, Italy and Poland to carry out the attacks. The FBI’s warning says these systems belonged to parties unrelated to the attackers or the victim.
The malware takes advantage of Windows Management Instrumentation, or WMI, a tool used for managing Windows machines in a large corporate environment. After the malware is introduced and spreads throughout a network, WMI is used to launch it across all the infected machines on a network at the same time. Once its intended functions have been carried out, the malware then wipes the hard drives of the attacked systems.
Attackers used a Server Message Block (SMB) Worm Tool to conduct the attacks.
According to the advisory, the SMB Worm Tool is equipped with five components, including a Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning Tool.
The SMB worm propagates throughout an infected network via brute-force authentication attacks, and connects to a command and control (C2) infrastructure with servers located in Thailand, Poland, Italy, Bolivia, Singapore and the United States, the advisory said.
SMB Worm Tool: This worm uses a brute force authentication attack to propagate via Windows SMB shares. It connects home every five minutes to send log data back to command and control (C2) infrastructure if it has successfully spread to other Windows hosts via SMB port 445. The tool also accepts new scan tasking when it connects to C2. There are two main threads: the first thread calls home and sends back logs (a list of successful SMB exploitations), and the second thread attempts to guess passwords for SMB connections. If the password is correctly guessed, a file share is established and file is copied and run on the newly-infected host.
A large breakdown of all the files hacked can be found here.
Table of Contents
If Sony had used Macs with OS X this hack would not have Worked!
All of the various parts of the hacks described above rely on Windows based computers. Had Sony used Macs, none of these hacks would have worked and there would be some very frustrated hackers in Pyongyang right about now. Imagine trying to explain to the dear leader that they were unable to hack into Sony because all their Windows trojans wouldn’t work on a Mac.
Sony spun off Vaio into it’s own company and exited the PC market. So they have no corporate loyalty to using PCs any longer. They could and should switch to Macs as should many other companies. Maybe other companies will look at Sony’s experience and realize Apple products are more secure than other platforms. Of course, even Macs can also be hacked but the likelihood is an order of magnitude less likely and usually requires a user to actively install the malware themselves with an administrator password.
Some people like to claim that Macs are only more secure because they are more obscure. In other words Windows is more popular and therefore more well known to hackers. I disagree with that premise and believe OS X which is a certified UNIX operating system is inherently more secure but does it really matter? If it is more secure then that is really all that matters regardless of the reason.
According to a Sony executive
“We’re mostly a fully-functioning office. We’re going about or daily business. We just got our voicemail back. Everyone is a little calmer now after the initial shock. A couple of people had their computers removed but people using Macs were fine,” she said. She said most work is done on iPads and iPhones. An emergency email system is in place but it does not allow attachments.
“There are certain departments that have printers and computers and some that only have one or two computers for the entire office,” she said. “In some ways we’re living in an office from ten years ago.”
She was quiet a moment. She had to go. After all, she was talking to me on her only office machine, her personal iPhone. And she had work to do.
I guess an Apple a day does keep the doctor away, or in this case a dictator at bay. 😆
Sony Says It Will Stream ‘The Interview’ Starting Today
‘The Interview’’ became available for rental on a variety of digital platforms Wednesday, including Google Play, YouTube Movies, Microsoft’s Xbox Video and a separate Sony website, Sony Pictures announced.
The movie, released at 1 p.m. EST, costs $5.99 to stream and $14.99 to purchase. It also will open in over 300 theaters on Thursday.
The studio announced the on-demand release just one day after reversing a previous decision not to show the film at all after hackers released thousands of internal Sony documents and threatened moviegoers with violence. The decision not to release the film was widely criticized, with President Barack Obama one of Sony’s harshest critics.
References: