The United States Computer Emergency Readiness Team (US-CERT) has issued a warning about a Server Message Block (SMB) Worm Tool.
Although the ongoing situation regarding the attack on Sony Pictures and attribution pointed at North Korea by the USA was not mentioned directly, it did say that SMB was used “to conduct cyber exploitation activities recently targeting a major entertainment company”.
The tool is equipped with a listening implant, lightweight backdoor, proxy tool, destructive hard drive tool and destructive target cleaning tool, and uses a brute force authentication attack to propagate via Windows SMB shares.
“It connects home every five minutes to send log data back to command and control (C&C) infrastructure if it has successfully spread to other Windows hosts via SMB port 445,” it said. “The tool also accepts new scan tasking when it connects to C&C. There are two main threads: the first thread calls home and sends back logs (a list of successful SMB exploitations), and the second thread attempts to guess passwords for SMB connections. If the password is correctly guessed, a file share is established and file is copied and run on the newly-infected host.”
US-CERT warned “due to the highly destructive functionality of this malware, an organisation infected could experience operational impacts including loss of intellectual property and disruption of critical systems”.
Sources familiar with the investigation told KrebsOnSecurity that the investigators believe there may have been as many as several dozen individuals involved in the attack, the bulk of whom hail from North Korea. Nearly a dozen of them are believed to reside in Japan.
Speaking on an IT Security Guru webcast, Quorcirca analyst and director Bob Tarzey said that this is “pure hacktivism” regardless who is behind this, as they were only targeting one organisation. “This was a movie, but if you go back ten years ago terrorists affected the result of the Spanish national election and if you take hacktivism to the next step, we could start to see more serious consequences caving in to these sorts of attacks which could start to affect our democratic processes,” he said.
Brian Honan, CEO of BH Consulting and head of the Irish CERT, said that the concern was how the attackers took out 100TB of data undetected and what happened. He said: “What practices, what weaknesses did Sony have in their network that other organisations could learn from so they make sure they don’t have the same weaknesses there?”