Attacks like WannaCry and NotPetya were highly destructive on a scale never seen before. The disruption has still left some organisations suffering from the financial repercussions.
The reach of the attacks shocked many within the cyber industry and just this month, Ciaran Martin, the head of the National Cyber Security Centre, warned UK organisations to fear ‘reckless’ cyber attacks – like the WannaCry ransomware virus – where the perpetrator seemed to lose control.
WannaCry is strongly linked to the Lazarus Group, which operates out of North Korea. Security researchers at AlienVault have now outlined new details of ‘reckless’ North Korean cyberattacks that have flooded uncontrollably into the wild, posing an ongoing security risk.
Rivts Virus
The Rivts virus is a piece of malware that is thought to have been leaked online after initially being created within North Korea as a test project. Its origins can be traced back to 2009. It is a file-infecting worm that spreads via USB drives and hard drives, attaching itself to uninfected files in order to propagate.
According to AlienVault, the first file seen infected with Rivts appeared in 2011 – but the file metadata indicates it was compiled two years earlier, in February 2009. It is thought Rivts circulated and infected systems within the DPRK (North Korea) for two years before escaping onto the Voice of Korea (similar to BBC World) website in 2011, which was its first public reference.
Examination of the malware located the word ‘test’ in multiple places, further evidence that Rivts may have been part of a prototype project. Despite not being considered a strong cyber threat, the original strain of the worm lasted a considerable amount of time.
The Lazarus SMB worms
When people think of Lazarus Server Message Block (SMB) worms, WannaCry is often the name that comes to mind. However, there are others that have also gained prominence. In 2014, Sony became the unfortunate target of an SMB attack which resulted in the Sony network being crippled for a matter of days with sensitive information on Sony and its employees leaked online. Then there’s the Brambul worm.
Brambul and WannaCry are essentially two peas from the same malware pod. In fact, earlier versions of WannaCry were seen performing the same SMB brute-forcing as Brambul. Brambul is considered an ancient worm, yet samples that are ten years old are still being discovered today. A 2015 study also found that Brambul ranked no. 13 among the malware families most likely to infect an insecure computer left connected to the internet.
The Infected USB
IBM and Lenovo, both server manufacturers, were victims of breached supply chains in April 2017. Both had distributed USB sticks containing installation software to customers of their storage servers, and both alerted those customers when it emerged that the USB sticks contained the Faedevour malware worm. The first samples of Faedevour are thought to have appeared in 2013, and the same file appeared on the Korean Central News Agency (KCNA) website in 2015. The attack suffered by KCNA was intentional: malicious JavaScript had been added to the KCNA website to disguise the Faedevour worm as a fake Adobe Flash update.
This is another example of the durability of these strains of malware, which originate in North Korea and spread further than originally intended.
Click here to read the full AlienVault blog