Stolen passwords behind South Korea data-wipe malware

A security firm now believes, The Register reports, that the malware that wiped files on computers at South Korean banks and media companies was planted on corporate patching systems and, disguised as a legitimate security update, was then pushed out to computers at the affected organizations.

Several South Korean financial institutions – Shinhan Bank, Nonghyup Bank and Jeju Bank – and TV broadcaster networks were impacted by a destructive virus which wiped the hard drives of infected PCs, preventing them from booting up upon restart.

Earlier, an IP address was erroneously identified as the source of the attack; it later emerged that the address belongs to one of the victims. The Korea Communications Commission said it was mistaken when it identified an internet address in China as the source of the mega-hack, The New York Times reports. The malware was programmed to activate at a set time on March 20.

South Korean security software firm AhnLab put out a release saying hacked corporate patching systems were to blame for the spread of the malware. It said its own security technology was not involved in the distribution of the malware, an apparent reference to the premature and since-discredited theory put forward by Fortinet.

Attackers used stolen user IDs and passwords to launch some of the attacks. The credentials were used to gain access to individual patch management systems located on the affected networks. Once the attackers had access to the patch management system they used it to distribute the malware much like the system distributes new software and software updates. Contrary to early reports, no security hole in any AhnLab server or product was used by the attackers to deliver the malicious code.

The latest theory suggests hackers first obtained an administrator login to a security vendor’s patch management server via a targeted attack. Armed with the login information, the hackers then created malware on the PMS server that masqueraded as a normal software update. This fake update file subsequently infected a large number of PCs all at once, deleting the Master Boot Record (MBR) on each Windows PC to prevent it from booting up normally. The malware was designed to activate on March 20 at 14:00 hrs Korea time on the infected PCs, like a time bomb.

The speed at which the attack spread had already led security tools firm AlienVault to suggest that the wiper malware might have been distributed to already compromised clients in a zombie network. AhnLab suggests that this compromised network was actually the patching system of the data-wiping malware’s victims.
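The attack chain described above turns on one weak point: once an attacker holds PMS administrator credentials, the system will push out whatever file is staged as an "update". The following is an added example, not code from the article or from any vendor named in it, of the check a patch management system can enforce so that stolen admin credentials alone are not enough: a package is deployed only if its SHA-256 digest appears in a release manifest authenticated by a key that the release pipeline holds and a PMS administrator does not. The manifest format, the key, and the sample update files are all constructed for the example.

```python
"""Deployment gate for a patch management system (added example).

Assumption (not from the article): the software vendor publishes a release
manifest listing the SHA-256 digests of genuine update files and authenticates
it with a key held by the release pipeline, not by any PMS administrator
account. A PMS that enforces this gate refuses a file staged by someone who
merely logged in with stolen admin credentials, because that file's digest is
not in the manifest and the intruder cannot re-sign the manifest.
"""
import hashlib
import hmac
import json

# Constructed key. In production this would be an asymmetric signing key
# whose private half never touches the PMS (see the note after the code).
RELEASE_KEY = b"constructed-release-signing-key"

# Constructed sample files: one genuine update, one file staged by an intruder.
GENUINE_UPDATE = b"constructed: genuine update package v1.2.3"
PLANTED_FILE = b"constructed: file staged via a stolen PMS admin login"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(approved_digests, key=RELEASE_KEY) -> dict:
    """Release-pipeline side: serialise the approved digests and tag them."""
    body = json.dumps(sorted(approved_digests), separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def verify_manifest(manifest: dict, key=RELEASE_KEY):
    """PMS side: return the approved digest set, or None if the tag is bad."""
    body = manifest["body"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return None
    return set(json.loads(body))


def deployment_decision(package: bytes, manifest: dict) -> str:
    """Return 'deploy' only for a package listed in a validly tagged manifest."""
    approved = verify_manifest(manifest)
    if approved is None:
        return "reject: manifest signature invalid"
    digest = sha256_hex(package)
    if digest not in approved:
        return f"reject: digest {digest[:12]}... not in release manifest"
    return "deploy"


def forge_manifest_without_key(manifest: dict, extra_digest: str) -> dict:
    """Model an intruder who edits the manifest body but lacks the signing key."""
    digests = json.loads(manifest["body"]) + [extra_digest]
    body = json.dumps(sorted(digests), separators=(",", ":"))
    return {"body": body, "tag": manifest["tag"]}  # stale tag, body changed


# Manifest as the release pipeline would publish it for the genuine update only.
SAMPLE_MANIFEST = sign_manifest([sha256_hex(GENUINE_UPDATE)])

if __name__ == "__main__":
    print("genuine update :", deployment_decision(GENUINE_UPDATE, SAMPLE_MANIFEST))
    print("planted file   :", deployment_decision(PLANTED_FILE, SAMPLE_MANIFEST))
    forged = forge_manifest_without_key(SAMPLE_MANIFEST, sha256_hex(PLANTED_FILE))
    print("forged manifest:", deployment_decision(PLANTED_FILE, forged))
```

HMAC is used here only to keep the example dependency-free; because both sides share the key, an intruder with full control of the PMS could re-tag the manifest. In a real deployment the manifest would carry an asymmetric signature so the PMS holds only the public key, and the gate would additionally log every rejection, since a rejected package arriving through an administrator account is exactly the event an incident responder wants to see.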

US banks under cyber attack!!

Security researchers at McAfee Labs believe Project Blitzkrieg, a plan to use malware to steal money from 30 banks in the U.S., is a real threat not to be taken lightly. The security company released a report about the project, which was originally announced in September on a Russian forum. A cyber-criminal using the handle “vorVzakone” originally posted the intent to hack into 30 banks across the U.S. and steal information and money using a trojan. A trojan is a type of malware that secretly enters a computer system by pretending to be something innocuous.

McAfee says that the forum post originally called for developer help and said the trojan would be launched within a few weeks. Timing for the attacks has not been confirmed, though a number of banks were recently hit with distributed denial of service (DDoS) attacks that took down their websites. DDoS attacks work by flooding a system’s servers with traffic, causing them to overload and shut down. This kind of attack does not actually reach the inside of the system or give hackers access, but it is sometimes used as a diversion tactic while hackers silently gain illegal access to the servers.

“McAfee Labs believes that Project Blitzkrieg is a credible threat to the financial industry and appears to be moving forward as planned. Not only did we find evidence validating the existence of an early pilot campaign operated by vorVzakone and his group using the Trojan Prinimalka that infected at a minimum 300 to 500 victims across the United States, but we were also able to track additional campaigns as a result of the forum posting,” said McAfee Labs threat researcher Ryan Sherstobitoff in the report.

McAfee believes the trojan in use here is called Prinimalka, a piece of malware originally built in 2008. VorVzakone’s forum post also said that the trojan had already stolen $5 million from unknown institutions. (Read more at http://venturebeat.com/2012/12/13/us-bank-threats/#miGWuyOSziGXZhGm.99)

Separately, since September, U.S. banks have been battling, with mixed success, distributed denial of service (DDoS) attacks from a self-proclaimed hacktivist group called Izz ad-Din al-Qassam Cyber Fighters. Despite its claims of being a grassroots operation, U.S. government officials and security experts say the group is a cover for Iran.

“There is no doubt within the U.S. government that Iran is behind these attacks,” James A. Lewis, a former official in the State and Commerce Departments and a computer security expert at the Center for Strategic and International Studies, told The New York Times.

Mr. Lewis said the amount of traffic flooding American banking sites was “multiple times” the amount that Russia directed at Estonia in a monthlong online assault in 2007 that nearly crippled the Baltic nation.

American officials have not offered any technical evidence to back up their claims, but computer security experts say the recent attacks showed a level of sophistication far beyond that of amateur hackers. Also, the hackers chose to pursue disruption, not money: another earmark of state-sponsored attacks, the experts said.

“The scale, the scope and the effectiveness of these attacks have been unprecedented,” said Carl Herberger, vice president of security solutions at Radware, a security firm that has been investigating the attacks on behalf of banks and cloud service providers. “There have never been this many financial institutions under this much duress.”

Since September, intruders have caused major disruptions to the online banking sites of Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T and HSBC.

They employed DDoS attacks, or distributed denial of service attacks, named because hackers deny customers service by directing large volumes of traffic to a site until it collapses. No bank accounts were breached and no customers’ money was taken.

By using data centers, the attackers are simply keeping up with the times. Companies and consumers are increasingly conducting their business over large-scale “clouds” of hundreds, even thousands, of networked computer servers.

These clouds are run by Amazon and Google, but also by many smaller players who commonly rent them to other companies. It appears the hackers remotely hijacked some of these clouds and used the computing power to take down American banking sites.

“There’s a sense now that attackers are crafting their own private clouds,” either by creating networks of individual machines or by stealing resources wholesale from poorly maintained corporate clouds, said John Kindervag, an analyst at Forrester Research. How, exactly, attackers are hijacking data centers is still a mystery. Making matters more complex, they have simultaneously introduced another weapon: encrypted DDoS attacks.

Banks encrypt customers’ online transactions for security, but the encryption process consumes system resources. By flooding banking sites with encryption requests, attackers can further slow or cripple sites with fewer requests. A hacker group calling itself Izz ad-Din al-Qassam Cyber Fighters has claimed in online posts that it was responsible for the attacks.
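The point above, that an attacker who forces the server to do encryption work needs far fewer requests than a plain traffic flood, is also what makes this kind of attack detectable: a source that opens many fresh encrypted sessions per window stands out even when its raw request count is unremarkable. The following is an added example, not code from the article or from any firm it quotes, of detection logic run over constructed log lines. The log format, the per-source window, the relative cost figures and the alert threshold are all assumptions made for the example.

```python
"""Handshake-flood detector over constructed access-log lines (added example).

Assumed log format (not from the article): one line per event,
"<epoch_seconds> <client_ip> <handshake|request> <detail>". A full TLS
handshake is the expensive step for the server, so the detector weights
events by an assumed relative cost instead of merely counting them.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\d+) (\S+) (handshake|request)\b")

# Constructed relative costs: a fresh handshake is assumed to cost the server
# ten times as much as serving one request on an established session. The
# ratio is illustrative, not a measured figure.
COST = {"handshake": 10, "request": 1}


def build_sample_log():
    """Constructed log: one normal client and one handshake-flooding client."""
    lines = []
    # Normal client: a single handshake, then 40 requests on that session.
    lines.append("1355400000 198.51.100.10 handshake ECDHE-RSA-AES128-GCM-SHA256")
    lines += [f"135540000{i % 10} 198.51.100.10 request GET /login"
              for i in range(40)]
    # Flooding client: 30 fresh handshakes inside the same 10-second window,
    # fewer events in total than the normal client but far more server work.
    lines += [f"135540000{i % 10} 203.0.113.77 handshake ECDHE-RSA-AES128-GCM-SHA256"
              for i in range(30)]
    lines.append("this line is malformed and must be skipped, not crash the parser")
    return lines


def cost_per_source(lines, window=10):
    """Aggregate events and weighted cost per (client_ip, window_start)."""
    table = defaultdict(lambda: {"events": 0, "cost": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate garbage lines; a detector must not die on them
        ts, ip, kind = int(m.group(1)), m.group(2), m.group(3)
        key = (ip, ts - ts % window)
        table[key]["events"] += 1
        table[key]["cost"] += COST[kind]
    return dict(table)


def flag_floods(lines, window=10, cost_threshold=200):
    """Return the client IPs whose weighted cost in any window crosses the threshold."""
    stats = cost_per_source(lines, window)
    return sorted({ip for (ip, _), v in stats.items() if v["cost"] >= cost_threshold})


if __name__ == "__main__":
    log = build_sample_log()
    for (ip, start), v in sorted(cost_per_source(log).items()):
        print(f"{ip:14} window@{start}: events={v['events']:3} cost={v['cost']:4}")
    print("flagged:", flag_floods(log))
```

With the constructed data the normal client generates 41 events but a cost of 50, while the flooding client generates only 30 events and a cost of 300, so a plain request-rate threshold would rank them the wrong way round; weighting by handshake cost is what surfaces the attacker. In practice the window and threshold would be tuned from the site's own baseline, and the detector's output would feed a rate limiter or upstream scrubbing rather than stand alone.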

In News: Australia replaces outdated security manual

Australia introduces new Protective Security Policy Framework (PSPF)

Come August 1, 2013, Australia is all set to introduce the new Protective Security Policy Framework, known as the PSPF, replacing the old Commonwealth Government Protective Security Manual (PSM), reports Mike Rothery, First Assistant Secretary at the Attorney General’s Department’s National Security Resilience Policy Division. The policy provides guidance on securing information, physical assets and people.

Protective security is a key enabler for government business. Whether it is protecting the privacy of citizens, preventing the theft of assets, ensuring the safety of workers or making sure critical data is available when it is needed, the new PSPF aims to help agencies get their job done. A key driver for the change was a review of the old PSM by the Attorney-General’s Department, which found that the PSM was ‘compliance driven’ and lacked flexibility, impeding the ability of many agencies to conduct daily business effectively and deliver services.

Whilst effective in protecting national security information, the old PSM did not allow for sufficient flexibility in handling unclassified but sensitive material, such as commercial and personal information.

The new PSPF seeks to deal with these limitations, as well as new challenges posed by information technology. The new policy considers the additional risks from the aggregation of data, in addition to the classification of the individual pieces of information. An aggregation of information may require a higher level of protection than its component parts.

For example, where the harm caused by the unauthorised access of an individual piece of unclassified information might be minor, the harm caused by the unauthorised access to a complete library of information at that same classification level may be significantly higher. This consideration is particularly important given developments in technology enabling vast amounts of information to be stored in the one place.

Consider the huge amounts of data that can be stored on small devices such as USB sticks, for example.

For this reason, the PSPF includes the Australian Government information security management guidelines on aggregated information. In keeping with the move from hard copy to electronic storage, the guideline relates specifically to the security of electronic aggregations of Australian Government information.

One of the most noticeable changes to the policy is a new security classification system. The old systems of separate classifications for national security and non-national security information have been replaced; the new policy has a simplified single classification structure.

The classifications of Restricted and Highly Protected have been abolished to leave a single structure of Protected, Confidential, Secret and Top Secret. This change will assist agencies in conducting their day-to-day business by allowing greater interoperability across government and facilitating both information sharing and information protection.

In place of the term ‘in-confidence’, new dissemination limiting markers have been introduced for use by agencies to restrict the availability of official information where disclosure is limited or prohibited by legislation, or requires special handling. This is particularly useful for information covered by the privacy principles.

In addition to changes to information security, the PSPF initiates important broader changes to protective security, including reforms to personnel security, physical security and governance arrangements.

The biggest change in policy is the move from a compliance-based approach to one that is risk-based. This marks a significant departure from the ‘one size fits all’ nature of the PSM, and allows agencies the latitude to find the most efficient controls that suit their business.

While the PSPF specifies controls for the handling of classified information, it recognises that the bulk of sensitive information held by government relates to the private sector and the personal information of citizens. With a growing demand for the online delivery of government services, the new policy allows agencies to determine their own controls for the unclassified information they hold, including when using the Internet for service delivery.

The PSPF is engineered to be flexible, so that individual agencies can use it to develop and implement policies and practices that suit their needs while maintaining minimum requirements to protect their most sensitive information.

By actively managing risk, agencies will be able to use the Internet to engage directly with clients, while at the same time protecting their networks and preventing unauthorised access to data libraries.
In addition to the intrinsic sensitivity of information, agencies are now required to consider the full range of negative consequences from a security breach.

These are described in new Business Impact Levels or BILs. These cover such issues as damage to reputation, risk of litigation and the loss of trust with customers or partners. The BILs have been established to guide agencies in the development of their own risk management policies and procedures.

As security vetting assessments of staff are a snapshot in time, the new policy for personnel security emphasises the importance of ‘aftercare’ or whole-of-career considerations. The policy also supports the centralisation of the security clearance process in the Australian Government Security Vetting Agency.

The physical security policy remains largely unchanged as a result of the PSPF, with the exception of new advice on protecting culturally significant and valuable assets, achieving security for diverse worksites and incorporating physical security into disaster management.

The PSPF includes core public sector governance principles to support a proactive security culture across agencies. Governance arrangements aim to ensure that agencies adhere to applicable protective security standards, have clear roles and responsibilities for protective security functions and decision making, and make the best use of limited protective security resources.

Executive level leadership is integral to achieving agency-wide commitment to good protective security performance. An important element is the new requirement for agency heads to make an annual statement of compliance against the core security requirements to the relevant portfolio Minister.

Some State and Territory governments have expressed interest in applying selected parts of the PSPF in their jurisdictions. Discussions between the Commonwealth and State and Territory governments on these opportunities are continuing.

To assist agencies in implementing the new policy, the PSPF and its supporting guidelines are now publicly available on a dedicated protective security policy website at ww.protectivesecurity.gov.au. Here you will find all the guidance material required to implement the PSPF at agency level. The Protective Security Policy team at the Attorney-General’s Department is also available to assist with protective security policy advice and can be contacted at pspf@ag.gov.au.

With the framework coming into force in August, agencies are now in the transition stage, leading to full implementation by 31 July 2013.