Three Lessons from the South Korea MBR Wiper Attacks
Last week, we posted some detailed information about the actions that the March 20, 2013 MBR wiper attacks took against systems in South Korea.
Today, I’d like to take that and some additional information that has come out about the incident and draw some conclusions about what lessons this attack teaches us.
When we look at the South Korean attacks, three specific lessons come out of what we’ve seen:
- Post-PC attacks aren’t just about devices
- Auto-updating infrastructure is a viable target
- Security and infrastructure products are targets too
There is an overarching theme to these lessons: when we say targeted attacks, we mean more than targeting in terms of who receives the spear phishing email that starts the attack. Targeted attacks are also targeted in terms of understanding a carefully selected potential victim’s infrastructure, with an eye to circumventing and compromising that specific infrastructure as much as possible. Most importantly, this applies to the security protections and controls in place.
Post-PC attacks aren’t just about devices
One thing that stands out in these attacks is the presence of attack code targeting Unix and Linux operating systems. We’ve seen attackers starting to turn their attention to Mac OS X over the past year, so malware attacks against non-Windows operating systems aren’t inherently new. However, Unix and Linux have more often been targets of active hacking attacks than malware, so this does represent a new trend bringing these operating systems into the post-PC attack crosshairs.
Most organizations tend to use versions of Unix for high-value systems, so including them in this attack code would seem to indicate an active targeting of those sorts of systems. Linux tends to be used for infrastructure and as a commodity operating system, so here too we can see thought being given to selecting the operating system targets.
The key lesson here is that when looking at targeted attacks, we have to view all platforms and devices as viable targets now. It makes sense to extend endpoint security practices to all platforms and devices as much as possible, and to implement other layers of protection to protect those platforms and devices that can’t be protected by endpoint security (like iOS).
Auto-updating infrastructure is a viable target
One important piece of information we’ve learned about these attacks is that the attackers may have compromised credentials for the victims’ patch management system and used it to distribute their malware. This is the second major targeted attack that has compromised auto-update/patch management infrastructure and turned it into a malware delivery system: the Flame attacks last May represented a major escalation in attack methodologies by compromising the Windows Update client to deliver malware.
In light of Flame and now this, it’s clear that attackers not only want to compromise auto-update mechanisms, they can accomplish it. This isn’t to say that auto-update is inherently untrustworthy, but it does mean that it can no longer be viewed as foolproof. While Flame was the result of very sophisticated work, the South Korean attacks relied on old-fashioned compromised credentials. While there’s little you can do to protect against the sort of attack Flame used, you can take steps to ensure better security on the patch management and updating infrastructure under your control. From a risk management point of view, you should be assessing these assets as critical, high-value targets and addressing the risks appropriately.
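One way to apply this to a patch server, as an added example that is not from the original post or any vendor’s product: because a stolen credential still authenticates correctly, each deployment is also checked against what change control approved, when pushes normally happen, and how widely a first wave may go. The record fields, account name, change window, rollout threshold and sample data are all constructed assumptions.

```python
import hashlib
from datetime import datetime, time

# Assumed policy values (constructed for this example).
FLEET_SIZE = 1000                    # managed endpoints
MAX_FIRST_WAVE = 0.10                # a first push may reach at most 10% of the fleet
WINDOW = (time(1, 0), time(5, 0))    # approved change window, local time
DEPLOYERS = {"svc-patch"}            # accounts allowed to push packages

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Manifest produced by change control and kept off the patch server:
# package name -> SHA-256 of the approved content.
MANIFEST = {"agent-4.2.pkg": digest(b"constructed vendor payload 4.2")}

def review(dep: dict) -> list:
    """Return the reasons a deployment should be held; empty means release."""
    reasons = []
    if MANIFEST.get(dep["package"]) != dep["sha256"]:
        reasons.append("content-not-in-manifest")
    if dep["pushed_by"] not in DEPLOYERS:
        reasons.append("unexpected-account")
    if not (WINDOW[0] <= dep["when"].time() <= WINDOW[1]):
        reasons.append("outside-change-window")
    if dep["targets"] / FLEET_SIZE > MAX_FIRST_WAVE:
        reasons.append("no-staged-rollout")
    return reasons

# Constructed deployment records. Record 2 uses the legitimate account,
# as a push made with compromised credentials would.
SAMPLE = [
    {"id": 1, "package": "agent-4.2.pkg",
     "sha256": digest(b"constructed vendor payload 4.2"),
     "pushed_by": "svc-patch", "when": datetime(2013, 3, 19, 2, 30), "targets": 50},
    {"id": 2, "package": "agent-4.2.pkg",
     "sha256": digest(b"constructed tampered payload"),
     "pushed_by": "svc-patch", "when": datetime(2013, 3, 20, 14, 0), "targets": 1000},
]

def held(deployments: list) -> dict:
    """Map deployment id -> hold reasons, for deployments that fail any check."""
    return {d["id"]: r for d in deployments if (r := review(d))}

if __name__ == "__main__":
    for dep_id, reasons in held(SAMPLE).items():
        print(dep_id, ", ".join(reasons))
```

Record 2 passes the account check, which is why the content, timing and scope checks carry the weight here.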
Security and infrastructure products are targets too
This point grows out of the previous one and is a broader lesson. The MBR wiper malware specifically targeted the processes of two or three Korean security suite products. Targeting security products in itself isn’t new: Conficker/DOWNAD and others have done that in the past. But what is most interesting here is that the actions are limited to targeting only two or three products rather than a large number (like DOWNAD did).
This shows awareness of the security protections in place at the intended targets. When coupled with the fact that the compromise of the patch management system was also focused on a single vendor, we can conclude that the attackers did their homework and gathered information about their intended victims’ security and infrastructure.
Much like we said about adjusting your risk assessment for your patch management infrastructure, the lesson here is that in a targeted attack your security and infrastructure products may be viable targets. As such, you will want to mitigate that risk accordingly with additional layers of protection, especially layers that support heuristic detection capabilities.
Two things stood out about the MBR wiper attacks: how destructive they were, and how they clearly went after high-value targets. Large-scale attacks like these are rare: the most recent example I can recall on par with this is the Witty worm of 2004, which targeted systems running Black Ice and rendered systems unbootable. These attacks definitely highlight some emerging and worrisome trends in attacks. The best we can do is understand what these trends mean and take active steps now to better protect against them. If there’s one thing we now know, it’s that successful tactics get put into the collective attacker toolbox and reused in other attacks.