Feds Shed Light On Sony Attack, Counsel On Destructive Malware

The nation’s top cybersecurity experts are warning about the potential for additional attacks using malware and techniques that were similar to the breach that paralyzed Sony Pictures Entertainment last month.

The alert came from the U.S. Computer Emergency Readiness Team (US-CERT) and sheds light on the destructive nature of the malware and the components that enabled it to communicate with the remote attackers and seek out other systems to exploit on Sony’s corporate network. The custom malware can spread quickly, conduct brute-force password attacks against systems, and discover and map nearly every device on the network.

The malware was originally detailed Dec. 2 in a confidential, five-page advisory issued by the FBI. The server message block malware is similar to destructive threats that struck organizations in South Korea, including an electric utility, in recent months, and to the Shamoon attack that crippled Aramco, Saudi Arabia’s national oil and natural gas company, in 2012.



The US-CERT said the mechanism associated with the malware was designed to destroy data past the point of recovery and to complicate the victim machine's recovery. The malware likely wreaked havoc on Sony’s network as it spread, according to the US-CERT description of its functionality. If a system had administrator privileges, "the program will over-write portions of up-to the first four physical drives attached, and over-write the master boot record (MBR) with a program designed to cause further damage if the hard drive is re-booted," the US-CERT alert stated.

"Due to the highly destructive functionality of this malware, an organization infected could experience operational impacts including loss of intellectual property and disruption of critical systems," the US-CERT said.

The advisory about destructive malware recommends organizations review their processes and ensure that systems are backed up daily. It notes that a top priority for organizations is to maintain an offline backup of critical files on removable media. In addition to monitoring and other best practices, the US-CERT recommends organizations consider restricting user privileges, adding two-factor authentication for privileged accounts, and using secure multitenant virtualization technology to isolate email and web application servers.

The original file name associated with the initial malware dropper used in the Sony attack is still unknown, according to the advisory. Researchers that conducted binary analysis said a portion of the malware was encrypted. Researchers decrypted it with the key "National Football League." The US-CERT included the binary MD5 Hashes, Snort signatures and YARA host-based signatures, which organizations can use to detect the files associated with the malware.

Solution providers told CRN that the Sony breach capped off a year in which information security sales grew rapidly. A continued barrage of news about high-profile breaches and reports detailing attacks and potential threats have made it easier for IT professionals to justify financial support for security initiatives, said Jim Matteo, a channel industry veteran and CEO of San Diego-based solution provider Bird Rock Systems.

"We're now seeing executives reaching out to IT, asking for the status of the company's security program," Matteo said. "It's a big shift raising security to the highest priority I've seen since I've been in the business."


The FBI announced last week that it has enough evidence to link North Korea to the Nov. 24 attack infiltrating Sony's network, and President Obama said the U.S. would "respond proportionately."

The Sony breach compromised the personal information of 47,000 current and former employees. The attackers, calling themselves Guardians of Peace, also released embarrassing emails they obtained from senior Sony Pictures executives. Other stolen Sony documents included an Excel file containing a list of Sony passwords, business plans and compensation for employees. The video files of five Sony movies also appeared on file-sharing sites. Four of the movies have not yet been released.

Rep. Elijah E. Cummings, Ranking Democrat on the House Committee on Oversight and Government Reform, sent a letter to the chairman and CEO of Sony Pictures Entertainment on Tuesday, requesting information about the attack. Cummings requested details about all data breaches Sony suffered over the last year, as well as the forensics investigation findings associated with them. The letter also seeks Sony's security policies that govern third-party service providers and contractors.

"Sony's knowledge, information, and experience will be helpful as Congress examines federal cybersecurity laws and any necessary improvements to protect sensitive consumer and government financial information," Cummings wrote.

North Korea denies playing a role in the attack. Senior government officials have condemned the movie studio's film, "The Interview," a comedy starring Seth Rogen and James Franco, for depicting the assassination of North Korean leader Kim Jong-Un. Meanwhile, Sony initially appeared to capitulate to attacker demands to withdraw the Dec. 25 release of the movie. Sony said on Tuesday that the film was being released, and will appear in a limited number of theaters across the country.