Sony Sees Possible North Korea Link to Hack Attack: Report
Posted on November 30, 2014 by Kara Dunlap in Security
WASHINGTON – Sony Pictures Entertainment is looking into whether North Korea may have been behind a major cyberattack on the studio last week, a news website reported.
The website re/code noted that the attack came as the studio neared release of a comedy about a CIA plot to assassinate North Korean leader Kim Jong-Un.
“The Interview,” which stars Seth Rogen and James Franco as two journalists recruited by the CIA to bump off Kim, has infuriated the North Koreans, with state media warning of “merciless retaliation.”
Citing sources familiar with the matter, re/code on Friday said Sony and outside consultants were exploring the theory that hackers operating in China carried out the attack last Monday on behalf of North Korea.
A North Korean link has not been confirmed, however, according to the sources.
An image posted on the Reddit social network from an individual claiming to be a former Sony employee showed a page with the words “Hacked by #GOP.”
It was unclear what GOP stood for, but some reports said the hacker group was called Guardians of Peace.
The posted image said unspecified demands must be met by Sony or important files would be released.
Tor-Enabled Bifrose Variant Used in Targeted Attack
Posted on September 1, 2014 by Kara Dunlap in Security
A new variant of the Bifrose backdoor has been used in a cyberattack aimed at an unnamed device manufacturer, Trend Micro reported.
The threat, detected by the security firm as BKDR_BIFROSE.ZTBG-A, is more evasive than previous variants because it uses the Tor anonymity network for command and control (C&C) communications.
After infecting a device, the backdoor allows its masters to perform various tasks, including downloading and uploading files, creating and deleting folders, executing files and commands, capturing keystrokes, capturing screenshots and webcam images, terminating processes, collecting system information and manipulating windows.
“BIFROSE is mostly known for its keylogging routines, but it is capable of stealing far more information than just keystrokes,” Trend Micro threat response engineer Christopher Daniel So explained in a blog post. “It can also send keystrokes and mouse events to windows, which means that the attacker may be able to conduct operations as the affected user without having to compromise their accounts. For example, the attacker can log into internal systems or even send messages to other users in the network.”
While C&C communications via Tor can make the threat more elusive, the same communications can also be used by IT administrators to detect an attack. More precisely, they can identify malicious activity by monitoring the network for Tor traffic. Many organizations don’t use Tor for regular operations, so any traffic associated with the anonymity network could indicate a cyberattack.
Another method recommended by Trend Micro for detecting Bifrose, in addition to the use of security solutions, involves checking for a file named klog.dat, which is used for the threat’s keylogging routines. Verifying network and mail logs could also help IT admins in detecting the malware.
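As an added illustration of the two detection tips above (Tor traffic on the network, klog.dat on the host), not code from Trend Micro or from the article: a small Python check run over constructed firewall log lines and a constructed directory listing. The log format, relay addresses and paths are made-up sample data; 9001 and 9030 are Tor's default relay ports.

```python
import re
from collections import defaultdict

# Tor's default relay ports (ORPort 9001, DirPort 9030). Relays may also
# listen on 443/80, so pair the port check with a relay-address list.
TOR_DEFAULT_PORTS = {9001, 9030}

# Constructed stand-in for a relay list the defender keeps current
# (e.g. exported from Tor's public consensus); not real relay addresses.
KNOWN_RELAYS = {"203.0.113.10", "198.51.100.77"}

# Constructed firewall log lines and a constructed directory listing.
SAMPLE_LOG = [
    "2014-09-01T10:02:11 src=10.0.0.5:51234 dst=203.0.113.10:443 proto=tcp",
    "2014-09-01T10:02:12 src=10.0.0.5:51235 dst=192.0.2.44:9001 proto=tcp",
    "2014-09-01T10:03:00 src=10.0.0.7:40001 dst=192.0.2.80:443 proto=tcp",
    "2014-09-01T10:03:05 malformed line with no fields",
]
SAMPLE_PATHS = [
    r"C:\Users\bob\AppData\Roaming\klog.dat",
    r"C:\Users\bob\Documents\notes.txt",
    r"C:\Temp\klog.dat.bak",
]
LOG_RE = re.compile(r"src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)")

def parse_line(line):
    """Return (src_ip, dst_ip, dst_port) or None for a line we cannot parse."""
    m = LOG_RE.search(line)
    return (m["src"], m["dst"], int(m["dport"])) if m else None

def find_tor_talkers(lines, relays=KNOWN_RELAYS, ports=TOR_DEFAULT_PORTS):
    """Map each internal host to the Tor indicators seen in its traffic."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable lines are skipped, not assumed clean
        src, dst, dport = parsed
        if dst in relays:
            hits[src].append(f"dst {dst} is on the relay list")
        elif dport in ports:
            hits[src].append(f"dst port {dport} is a default Tor relay port")
    return dict(hits)

def find_klog(paths):
    """Return paths whose file name is klog.dat (case-insensitive)."""
    return [p for p in paths
            if p.replace("\\", "/").rsplit("/", 1)[-1].lower() == "klog.dat"]

if __name__ == "__main__":
    print(find_tor_talkers(SAMPLE_LOG), find_klog(SAMPLE_PATHS))
```

A port-only match is a weak signal on its own; the relay-list match is the one worth paging on, and the klog.dat hit should be confirmed against the process that created it.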
Bifrose has been around since at least September 2008. One interesting campaign leveraging this particular threat was launched in 2010, when cybercriminals distributed the backdoor with the aid of a mail worm. The operation, dubbed “Here You Have,” was initially aimed at the human resources departments of organizations like NATO and the African Union. This old campaign demonstrates Bifrose’s potential for targeted attacks.
The “Here You Have” campaign was so successful that it caused a global outbreak.
OpenDNS Adds Targeted Attack Protection to Umbrella Security Service
Posted on July 9, 2014 by Kara Dunlap in Security
OpenDNS has enhanced its cloud-based network security service Umbrella with new capabilities designed to protect organizations against targeted attacks, the company announced on Tuesday.
The company says its monitoring systems are capable of detecting malicious traffic from the first stages of a potential targeted attack by comparing customers’ traffic to activity on OpenDNS’s global network. By providing predictive intelligence on the attackers’ network infrastructure, OpenDNS enables organizations to block attacks before any damage is caused.
Many organizations are capable of identifying single-stage, high-volume cyberattacks, but the “noise” generated by these types of attacks makes it more difficult to detect highly targeted operations, the company explained.
According to OpenDNS, its services address this issue by providing real-time reports on global activity and detailed information for each significant event. The reports can be used by enterprises to identify ongoing or emerging targeted attacks based on whether or not the threats have a large global traffic footprint, or if they’re detected for the first time.
In order to make it easier for security teams to investigate an incident, OpenDNS provides information on the users, devices and networks from which malicious requests are sent. Information on the attackers’ infrastructure can be useful for predicting future threats and for blocking components that are being prepared for new attacks.
“Enterprises today are challenged to keep up with the volume of attacks that are targeting their networks. Not only is the efficacy of today’s security tools declining, but when they do identify a threat they lack the context that is critical to blocking it,” said Dan Hubbard, CTO of OpenDNS. “The ability to determine the relevance and prevalence of an attack is key to prioritizing response, remediating infected hosts, and understanding the scope of the threat.”
The new capabilities are available as part of the Umbrella service on a per-user, per-year subscription basis.