Now That We Know About It
If they've gotten anywhere before this discovery, that will be news. If they get anywhere after this bit of news, then somebody's going to really have to answer for it.
Hackers are targetting critical infrastructure providers, including nuclear power and defense agencies, in what may be a state-sponsored attack that's hiding behind North Korean code. Discovered by McAfee and dubbed "Sharpshooter", the operation has been running since November, largely focusing on US-based or English-speaking …
Be fair, it's a clue, not a clear answer.
Once you know the control server you infiltrate and monitor that. If a VPN connects see if you can poison the VPN client to detect/trace where the connection is from. That may give another clue. And so on. Who knows, if you're lucky, you may be able to send a little present down the VPN!
facepalm. see icon.
It's time for corporate firewall appliances to aggressively strip off any MS Office document attachments, particularly those that contain scripts, and for company policies to dictate and enforce "never open or preview them". If it can't be sent as plain text or something WITHOUT script in it, don't allow it to be received.
it's been what, TWO DECADES since the first word macro virus?
The Wikipedia page on Macro viruses states that the Melissa virus was from 1999.
This is NOT news - I've been seeing these hack attempts for years. Our mail-server holds all emails that have a suspect attachment - *.ace, *.ade, *.adp, *.bat, *.chm, *.cmd, *.com, *.cpl, *.crt, *.doc, *.docx, *.exe, *.gz, *.hlp, *.hta, *.htm, *.html, *.inf, *.ins, *.isp, *.js, *.lnk, *.mdb, *.mde, *.msc, *.msi, *.msp, *.mst, *.pcd, *.pi, *.pif, *.reg, *.scr, *.sct, *.shs, *.uue, *.vbe, *.vbs, *.wsc, *.wsf, *.wsh, *.xls, *.xlsx, *.rtf, *.rar, *.dot, *.jar, *.arj, *.lzh, *.iso, *.xz, *.xlxs, *.r0*, *.r1*. *.r2*, *.z
Problem partially solved ... I'm thinking of adding *.pdf to the list but for the moment I've remove Adobe Reader from every computer and installed a third-party reader.
What about the macro enabled *.xlam, *.xlsm, *.xltm
Or the old "encrypted zip archive with the password in the message body" dodge, well-loved by people bypassing email filtering for less-malicious (if still often foolish) purposes.
The whole point of spearphishing is to run a con on a specific target. Anyone who's studied that sort of confidence game knows that various counter-intuitive factors actually tend to improve the success rate. One is asking the victim to help initially, rather than offering a reward - victims who do so tend to fall prey to a version of the sunk costs fallacy, or a related one of acquired responsibility. Another is making it slightly more difficult for the victim to participate in the con (e.g. by having to open a password-protected zip file) - another version of the sunk-costs trap.
That's not to say that there's no value in filtering many of the file patterns associated with unsafe formats. Defense in depth.
The whole point of spearphishing is to run a con on a specific target.
Exactly. Carefully crafted for the target(s). Ideally, for a specific person, but a small group can be effective too.
<war story mode on>
Some years ago one of our clients who we had developed a website for (to do with uses for timber) had an email from a customer saying there was a virus on the website. Instant panic mode, check everything, absolutely clean. Scratch head. Then look at email in more detail - wrong domain name. Someone had registered a .com version of our .co.uk site, grabbed our entire site (not exactly difficult), and cloned it onto the .com, with added sprinkles.
We suspect they then had a nicely crafted email referring to some recent interesting pieces of news in the burning trees industry, and sent it to a smallish number of people in organisations and businesses interested in burning trees. A fair proportion would probably follow the links, see a plausible site, and leave none the wiser, while something nasty started to nose around their network.
And that's even without Office attachments. No matter what we do, highly intelligent scumbags will craft new ways of conning people. Even if we provide people with non-network connected tablets using a 4G data connection for all web access, they will still get conned and reveal a password to a 'Windows Security Team member' via email.
Docx and xlsx don't have the same exploit risk as doc and xls.
Hence doc being the transmission vector of choice for miscreants.
I'd consider allowing docx and xlsx and analyse my logs to see if they supported that hypothsis...while still blocking encrypted ones.
Are you for real?
If you suggested to any client-facing business that it should block or hold any email including a .doc or .docx attachment you would, at best, be laughed out of the room.
Communication with your clients is essential, and they primarily use .pdfs for uneditable content, and Word for editable content.
You may hate it, but that's the truth.
We're doing pretty much that. 250 employees, more than 10.000 customers and we don't let anything but the few allowed attachments through.
For every email blocked, the user gets a message and if they decide they need that email or attachment we check it and if legit and virus-free the email will be delivered.
It's about 15 minutes a day for 2 techs to do this. Most emails don't get unblocked because the user doesn't need them. And most customers or other businesses have started to either send pdf files or just not send files.
For businesses we regularly exchange files with there's a 'cloud' storage solution in place.
The problem is that you can't fix stupid. Most people believe they already know far more than most people about damn near everything. The glaring lack of any supporting evidence for this belief is irrelevant in their minds, such that they have.
Most simply won't accept the idea that someone from IT might know a tad more about hw, sw, and security than they do.
All you can do is keep them from accessing anything that might cause damage.
Whilst the large bank I work for is generally useless with IT, the two things they do to mitigate this are mark all external emails very clearly at the top and secondly send test emails with a payload randomly to employees to see who reports it as phishing and who opens it blindly. Those who open it get immediately sent on a “re-education” course.
Oh, and external email is only given on a needs basis, not by default.
Whilst not perfect it’s certainly a blummin good way to catch out the stupid and try and do something about it.
Good idea, sending training phish emails, in fact why not check and see if these Korean infrastructural attack phish emails could have been sent by someone under false attribution. There are nation state ‘fake-other nation state” malware tools around.
From my reading of the actual South Korean news about their steadily improving relations with North Korea, that’s the sort of counter-narrative news that might definitely result in some sort of ‘anti’ news from your local centralised intelligence agents.
Bigging up the foreign threat bigly = continue big budget times $$$
Obfuscation only gets you so far, and malware is often assembled out of verbatim chunks of other malware, so you can apply automated sequence matching or more code-specific algorithms such as entry-point fingerprinting.
Also, if the Word document in question used macros, those are delivered in source form to the victim.
1. Set up a desktop on AWS or similar.
2. Require all users to access said desktop via VNC (special version, file transfer disabled)
3. Require all users to only access e-mail using webmail of some sort via a browser on the remote desktop, with attachments being viewed via browser plugins.
4. Wipe and re-install remote desktop every hour.
There's probably still some holes in this, but it's more useable than 'ban the interwebs'.
I wonder if this has anything to do with the massive uptick we've seen in infected Word docs and PDFs trying to come in over the last month. So massive, in fact, that we started quarantining all Word docs and PDFs coming in from outside our domain as dealing with the ones that needed to be released was taking less effort than dealing with the ones that somehow slipped past all our filters. I've been working under the assumption that we were being targeted (though I couldn't figure out why anyone would make that sort of effort to break into a school district's systems), but if there's been a major campaign going on maybe not.
Biting the hand that feeds IT © 1998–2020