RSA Firstwatch shines a spotlight in the darker corners of the Internet to better understand Internet Fraud and Criminal trends online. When possible, RSA Firstwatch members will use this space to share information about some of our findings.
Like many of you, I heard about the Korean cyber attacks via the news outlets. And I also had a hard time believing the description. In what seemed like a massive state-sponsored attack, many bank computers were "blacked" out for hours.
Then this morning I saw this tweet from Mikko Hyponnen of F-Secure describing what the attack actually was-
Then I thought, okay, wiping the master boot record of a disk is bad. It renders the machine unbootable, but only if it shuts down. It still didn't explain how a running system was remotely shut down. And its not a completely destructive attack- simply make the MBR bootable again and a user has access to his data. An hour later, an RSA field engineer sent me a pcap from Korea that showed the attack. I'll screenshot it with highlights below.
So this was a key exchange with a popular Korean Encryption module called Xgate. Specifically for this bank, the server banner showed it was XGate 3.0, an older, likely vulnerable version of this SSL module. The key exchange begins normally until the first highlighted area. See how the data changed from structured to garbled? This is the beginnings of the buffer overflow attack against the Xgate module. Since XGate likely runs with administrative privileges, anything this module does after the overflow will be executed as administrator.
The second highlight shows where Kernel32.dll is called. The next highlight shows another buffer overflow attack, this time against the Windows Kernel itself. The next highlighted area shows a call to the Physical Drive 0 which is the master boot record, followed by a windows command to reboot the system. And in case the currently logged in user didn't have permissions to reboot, the overflow commands set the privileges to do that too.
So there you have it- the Korean attack appears to be a targeted attack against the popular Xgate module, wiping the master boot record and rebooting the system. This victim was using XGate to handle payment processing. Other victims across the country were likely using it for open encryption of one sort or another.
But when I was researching the source IP address, I found a website that auto-publishes its own log files. This IP in my PCAP belonged to Korea Telecom. It had a user-agent string earlier this month of:
18.104.22.168 Mozilla/5.0 (Linux; U; Android 4.0.4; ko-kr; IM-A840S Build/IMM76I) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
That's an Android phone.
Other news sources have already tried to claim that this attack originated in China, but clearly this specific attack could have originated anywhere since it is a buffer overflow attack, and clearly my PCAP shows this attack came from within South Korea. Could both claims perhaps be true, that it came from BOTH China and Korea? If the attacks came from mobile Android phones, this would make a bit of sense. This would account for the coordinated attacks and the distribution of sources. And given that many mobile apps for the Android market have been known to be infected with malware, we might just be looking at the first mobile malware takedown of a National Critical Infrastructure.
Trend Micro and Symantec believe that this Korean MBR wiping attack was malware-driven, likely originating from a Phishing attack. We at RSA FirstWatch do not discount this point of view, but now view this attack overall as a part of a multi-vector attack against the Korean Critical Infrastructure. The Xgate Buffer Overflow seems to be just one small portion of this attack.
As quoted in the DarkReading article, RSAFirstWatch Senior Manager Will Gragido is quoted as saying:
Based on what we're seeing, this was a multivector attack," says Will Gragido, senior manager with RSA FirstWatch Advanced Research Intelligence.
It also demonstrates just how fragile networks really are today. "And the evidence is clear that as simple of an attack [as one] launched from a cell or tablet can have pretty significant ramifications" and it can happen anywhere, he says.
This post reflects analysis of a single PCAP that was shared with us by a trusted partner. But it clearly demonstrates that an IP address typically used for a Mobile Network in South Korea was used to participate in the massive takedown of the South Korean Critical Infrastructure.