7

There is lots of media coverage like this one but I have not yet been able to find details on how the hackers got into the network, the servers and the users' systems.

So what vulnerabilities / zero-days did they use? How did they apparently manage to take over virtually all of Sony Pictures' systems, from the servers and computers to maybe even smart devices?

How do we protect against being the next victim of the same attack vectors?

Arc
  • 652
  • 5
  • 11
  • 3
    There's no way to answer this question without seeing the exploit code itself. – RoraΖ Dec 18 '14 at 17:24
  • 4
    There's a (very superficial) analysis of the exploit code on *Ars Technica* but no clue about how it may have been planted. "The people who know aren't talking and the people who are talking don't know." – Bob Brown Dec 18 '14 at 17:46
  • @raz Right, although IT security analysts and consultants might have spoken with the press, or some half-way tech-savvy Sony employee might have. It is hard for me to imagine nobody asking that one essential question before talking about it: *How?* – Arc Dec 18 '14 at 18:40
  • @Archimedix - everyone is asking how, but no one outside the hackers and those investigating know the answer for sure, and until they talk, everyone else can only speculate. – alanc Dec 18 '14 at 18:58
  • 1
    I have responded to incidents where there were clear indicators pointing to multiple intrusions and "digging in" over several years by several different threat communities. Often, several variants of malware and several entry points are identified but none are conclusive as the "first" or "initial" entry point. Usually the first large exfiltration can provide a trail, but there could have been smaller or earlier exfiltrations -- sometimes no exfiltration during an entry point at all – atdre Dec 18 '14 at 19:40

2 Answers

3

Thanks to Bob Brown's hint and an article on Ars Technica he is probably referring to, we get to know at least some details on the hack rather than just gossip.

From the article:

And it still remains unclear how the malware was implanted on Sony Pictures’ network in the first place—or how multiple terabytes of data from corporate systems could have been hauled out of the network within just a few days of the wiper attack.

According to the article, one piece of malware used in the attack is Destover or a variant thereof, also known as (a) Wiper, which has also been subsequently code-signed with a Sony certificate and was used to remove/destroy data on the victims' computers, e.g. to cover up and remove traces of an intrusion.

UPDATE:
According to Security Week, attackers used a worm for Windows networks (referred to as SMB Worm Tool) to propagate their malware, with brute-force authentication code and tools for file transfer, system survey, process manipulation, file time matching and proxy capability, an arbitrary code execution mechanism and the aforementioned features to erase and destroy data.

A related Security Week article also refers to the US CERT alert detailing some Indicators of Compromise (IOC), i.e. hashes of the malware that can be added to security solutions / intrusion detection systems and malware detection engines.

Arc
  • 652
  • 5
  • 11
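As an added example (not part of the answer above): the brute-force authentication behaviour attributed to the SMB Worm Tool shows up in Windows Security logs as bursts of failed network logons (event 4625, LogonType 3) from one source against many accounts; the following Python script, run over constructed sample log lines in an assumed simplified format, flags such sources and notes whether a success (4624) followed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (simplified format, not real Windows output).
# 4625 = failed logon, 4624 = successful logon; LogonType 3 = network (SMB).
SAMPLE_LOG = """\
2014-11-24T01:00:01 4625 LogonType=3 Src=WS-17 User=jsmith
2014-11-24T01:00:02 4625 LogonType=3 Src=WS-17 User=admin
2014-11-24T01:00:02 4625 LogonType=3 Src=WS-17 User=backup
2014-11-24T01:00:03 4625 LogonType=3 Src=WS-17 User=svc_sql
2014-11-24T01:00:04 4625 LogonType=3 Src=WS-17 User=mjones
2014-11-24T01:00:05 4625 LogonType=3 Src=WS-17 User=administrator
2014-11-24T01:00:06 4624 LogonType=3 Src=WS-17 User=administrator
2014-11-24T01:05:00 4625 LogonType=2 Src=WS-03 User=ahall
2014-11-24T01:05:20 4624 LogonType=2 Src=WS-03 User=ahall
"""

LINE_RE = re.compile(r"^(\S+) (\d{4}) LogonType=(\d+) Src=(\S+) User=(\S+)$")

def parse_events(text):
    """Parse the constructed log format into (time, event_id, logon_type, src, user)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        ts, eid, ltype, src, user = m.groups()
        events.append((datetime.fromisoformat(ts), int(eid), int(ltype), src, user))
    return events

def find_bruteforce(events, window=timedelta(minutes=1), min_failures=5, min_users=3):
    """Return {src: (failures, distinct_users, success_user_or_None)} for sources
    with many network-logon failures across several accounts inside `window`."""
    by_src = defaultdict(list)
    for ts, eid, ltype, src, user in events:
        if ltype == 3:  # only network logons, the path an SMB worm uses
            by_src[src].append((ts, eid, user))
    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [(ts, u) for ts, eid, u in evs if eid == 4625]
        for i, (t0, _) in enumerate(fails):
            burst = [u for ts, u in fails[i:] if ts - t0 <= window]
            if len(burst) >= min_failures and len(set(burst)) >= min_users:
                # a success from the same source inside the window is the worst case
                success = next((u for ts, eid, u in evs
                                if eid == 4624 and t0 <= ts <= t0 + window), None)
                hits[src] = (len(burst), len(set(burst)), success)
                break
    return hits
```

Call `find_bruteforce(parse_events(SAMPLE_LOG))` to see the flagged source; the interactive logon attempts from WS-03 are ignored because they are not network logons.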
1

Unfortunately it is very common with such targeted attacks that you only become aware of the attack once the intruder is already deep in the system, which might even be years after the initial intrusion. In most cases it is no longer possible to reconstruct the whole infection chain up to the original delivery vector at this time, because there are no more traces. If you look at the reports they cannot even say exactly how long the intruder was already in the network.

There are some infection vectors which might leave traces (like spear-phishing mails still in the mailbox) but others like waterholing attacks, malvertising or social attacks usually leave no traces in most networks. Only networks with heavy internal monitoring might be able to reconstruct the delivery chain in such cases. And the final wiping of the compromised systems makes forensics even harder.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424