FBI warns of disk NUKE malware after Sony Pictures megahack

This thing could spread, say g-men


The FBI has alerted US businesses to data-wiping malware after hackers, possibly in North Korea, ransacked computers at Sony Pictures.

The malicious software described in the Feds' warning is pretty close to the malware believed to have infiltrated Sony's network. Miscreants have leaked gigabytes of passwords, personal records, unreleased movies and other sensitive data swiped from Sony Pictures' computers.

Reuters reports that a five-page confidential "flash" warning was issued to US corporations by the FBI on Monday.

That alert describes an unnamed malware that ultimately overwrites all information stored on computer hard drives, including the master boot record. Infected Windows machines are incapable of booting up afterwards.
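The wiper described in the alert overwrites the master boot record (MBR), the first 512-byte sector of the disk, which is why affected machines no longer boot. The following is an added example, not code from the article or from the FBI alert, showing a defender-side check: record a SHA-256 baseline of a known-good MBR and later compare a disk image against it, also sanity-checking the 0x55AA boot signature and the partition table. The disk images are constructed in memory; `build_sample_mbr` and the hypothetical layout it produces are assumptions for illustration.

```python
"""Added example (not from the article or the FBI alert): a defender-side
integrity check for the master boot record (MBR), the first 512 bytes of a disk.
Wiper malware of the kind described overwrites the MBR, so a baseline hash taken
from a known-good image can flag tampering before the next reboot fails.
Disk images below are constructed in memory for the demonstration."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of a valid MBR
PARTITION_TABLE_OFFSET = 446  # four 16-byte entries follow the boot code


def build_sample_mbr() -> bytes:
    """Construct a plausible MBR: boot code padding, one partition entry, signature.
    This layout is an assumption made for the example, not a real disk."""
    boot_code = b"\xeb\xfe" + b"\x90" * (PARTITION_TABLE_OFFSET - 2)  # jmp $ plus nop padding
    # One entry: status 0x80 (bootable), CHS start, type 0x07 (NTFS), CHS end,
    # LBA start 2048, sector count 1,048,576 (all constructed values).
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1048576)
    table = entry + b"\x00" * (16 * 3)  # three empty entries
    return boot_code + table + BOOT_SIGNATURE


def read_mbr(image: bytes) -> bytes:
    """Return the first sector of a raw disk image (or what exists of it)."""
    return image[:MBR_SIZE]


def mbr_fingerprint(mbr: bytes) -> str:
    """SHA-256 of the sector, recorded as the known-good baseline."""
    return hashlib.sha256(mbr).hexdigest()


def partition_types(mbr: bytes) -> list:
    """Return the type byte of each non-empty partition table entry."""
    types = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        entry = mbr[off:off + 16]
        if any(entry):
            types.append(entry[4])  # byte 4 of an entry is the partition type
    return types


def check_mbr(image: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    mbr = read_mbr(image)
    findings = []
    if len(mbr) < MBR_SIZE:
        findings.append("image shorter than one sector")
        return findings
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing: MBR wiped or overwritten")
    if not partition_types(mbr):
        findings.append("partition table empty")
    if mbr_fingerprint(mbr) != baseline_hash:
        findings.append("MBR hash differs from recorded baseline")
    return findings


if __name__ == "__main__":
    good_image = build_sample_mbr() + b"\x00" * 4096  # constructed disk image
    baseline = mbr_fingerprint(read_mbr(good_image))
    print("intact image:", check_mbr(good_image, baseline) or "OK")
    wiped_image = b"\x00" * len(good_image)            # zeroed, as a wiper would leave it
    print("wiped image:", check_mbr(wiped_image, baseline))
    junk_image = b"\xff" * len(good_image)             # overwritten with junk bytes
    print("junk image:", check_mbr(junk_image, baseline))
```

In practice the baseline hash is recorded at build time and stored off-host, and the comparison is run from a trusted environment (for example, a forensic boot medium) so that a compromised operating system cannot feed the checker a forged sector.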

"The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods," the warning – which did not directly identify Sony as a victim – said.

The attack on Sony Pictures Entertainment floored corporate systems, with staff warned not to log into their work accounts until further notice.

Unreleased Sony movies, including The Interview, a spy caper about journalists roped into a plot to assassinate North Korean leader Kim Jong-un, were leaked onto file-sharing networks following the network breach. The Pyongyang government denounced the movie as an "undisguised sponsoring of terrorism, as well as an act of war" in a letter to UN Secretary-General Ban Ki-moon back in June.

This, together with evidence that portions of the data-nuking software were compiled in Korean, has led to suspicions that the Norks might be behind the attack. There are precedents for this sort of malfeasance.

Thousands of PCs in banks, insurance companies and TV stations were nobbled in March 2013 in an assault dubbed the Dark Seoul Incident. North Korea, which maintains a well-known offensive cyber capability, was suspected. The outbreak was similar to a data-wiping malware attack against oil producer Saudi Aramco that knocked out some 30,000 computers in August 2012. Iran emerged as the main suspect in the Shamoon worm outbreak at Saudi Aramco, but there was little hard evidence linking the state with the worm.

Evidence pointing towards North Korea in the latest case is likewise far from convincing, especially given the lack of a clear motive. Some security firms speculatively suggested extortion as a motive in the immediate wake of the Sony attack. Individual security experts have come to suspect a nation-state might well be behind the attack, though there is nothing approaching consensus on this point. Others, such as Graham Cluley, argue there are simply too few facts to reach any conclusion.

"It is well known that nation states operate or sponsor attacks on businesses," said Piers Wilson, head of product management at Tier-3 Huntsman. "It appears that the attack on Sony is just the latest painful lesson for all enterprises. Government-level attacks do not focus purely on opposing governments, or even on related targets such as critical infrastructure. Instead, any organisation whose suffering or loss can benefit the attacker is now a target – from banks to film studios."

Sony has hired FireEye's Mandiant incident response team to help it to respond to the attack. The FBI is also investigating the case. ®
