Mandiant Chat logs on Sony hack
a guest
Aug 13th, 2018
118.163.116.196
[11/25/2014 7:40:48 AM] ernie_liu: hi
[11/25/2014 7:42:05 AM] ernie_liu: I asked Albano to check w bureau buddies to see what other info we can get
[11/25/2014 7:42:33 AM] Mike Opp: it might help him know that it's the local Bu guys that were here working it.
[11/25/2014 7:43:11 AM] *** Marshall Heilman added kevinalbano ***
[11/25/2014 7:43:15 AM] Marshall Heilman: Get in here Albano :)
[11/25/2014 7:44:16 AM] Mike Opp: (wave)
[11/25/2014 7:44:52 AM] kevinalbano: got to get tough
[11/25/2014 7:45:32 AM] kevinalbano: emails SA Boeing Shih and ASAC Gina Osborn to get the FBI channel started up
[11/25/2014 7:45:50 AM] kevinalbano: srsly they don't know any of their names
[11/25/2014 7:46:04 AM] Mike Opp: they sent 12 of them here yesterday
[11/25/2014 7:46:20 AM] kevinalbano: yah & no one remembers a name
[11/25/2014 7:46:23 AM] Marshall Heilman: @Opp - just to be clear, you mentioned GSIRT having issues w/ Nitro, but that is different than the syslog data.
[11/25/2014 7:46:29 AM] Marshall Heilman: so you are working with them on both issues, right?
[11/25/2014 7:46:40 AM] Mike Opp: correct but they were saying the syslog data somehow fed into NITRO
[11/25/2014 7:46:45 AM] Mike Opp: but i need to clarify that with them
[11/25/2014 7:46:51 AM] Marshall Heilman: ok
[11/25/2014 7:46:58 AM | Edited 7:47:02 AM] Marshall Heilman: I'd like the raw syslog data if possible - would be easier for us
[11/25/2014 7:47:02 AM] Mike Opp: Kevin who is on the phone will/should be able to answer
[11/25/2014 7:47:03 AM] Mike Opp: yep agree
[11/25/2014 7:47:19 AM] Mike Opp: waiting for this conversation to end
[11/25/2014 7:47:31 AM] Marshall Heilman: k
[11/25/2014 7:51:52 AM | Edited 7:52:01 AM] kevinalbano: I got the entire FBI team. What time do you want to have a conference?
[11/25/2014 7:52:05 AM] Marshall Heilman: lol
[11/25/2014 7:52:13 AM] Marshall Heilman: asap
[11/25/2014 7:52:18 AM] Marshall Heilman: if possible
[11/25/2014 7:52:32 AM] kevinalbano: Sony legal had concerns about privilege as it relates to allowing Mandiant and the FBI to collaborate on what could be considered attorney-client work product. Did Sony legal make a decision on this yet?
[11/25/2014 7:52:47 AM] kevinalbano: Need to work Sony legal. who's got point on this?
[11/25/2014 7:53:04 AM] Marshall Heilman: I can take point on that. I told the SVP here that we would back channel until that got figured out.
[11/25/2014 7:53:26 AM] Marshall Heilman: so if the FBI was willing to just pass us data for now, that would be really helpful. We can make it right with them later on
[11/25/2014 7:53:55 AM] ernie_liu: Denise from FE hit me up. This is on DeWalt's radar so just be aware. I told her once we get a better idea of what we are dealing with then we will let her know if there are places where FE tech can help
[11/25/2014 7:55:09 AM] kevinalbano: rog; will let you know the time of the meeting.
[11/25/2014 7:55:38 AM] Marshall Heilman: I had an email exchange with him and asked him to make sure FE calms down
[11/25/2014 8:02:59 AM] Marshall Heilman: Ernie - when will Will have the dongles? We need to know asap how many we have available
[11/25/2014 8:16:46 AM] Marshall Heilman: fuck. Manny has to deal w/ a potential compromise on a POS system at TGT right now. Hopefully just a FP, but it's still going to delay him.
[11/25/2014 8:17:03 AM] ernie_liu: we can get Huy maybe
[11/25/2014 8:17:22 AM] Marshall Heilman: possibly, but he has other client work he has to work on.
[11/25/2014 8:17:23 AM] Mike Opp: working on getting alternate comms (Skype) with the GCIRT folks....
[11/25/2014 8:17:28 AM] Marshall Heilman: so he would have to cram that in after hours
[11/25/2014 8:21:21 AM] ernie_liu: Matson is headed to the office so we'll know soon
[11/25/2014 8:21:41 AM] Marshall Heilman: ok great. I'm waiting to hear back from S. Davis to see if we can get malware support as soon as we have something to look at
[11/25/2014 8:21:49 AM] Marshall Heilman: Siko is offline, so I want to start w. the special ops team
[11/25/2014 8:22:32 AM | Edited 8:22:37 AM] Marshall Heilman: we can always use Bailer if we come across the linux variant
[11/25/2014 8:23:34 AM] ernie_liu: JSmith maybe too
[11/25/2014 8:25:13 AM] Marshall Heilman: good call. talking to davis now.
[11/25/2014 8:42:00 AM] ernie_liu: Matson is on his way to lab, then Bestbuy, then here at client
[11/25/2014 8:42:10 AM] ernie_liu: he is getting a bunch of USB drives
[11/25/2014 8:42:15 AM] ernie_liu: let him know if we need anything else
[11/25/2014 9:02:55 AM] Marshall Heilman: @Albano - SPE legal just gave us the go ahead to work w/ the FBI. SPE is going to call the FBI now, let them know, and get the FBI back on-site
[11/25/2014 9:03:15 AM] Marshall Heilman: however, I think it would still be good for you to interface with them to see what you can get from your backchanneling that they might not share with the client
[11/25/2014 9:05:28 AM] *** Marshall Heilman added cglyer ***
[11/25/2014 9:19:41 AM] kevinalbano: (y)
[11/25/2014 9:22:45 AM] cglyer: [Tuesday, November 25, 2014 9:22 AM] cglyer:

<<< another idea - you can use one of willi's scripts to point at a disk image and export all of the event log entries
you could potentially do that across as many systems as you had images/drives
[11/25/2014 9:36:26 AM] *** Marshall Heilman has changed the conversation topic to "MFR14-240 - Pics and splash screens don't mix" ***
[11/25/2014 9:36:43 AM] Marshall Heilman: [Tuesday, November 25, 2014 9:33 AM] steved:

<<< -i: install and start service (WinsSchMgmt) Windows Schedule Management Service
will be running with -k indicating the exe is running as a service
looks like -s can run in standalone mode
[11/25/2014 9:37:04 AM] Marshall Heilman: this is for the d1c27ee7ce18675974edf42d4eea25c6 file
[11/25/2014 9:37:58 AM] Mike Opp: it seems the file scans the 43.130.141/24 net for tcp/445 and writes results to c:\windows\system32\net_ver.dat


SPE\Dayals-1
London13!
SPE\JHKim4-1
!Tomorrow33
SPE\KManku-1
M@nday77
SPE\MMcLean3-1
@Smiley91
found the above in memory copy of the file....
seems to try those creds with this command
cmd.exe /c wmic.exe /node:"%s" /user:"%s" /password:"%s" PROCESS CALL CREATE "%s" > %s
[11/25/2014 9:39:19 AM] Mike Opp: If you xor 0x67 that file you get the below information:

_SPE\Dayals-1|London13!
SPE\JHKim4-1|!Tomorrow33
SPE\KManku-1|M@nday77
SPE\MMcLean3-1|@Smiley91
43.130.141.10
USSDIRIM18|43.130.141.11
USSDIXCAS23|43.130.141.13
43.130.141.14
USSDIBKP04|43.130.141.15
[11/25/2014 9:39:22 AM] cglyer: [Tuesday, November 25, 2014 9:37 AM] Mike Opp:

<<< cmd.exe /c wmic.exe /node:"%s" /user:"%s" /password:"%s" PROCESS CALL CREATE "%s" > %s
remote command execution
[11/25/2014 9:39:27 AM] cglyer: it's like running psexec - but using WMI
[11/25/2014 9:39:41 AM | Edited 9:39:44 AM] cglyer: there will be very few logs of what they ran through that - if that is what they used
[11/25/2014 9:40:31 AM] Mike Opp: one oddball: UKLONEXT-XMSGV|172.21.40.161
[11/25/2014 10:39:50 AM] ernie_liu: so we have them in one place, current malware:
[11/25/2014 10:39:52 AM] ernie_liu: diskpartmg16.exe
https://mta.mplex.mandiant.com/samples/d1c27ee7ce18675974edf42d4eea25c6

igfxtrayex.exe
https://mta.mplex.mandiant.com/samples/760c35a80d758f032d02cf4db12d3e55

net_ver.dat
https://mta.mplex.mandiant.com/samples/3efd1c9a28241ea5182c5a0b2d979eb7
[11/25/2014 10:41:16 AM] Mike Opp: the malware has resources written in Korean
[11/25/2014 10:41:36 AM] ernie_liu: i blame Seth Rogen
[11/25/2014 10:41:48 AM] kevinalbano: nah Franco
[11/25/2014 10:42:17 AM] Mike Opp: they owe this place a ton of money
[11/25/2014 10:42:28 AM] Mike Opp: and they owe all of us Teslas and a strand house
[11/25/2014 11:16:34 AM] kevinalbano: FBI was thinking this was attributed to DarkSeoul
[11/25/2014 11:17:25 AM] kevinalbano: https://mic.mandiant.com/-/south-korean-organizations-suffer-computer-network-attack-amid-heightened-tensions-on-korean-peninsula
[11/25/2014 11:32:26 AM] Mike Opp: ok that is tracking with our current theory
[11/25/2014 11:35:35 AM] Marshall Heilman: malware is 32 and 64bit aware
[11/25/2014 11:38:06 AM] Marshall Heilman: igfxtrayex.exe (760c35a80d758f032d02cf4db12d3e55) and diskpartmg16.exe (d1c27ee7ce18675974edf42d4eea25c6) both have the same "C2" ips
[11/25/2014 11:39:17 AM] kevinalbano: FBI is trying to be on site around 12:30 or 1pm
[11/25/2014 11:39:46 AM] Marshall Heilman: good
[11/25/2014 11:39:57 AM] Marshall Heilman: shit. I have to run out around 1 PM for a bit
[11/25/2014 11:40:06 AM] Marshall Heilman: don't let them get too crazy :)
[11/25/2014 11:41:20 AM] kevinalbano: i'll be down there if that's okay; need to break bread w/ those guys
[11/25/2014 11:42:19 AM] Marshall Heilman: of course
[11/25/2014 11:44:13 AM] Marshall Heilman: [Tuesday, November 25, 2014 11:43 AM] Willi Ballenthin:

<<< it looks like it recurses through all drives, and for exe or dll files not in windir or program files, it overwrites the data
[11/25/2014 11:45:31 AM | Edited 11:45:37 AM] Marshall Heilman: malicious service: (WinsSchMgmt) Windows Schedule Management Service
[11/25/2014 11:45:52 AM] Marshall Heilman: from diskpartmgr16.exe:
[11/25/2014 11:45:52 AM] Marshall Heilman: Arguments:
-k: exe is running as a service
-i: install and start service (WinsSchMgmt) Windows Schedule Management Service
-s: standalone mode with no service
[11/25/2014 12:13:59 PM] Marshall Heilman: issvr.exe: https://mta.mplex.mandiant.com/samples/e1864a55d5ccb76af4bf7a0ae16279ba/analysis
[11/25/2014 12:27:14 PM] ernie_liu: Albano - FBI is on their way
[11/25/2014 12:42:07 PM] *** Mike Opp added Barry V ***
[11/25/2014 12:42:12 PM] Mike Opp: Barry will be our additional Intel support
[11/25/2014 12:42:31 PM] Mike Opp: please add him to the SVN
[11/25/2014 12:46:24 PM] ernie_liu: sent request for Barry
[11/25/2014 12:52:29 PM] Mike Opp: thanks Ernie
[11/25/2014 2:13:12 PM] Mike Opp: ok so malware names for the backdoor ideas
[11/25/2014 2:13:14 PM | Edited 2:13:18 PM] Mike Opp: TINYFUSE
[11/25/2014 2:13:19 PM] Mike Opp: ?
[11/25/2014 2:13:22 PM] Mike Opp: people ok with that
[11/25/2014 2:13:39 PM] Mike Opp: ANKLEBREAK
[11/25/2014 2:13:39 PM] Mike Opp: ?
[11/25/2014 2:13:47 PM] cglyer: ANKLEBITER?
[11/25/2014 2:13:52 PM] cglyer: j/k
[11/25/2014 2:14:05 PM] Mike Opp: SKYLARK is too close to home since that's a character in the movie....
[11/25/2014 2:14:16 PM] Mike Opp: it doesn't pass the "if this gets out in the news" test to me
[11/25/2014 2:18:28 PM] Jake Garner: ChickenNugget
[11/25/2014 2:18:52 PM] Marshall Heilman: KimJong?
[11/25/2014 2:18:59 PM] Jake Garner: RanchPickles
[11/25/2014 2:19:02 PM] Mike Opp: TINYFUSE is what I think I'm going with for the backdoor
[11/25/2014 2:19:07 PM] Mike Opp: people cool with that?
[11/25/2014 2:20:29 PM] Mike Opp: so far the first system that reached out to any of the external IPs for the malware was internal IP 172.21.40.163
[11/25/2014 2:20:48 PM] Mike Opp: probably need to see if that's a workstation or proxy...but it's two octets away from the UK box hardcoded in the malware
[11/25/2014 2:40:58 PM] Mike Opp: Barry made unc502 to track this under for now
[11/25/2014 2:51:51 PM] ernie_liu: Looking at the Nitro logs, top 6 talkers to those bad IPs:
IP -- Sum of Bytes_Sent -- Sum of Bytes_Received
172.26.126.10 223062 138630
172.21.216.2 130790 81412
172.23.144.106 86336 53628
172.21.40.163 17488 10738
172.27.60.67 7822 4988
208.84.227.215 7406 4770
[11/25/2014 3:01:31 PM] Barry V: we have any pcap?
[11/25/2014 3:01:34 PM] Barry V: guessing no
[11/25/2014 3:02:45 PM] Mike Opp: no
[11/25/2014 3:03:00 PM] Mike Opp: no pcaps only some log data based on request we are sending to the team in VA
[11/25/2014 3:03:11 PM] Mike Opp: they are heading here tmw so we should get logs quicker at that point
[11/25/2014 3:18:10 PM | Edited 3:18:31 PM] Barry V: L1s inbound
[11/25/2014 3:18:21 PM] *** Barry V sent D1C27EE7CE18675974EDF42D4EEA25C6.txt 760C35A80D758F032D02CF4DB12D3E55.txt E1864A55D5CCB76AF4BF7A0AE16279BA.txt ***
[11/25/2014 3:21:47 PM] Manny: guys on site. what's the address?
[11/25/2014 3:22:54 PM] Will Matson: 10000 W Washington Blvd
Los Angeles, CA
[11/25/2014 3:23:24 PM] Will Matson: Underground parking is on Madison. Valet car, take elevator up to street level. Call me when you get here. I'll come get you
[11/25/2014 3:23:57 PM] Manny: thx
[11/25/2014 3:24:09 PM] Barry V: for iisvr.exe - uploading the decoded resources right now. Here's a taste -

<html>
<head>
<title> Hacked By #GOP </title>
<meta name="Author" content="#GOP">
<meta name="Keywords" content="#GOP">
<meta name="Description" content="Hacked By #GOP">
</head>
<body bgcolor="#000000">
<bgsound src="index.wav" loop=infinite>
[11/25/2014 3:27:33 PM] Barry V: nm they are already in MTA
[11/25/2014 3:40:51 PM] ernie_liu: also Barry
[11/25/2014 3:41:14 PM] ernie_liu: any registrant info on the domains in the splash screen that were hosting the zips?
[11/25/2014 3:41:21 PM] Barry V: looking now
[11/25/2014 3:41:31 PM] Barry V: but I bet they are all hijacked/decoys
[11/25/2014 3:41:42 PM] ernie_liu: ya
[11/25/2014 3:41:57 PM] ernie_liu: there was a suspicious email from dfrank1973.david@gmail.com
[11/25/2014 3:42:00 PM] ernie_liu: dunno if related
[11/25/2014 3:42:06 PM] ernie_liu: but could also be lead on registrant info
[11/25/2014 3:42:13 PM] Barry V: yeah ill dig around
[11/25/2014 3:45:01 PM | Edited 3:45:11 PM] Mike Opp: just talked to GCIRT they are going to work on the additional NITRO queries now
[11/25/2014 3:59:44 PM] Barry V: yeah two of the domains are owned by Sony
[11/25/2014 3:59:50 PM] Barry V: rest look like they got popped
[11/25/2014 4:00:04 PM] Barry V: that Brazilian one is named like a Moodle instance
[11/25/2014 4:00:08 PM] Barry V: so almost definitely popped
[11/25/2014 4:07:12 PM] ernie_liu: so iissvr.exe pulls the splash page and wav file from its own resources, ya?
[11/25/2014 4:07:20 PM] Barry V: yep
[11/25/2014 4:07:36 PM] ernie_liu: the PE time stamp of iisvr.exe is 2014-11-13T02:05:35Z
[11/25/2014 4:08:12 PM] ernie_liu: so either the timestamp was altered/not changed or those Sony owned sites hosting the data were popped as early as 2014-11-13T02:05:35Z
[11/25/2014 4:08:38 PM] Barry V: well the PE on the dropper is 2014 11 22 00:06:54 : pe:compiled
[11/25/2014 4:08:48 PM] ernie_liu: right
[11/25/2014 4:08:54 PM] Barry V: so it's possible they packaged up the defacement piece ahead of time?
[11/25/2014 4:09:33 PM] ernie_liu: ya - that is why i was confirming the html/wav was pulled from iissver
[11/25/2014 4:10:48 PM] Barry V: agh I see what you are saying - duh yeah they had to have had control of those servers since the 13th if they added those links to the resources
[11/25/2014 4:10:58 PM] ernie_liu: ^ yup
[11/25/2014 4:10:59 PM] Mike Opp: (nod)
[11/25/2014 4:11:44 PM] ernie_liu: so those pwned sony domains could have more evidence
[11/25/2014 4:11:53 PM] ernie_liu: did we ask for those already?
[11/25/2014 4:12:22 PM] Mike Opp: those were two that Marshall asked for i believe
[11/25/2014 4:38:21 PM] Barry V: TINYFUSE for the wiper, COUNTRYCROCK for the spreader/dropper
[11/25/2014 4:38:25 PM] Barry V: any objections?
[11/25/2014 4:39:30 PM] Mike Opp: just want to know why countrycrock?
[11/25/2014 4:39:45 PM] Barry V: it spreads like butter
[11/25/2014 4:39:55 PM] Barry V: the Darkseoul ones were called spread.exe
[11/25/2014 4:40:21 PM | Edited 4:40:27 PM] Barry V: but obv can call it whatever
[11/25/2014 4:40:29 PM] Mike Opp: i mean i can't believe it's not butter
[11/25/2014 4:45:49 PM] Will Matson: I passed these to Opp. Doesn't seem that we have any intel on them. But I'm running searches against one of the images right now.

\\%s%s\%s%s %scmd.exe /q /c net share shared$ /delete\\%s\admin$\syswow64\\%s\admin$\system32cmd.exe /q /c net share shared$=%SystemRoot%cmd.exe /q /c net share shared$=%SystemRoot% /GRANT:everyone,FULL\\%s\shared$\syswow64\\%s\shared$\system32\\%s\admin$RasSecruity%s%dRasMgrpcalc.exe212.31.102.10058.185.154.99200.87.126.116|igfxtrayex.exe%s|%s|%d %d.%d.%d.%dcmd.exe

212.31.102.100
58.185.154.99
200.87.126.116
[11/25/2014 5:01:25 PM] Barry V: memory strings?
[11/25/2014 5:01:50 PM] Will Matson: probably. This image was hit by the malware, so there is no file system structure
[11/25/2014 5:23:05 PM] ernie_liu: @Marshall: http://www.sonyrumors.net/2014/11/24/sony-mobiles-backup-restore-app-hacked-despite-reports/
[11/25/2014 5:24:41 PM] Barry V: [11/25/14, 5:24:23 PM] Barry V: misleading headline
[11/25/14, 5:24:26 PM] Barry V: fake app
[11/25/14, 5:24:27 PM] Barry V: boo
[11/25/14, 5:24:29 PM] Barry V: -100
[11/25/2014 5:25:16 PM] Barry V: It seems some Indian developer (Nirav Patel, though I’m sure that’s not their real name) has spoofed Sony’s design and created a fake app to make it look like Sony’s official app has been hacked. From there, the developer used Sony’s signature (com.sonymobile.synchub) and placed it within their app to make it appear as if it’s a preinstalled app. Unfortunately due to Google’s lax policies, the app was able to make it to the Google Play store front and be downloaded. For those who mistook the app to be real and downloaded it, there appears to be little repercussion as the app shows a package error.
[11/25/2014 5:25:34 PM | Edited 5:25:43 PM] Barry V: TLDR - spoofed app was available on the Google Play store
[11/25/2014 5:25:56 PM] ernie_liu: ya - we had one of the senior guys in the room asking about phone stuff
[11/25/2014 5:26:13 PM] Barry V: according to the article it's been taken down already
[11/25/2014 5:27:07 PM | Edited 5:27:18 PM] Barry V: How's it going over there?
[11/25/2014 5:27:11 PM] Barry V: spirits low?
[11/25/2014 5:29:04 PM] Mike Opp: we are the only ones in the room here....
[11/25/2014 5:29:08 PM] Mike Opp: if that tells you anything
[11/25/2014 5:29:11 PM] Barry V: ouch
[11/25/2014 5:29:15 PM] Barry V: they all go home?
[11/25/2014 5:29:22 PM] Barry V: or did they all quit
[11/25/2014 5:29:51 PM] Marshall Heilman: fired
[11/25/2014 5:30:35 PM] Mike Opp: @MATSON - DARK SEOUL MALWARE
Dropper1 9263e40d9823aecf9388b64de34eae54

Dropper2 b80153b66fdaafedfc0a65bcb940687d

Each dropper spawned 2 wipers, leaving us with 4 different wipers:
Wiper1: 5fcd6e1dace6b0599429d913850f0364

Wiper2: 530c95eccdbd1416bf2655412e3dddbe

Wiper3: db4bbdc36a78a8807ad9b15a562515c4

Wiper4: 0a8032cd6b4a710b1771a080fa09fb87
[11/25/2014 5:31:10 PM] Mike Opp: report on the linux malware
[11/25/2014 5:31:12 PM] Mike Opp: http://www.symantec.com/connect/blogs/remote-linux-wiper-found-south-korean-cyber-attack
[11/25/2014 6:42:02 PM] Mike Opp: older malware from June 2013 that has the RasSecruity & RasMgrp string + service name
[11/25/2014 6:42:04 PM] Mike Opp: 555668efc483813d2aca11ae3fa1a451
a6e06dbd6c877e6973419927626942b1
[11/25/2014 7:01:59 PM] ernie_liu: @Matson - DMIPLAEWH36
[11/25/2014 7:02:43 PM] ernie_liu: from the splash screen "http://dmiplaewh36.spe.sony[.]com/SPEData.zip"
[11/25/2014 7:09:55 PM] Marshall Heilman: shutdown -r -t 0
[11/25/2014 9:59:18 PM] Mike Opp: https://www.youtube.com/watch?v=V7ltuDNEJuc
[11/25/2014 9:59:26 PM] Mike Opp: might be relevant if you have 40 min to listen.....
[11/25/2014 10:00:44 PM] Mike Opp: Z:\MAKE TROY\, NOT WAR: CASE STUDY OF THE WIPER APT IN KOREA, AND BEYOND
On March 20th, 2013, shortly after 2PM, several South Korean financial institutions and TV networks were impacted by unknown malware, which wiped all the data off their computer hard drives before force-rebooting them, thereby sending them into the limbs.

That coordinated melt down was due to several dormant viruses, later deemed "Wiper", pre-set by their makers to wake up at 2pm. Much was speculated regarding how those were planted in the targeted networks in the first place. In this paper, we lift the lid on the initial infection vector: The targeted infrastructures were running a security management server, to coordinate patching policies across the corporate network from a central point. We demonstrate how the attackers compromised this server, and made it dispatch malicious updates to the computers under its rule.

We then examine several samples of Wiper used in the attack, and go through the relationships between them; at this point, we show that based on some distinctive characteristics, and the coding style of their author(s), they have ties to other APT cases, some of which we could trace back to 2009.
[11/25/2014 10:01:14 PM] ernie_liu: http://www.theverge.com/2014/11/25/7281097/sony-pictures-hackers-say-they-want-equality-worked-with-staff-to-break-in
[11/25/2014 10:02:06 PM] ernie_liu: "The hackers claim to have taken sensitive internal data from Sony. In the email, a hacker who identified as "lena" was vague about how the attack was carried out. "Sony doesn't lock their doors, physically, so we worked with other staff with similar interests to get in," lena writes. "Im sorry I can't say more, safety for our team is important [sic]." The phrasing is ambiguous, but it suggests that the hackers, if not colleagues of the hackers, claim to be employed by Sony in some fashion."
[11/25/2014 10:03:21 PM] Mike Opp: or are being held captive in Kim Jong Un's basement
[11/25/2014 10:05:06 PM] ernie_liu: Franco!!
[11/25/2014 10:05:37 PM] ernie_liu: Best publicity/marketing job ever
[11/25/2014 10:06:21 PM] Will Matson: if this turns out to be a marketing scam for The Interview..
[11/25/2014 10:07:46 PM] Mike Opp: I actually think this is a false flag campaign.... it's actually the Canadians. They are tired of America taking all their stars....Jim Carey, Seth Rogen, Justin Bieber, Jenny McCarthy, and the list goes on
  282. [7:12:41 AM] Marshall Heilman: gents, bad news. the VSYS-1 (sp?) system we've been seeing is a virtual instance of a Palo Alto. If there was a second virtual instance, it would be called VSYS-2, etc.
  283. [7:48:37 AM] Marshall Heilman: gents, ignore the email request to sync data. That was premature. We're trying to fix the process of sharing information so that one person from Mandiant (likely me) shares data with a single POC at SPE, that then distributes as ncessary.
  284. [7:56:22 AM] Marshall Heilman: @Will, Manny - please drop in here which systems you are starting to analyze
  285. [7:56:36 AM] Marshall Heilman: also, if we can, lets get Jake working on the linux image we have
  286. [7:59:03 AM] Marshall Heilman: we're now having calls twice daily - 7 AM and 2 PM, fyi
  287. [7:59:21 AM] Marshall Heilman: I'm going to try and get the dial-in info so we can dial-in remotely if necessary
  288. [8:05:46 AM] Mike Opp: @Marshall - How you want to handle the email from Leon?
  289. [8:05:56 AM | Edited 8:06:01 AM] Mike Opp: will we just share the SOD with them?
  290. [8:06:40 AM] Mike Opp: Also the NITRO runs aren't exactly what we needed and its hard to tell if thats due to the logs available or because of the way they queried for them......I am going to follow up on that this morning
  291. [8:17:11 AM] Marshall Heilman: side note - you saw my posting about VSYS, right?
  292. [8:17:22 AM] Marshall Heilman: there is definitely something scrwy about their logs which we're going to need to solve today
  293. [8:28:03 AM] Marshall Heilman: @Manny, Will, Jake - when performing forensic analysis lets look at scheduled task logs specifically.
  294. [8:28:42 AM] Marshall Heilman: The way the malware operates is that it runs once, combs through the list of configured systems for it to hit, then exits. So what we're hearing about users logging on and immediately becoming infected doesn't jive with the malware functionality.
  295. [8:29:34 AM] Marshall Heilman: so either 1) GPOs were used to push some malware 2) scheduled tasks were created to frequently run the malware 3) the attacker ran the malware manually multiple times, or 4) the timing was just coincidental and did not happen as we're being led to believe.
  296. [8:30:00 AM] Marshall Heilman: also, no one on the phone this morning seemed to know anything about the "kernel-level module loading of index.wav files on Solaris systems"
  297. [8:30:13 AM] Marshall Heilman: so I think that is going to be a dead end until we look at the Solaris system we've been promised
  298. [8:30:45 AM] Marshall Heilman: Please make sure we drop all new indicators into the chat with the gsirt team so they are kept up to date. They are supposed to do the same with us
  299. [8:31:28 AM] Marshall Heilman: and on a whiny note. For whatever reason they didn't bring breakfast in today.... And I decided to skip breakfast relying on them having something :(
  300. [8:31:42 AM] kevinalbano: they're keeping you on your diet
  301. [8:32:37 AM] Marshall Heilman: I didn't ask them to do that for me
  302. [8:48:10 AM] Will Matson: @Marshall, idk if this was one of your items you were trying to remember last night, but we definitely wanted to speak with the guy who was a victim of the wire transfer fraud - to get a timeline of his password change and wire transfers. He never came by yesterday
  303. [8:49:03 AM] Marshall Heilman: SPE decided to image his Mac and will analyze it themselves for now
  304. [8:49:43 AM] Marshall Heilman: btw - we did not talk about NTAP or Redline. The timing wasn't right. Apparently they are going to be implementing something called "Paradigm" as network sensors. They are working on it right now. I want to find out more about this device before we push our own agenda.
  305. [8:55:55 AM] Mike Opp: @Marshall -
  306. Just another note of NTAP vs. BRO - if we deploy our own NTAP sensors it would have been able to see the internal SMB traffic related to this which would have led to a faster investigation. That could potentially be good for once they connect back incase there are additional systems trying to spread
  307. [8:57:03 AM] Mike Opp: another benefit would be the net flow plus our own HTTP logs that are trustworthy
  308. [9:13:00 AM] Mike Opp: Going through the NITRO results for the externals that Will obtained from forensics....that traffic all starts at 1500 GMT on the 24th lining up with the other activity.
  309. [9:14:06 AM] Mike Opp: but the traffic continued past the point of when they took down the network which is a bit confusing from these results
  310. [9:14:29 AM] Mike Opp: 11/25/14 5:05 < last allowed connection time stamp to 200.87.126.116
  311. [9:21:37 AM] Mike Opp: it is like that for all the 3 IPs Matson found yesterday
  312. [9:21:46 AM] Mike Opp: ill combine into one sheet to analyze
  313. [9:37:39 AM] Mike Opp: @Marshall - was there an update if they obtained the hostname UKLONEXT-XMSGV ?
  314. [9:38:22 AM] ernie_liu: hold on Opp
  315. [9:38:33 AM] Mike Opp: thx Ernie
  316. [9:44:45 AM] ernie_liu: UKLONEXT-MSGV has been imaged by UK team
  317. [9:44:58 AM] ernie_liu: they are loading to the GSIRT(?) lab in UK
  318. [9:45:12 AM] ernie_liu: once it is loaded, I have asked them to fedex the image copy
  319. [9:45:25 AM] ernie_liu: they will be running the keywords we provided on the image
  320. [9:46:03 AM] ernie_liu: the labs dont talk to each other so we cant drive from this SPE lab
  321. [9:46:26 AM] ernie_liu: so we may need to send the UK team carving scripts or anything that can run while we wait for the shipment
  322. [9:47:01 AM] ernie_liu: they are running the keywords and will provide us the csv of hits. I told them that may be too huge anyway so we'll see
  323. [9:48:33 AM] ernie_liu: @Opp - did you ever get a reply from 'vikspe@gmail.com' on the IP lookup email I sent?
  324. [9:48:40 AM] ernie_liu: he says he replied but I dont see it
  325. [9:48:47 AM] Mike Opp: i never got that...
  326. [9:48:52 AM] ernie_liu: that could help us with the vsys1 problem
  327. [9:57:52 AM] ernie_liu: [8:28 AM] Marshall Heilman:
  328.  
  329. <<< The way the malware operates is that it runs once, combs through the list of configured systems for it to hit, then exits. So what we're hearing about users logging on and immediately becoming infected doesn't jive with the malware functionality.So maybe it is a timing thing because the malware keeps copying itself when it succesfully connects, right. And the list of targets is hardcoded so every infected machine would be trying every other infected machine (in its list). So once a user logson/powers-on, now that system is avaialble to be pwned
  330. [10:04:51 AM] Marshall Heilman: that is certainly a possibility
  331. [10:05:10 AM] Marshall Heilman: another thing we can do is write an good keyword to search for data contained within net_ver.dat
  332. [10:05:42 AM] Marshall Heilman: I couldn't find anything that stated the net_ver.dat files were overwritten, so it's possible that one of those files exists on every compromised system, along with the status (success or failed)
  333. [10:05:45 AM] Marshall Heilman: thoughts on this approach?
  334. [10:10:57 AM] ernie_liu: ya - could be good
  335. [10:12:12 AM] ernie_liu: good idea - the net_ver format should be consistent across (be hostname | IP | [1,2] | newline or whatever)
  336. [10:18:07 AM] ernie_liu: Just FYI so we can keep on radar: I am having them (David) check to see if they can access the McAffee management console in case McAfee got the malware thru an automatic detection/upload
  337. [10:18:38 AM] Marshall Heilman: good call
  338. [10:19:20 AM] Barry V: do we know specifically which MD5s Mcafee flagged on?
  339. [10:20:09 AM] ernie_liu: i dont think so. Unless it is contained in the extra.dat
  340. [10:22:57 AM] Mike Opp: i didn't see it in the extra.dat file
  341. [10:23:23 AM] Mike Opp: just know it hit on sig "Trojan-FFIP"
  342. [10:28:16 AM] ernie_liu: you gotta use a McAffee instance to load the extra.dat
  343. [10:28:35 AM] ernie_liu: (or a tool to do the same)
  344. [10:29:00 AM] ernie_liu: dunno if they normally have the hash/sig info anyway or if it goes back out to Mcafee to get it if it is a corp instance
  345. [10:33:58 AM] Will Matson: working thru DMIPLAEWH36
  346.  
  347. "At1.job" (wininit.exe)
  348. Started 11/24/2014 6:11:00 AM
  349. "At1.job" (wininit.exe)
  350. Finished 11/24/2014 6:18:55 AM
  351. Result: The task completed with an exit code of (0).
  352. [10:34:48 AM] ernie_liu: nice
  353. [10:34:49 AM | Removed 10:36:21 AM] Will Matson: This message has been removed.
  354. [10:35:15 AM | Edited 10:35:35 AM] ernie_liu: when is that AT job when converted to UTC?
  355. [10:35:54 AM] Will Matson: 11/24/2014 14:11:00
  356. [10:36:16 AM] Will Matson: err. wait. Sorry let me correct what I just said
  357. [10:37:04 AM] Will Matson: The job starts roughly 7 minutes before the last written time to SPEData.zip. And runs for approx. 8 min
  358. [10:37:29 AM] Will Matson: SPEData.zip was created 6 hours prior (which I think is our earliest definitive time right now)
  359. [10:37:41 AM] Will Matson: 11/24/2014 08:38:57 Created E:/Apache24/htdocs/SPEData.zip
  360. [10:37:58 AM] Will Matson: 11/24/2014 14:11:00 Started "At1.job" (wininit.exe)
  361. [10:38:16 AM] Will Matson: 11/24/2014 14:18:08 Entry Modified E:/Apache24/htdocs/SPEData.zip
  362. [10:38:27 AM] Will Matson: 11/24/2014 14:18:55 Finished "At1.job" (wininit.exe)
  363. [10:41:43 AM] ernie_liu: so they had what they wanted then released the wiper malware - makes sense
  364. [10:42:17 AM] ernie_liu: and kind of goes back to what i was saying about the PE date time of iisvr.exe: 11/13/2014 2:05:35 AM
  365. [10:43:24 AM] ernie_liu: if that date is accurate, and iisvr.exe lists your server in its html resource for the splash screen then they owned that system at least as early as 11/13
  366. [10:50:31 AM] Will Matson: It looks like they may have tampered with the Security event logs (conjecture), but 0 entries load in Event Log Explorer and Native Windows says its corrupt. Backup log only covers up til Nov 22
  367. [10:53:08 AM] Will Matson: 11/13/2014 01:58:06
  368. Type 3 logon from 208.84.227.224
  369. [10:53:17 AM] Will Matson: @intel ^^
  370. [10:53:24 AM] Barry V: yerp
  371. [10:53:35 AM] Marshall Heilman: that is an SPE IP
  372. [10:53:37 AM] Marshall Heilman: :(
  373. [10:53:45 AM] Will Matson: boo
  374. [10:53:52 AM] Barry V: yeah - Ventura CA
  375. [10:53:57 AM] Marshall Heilman: and we can't guarantee that it is an external IP either, the way things are here
  376. [10:54:09 AM] Marshall Heilman: but we should definitely ask them to chase that down
  377. [10:54:40 AM] Barry V: do you guys have their whole IP space? - they have a whole AS so I can try to get all the net blocks assigned to it if you need it
  378. [10:55:00 AM] Will Matson: ehh, looks like that IP logs in a lot
  379. [10:58:03 AM] Mike Opp: we don't have their whole IP space
  380. [10:58:16 AM] Mike Opp: we have some ranges figured out but their NAT'ing is weird on certain ranges
  381. [10:58:42 AM] *** Marshall Heilman added Chris DiGiamo ***
  382. [10:58:54 AM] Marshall Heilman: Deeg is going to help w/ the forensic analysis as well
  383. [10:59:00 AM] Marshall Heilman: @Matson - please hook him up
  384. [10:59:07 AM] Marshall Heilman: @Ernie - can you bring Deeg up to speed?
  385. [10:59:08 AM] Chris DiGiamo: :)
  386. [11:01:42 AM] Mike Opp: (wave)
  387. [11:12:00 AM] ernie_liu: @Marshall - can't talk to Deeg just yet. talking w/ these guys and we may be getting more malware. hopefully not the same one we keep getting. And prob not the McAfee one
  388. [11:12:15 AM] ernie_liu: @Barry - is it too late to get joycebot in here?
  389. [11:12:16 AM] Marshall Heilman: ok
  390. [11:12:19 AM] Marshall Heilman: moar malware is always good
  391. [11:12:31 AM] Mike Opp: it is because the chat rooms with the bot are pre set up
  392. [11:12:38 AM] Mike Opp: we would have to move the entire chat into a new room to do that
  393. [11:12:47 AM] Mike Opp: if you want to do that we can... its up to you guys
  394. [11:12:54 AM] Chris DiGiamo: we'll have to do with albanobot
  395. [11:13:08 AM] Mike Opp: @Albanobot drink (beer)
  396. [11:13:32 AM] Barry V: yeah - I can set up a new room with the bot - now might be the best time since Deeg just got added
  397. [11:14:01 AM] Chris DiGiamo: (heidy)
  398. [11:16:56 AM] Will Matson: so long as we can blame Deeg for moving the chat and not use him as a good excuse, I'm okay with it
  399. [11:17:07 AM] Mike Opp: setting it up now
  400. [11:20:33 AM | Edited 11:20:59 AM] Barry V: following net blocks are assigned to AS19419 (Sony Pictures Entertainment)
  401.  
  402. 173.251.240.0/21 Sony Pictures Entertainment Inc 2,048
  403. 173.251.240.0/24 Sony Pictures Entertainment Inc 256
  404. 173.251.248.0/22 Sony Pictures Entertainment Inc 1,024
  405. 185.64.36.0/22 Columbia Pictures Corporation 1,024
  406. 208.84.224.0/22 Sony Pictures Entertainment Inc 1,024
  407. 208.84.224.0/23 Sony Pictures Entertainment Inc 512
  408. 208.84.227.0/24 Sony Pictures Entertainment Inc 256
  409. [11:21:19 AM] Mike Opp: also that weird 43.130.141.0/24 range
  410. [11:21:55 AM] Barry V: Japanese network
  411. [11:22:01 AM] Barry V: let me see what I can get there
  412. [11:22:28 AM] Mike Opp: it's weird bc the hosts for this are in SD
  413. [11:22:35 AM] Mike Opp: and the NAT is weird for it
  414. [11:22:45 AM] Barry V: sounds like their NAT is all public IPs
  415. [11:22:48 AM] Mike Opp: yep....
  416. [11:22:56 AM] Barry V: we saw that in the Japanese network for 17 stuff too
  417. [11:23:06 AM] Mike Opp: yep but not SPE
  418. [11:23:11 AM | Edited 11:23:19 AM] Mike Opp: it was electronics i believe
  419. [11:24:30 AM] Barry V: do we know how inter-connected the networks are?
  420. [11:24:44 AM] Mike Opp: not atm
  421. [11:26:50 AM] Marshall Heilman: @Ernie - I'm expecting Courtney to drop off the contract sometime soon
  422. [11:26:55 AM] Marshall Heilman: please let me know once you have it
  423. [11:38:06 AM] Mike Opp: chat set up with Bot
  424. [11:38:11 AM] Mike Opp: i think i got everyone in it
  425. [11:50:39 AM] ernie_liu: @Marshall - some lady came by looking for you. She wouldn't tell me what it was nor would she give me the papers. I must look shady. But was probably the contract