S. Korea Says Cyber Attack From North Wiped 48,700 Machines

wiredmikey writes "An official investigation into a major cyber attack on South Korean banks and broadcasters last month has determined that North Korea's military intelligence agency was responsible. An investigation into access records and the malware used in the attack pointed to the North's military Reconnaissance General Bureau as the source, the Korea Internet and Security Agency (KISA) said on Wednesday. To spread the malware, the attackers went through 49 different places in 10 countries including South Korea, the investigation found. The attacks used malware that can wipe the contents of a computer's hard disk (including Linux machines) and damaged 48,700 machines including PCs, ATMs, and servers."

Civillian cyber-casualties

[Toe, The]

Just makes me wonder what war is turning into. Instead of bombing cities, I can see nations targeting unprotected civilian computers in enemy nations. Massive destruction ensues, even though it's imprecise. In other words: bombing, but without all the mess.

Re:Civillian cyber-casualties

[Anonymous Coward]

Speaking as a civilian, I'd much rather prefer to both be alive and not have my livelyhood threatened, thanks. That's the worst false dichotomy I've heard all week and you should feel bad.

Re:Civillian cyber-casualties

[KGIII]

What I find amazing is that NK is technologically capable of causing that amount of damage both in terms of technology and infrastructure. I didn't believe they'd get enough bandwidth by using the soldiers to manually hand off the packets. I figured they'd be too busy eating grass and tree bark really.

Okay, okay. So I'm only a little kidding. I'm still surprised they had the tech chops to pull that off OR that they were so poorly defended. It could go either way I suppose.

Re:Civillian cyber-casualties

[Anonymous Coward]

If this is the evolution of war, then war has evolved to something that is distinctly more friendly to humanity.

Your point is that war is bad. Sure it is. But the actual point is this type of war is less bad.

Re:Civillian cyber-casualties

[tqk]

But I'm sure most civilians prefer an empty computer rather than being dead.

Most civillians are ignorant morons wrt computers. If that empty computer was used to locate (see story yesterday) the poorly secured, net connected SCADA box that controls the spillways of the hydroelectric dam upstream of your place, an empty computer is the least of your worries.

Suicide by Cop?

[Anonymous Coward]

It occurs to me that the North Korean regime is probably secretly very unpopular in North Korea, even among top military and government officials but the officials are too distrustful of each other to scheme together against the regime. So perhaps their current belligerence is actually their way of trying to end their own regime - they advocate seemingly patriotic actions such as attacking/threatening the rest of the world - while their true intention is to provoke the world into destroying their regime. Once an international force attacks, the officials go into hiding and decline to fight, allowing an international peacekeeping force to take over, like what happened in Iraq during the first gulf war.

"PermitRootLogin yes" fixes it .. or not

[Sloppy]

If I understand correctly (do I?) the way it attacked Linux systems was that some people use a ssh client, where they literally have a preference or setting stored, for logging into the Linux machine as root. User clicks something (which does the equivalent of "ssh root@whatever" and the software automatically supplies a key or passphrase) and the next thing they see is a root bash prompt. Wow.

If that's right, then assuming your Linux machines still have

PermitRootLogin no

in /etc/ssh/sshd_config, then your setup isn't compatible with this malware. You'll need an updated version of this malware.

All machines should have "PermitRootLogin no" and if yours doesn't, you're doing something very very strange. Maybe you should go check that, right now. It'll take .. seconds.

That said, things still aren't very rosy. Presumably the user of this ssh client would also have non-root passwords or keys stored too, to get non-root access. But how many of us usually login as a user with some sudoers powers? And how many of us have a very lazy sudoers configuration, where you're literally allowed to just do "sudo -s" and get a root shell, by only having to type in your password again?

So my earlier "joke" about you needing an updated version of malware, might not really be all that much of a joke.

Tighten up your sudoers file if you can. And whether you can or not, have ssh use key authentication instead of password authentication, so that no remote clients can, or need to, have your password stored in them.

Problem fixes itself

[gnasher719]

All the vulnerable machines were wiped. So now there are no vulnerable machines anymore. Second attack will be much harder. And the percentage of Korean users doing proper backups will probably be growing :-) (Not that I'm saying people in Korea are more negligent with backups than others).

Re:Civillian cyber-casualties

[NeverVotedBush]

Consider a live CD for the system connected to the net, and another PC (if necessary) that is isolated.

Re:Civillian cyber-casualties

[jabuzz]

Yeah just look at what happened at Royal Bank of Scotland last year. Some people at Ulster Bank (a subsidiary of RBS) where unable to access their account for the best part of a month.

http://en.wikipedia.org/wiki/2012_RBS_computer_system_problems [wikipedia.org]

Now imagine that every bank is in the same situation as RBS along with VISA and Mastercard.