A Look At Sony Wiper In Action

Published: 22/11/2024   Category: security



CrowdStrike demonstrates how attackers could have destroyed Sony's assets, and how behavior analysis could have disrupted the attack.



CrowdStrike today gave a public demonstration of the wiper malware that swept Sony Pictures Entertainment's IT infrastructure clean, showing how it could have been deployed and distributed, and how a behavior-based security tool such as its Falcon product could disrupt the attack.
One of the malware's most telling features is that it had the exact names of Sony's file servers hard-coded into it, a sign of how closely it was tailored to its target. To run the demo, CrowdStrike researchers Dmitri Alperovitch and Elia Zaitsev therefore built a test environment and gave its infrastructure components the same names Sony used. They also made small modifications to the wiper, for example removing its sleep commands so that it would not pause mid-demo. Those minor changes altered the binary enough that signature-based anti-malware tools no longer detected it, a reminder of how brittle hash- and pattern-based detection is.
It is still not known how the attackers initially broke in. For the demonstration, the researchers exploited a web server via SQL injection and then implanted a small 7-character webshell called China Chopper. Regardless of how the attackers got in (SQL injection, spear-phishing, or something else), the next step was to escalate privileges by hunting for administrator credentials.
To do so, the attacker uploaded tools to a folder the originally compromised account could write to, among them Mimikatz, a credential-theft program that reads account secrets straight out of memory on a compromised host rather than guessing them. Mimikatz then dumped all sorts of credentials, including admin accounts with very complex passwords, again showing that password strength is irrelevant once attackers are inside and going through the back door instead of brute-forcing the front.
The researchers recommend focusing defensive efforts on this privilege escalation stage. If you can detect and stop the theft of administrator credentials, they say, you can stop attackers in their tracks and contain them so that they cannot move laterally through the network. Further, admin credentials are usually stored in only a few places, which makes this stage a manageable point on which to concentrate detection.
The first time they ran the demo they simply tracked the suspicious activity, which the Falcon tool detected and reported in real time. The second time they also used the tool to shut down the suspicious processes. This behavior-based approach, looking for privilege escalation techniques however they are carried out rather than for specific tools, is becoming more important, they say, as attackers move away from custom malware and start abusing legitimate applications and functions for nefarious purposes.
In the demo, once the attacker had obtained admin credentials, they mounted a file share to exfiltrate data, then set the wiper to work: it copied itself across the network and destroyed everything in its path, including the master boot record.
It then launched a web server hosting the threat page (the red skeleton image, machine-gun sound effects, and warning message); whenever a user tried to open a browser, this page loaded instead.
The wiper forced a reboot of every infected machine after two hours. On reboot, all that appeared was a plain black screen and an "operating system not found" message, more terrifying than a red skeleton.
CrowdStrike's recommended countermeasure is to look for indicators of attack: watching, in real time, for the effects of what malware does instead of for the malware itself. An archived version of the demo is at crowdstrike.com/corporate-destruction.