To protect your data throughout its life cycle, new UBA (User Behavior Analytics) threat models have been created, based on the main stages of the infrastructure penetration chain.
What does this mean? Let's look at the anatomy of hacking.
How did the Sony hack happen?

Here is what we know for certain: a group called Guardians of Peace (GoP) claims to have obtained more than 100 terabytes of company data. The Wiper malware was used to erase data from servers. A shocking amount of unstructured data was published, ranging from 47,000 social security numbers (SSNs) to 170,000 e-mails and chats between executives.
Let's go through the chain of penetration actions and find out how this happened step by step.
Reconnaissance
The hackers used phishing emails, in this case spoofing the Apple ID site. This gave the attackers access to personal information and passwords, which, combined with public information from sources such as LinkedIn and Facebook, gave them enough information to access the company's corporate network.
Infrastructure scanning software was possibly used next. Ultimately, the attackers had a detailed diagram of the corporate network, compiled from the documents they found.
Penetration
Wiper malware was placed on the servers (using employee credentials sufficient to run it). Wiper destroys data on Windows servers while simultaneously spreading across the network to attack other servers. According to the latest data, the penetration occurred more than a year before it was discovered.
Spread
The attackers scanned the server for files containing credentials that would let them spread further or escalate their privileges. They went on to discover a huge number of files (most of them even named “password”) containing user names and passwords for everything from internal corporate systems to Twitter accounts. For example, one document from the HR \ Benefits directory contained 402 lines for each employee: social security number, internal email address, password and employee name.
Privilege escalation
Through reconnaissance and the spread of the malware, the attackers found whole troves of passwords, which gave them enough access to take over the infrastructure. They were even able to obtain security certificates and RSA token information, which greatly strengthened their position. Later, Destover malware was discovered, which used stolen Sony certificates.
Data leakage
Hundreds of gigabytes of sensitive data were published, most of it unstructured data (PDF files, Word documents, Excel spreadsheets, PowerPoint presentations, text files, video files, e-mail, etc.) containing personal information of celebrities and current / former employees, as well as confidential documents containing budgets, development plans, future films and internal correspondence.
Now what?
To this day, Sony is still dealing with the devastating effects of the hack. Business operations were disrupted, its reputation was damaged, and millions of dollars have been allocated to settle claims over the theft of personal data.
The reason is that no one was monitoring the company's unstructured data when the hackers got into the corporate network.
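The "Spread" stage above depended on plaintext credential files sitting on file shares. The following Python audit is an added example, not part of the original article and not any vendor's code: it flags such files by name and by content, and its regexes, extension list and sample share are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristics chosen for this example (assumptions, not a vendor rule set).
NAME_HINT = re.compile(r"passw(or)?d|credential", re.I)
SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PW_FIELD = re.compile(r"\b(?:password|passwd|pwd)\b\s*[:=,\t]\s*\S+", re.I)
TEXT_EXT = {".txt", ".csv", ".ini", ".cfg", ".log"}
MAX_CHARS = 1_000_000  # cap per-file read so huge files cannot stall the scan

def scan_file(path):
    """Return the reasons a file looks like a plaintext credential store."""
    reasons = ["name"] if NAME_HINT.search(path.name) else []
    if path.suffix.lower() in TEXT_EXT:
        with path.open(encoding="utf-8", errors="replace") as fh:
            text = fh.read(MAX_CHARS)
        for label, rx in (("ssn", SSN), ("password-field", PW_FIELD)):
            if hits := len(rx.findall(text)):
                reasons.append(f"{label}:{hits}")
    return reasons

def audit_share(root):
    """Map relative path -> reasons for every flagged file under root."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        try:
            reasons = scan_file(path) if path.is_file() else []
        except OSError:
            continue  # unreadable file: skip it and keep scanning
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings

def demo():
    samples = {  # constructed sample share; every name and value is made up
        "HR/Benefits/passwords.csv": "name,email,password,ssn\n"
        "Jane Doe,jdoe@example.test,Summer2014!,123-45-6789\n"
        "John Roe,jroe@example.test,Winter2014!,234-56-7890\n",
        "IT/notes.txt": "twitter account\npassword = hunter2\n",
        "Finance/Password list.xlsx": "PK",  # binary type: name check only
        "Marketing/plan.txt": "Release schedule for upcoming titles.\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return audit_share(root)
```

Call audit_share() on a share root to run the same checks; the hits are triage leads, since name and regex heuristics produce false positives.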