
The New Wave of Cyber Terror in the Korea Financial Sector · 2016-10-23 · CYBER TERROR TIMELINE...

Date post: 28-May-2020

PACSEC TOKYO 2016 - Applied Security Conferences and Training in Pacific Asia

The New Wave of Cyber Terror in the Korea Financial Sector

Kyoung-Ju Kwak (郭炅周) CEAT (Computer Emergency Analysis Team) @ Korea Financial Security Institute

[email protected]


About Me

Kyoung-Ju Kwak @ CEAT-FSI

Member of National Police Agency Cyber-crime Advisory Committee

Education

•  Bachelor’s Degree in Computer Science, SungKyunKwan University

•  Master’s Degree in Computer Science, SungKyunKwan University

Highlighted Talks

•  The Vulnerability of Portal Sites and Online Music Service @ National Security Research Institute

•  The Case study of Incidents in Korea Financial Sector @ International Symposium on Cyber Crime Response

•  Overview of Data Breach from Korea Well-known Online Mall @ CONCERT


Agenda

1.  History of Cyber Terror in South Korea

2.  Recent Cases

3.  Association Analysis

4.  Conclusion


1. History of Cyber Terror in South Korea


CYBER TERROR TIMELINE

2009.7.7 DDoS against Government (CheongWaDae(Bluehouse), etc)

2011.3.4 DDoS against Government, Financial Companies and Internet Companies

2011.4.12 APT, NHBank

2013.3.20 APT, Broadcasting Companies, Major Banks

2013.6.25 DDoS, Government and Media

2014.12.9 APT, (KHNP) Korea Hydro and Nuclear Power

2014.12.24 APT, Sony Pictures

2015.10 APT, Seoul Metro


2. Recent Cases


Recent Malware & Vulnerabilities Detection (in 2016)

15. Feb: Malware compromising well-known DRM Solution

16. Feb: Malware using valid code-signing certificate of well-known Security Solution Provider #1

4. Mar: Vulnerability of well-known DLP Solution

9. Mar: Malware using valid code-signing certificate of well-known Security Solution Provider #2

23. Mar: Vulnerability of well-known IT Asset Management System

•  All of the malware and vulnerabilities are connected to the same cyber terror operation

•  All of the vulnerable solutions are installed at many companies (government, financial, media, etc.) in South Korea


(15. Feb) Malware compromising well-known DRM Solution

Disclosure at Conference


(23. Mar) Well-known IT Asset Management System Vulnerability

Disclosure at Conference


(16. Feb) Malware using valid Code-signing certificate of well-known Security Solution Provider #1

Disclosure at Conference


(4. Mar) Well-known DLP Solution Vulnerability

Disclosure at Conference


(9. Mar) Malware using valid Code-signing certificate of well-known Security Solution Provider #2

Disclosure at Conference


Recent Investigation

•  GHOSTRAT Operation

Connected Malwares & Vuln

1.  Malware compromising well-known DRM Solution

2.  Well-known IT Asset Management System Vulnerability

•  Unnamed Operation

Connected Malwares & Vuln

1.  Malware using valid Code-signing certificate of well-known Security Solution Provider #1

2.  Well-known DLP Solution Vulnerability

3.  Malware using valid Code-signing certificate of well-known Security Solution Provider #2


GHOSTRAT Operation

Disclosure at Conference


Unnamed Operation

Disclosure at Conference


Online Mall Personal Data Breach (Jul 2016)

Disclosure at Conference


3. Association Analysis


How to Connect between GHOSTRAT & Unnamed Operation

Disclosure at Conference


How to Connect between Sony Pictures & Online Mall Case

Disclosure at Conference


4. Conclusion

Characteristics of their attack

•  They don’t care about the size of the company

•  They research 0-days, especially in 3rd-party security solutions

•  They silently scan vulnerable ports to search for targets

What we have to do

•  Share Threat Intelligence (most important)

•  Develop Profiling Technique


Q & A [email protected]


Thanks

