Last week, researchers discovered data-wiping malware spreading across South Korea that was targeted at wiping out PCs, especially in major banks and TV stations. Reports initially suggested that North Korea or China had launched the cyberattack; however, speculation has now turned to the US and Europe. The latest theory is that administrator, or privileged, login credentials were stolen from South Korean security firm AhnLab as part of a widespread targeted attack.
Regarding this, Matt Middleton-Leal, UK & Ireland regional director at Cyber-Ark, made the following comments:
“The data-wiping malware that hit South Korean TV stations and banks is the latest example of the pervasiveness of privileged account vulnerabilities and showcases why these high-value accounts are continually under attack by cyber-criminals around the world. According to a recent report, the serious attacks carried out on South Korea were precipitated by hackers obtaining an 'administrator login to a security vendor’s patch management server via a targeted attack.' The attackers then apparently created malware that resembled a normal software update, tricking unsuspecting organisations into infecting their systems with this fake update.
“Privileged accounts have typically only been thought of as the powerful IT administrator or super-user accounts. This old notion ignores the reality that the use of privileged accounts has expanded significantly throughout the enterprise. Privileged accounts include default and hardcoded passwords, application backdoors, and more. These accounts exist everywhere – in servers, network devices, applications and elsewhere. And in this case, in security patch management systems designed to help organisations stay secure and updated with the latest patches.
“Organisations need to expand their view of privileged accounts and start to proactively secure them by first identifying every one of these powerful accounts in their organisation. Cyber-attackers know these weak spots exist and will do anything to gain access to these accounts. We need to assume that the attackers are already on the inside and cut off the paths they travel so they can’t traverse our networks, steal information or plant logic bombs such as this.”