Last week we discussed the SK Communications data breach where a large number of user accounts in South Korea were exposed. The scope appears to be bigger than initially reported, as ESTsoft, a South Korean company that develops software (including antivirus, compression utility software, etc.), came forward with a public notice disclosing that one of their update servers was compromised.
According to the above advisory, a vulnerability in a common DLL update module allowed the attacker to drop a malicious file (BKDR_SOGU.A, the same file discussed in the entry Analysis of BKDR_SOGU.A, a Database-Accessing Malware) onto the affected computers. In other words, the update channel itself, which the endpoints trusted, became the delivery path for the malware.
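The page does not say how the ESTsoft update module decided whether a downloaded update was genuine, so the following is an added example, not code from ESTsoft, Trend Micro or the original post. It shows the defensive check an update client needs so that a compromised update server alone cannot push arbitrary files: the client pins the vendor's public key, the vendor signs a manifest offline, and the client verifies both the manifest signature and the payload hash before writing anything to disk. The manifest layout, the `Demo` function and the sample payloads are constructed for the illustration; the signing keys are generated in-process only to keep the example self-contained.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical signed description of one update package.
// The vendor signs Bytes() offline; the client never trusts the server's word alone.
type Manifest struct {
	Version    string
	PayloadSHA string // hex SHA-256 of the update payload
}

// Bytes gives the canonical form that is signed and later verified.
func (m Manifest) Bytes() []byte {
	return []byte(m.Version + "\n" + m.PayloadSHA + "\n")
}

// SignedUpdate is what the client fetches from the update server.
type SignedUpdate struct {
	Manifest  Manifest
	Signature []byte
	Payload   []byte
}

var (
	ErrBadSignature    = errors.New("manifest signature does not verify against pinned vendor key")
	ErrPayloadMismatch = errors.New("payload hash does not match the signed manifest")
)

// VerifyUpdate is the client-side check: signature first, then payload hash.
// A server that was compromised but never held the offline signing key cannot
// produce a manifest that passes the first test, and swapping the payload
// behind a genuine manifest fails the second.
func VerifyUpdate(pinnedKey ed25519.PublicKey, u SignedUpdate) error {
	if !ed25519.Verify(pinnedKey, u.Manifest.Bytes(), u.Signature) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(u.Payload)
	if hex.EncodeToString(sum[:]) != u.Manifest.PayloadSHA {
		return ErrPayloadMismatch
	}
	return nil
}

// BuildUpdate models the vendor's offline signing step (constructed for the demo).
func BuildUpdate(priv ed25519.PrivateKey, version string, payload []byte) SignedUpdate {
	sum := sha256.Sum256(payload)
	m := Manifest{Version: version, PayloadSHA: hex.EncodeToString(sum[:])}
	return SignedUpdate{Manifest: m, Signature: ed25519.Sign(priv, m.Bytes()), Payload: payload}
}

// Demo exercises three cases: a genuine update, a payload swapped on the server
// behind the genuine manifest, and a manifest re-signed with an attacker's own key.
func Demo() (genuine, swapped, resigned error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	good := BuildUpdate(priv, "1.0.1", []byte("constructed benign update payload"))
	genuine = VerifyUpdate(pub, good)

	// Case 2: the server was compromised and now serves a different file
	// under the vendor's still-valid manifest.
	tampered := good
	tampered.Payload = []byte("constructed payload planted on the compromised server")
	swapped = VerifyUpdate(pub, tampered)

	// Case 3: the intruder signs a fresh manifest for the planted payload,
	// but only with a key the client has never pinned.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := BuildUpdate(attackerPriv, "1.0.1", tampered.Payload)
	resigned = VerifyUpdate(pub, forged)
	return genuine, swapped, resigned
}

func main() {
	g, s, r := Demo()
	fmt.Println("genuine update:        ", g)
	fmt.Println("payload swapped:       ", s)
	fmt.Println("re-signed by attacker: ", r)
}
```

In a real client the private key never exists on the update server or on the endpoint; only the public key ships with the product, ideally alongside a version check so that an attacker cannot replay an older, genuinely signed but vulnerable update.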
ESTsoft already released a patch on August 4th and pushed it as an update. They also stressed that they are cooperating and working closely with South Korean law enforcement to understand the cause and extent of the said compromise.
As of today, the details of the attack are still incomplete, but the above suggests that ESTsoft is one possible infection vector, among others, that may eventually have led to the SK Comms data breach. With this development, the compromise of not one but several companies indicates that this might not have started as a targeted attack against one specific company. The attacker may first have launched a wide range of initial attacks as a reconnaissance step to find vulnerable public-facing interfaces, while at the same time assessing whether those vulnerable interfaces would be useful. In this case, ESTsoft proved useful as a possible infection vector for hosting the malicious file, while the SK Comms data breach yielded rich information that can be put to further use in cybercrime activities.
Higher Security Demands for Enterprises
We already know how high-profile and data-sensitive/data-dependent enterprises need to change their security mindset. Conventional endpoint protection does not block unknown new malware.
On the other hand, even purchasing the most high-end security information and event management solutions and having several staff watch the logs every minute of every day will not guarantee a threat-free environment if those solutions do not reflect the actual malware infection status of the endpoints.
This security incident has shown us how things are done in South Korea. The South Korean government is now studying the need to change the method by which personal information is currently verified online: the government requires users to give their real name, real social ID and phone number, and cross-references these to verify the online identity.
Also, more and more South Korean local enterprises have started to increase their security budgets.