On the anniversary of the start of the Korean War, the DarkSeoul cyber gang launched an orchestrated attack against a number of government sites and servers.

How do you mark the anniversary of the start of the Korean War? Well, if you’re Anonymous and the DarkSeoul Gang, you apparently “celebrate” by re-enacting the hostilities in cyber space.

Early in the morning on June 25, the website of the Blue House (the South Korean equivalent of the White House in the United States) and those of key government agencies in South Korea were targeted by attacks from the DarkSeoul gang. Apparently, the attacks were a retaliatory move prompted by similar attacks by Anonymous against North Korean targets. The attacks included website defacement and distributed denial of service (DDoS) attacks, and in some cases led to the personal data of South Korean government employees being compromised.

According to a Symantec blog post, “The attacks conducted by the DarkSeoul gang have required intelligence and coordination, and in some cases have demonstrated technical sophistication. While nation-state attribution is difficult, South Korean media reports have pointed to an investigation which concluded the attackers were working on behalf of North Korea.”

The South Korean government raised its cyber alert threat level. It was a brief barrage, though, and most of the websites had been recovered and restored to normal operation by the end of the day.

So, two cyber gangs of suspect ethical fiber and questionable morals chose to have a playground fight via the Internet on the Korean peninsula. Why should you care? It’s a fair question. The answer is that there are lessons to be learned that might help prevent your own network and servers from being compromised. I spoke with Ken Westin, a security researcher with Tripwire.
Working with the Red Alert (R3d4l3rt) team in South Korea, Westin has been conducting an in-depth analysis of the techniques and exploits used, the vulnerabilities the attackers targeted, and the malware used to target DNS servers and facilitate the DDoS attack. Westin’s research suggests that this was a coordinated and premeditated attack, but he also indicated that the attackers used relatively simple tools. He stressed that writing exploits is not that difficult, and that there are tools available to make it easy even for less-skilled attackers.

The primary lesson for other governments, companies, and even consumers, though, is to expedite the patch management process. The attacks in South Korea primarily targeted known flaws for which patches were already available. Companies are often slow, and governments, as a function of their bureaucracy and red tape, are even slower to test and deploy patches as they’re released.

Highly skilled attackers can find their own unique vulnerabilities to target, but most attackers aren’t that skilled or dedicated. Once a patch is released, though, it can be reverse-engineered to discover the underlying vulnerability. That means that with every minute that passes after a patch is released, the associated risk increases. Essentially, it’s only a matter of time before a working exploit is circulating in the wild, and you need to have the patch applied to affected systems before that point.

Westin also suggested that companies consider automated security configuration management tools like those offered by Tripwire. Westin said there are simply too many new vulnerabilities discovered every day, and IT admins have too many servers and endpoints to protect, to manage the process effectively any other way.

No matter what tool or process you use, the bottom line is that you can defend your network and servers against most attacks by simply installing patches and updates faster than attackers can craft exploits.