'Destover' malware highlights incident response

News by Kate O'Flaherty

Fallout from Sony Pictures hack continues with incident reponse now under the spotlight.

Businesses are being urged to focus on incident response after a digital certificate signed by Sony Pictures was stolen and published online.

It comes after researchers at Kaspersky Labs discovered a new version of the 'Destover' malware, used in the recent Sony Pictures breaches, which was signed by a legitimate certificate stolen from the entertainment firm.

The development highlights the need for appropriate incident response, experts told SCMagazineUK.com. Stuart McKenzie, head of response at consultant Context Information Security, told SC: "This highlights the importance of including incident response in your business continuity and disaster recovery plans. Practicing how you would respond to recovering your IT estate, highlighting any issues or hurdles, is better done without the pressure of a real incident. This should all be aligned within your cyber-strategy and the risk clearly identified to the board."

Mark James, security specialist at ESET, commented to SC: "In this particular case, the certificates are being used in an attempt to validate malware to trick some systems into thinking it's safe because it has a valid certificate. This will trick automated systems to validate the malware and allow it to pass through the very systems designed to stop it."

He added: "When Sony was breached it should have pulled certificates and reissued valid clean ones; some systems will have already allowed this malware into their networks, thus causing more indirect fallout from the Sony hack."

According to Kaspersky, the new version of Destover was compiled in July and signed on 5 December. The company said the stolen Sony certificates can now be used to sign other malicious samples and assist in more attacks.

The Destover family of trojans was used in the 2013 DarkSeoul attacks as well as against Sony Pictures last month. 

Destover poses risks similar to that of CryptoLocker, according to McKenzie: "While other attacks operate on a slow and low modus operandi to maintain persistence over days, months or years to exfiltrate data from the network, Destover is more akin to CryptoLocker in that it is openly sabotaging data within the organisation and looking to either extort money or actions from a victim."

The malware could pose a significant risk by acting as a "backdoor" for criminals, but it also shows investigators where to look, adds Sagie Dulce, security research engineer, Imperva. Dolce told SC: "The malware does not simply allow attackers to wipe out hard drives, but it serves as a backdoor or RAT for attackers. Only after the attackers get what they want, they perform the wipe – making a 'grand exit'.

"Wiping out assets could do a lot of damage, but it also tells the forensic investigators where to look. I think that criminally motivated groups and governments prefer to remain under the radar as much as possible.”

Kaspersky said it has reported the digital certificate to COMODO and Digicert.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews