In both North Korea and South Korea, several websites were defaced and brought down via a DDoS attack on the anniversary of the start of the Korean War.

The Red Alert (R3d4l3rt) team in South Korea has provided an in-depth analysis of the vulnerabilities and methods used to access and deface government websites and to obtain personal information, as well as of the malware used to target DNS servers in a DDoS attack.

At around 9:10AM on June 25th, the Blue House (the equivalent of the U.S. White House) and key government agency websites were the target of attacks. These attacks included website defacement, distributed denial of service (DDoS) attacks and the compromise of personal data for some government personnel, including the U.S. Army’s 3rd Marine, 25th Infantry, and 1st Cavalry Divisions. As a result, the South Korean government raised its cyber-alert level to its third highest, and most of the websites had recovered and were back up by the end of the day.

Vulnerability Exploit & Site Defacement

Shortly after the attack a video appeared on YouTube showing the process of hacking the Blue House website; it has since been removed by YouTube. The Blue House website, hosted on a Solaris 10 SPARC system, appears to have been compromised by taking advantage of a WebSphere Application Server (WAS) vulnerability, as well as a file upload/download vulnerability in a bulletin board.

The attack in the video utilized the “w3b_avtix” toolkit to gain access to deface the website as well as to escalate privileges to access data. The other defaced websites are assumed to have also been compromised through server vulnerabilities, many of which are known, but the systems targeted were unpatched. Here is the list of sites the Red Alert team has reported as compromised.

Org | Website
--- | ---
The Blue House | www.president.go.kr
The Office for Government Policy Coordination | pmo.go.kr/pmo_web/main
The Ministry of National Defense | www.mnd.go.kr
The NIS | www.nis.go.kr
Chosun Ilbo | www.chosun.com
Daegu Ilbo | www.idaegu.com
Maeil Shinmun | www.imaeil.com
Korea Press Foundation | www.kpf.or.kr/index.jsp
eToday | www.etoday.co.kr
Saenuri Party Seoul | seoul.saenuriparty.kr
Saenuri Party Gyeonggi-do | www.visiongg.com
Saenuri Party Incheon | www.hannaraincheon.or.kr
Saenuri Party Busan | busan.saenuriparty.kr
Saenuri Party Ulsan | ulsan.saenuriparty.kr
Saenuri Party Gyeongnam | gyeongnam.saenuriparty.kr
Saenuri Party Jeju | jeju.saenuriparty.kr
Saenuri Party Gyeongsangbuk-do | www.gbsaenuri.kr
Saenuri Party Gangwon | www.hangangwon.org/


DDoS Attack Against DNS Server

In addition to the site defacement a distributed denial of service attack targeted two DNS servers:

  • ns.gcc.go.kr [152.99.1.10]
  • ns2.gcc.go.kr [152.99.200.6]

The connections came from domestic systems that had been compromised by malware, which was scheduled to initiate DNS queries at a rapid rate with a fairly large query size (1,500 bytes) to increase the load on the server. Looking at packets captured from the attack, the DNS queries show randomized subdomain requests:

[Image: packet capture of the randomized-subdomain DNS queries. Image Credit: Red Alert Team]

The malware that initiates the attack from unwitting users’ systems is:

Filename | MD5
--- | ---
wuauieop.exe | F60935E852D0C7BCFFAA54DDA15D009A


The malicious file was dropped and executed on compromised systems on June 25 at 10AM. From the samples, the Red Alert team has determined that the malware was created on 6/24/2013.

Once the malware is unpacked it creates a UDP socket and sets the IP address and port of the target DNS server. Two threads are created on the system to loop through the task. The malware generates a random string and prepends it as a subdomain to “gcc.go.kr”.


[Image: domain creation routine in the malware. Image Credit: Red Alert Team]

The malware then sends the packet using the sendto function, resets the connection properties, and starts the process all over again, ad infinitum.
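As an added example (not code from the original post or from the Red Alert analysis), here is a small detector for the random-subdomain flood pattern described above, run over resolver query logs. The BIND-style log format and the sample lines are constructed, and the thresholds are assumptions a defender would tune for their own zone.

```python
import math
import re
from collections import defaultdict

# Constructed sample query-log lines (a BIND-style "query:" log format is assumed).
# 10.0.0.5 mimics the flood pattern from the post: rapid queries for random labels under gcc.go.kr.
# 10.0.0.9 is ordinary traffic for the same zone.
SAMPLE_LOG = """\
25-Jun-2013 10:00:01.001 client 10.0.0.5#53011: query: x7k2qpz9.gcc.go.kr IN A
25-Jun-2013 10:00:01.004 client 10.0.0.5#53012: query: ab3mz0tq.gcc.go.kr IN A
25-Jun-2013 10:00:01.010 client 10.0.0.5#53013: query: r9wn4lk1.gcc.go.kr IN A
25-Jun-2013 10:00:01.015 client 10.0.0.5#53014: query: m2c8vhy6.gcc.go.kr IN A
25-Jun-2013 10:00:01.021 client 10.0.0.5#53015: query: q5ze1bnd.gcc.go.kr IN A
25-Jun-2013 10:00:02.500 client 10.0.0.9#41000: query: www.gcc.go.kr IN A
25-Jun-2013 10:00:03.200 client 10.0.0.9#41001: query: www.gcc.go.kr IN A
25-Jun-2013 10:00:04.900 client 10.0.0.9#41002: query: mail.gcc.go.kr IN MX
"""

LOG_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def parse_queries(log_text):
    """Yield (source_ip, qname) for each query line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("src"), m.group("qname").rstrip(".").lower()

def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label (random labels score high)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def find_random_subdomain_floods(log_text, zone="gcc.go.kr", min_queries=5,
                                 min_unique_ratio=0.9, min_entropy=2.5):
    """Return {source_ip: stats} for sources whose queries under `zone` look like a random-subdomain flood:
    enough queries, almost every label unique, and high per-label entropy (thresholds are assumptions)."""
    per_src = defaultdict(list)
    suffix = "." + zone
    for src, qname in parse_queries(log_text):
        if qname.endswith(suffix):
            per_src[src].append(qname[:-len(suffix)].split(".")[-1])  # label directly under the zone
    flagged = {}
    for src, labels in per_src.items():
        unique_ratio = len(set(labels)) / len(labels)
        mean_entropy = sum(label_entropy(lbl) for lbl in labels) / len(labels)
        if len(labels) >= min_queries and unique_ratio >= min_unique_ratio and mean_entropy >= min_entropy:
            flagged[src] = {"queries": len(labels), "unique_ratio": round(unique_ratio, 2),
                            "mean_entropy": round(mean_entropy, 2)}
    return flagged

if __name__ == "__main__":
    print(find_random_subdomain_floods(SAMPLE_LOG))  # flags 10.0.0.5 only
```

On real authoritative or resolver logs the same statistics, computed per source and per time window, separate the flood from legitimate lookups of a zone's small set of real hostnames.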



Ken Westin

Ken Westin has contributed 109 posts to The State of Security.
