BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Least Privilege and South Korea

Posted March 26, 2013    BeyondTrust Research Team

No, this isn’t some editorial piece about the interrelationships of varying social strata in South Korean society and Gangnam Style. Despite how interesting that may be, we are instead taking a quick look at the latest “wiper” malware to strike fear in the hearts of CTOs and IT admins alike – DarkSeoul (or Jokra or KillMBR, depending on who you ask). If you haven’t heard of DarkSeoul, here’s what you need to know:

– Trojan that wipes out harddrives
– Targeted banks and media organizations in South Korea
– No Command and Control functionality (fire and forget)
– Wiping set to commence on March 20th
– Cross-platform (Windows, UNIX, and Linux)

Well, that was short… what’s all the ruckus about then? Just as with Batchwiper, running in a Least Privilege environment would have significantly reduced the effectiveness of DarkSeoul, if not completely disabled it. In the case of this malware, the Trojan siphons credentials from mRemote and SecureCRT installations on Windows systems, looking for root credentials to UNIX and Linux boxes. In a Least Privilege environment, and in an environment managed by tools such as PowerBroker Servers for Linux & Unix (PBUL), IT can make smarter, granular decisions about what certain accounts can do. This is especially critical on infrastructural systems, which often run Linux and UNIX, responsible for production roles and other critical functionality in the enterprise environment. PBUL lets you restrict access to certain functions and system calls, which can be leveraged to potentially prevent any user from deleting critical directories, such as home and kernel. Not to mention, running in a Least Privilege environment within Windows, with the use of PowerBroker for Windows, would have hamstrung DarkSeoul even further. Running as a non-administrator within Windows severely limits malware’s capabilities, including deleting system-critical directories.

TL;DR? An ounce of prevention is worth a pound of cure… or in this case, an ounce of prevention prevents all your files from getting deleted and breaking your ATMs.

Tags:
, , , ,

Leave a Reply

Additional articles

Dark Reading

2014: The Year of Privilege Vulnerabilities

Posted December 18, 2014    Chris Burd

Of the 30 critical-rated Microsoft Security Bulletins this year, 24 involved vulnerabilities where the age-old best practice of “least privilege” could limit the impact of malware and raise the bar of difficulty for attackers.

Tags:
, , , , ,
dave-shackleford-headshot

Looking back on information security in 2014

Posted December 16, 2014    Dave Shackleford

Dave Shackleford is a SANS Instructor and founder of Voodoo Security. Join Dave for a closer look at the year in security, and learn what you can do to prepare for 2015, with this upcoming webinar. 2014 has been one heck of an insane year for information security professionals. To start with, we’ve been forced…

Tags:
, ,
patch-tuesday

December 2014 Patch Tuesday

Posted December 9, 2014    BeyondTrust Research Team

This month marks the final Patch Tuesday of 2014. Most of what is being patched this month includes Internet Explorer, Exchange, Office, etc… and continues a trend of the greatest hits collection of commonly attacked Microsoft software. Probably the one thing that broke the mold this month is that for once there is not some…

Tags:
,