Cyberattacks in South Korea Heightens Changes in Threat Landscape Trend Micro Urges Enterpises to Redefine their Security Strategy

[Kuala Lumpur, 21 March, 2013] – The leading global security company Trend Micro Incorporated (TYO:4704), detected multiple cyberattacks on South Korean banking corporations and media agencies. The incident began when corporate computer systems were shutdown and could not be rebooted, while others were showing images of a skull and a “warning”. As a result, business operations, ATMs, online banking, and TV broadcasts were disrupted.

Tactics used in these attacks resembles advanced target attacks, where spear-phishing emails were used to penetrate and compromise initial systems within these organizations.

Upon penetration, attackers targeted critical IT infrastructures such as patch management servers, and public facing web sites, in preparation for a “waterhole attack” where these legitimate websites and servers are modified to inject malicious code onto connecting PCs.

Like a lion waiting for speedy gazelles to slow down and have a drink, attackers hacked and loaded viruses onto sites they suspect attractive targets will visit. Compromised websites connected visiting clients to off-shore websites where malicious Trojan program, known as TROJ_KILLMBR.SM, was installed.

This program was responsible for taking down the infected systems by overwriting the Master Boot Record (MBR), thus paralyzing system and business operations. Wiping the MBR, a form of self-destruct, is typically the last step in a targeted attack that makes investigation and recovery of these systems more difficult.

Trend Micro has predicted a significant increase in cyber-attacks, and has been working with our customers and partners in this region to provide custom defense for the last several years. As a result of this investment, Trend Micro customers are protected in this series of attacks.

Customers using Trend Micro Deep Discovery were alerted on March 19th. The Deep Discovery Inspector and Deep Discovery Advisor heuristically detected malicious traffic and email (through the names of HEUR_NAMETRICK.B). As of March 20th, the malicious files and websites involved in these attacks are also detected and blocked by other Trend Micro solutions.

For further information on this threat, please check: http://blog.trendmicro.com/trendlabs-
security-intelligence/mbr-wiping-trojan-other-attacks-hit-south-korea/

To learn about Trend Micro, please check: http://www.trendmicro.com/us/index.html


南韓爆發史上最大駭客攻擊 企業及個人用戶電腦皆停擺

趨勢科技呼籲企業及消費者採取積極行動 以防遭受下一波毒駭

【2013 年 03 月 21 日吉隆坡讯】駭客針對南韓主要銀行、媒體，以及個人電腦發動大規模攻擊，截至目前為止，趨勢科技已經發現多重攻擊。駭客主要針對南韓主要銀行與媒體的補丁更新伺服器（patch management server）佈署惡意程式，造成受攻擊企業內部的電腦全面無法開機，作業被迫停擺；另一攻擊則針對南韓的企業網站，有的網站遭攻擊停擺，有的網站則是使用者造訪該網站都會被導向位於海外的假網站，並被要求提供許多個人資訊；此外，駭客並針對個人用戶發動電子郵件釣魚攻擊，假冒南韓銀行交易記錄名義，誘騙使用者下載內含木馬程式 TROJ_KILLMBR.SM 的執行檔，使用者電腦開機區遭到覆蓋，導致使用者無法開機。

趨勢科技內部偵測到的針對企業內部的目標性攻擊，目前已知受影響的企業主要為銀行以及媒體。這波攻擊以企業補丁更新伺服器（Patch Management Server）為標的，駭客成功入侵受害企業的補丁更新伺服器佈署惡意程式，該惡意程式會隨著企業員工電腦定期下載補丁(Patch) 而散佈至企業內部，造成企業內部電腦全面停擺，無法進行作業。

另一個攻擊則針對企業網站進行攻擊，目前已知南韓知名企業網站遭到入侵，並恐有被植入不明惡意程式之可能。除了企業之外，駭客並針對銀行使用者展開一波社交工程郵件攻擊。駭客透過一封假冒南韓銀行的信件，信件內容表示為使用者的交易記錄，要求使用者打開附件，附件內容其實為一個執行檔，一旦使用者下載執行後，將被下載一個名為 TROJ_KILLMBR.SM 的惡意程式，電腦開機區的所有資訊將被覆蓋，導致電腦無法開機。

趨勢科技表示，此惡意連結已遭趨勢科技封鎖。但值得注意的是，不排除駭客會展開另一波新的攻擊。

根據過往的案例分析，許多網路釣魚電子郵件看起來可能跟原公司的電子郵件一模一樣。使用者應該仔細閱讀電子郵件，而且去驗證電子郵件內容的正確性。除此之外，勿隨意開啟郵件中所附的連結或檔案，更勿輕易提供個人資料。

趨勢科技 Deep Discovery 在第一時間即已偵測到此社交工程郵件攻擊，並偵測其內含HEUR_NAMETRICK. B 惡意檔案。趨勢科技呼籲用戶使用最新病毒碼，以提供相對應的防護。更多Deep Discovery 相關訊息請參考：
http://tw.trendmicro.com/tw/products/enterprise/deep-discovery3/index.html

更多與此攻擊相關訊息請參考：http://blog.trendmicro.com/trendlabs-security-intelligence/mbr-wiping-
trojan-other-attacks-hit-south-korea/