Korean banks and media agencies under cyber-attack: Trend Micro
By Digital News Asia March 21, 2013
- Legitimate websites and servers modified to inject malicious code onto connecting PCs
- Business operations, ATMs, online banking and TV broadcasts disrupted
TREND Micro Incorporated said it has detected multiple cyber-attacks on South Korean banking corporations and media agencies.
The incident began when corporate computer systems were shut down and could not be rebooted, while others were showing images of a skull and a “warning.” As a result, business operations, ATMs, online banking and TV broadcasts were disrupted, the company said in a statement.
The tactics used in these attacks resemble advanced targeted attacks, in which spear-phishing emails were used to penetrate and compromise initial systems within these organizations.
Upon penetration, attackers targeted critical IT infrastructure such as patch management servers and public-facing websites, in preparation for a “waterhole attack” in which these legitimate websites and servers are modified to inject malicious code onto connecting PCs.
“Like a lion waiting for speedy gazelles to slow down and have a drink, attackers hacked and loaded viruses onto sites they suspect attractive targets will visit,” Trend Micro said.
Compromised websites connected visiting clients to off-shore websites where the malicious trojan program, known as TROJ_KILLMBR.SM, was installed.
This program was responsible for taking down the infected systems by overwriting the Master Boot Record (MBR), thus paralyzing system and business operations. Wiping the MBR, a form of self-destruct, is typically the last step in a targeted attack that makes investigation and recovery of these systems more difficult.
Trend Micro said it had predicted a significant increase in cyber-attacks, and has been working with its customers and partners in the region to provide custom defenses for the last several years.
Customers using Trend Micro Deep Discovery were alerted on March 19.