Major Information Security News, Q1 2015 (20150512, public edition)
Major Information Security News, Q1 2015
2015.05.12
AhnLab Security Emergency response Center (ASEC) Analysis Team
CHA Minseok (車珉錫, 차민석, Jacky Cha, mstoned7), Senior Researcher
Public edition
© AhnLab, Inc. All rights reserved. 2
:~$whoami
Profile
− CHA Minseok (車珉錫, 차민석, Jacky Cha, mstoned7)
− January 7, 1988: started computing on an Apple ][+ clone
− 1989: infected by a Brain virus variant
− 1997: joined AhnLab
− Senior Antivirus Researcher, AhnLab
− Analyzing and researching malware in the Security Emergency response Center (ASEC) Analysis Team
- Member of the public-private joint investigation team and the cyber security expert group
- Member of AVED, AMTSO and vforum
- Wildlist Reporter
Contents
01 Korean information security news, 2015
02 Korean information security news, Q1
03 International information security news, 2015
04 International information security news, Q1
05 Major vulnerabilities and malware, Q1
06 Case study: Kimsuky variant
07 Case study: Upatre
01 Korean information security news, 2015
− January 7: Suspected fraudulent use of mobile gift vouchers
http://www.boannews.com/media/view.asp?idx=44991&kind=0
− January 15: Government announces a cyber-safety inspection of 400 agencies
http://www.mt.co.kr/view/mtview.php?type=1&no=2015011510033489266
− January 15: Court partially recognizes bank liability in a pharming case
http://news.donga.com/3/01/20150115/69100947/1
− January 28: Female university student arrested for attempting to hack a military website to investigate her ex-boyfriend
http://economy.hankooki.com/lpage/society/201501/e20150128142208117920.htm
− January 28: AhnLab launches AhnLab V3 Mobile 3.0 in Japan
− February 1: Malware distributed through some government websites after a CDN provider was hacked
− February 2: Payment gateways (PGs) begin replacing ActiveX installation with EXE file downloads
− February 13: Busan Gangseo Police detain Mr. Shin (37) on charges of planting malware on the computer of an employee who managed company funds and siphoning off KRW 100 million
http://www.yonhapnews.co.kr/society/2015/02/13/0701000000AKR20150213168100051.HTML?template=5567
− March 2: SBS reports on Mr. Yang, CEO of a security company, who carried out DDoS attacks for money
http://news.sbs.co.kr/news/endPage.do?news_id=N1002859801
− March 5: Ministry of Science, ICT and Future Planning (MSIP) announces stronger security for home routers
http://www.ddaily.co.kr/news/article.html?no=127945
− March 5: 750,000 fraudulently issued public i-PINs confirmed
http://www.nocutnews.co.kr/news/4377976
− March 12: "John" claims to release additional leaked KHNP (Korea Hydro & Nuclear Power) data
http://news.mt.co.kr/mtview.php?no=2015031220118210253
− March 15: AhnLab's 20th anniversary
− March 17: Joint investigation team announces the results of the KHNP hacking investigation
http://www.dailysecu.com/news_view.php?article_id=9004
− March 17: INSEC Security announces domestic sales of Metascan
http://www.itdaily.kr/news/articleView.html?idxno=61081
− March 19: Reports that the group behind the March 20 (3.20) attacks has resumed attacks
http://www.boannews.com/media/view.asp?idx=45713&kind=0
− March 19: Researcher Lee Jung-hoon (lokihardt) sweeps the prize money at Pwn2Own
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2015-Day-Two-results/ba-p/6722884#.VQ9clI6sXow
− March 23: Gang caught after hacking an online culture gift voucher company and taking KRW 700 million
http://news1.kr/articles/?2146019
− March 23: Card industry announces removal of ActiveX from the 26th
− March 23: Seoul Central District Court sentences gambling operators to prison for buying and distributing a program, obtained from North Korean hackers, that could manipulate online gambling
http://www.newsis.com/ar_detail/view.html?ar_id=NISX20150321_0013550963&cID=10201&pID=10200
− March 23: Security company indicted for conspiring in a crime after accepting a DDoS attack request
http://www.newsis.com/ar_detail/view.html?ar_id=NISX20150326_0013560539&cID=10203&pID=10200
− March 31: Cyber security secretary post created in the Blue House National Security Office
http://www.yonhapnews.co.kr/bulletin/2015/03/30/0200000000AKR20150330190100001.HTML
02 Korean information security news, Q1
KHNP data leak
• How the data leaked
- Some key documents came from the computer of the head of a KHNP contractor
- KHNP staff address books and contact details came from hacked e-mail accounts of current and former KHNP employees
* Source : http://www.yonhapnews.co.kr/economy/2015/02/05/0303000000AKR20150205081600004.HTML?template=2087
KHNP data leak
• Further KHNP warning
- Warning issued and additional data released on March 12, 2015
* Source : http://twtkr.com/L1m4kD
KHNP data leak
• Investigation results announced
- Attributed to North Korea
* Source : http://www.dailysecu.com/news_view.php?article_id=9004
MSIP strengthens home router security
• MSIP announcement on strengthening home router security
- June: build a real-time monitoring system for home routers
- July: establish and operate a security update system for home routers
* Source : http://www.ddaily.co.kr/news/article.html?no=127945
Fraudulent issuance of public i-PINs
• 750,000 public i-PINs fraudulently issued
* Source : http://www.nocutnews.co.kr/news/4377976
Blue House creates cyber security secretary post
• New cyber security secretary
- Added to the Blue House National Security Office
* Source : http://www.yonhapnews.co.kr/bulletin/2015/03/30/0200000000AKR20150330190100001.HTML
03 International information security news, 2015
− December 29, 2014: Trammell Hudson presents Thunderstrike, which exploits a Thunderbolt vulnerability
https://events.ccc.de/congress/2014/Fahrplan/events/6128.html
− December 31, 2014: PlugX variant distributed from the League of Legends (LOL) Taiwan server
http://blog.trendmicro.com/trendlabs-security-intelligence/plugx-malware-found-in-official-releases-of-league-of-legends-path-of-exile
− January 8: Moneyhorse announces that development of the game Glorious Leader! is halted after being hacked
https://www.kickstarter.com/projects/884592321/glorious-leader/posts/1101568
− January 12: Customer mileage accounts at American and United Airlines hacked to obtain free flights
http://www.inquisitr.com/1750232/american-united-airlines-hacked-thieves-hack-into-thousands-of-customer-accounts-for-free-flights/
− January 13: Malware distributed from the website of North Korea's Korean Central News Agency
http://arstechnica.com/security/2015/01/surprise-north-koreas-official-news-site-delivers-malware-too/
− January 15: Intel Security announces that security software will be bundled on Samsung Tizen-based phones
− January 16: UK SEROCU announces the arrest of a Lizard Squad member
http://www.serocu.org.uk/31/section.aspx/21/man_arrested_swatting_and_denial_of_service_offences
− January 16: Twitter accounts of US media outlets the New York Post (NYP) and UPI hijacked
http://www.reuters.com/article/2015/01/16/us-usa-media-twitter-idUSKBN0KP24U20150116
− January 19: The New York Times reports that the NSA penetrated North Korean networks
http://www.nytimes.com/2015/01/19/world/asia/nsa-tapped-into-north-korean-networks-before-sony-attack-officials-say.html?referrer
− January 27: Linux GNU C Library vulnerability CVE-2015-0235 (aka GHOST) disclosed
https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
− January 27: Kaspersky reports a link between Regin and the QWERTY keylogger
http://securelist.com/blog/research/68525/comparing-the-regin-module-50251-and-the-qwerty-keylogger
− January 29: Chinese government applies strict cyber security rules
http://www.nytimes.com/2015/01/29/technology/in-china-new-cybersecurity-rules-perturb-western-tech-companies.html
− February 3: US government establishes E-Gov Cyber, a unit coordinating cyber policy
http://thehill.com/policy/cybersecurity/231598-white-house-creates-e-gov-cyber-unit
− February 4: Anthem breach exposes personal data of 80 million people
http://www.anthemfacts.com
− February 11: Facebook opens the ThreatExchange site
https://threatexchange.fb.com
− February 12: Trend Micro reports mobile malware targeting Korean bank users
http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-malware-gang-steals-millions-from-south-korean-users
− February 14: The New York Times reports on money stolen from bank systems infected with the Carbanak malware
http://www.nytimes.com/2015/02/15/world/bank-hackers-steal-millions-via-malware.html
− February 16: Kaspersky discloses details of Equation
https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy
− February 19: NSA & GCHQ hack a SIM card manufacturer
https://firstlook.org/theintercept/2015/02/19/great-sim-heist
− February 20: Lenovo discloses the Superfish vulnerability
http://support.lenovo.com/us/en/product_security/superfish
− February 25: Microsoft MMPC announces the disruption of Ramnit, with 3 million machines blocked
http://blogs.technet.com/b/mmpc/archive/2015/02/25/microsoft-malware-protection-center-assists-in-disrupting-ramnit.aspx
− February 27: Uber discloses a leak of 50,000 drivers' data
http://blog.uber.com/2-27-15
− March 3: Controversy over Oracle bundling the Ask toolbar with Java for OS X as well
http://www.zdnet.com/article/oracle-extends-its-adware-bundling-to-include-java-for-macs
− March 5: Bluebox reports malware included on a Xiaomi smartphone
https://bluebox.com/blog/technical/popular-xiaomi-phone-could-put-data-at-risk
− March 6: FREAK (Factoring Attack on RSA-EXPORT Keys, CVE-2015-0204)
https://www.us-cert.gov/ncas/current-activity/2015/03/06/FREAK-SSLTLS-Vulnerability
− March 9: Krebs on Security discloses a breach at POS vendor NEXTEP
http://krebsonsecurity.com/2015/03/point-of-sale-vendor-nextep-probes-breach
− March 11: Panda Security false positive detects its own files as malware
http://www.pandasecurity.com/uk/homeusers/support/card?id=100045
− March 11: Kaspersky reports on the Equation Group's EquationDrug
http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform
− March 19: Bloomberg Business reports alleged ties between Kaspersky Lab and Russian intelligence
http://www.bloomberg.com/news/articles/2015-03-19/cybersecurity-kaspersky-has-close-ties-to-russian-spies
− March 19: Target settles for USD 10 million (about KRW 11.2 billion) over its 2013 breach
http://money.cnn.com/2015/03/19/technology/security/target-data-hack-settlement
− March 25: Trend Micro publishes an analysis of sextortion malware found in East Asia
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-sextortion-in-the-far-east.pdf
− March 25: AraLabs reports malware that changes home router DNS settings to replace ads
http://aralabs.com/blog/2015/03/25/ad-fraud-malware-hijacks-router-dns-injects-ads-via-google-analytics
− March 27: Slack hacked
http://slackhq.com/post/114696167740/march-2015-security-incident-and-launch-of-2fa
− March 29: github.com hit by a DDoS attack attributed to the Chinese government
http://insight-labs.org/?p=1682
04 International information security news, Q1
Attacks
• Game development cancelled because of hacking
- Development of Glorious Leader! cancelled after a hack
* Source : https://www.kickstarter.com/projects/884592321/glorious-leader/posts/1101568
NSA intrusion into North Korean networks
• NSA hacks North Korea
- Reports that the US NSA (National Security Agency) penetrated North Korean networks in 2010
* Source : http://www.nytimes.com/2015/01/19/world/asia/nsa-tapped-into-north-korean-networks-before-sony-attack-officials-say.html?referrer
Breaches
• Anthem
- Personal data of 80 million people
- Names, dates of birth, e-mail addresses, postal addresses, Social Security numbers and other data leaked
* Source : http://www.anthemfacts.com
Breaches
• Uber
- Data of 50,000 drivers leaked
- Not disclosed for five months
* Source : http://blog.uber.com/2-27-15
Information sharing
• ThreatExchange
* Source : https://threatexchange.fb.com/
MMPC announces Ramnit disruption
• Ramnit disruption announced
- MMPC (Microsoft Malware Protection Center) announces that 3 million machines were blocked
* Source : http://blogs.technet.com/b/mmpc/archive/2015/02/25/microsoft-malware-protection-center-assists-in-disrupting-ramnit.aspx
Bluebox reports Xiaomi phone risk
• Bluebox reports Xiaomi phone risk
- Xiaomi's response: the device was obtained through an unofficial distribution channel
* Source : https://bluebox.com/blog/technical/popular-xiaomi-phone-could-put-data-at-risk/
Outages
• Panda Security incident
- Signature file false-positive problem on March 11, 2015
* Source : http://www.pandasecurity.com/uk/homeusers/support/card?id=100045
05 Major vulnerabilities and malware, Q1
Superfish vulnerability
• Superfish
- Included on Lenovo laptops sold from September 2014 to February 2015
* Source : http://support.lenovo.com/us/en/product_security/superfish
Equation Group
• Equation
- Active for 19 years, since 1995; linked to Stuxnet, so NSA involvement is possible
- Malware also implanted into HDD firmware
* Source : https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/
Vulnerability
• Seagate NAS Remote Code Execution Vulnerability
* Source : https://beyondbinary.io/advisory/seagate-nas-rce/
Home router
• Home router DNS settings changed
- Injects advertisements
* Source : http://aralabs.com/2015/03/25/ad-fraud-malware-hijacks-router-dns-injects-ads-via-google-analytics/
EFI bootkit
• EFI Bootkit
- firmware modifications
* Source : https://events.ccc.de/congress/2014/Fahrplan/events/6128.html
Ransomware
• Nabucur
- File Infection + Ransomware
* Source : http://asec.ahnlab.com/1025 & http://blog.trendmicro.com/trendlabs-security-intelligence/virlock-combines-file-infection-and-ransomware/
06 Case study: Kimsuky variant
07 Case study: Upatre
Upatre
• Upatre
- Distributed since November 2013
- Infects mainly via e-mail
Upatre
• Icons
- Variants distributed February to March 2015
Upatre
• Relationship diagram
* Source : Analysis Team
Today's security problems
• Not really a fair fight
* source : http://image-store.slidesharecdn.com/81268b95-5c3b-4604-9129-d83ab3dc4600-large.png
Today's security problems
• Security is everyone's responsibility
* source : http://www.security-marathon.be/?p=1786
Q&A
email : [email protected] / [email protected]
http://xcoolcat7.tistory.com
https://twitter.com/xcoolcat7, https://twitter.com/mstoned7
DESIGN YOUR SECURITY