They are now considered so important that governments with cyber-war operations guard information about them as if they were secret weapons. Zero-Days have figured in several high-profile attacks attributed to governments, including the U.S., Israel and China. Messages purporting to be from the attackers claimed they had taken nearly 100 terabytes of data from Sony, but the files disclosed so far amount to a few hundred gigabytes. Carefully, and over the course of several weeks, they assembled a detailed map of Sony’s corporate networks and the information to access each one. Eventually, they pilfered hundreds of gigabytes of Sony’s most sensitive business information, including the email archives of some of its most senior executives, and released them to the public. Once the attackers penetrated Sony’s network, they were able to move about in what was described as a “low and slow” manner. One source described the software used to exploit the weakness on Sony’s systems as “well-constructed and multi-faceted,” but not exceptionally sophisticated. Sources familiar with the technical information declined to name the product or system exploited citing the sensitivity over the ongoing investigation. For example, a vulnerability that applies to several variants of Microsoft’s Windows operating system is worth more than a vulnerability that applies to only one. The going prices can vary from as low as $5,000 to more than $250,000, and vary depending on sophistication, age and other factors. Information about Zero-Days is often bought and sold in underground marketplaces specializing in computer crime. When exploited by a skilled hacker, Zero-Day vulnerabilities can be useful in gaining initial access to large systems, essentially creating a beachhead that can be used to mount larger-scale intrusions, theft and the destruction of data. Often vulnerabilities remain unknown to the company that created it.
Last year, Google launched its own effort, Project Zero, hiring a team devoted to rooting out and fixing holes in software that touch the Internet. Examples include the Zero-Day initiative backed by Tipping Point, a unit of Hewlett-Packard. The tech industry has sought to control the spread of Zero-Days by paying freelance researchers to report vulnerabilities in software to the companies that create it, or to third parties. Mandiant, the corporate parent of the security firm FireEye, declined to comment, as did Sony and the Federal Bureau of Investigation. Sony suffered the worst corporate hack attack in history last fall when a group of attackers going by the name Guardians of Peace first crippled its network and then released sensitive corporate data on public file-sharing sites, including four unreleased feature films, business plans, contracts and the personal emails of top executives. It would also add weight to a claim by Kevin Mandia - founder and head of Mandiant, the security firm hired to investigate the breach - that the attack was one for which neither Sony “nor other companies could have been fully prepared.” That attack technique has been used in the past to exploit Zero-Day vulnerabilities. The New York Times recently reported that “spear phishing” attacks involving malicious code were inserted into email attachments in September. The presence of a Zero-Day vulnerability in the investigation is a key technical detail that sheds light on how the hackers were able to get inside Sony’s network as early as September and thoroughly exploit it, undetected, until unleashing the destructive attack in late November. Details about the vulnerability are being closely held, and it’s unclear which software was compromised. government that North Korea was responsible for the attack.
Zero-Day vulnerabilities are also often sold on the black market to the highest bidder, suggesting the attackers were either well-funded or working with an entity who is, such as a nation-state. More often, they remain undetected until an attack has occurred. Sometimes the errors are spotted by security researchers who collect bounty fees offered by software firms. These flaws are usually the result of errors made during the writing of the software, giving an attacker wider access to the rest of the software. These types of vulnerabilities are known as Zero-Day because the original programmer has zero days after learning about it to patch the code before it can be exploited in an attack. Sources familiar with the Sony investigation told Re/code the attackers took advantage of what’s known as a “Zero-Day” vulnerability as part of a campaign to destroy the studio’s corporate network. The hackers behind the devastating attack against Sony Pictures Entertainment late last year exploited a previously undisclosed vulnerability in its computer systems that gave them unfettered access and enabled them to reach and attack other parts of the studio’s network.