Last week, we discussed the SK Communications data breach where a large number of user accounts in South Korea were exposed. The scope appears to be bigger than initially reported, as ESTsoft, a South Korean company that develops software (including antivirus, compression utility, and other software), came forward with a public notice disclosing that one of their update servers was compromised.
According to the advisory, a vulnerability in a DLL update module shared by ESTsoft's products allowed the attacker to push a malicious file (BKDR_SOGU.A, the same file discussed in the entry "Analysis of BKDR_SOGU.A, a Database-Accessing Malware") through the update channel onto the computers that received the tampered update.
ESTsoft released a patch on August 4 and pushed it out as an update. They also stressed that they are cooperating closely with South Korean law enforcement agencies to determine the cause and extent of the compromise.
As of today, the details of the attack are still incomplete, but the above suggests that ESTsoft's update channel is one possible infection vector, among others, that may eventually have led to the SK Comms data breach. With several companies involved rather than one, this may not have started as a targeted attack against a single company. The attacker may have first launched a broad set of initial attacks as a reconnaissance step, looking for vulnerable public-facing interfaces and assessing which of them would be useful. In this case, ESTsoft's update server may have served as a convenient distribution point for the malicious file, while SK Comms made a good target because of its rich repository of user information that can be of further use to cybercriminals.