Last week, we discussed the SK Communications data breach where a large number of user accounts in South Korea were exposed. The scope appears to be bigger than initially reported, as ESTsoft, a South Korean company that develops software (including antivirus, compression utility, and other software), came forward with a public notice disclosing that one of their update servers was compromised.
According to the advisory, a vulnerability in a common DLL update module allowed an attacker to push a malicious file (BKDR_SOGU.A, the same file discussed in the entry “Analysis of BKDR_SOGU.A, a Database-Accessing Malware”) onto computers that received the tampered update.
ESTsoft already released a patch on August 4 and pushed it as an update. They also stressed that they are cooperating and closely working with South Korean law enforcement agencies to understand the cause and extent of the said compromise.
As of today, the details of the attack are still incomplete, but the above suggests that ESTsoft is one possible infection vector, among others, that may eventually have led to the SK Comms data breach. The involvement of not one but several companies indicates that this may not have started as a targeted attack against one specific company. The attacker may first have launched a broad set of initial attacks as a reconnaissance step, looking for vulnerable public-facing interfaces and assessing which of them would be useful. In this case, ESTsoft's update channel may have served as a convenient infection vector for distributing the malicious file, while SK Comms was a valuable target because of its rich repository of personal information that cybercriminals could put to further use.
Higher Security Demand from Enterprises
We already know how important it is for high-profile and data-sensitive/data-dependent enterprises to change their security mindset. Conventional signature-based endpoint protection does not block previously unseen malware.
Likewise, even purchasing the highest-end security information and event management solution and having several staff watch the logs every minute of every day will not guarantee a threat-free environment if those solutions do not reflect the actual infection status of the endpoints.
This security incident showed us how things are done in South Korea. The South Korean government is now studying whether to change the method by which personal information is verified online. At present, the government requires users to provide their real name, their national ID number, and their phone number, and cross-references these to verify their online identities.
Also, more and more South Korean local enterprises have started to increase their security budgets.