This weekend, the “Guardians of Peace”—the cyber-attackers who brought Sony Pictures Entertainment’s network down in November and have since shared over a terabyte of the company’s internal data—made two more dumps of SPE data to file sharing sites and torrents. The second of the two, on Sunday, was the e-mail box of Sony Pictures Releasing International president Steven O’Dell. And the hackers promised a “Christmas present” soon of even more data if the company does not relent and meet their unspecified demands.

"We are preparing for you a Christmas gift," the GoP said in a post to Pastebin and Friendpaste. "The gift will be larger quantities of data. And it will be more interesting.The gift will surely give you much more pleasure and put Sony Pictures into the worst state. Please send an email titled by 'Merry Christmas' at the addresses below to tell us what you want in our Christmas gift."

As the breach spills into another week, details have emerged that suggest the attack may have begun much earlier this year, or even earlier, and that the attackers were able to collect significant intelligence on the network from Sony Pictures’ own IT department. It's clear that those behind the attack were deep inside Sony's network for a long time before they set off the malware that erased Sony hard drives—and some of the data they collected could have been used in other attacks.

Read 12 remaining paragraphs | Comments

[ MDVSA-2014:249 ] qemu
[ MDVSA-2014:248 ] graphviz
[ MDVSA-2014:247 ] jasper
[ MDVSA-2014:246 ] openvpn
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Shellshock is far from over, with many devices still not patched andout there ready for exploitation. One set of thedevices receiving a lot of attention recently are QNAP disk storage systems. QNAP released a patch in early October, but applying the patch is not automatic and far from trivial for many users[1]. Our reader Erichsubmitted a link to an interesting Pastebin post with code commonly used in these scans [2]

The attack targets a QNAP CGI script, /cgi-bin/authLogin.cgi, a well known vector for Shellshock on QNAP devices [3]. This script is called during login, and reachable without authentication. The exploit is then used to launch a simple shell script that will download and execute a number of additional pieces of malware:

emme [sha1611bd8bea11d6edb68ed96583969f85469f87e0f]:

This appears to implement a click fraud script against advertisement network JuiceADV. The userid that is being used is4287 and as referrer,http://www.123linux.it is used. The user agent is altered based on a remote feed.

cl [sha1b61fa82063975ba0dcbbdae2d4d9e8d648ca1605]

A one liner shell script uploading part of /var/etc/CCcam.cfg to ppoolloo.altervista.com . My test QNAP system does not have this file, so I am not sure what they are after.

The script also created a hidden directory, /share/MD0_DATA/optware/.xpl, which is then used to stash some of the downloaded scripts and files.

Couple other changes made by the script:

  • Sets the DNS server to
  • creates an SSH server on port 26
  • adds an admin user called request
  • downloads and copies ascriptto cgi-bin: armgH.cgi and exo.cgi
  • modify autorun.sh to run the backdoors on reboot

Finally, the script will also download and install the Shellshock patch from QNAP and reboot the device.

Infected devices have been observed scanning for other vulnerable devices. I was not able to recover all of the scripts the code on pastebin downloads. The scanner may be contained in one of the additional scripts.

[1] http://www.qnap.com/i/en/news/con_show.php?op=showonecid=342
[3] https://www.fireeye.com/blog/threat-research/2014/10/the-shellshock-aftershock-for-nas-administrators.html

Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Internet Storm Center Infocon Status