Guardians of Peace (GOP) release Sony CEO Outlook data file with threat to movie goers

// December 16th, 2014 // Hacking and Security

Purported .ost file for Sony CEO Michael Lynton

A Pastebin dump attributed to Guardians of Peace (GOP) was released a few hours ago followed by the purported screenplay for the upcoming movie The Interview. In the dump, the GOP continued to harp on their Christmas Day threat while including an invite to the public for special “requests”. The dump included another little surprise too – a threat to anyone who attends The Interview movie.

Here’s the complete text of the message that appeared on Pastebin on 12/16/2014:

by GOP

Notice

We have already promised a Christmas gift to you.

This is the beginning of the gift.

Please send an email titled by “Merry Christmas” at the addresses below to tell us what you want in our Christmas gift.

emma.brooks-0oc6m7bl@yopmail.com

marc.parker-1ojn2dp2@yopmail.com

axel.turner-4oqbyjui@yopmail.com

rose.martin-boz2uaul@yopmail.com

rose.martin-0o7jacx4@yopmail.com

Warning

We will clearly show it to you at the very time and places “The Interview” be shown, including the premiere, how bitter fate those who seek fun in terror should be doomed to.  Soon all the world will see what an awful movie Sony Pictures Entertainment has made. The world will be full of fear. Remember the 11th of September 2001. We recommend you to keep yourself distant from the places at that time. (If your house is nearby, you’d better leave.) Whatever comes in the coming days is called by the greed of Sony Pictures Entertainment. All the world will denounce the SONY.

Christmas gift: Michael Lynton

Password: diespe123


As you can see, the message contained links to a torrent holding two Outlook data files (.ost files) purported to be the offline Outlook database for Sony CEO Michael Lynton. The files were distributed in a password-protected .rar archive (the password was included in the message above) and appear to be legitimate Outlook data files containing real email and calendar data.

Shortly after the Lynton files appeared online, another dump followed containing the purported screenplay to The Interview. Here’s a snippet of the screenplay script.

Snippet of purported screenplay for The Interview

The script runs 168 pages (22,633 words) and appears to be an actual screenplay for the movie.

I have reached out to the posters of the pastebin dump using the disposable YOPMail email addresses provided in the message.  I will certainly update this post if I receive a valid response from them.

In all honesty, I had not planned on seeing The Interview. But after all the publicity (including the newly leaked screenplay script), I think I will be there on opening night!

Update: 12/16/2014 8:30 PM

Within a couple of hours of posting this article, my server was hit with a massive attack from IP address (182.252.0.132) out of Korea which quickly shot to the top of my IDS report (see screenshot below).  Site was knocked briefly offline by the attack.

Screenshot of IDS listing Korea as the top hacker


Here’s a snippet from the logs. Surprisingly, it looks like a script kiddie attack.

Dec 16 19:01:15 T73937720 sshd[19352]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.252.0.132 user=root
Dec 16 19:01:18 T73937720 sshd[19352]: Failed password for root from 182.252.0.132 port 23850 ssh2
Dec 16 19:01:18 T73937720 sshd[19400]: Received disconnect from 182.252.0.132: 11: Bye Bye
Dec 16 19:01:19 T73937720 sshd[20208]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.252.0.132 user=root
Dec 16 19:01:21 T73937720 sshd[20208]: Failed password for root from 182.252.0.132 port 25591 ssh2
Dec 16 19:01:21 T73937720 sshd[20258]: Received disconnect from 182.252.0.132: 11: Bye Bye
Dec 16 19:01:22 T73937720 sshd[20933]: Invalid user testuser from 182.252.0.132
Dec 16 19:01:22 T73937720 sshd[20933]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.252.0.132
Dec 16 19:01:24 T73937720 sshd[20933]: Failed password for invalid user testuser from 182.252.0.132 port 27019 ssh2
Dec 16 19:01:25 T73937720 sshd[20951]: Received disconnect from 182.252.0.132: 11: Bye Bye
Dec 16 19:01:26 T73937720 sshd[21746]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.252.0.132 user=root
Dec 16 19:01:28 T73937720 sshd[21746]: Failed password for root from 182.252.0.132 port 28582 ssh2
Dec 16 19:01:28 T73937720 sshd[21788]: Received disconnect from 182.252.0.132: 11: Bye Bye
Dec 16 19:01:30 T73937720 sshd[22667]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.252.0.132 user=root
Dec 16 19:01:32 T73937720 sshd[22667]: Failed password for root from 182.252.0.132 port 30316 ssh2
Dec 16 19:01:33 T73937720 sshd[22724]: Received disconnect from 182.252.0.132: 11: Bye Bye
Dec 16 19:01:34 T73937720 sshd[23531]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.252.0.132 user=root
Dec 16 19:01:36 T73937720 sshd[23531]: Failed password for root from 182.252.0.132 port 32086 ssh2
Dec 16 19:01:36 T73937720 sshd[23556]: Received disconnect from 182.252.0.132: 11: Bye Bye

[SNIP]

[Tue Dec 16 20:49:27 2014] [error] [client 182.252.177.178] File does not exist: /var/www/html/category
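Detection logic for the pattern in the log snippet above, as an added example that is not part of the original post: it parses sshd "Failed password" lines (both the valid-account and "invalid user" shapes) and flags any source address that racks up a threshold of failures inside a sliding time window, which is the same signal an IDS report like the one shown would key on. The sample log lines, hostname and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the sshd format shown in the post (not the post's own log).
SAMPLE_LOG = """\
Dec 16 19:01:15 host sshd[19352]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root
Dec 16 19:01:18 host sshd[19352]: Failed password for root from 203.0.113.7 port 23850 ssh2
Dec 16 19:01:21 host sshd[20208]: Failed password for root from 203.0.113.7 port 25591 ssh2
Dec 16 19:01:24 host sshd[20933]: Failed password for invalid user testuser from 203.0.113.7 port 27019 ssh2
Dec 16 19:01:28 host sshd[21746]: Failed password for root from 203.0.113.7 port 28582 ssh2
Dec 16 19:01:32 host sshd[22667]: Failed password for root from 203.0.113.7 port 30316 ssh2
Dec 16 19:05:00 host sshd[30001]: Failed password for alice from 198.51.100.9 port 40001 ssh2
"""

# Matches both 'Failed password' shapes in the snippet: a valid account
# ("for root from ...") and an unknown one ("for invalid user testuser from ...").
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def parse_failed_logins(lines, year=2014):
    """Yield (timestamp, source_ip, username) for each 'Failed password' line."""
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if not m:
            continue  # pam_unix, 'Invalid user' and disconnect lines add nothing here
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]

def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: {"attempts": n, "users": [...]}} for sources with
    >= threshold failures inside any window_seconds-wide sliding window."""
    events = defaultdict(list)  # ip -> [(timestamp, username), ...]
    for ts, ip, user in parse_failed_logins(lines):
        events[ip].append((ts, user))
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans <= window_seconds
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = {"attempts": len(evs), "users": sorted({u for _, u in evs})}
                break
    return hits
```

Running `detect_bruteforce(SAMPLE_LOG.splitlines())` flags only 203.0.113.7 (five failures in 14 seconds against root and testuser); the single failure from 198.51.100.9 stays below the threshold.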

Update: 12/16/2014 10:05 PM

After blocking the single attack from Korea, the traffic switched over to a three-way attack from Hong Kong and China.  Hopefully they’ll run across the honeypot overnight and we’ll have more info from the logs tomorrow.

Update: 12/17/2014 11:15 AM

IPS stopped the attacks.  I bounced probes through Hong Kong – looks like the Korean machine that hit me yesterday could be a rogue box – seeing evidence that it’s been exploited already.

Update: 12/17/2014 4:15 PM

Definitely used an infected box to bounce their traffic.  Windows OS behind a Cisco WAP, traffic is filtered, sharing files off the box too (gnutella – how interesting…).

Update: 12/18/2014 8:22 AM

Attacks from China IPs persist. Server IPS blocking on my end is effective thus far with keeping it in check. Some ports on the Korean box went offline yesterday (admittedly, I was a bit noisy in my probes). Other services are behind a firewall and attempts at port redirection have not been successful.

Interestingly, I believe there was an uptick in malicious email after the “probe” sent to GOP YOPMail addresses in their original message.  Normally malicious content is filtered on the server but this got through to the client.  I’ve pulled it offline and am setting up an environment to examine it in more detail.

Update: 12/18/2014 9:45 AM

Cannot verify that the malicious email is related to the attack but the attack itself looks to be new.  They attempted both malware in a Word .doc and bait and click in the email.  Command and Control nodes look to be all over the place – Russia, China, Hong Kong – and of course, are all on exploited servers.  I did find this one interesting however: http://1vteck.vpn.by/.  Still, despite how the media has played this up – call me unimpressed.

Update: 12/18/2014 10:00 PM

Box behind the IP address changed.  Bad guys won this round.
