Barkly vs Malware
Jonathan Crowe
Feb 2018

Destructive Malware Hits Winter Olympics


Photo by Kris Krüg

Researchers believe they've identified the malware used in an attack designed to take down Pyeongchang Winter Olympics computer systems during the opening ceremony on Friday.

Pyeongchang Winter Olympics organizers have confirmed that a cyber attack hit Olympic computer systems during the opening ceremony on Friday. While information regarding the attack is limited, officials did reveal that non-critical systems, including internet and television services, were affected. Damage was fortunately contained and recovery completed within roughly 12 hours, but there are indications the attacker was operating with considerable knowledge of the Olympic infrastructure, which remains a significant cause for concern.

Olympics officials are keeping tight-lipped regarding potential sources of the attack, but researchers at Cisco's Talos group say they've been able to identify (with moderate confidence) the malware samples utilized in the attack. Supporting that claim is evidence that indicates the author behind these samples was able to utilize a variety of technical details specific to the Olympic systems, including usernames, domain name, server name, and passwords. 

If they're correct, these particular samples also offer clues as to the attackers' intentions. That's because the malware Talos points to wasn't designed to steal information or extort victims. It appears to be built for one purpose — to destroy as many systems as possible. 

Because its ultimate goal is to render infected systems unusable, Talos has dubbed this malware "Olympic Destroyer."

UPDATE 2/14/18: "Olympic Destroyer" more sophisticated than originally reported 

Talos researchers have conducted additional research and updated their post with two new key pieces of information:

  1. Olympic Destroyer is also a wiper: In addition to trying to brick systems, the malware also attempts to wipe files on mapped network shares. 
  2. As Olympic Destroyer spreads it mutates: Each time the infection spreads to a new machine it drops a new copy of the malware that contains hard-coded credentials that it harvested from the previous machines it's infected. Therefore, as the malware propagates through the network, each new copy it creates of itself has a longer and longer list of credentials it can pull from. 

These two new discoveries further illustrate just how damaging this malware was designed to be.

"Olympic Destroyer" malware has similarities to NotPetya and BadRabbit

According to the Talos research team's analysis, this attack appears to have taken pages from previous destructive campaign playbooks — specifically utilizing tactics used in last year's NotPetya and BadRabbit attacks. 

In addition, the Windows Defender Security Intelligence team reports their analysis of the attack suggests it utilizes EternalRomance, one of the two leaked NSA exploits used to help drive the NotPetya and BadRabbit outbreaks.

Talos, however, says they haven't found any evidence to support that. 

How Olympic Destroyer works

[Figure: Olympic Destroyer malware attack diagram]

Phase 1: Land and expand

While it's unclear as to how the malware is being initially delivered, once it lands on a target machine it immediately begins looking around the network for chances to propagate.

It has two techniques for mapping the network:

  1. Checking the Address Resolution Protocol (ARP) table
  2. Using Windows Management Instrumentation (WMI) to request a list of all the systems within the current environment/directory

Once it has the lay of the land, the malware's next goal is to spread throughout the network by abusing a legitimate, signed copy of PsExec and WMI to deploy copies of itself onto remote systems. To do that, however, it needs credentials. To get those, the attack deploys two different credential-stealing payloads, but if all else fails, it also has a hard-coded list of credentials it can try. 

The first credential-stealer is designed to grab credentials from browsers, including Chrome, Firefox, and Internet Explorer.

The second credential-stealer attempts to dump credentials from the Local Security Authority Subsystem Service (LSASS) — a technique popularized by the pentesting tool Mimikatz. 

If the Windows Defender team is correct regarding the attack's use of EternalRomance, that suggests unpatched machines with SMB vulnerabilities present another possible infection vector.


Phase 2: Disable recovery options and shut down

Meanwhile, as the malware is attempting to spread, it's also busy setting the stage for the destructive portion of the program.

Rather than simply taking systems offline, the malware first takes out several tools admins would rely on during recovery. This is designed to make the attack as damaging and as difficult to recover from as possible.

Using cmd.exe, it issues the following commands:

C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet

To delete shadow copies.

C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet

Removing the ability of a sysadmin to use WBAdmin to recover individual files, folders, and entire drives.

C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

To ensure the Windows recovery console doesn't try to repair anything on the system.

C:\Windows\system32\cmd.exe /c wevtutil.exe cl System
C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security

To clear the System and Security Windows event logs, making forensic analysis more difficult.

These steps further emphasize the attacker's intention of leaving infected systems inoperable. With that stage now set, the malware disables all the services on the system, modifies the system configuration to ensure the systems don't get restarted on reboot, and shuts down the machine. 
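Both phases leave traces in ordinary process telemetry, and the four recovery-inhibition commands above are exact enough to match on. What follows is an added example of detection logic, written for this post and not code from the article, from Barkly or from Talos: it scans constructed Sysmon-style process-create (event ID 1) and process-access (event ID 10) records exported as JSON lines, flags the Phase 1 tells (a non-system process opening LSASS, the PsExec service starting on a target, a process spawned remotely through WMI), matches each Phase 2 command, and then correlates hosts where both phases appear. The host names, paths, rule names and LSASS allow-list are assumptions, not data from the incident.

```python
"""Hunt for Olympic Destroyer-style behaviour in Sysmon process telemetry.

Added example for this post; not code from the original article, Barkly or Talos.
Records are constructed to resemble Sysmon event ID 1 (process create) and ID 10
(process access) exported as JSON lines: field names follow Sysmon, values are
invented. Rule names and the LSASS allow-list are assumptions to tune locally.
"""
import json
import re
from pathlib import PureWindowsPath

# Phase 2: one regex per recovery-inhibition command quoted in the post, matched
# against the lower-cased CommandLine so the "cmd.exe /c" wrapper, a full path
# or a missing ".exe" makes no difference.
RECOVERY_RULES = {
    "shadow_copies_deleted": r"vssadmin(?:\.exe)?\s+delete\s+shadows",
    "backup_catalog_deleted": r"wbadmin(?:\.exe)?\s+delete\s+catalog",
    "boot_failures_ignored": r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures",
    "recovery_env_disabled": r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no",
    "event_log_cleared": r"wevtutil(?:\.exe)?\s+cl\s+\S+",
}
PHASE1_RULES = {"lsass_credential_access", "psexec_service_started", "wmi_remote_process_create"}
# Processes that legitimately open LSASS vary per environment; placeholder only.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}

def basename(path):
    """Lower-cased file name of a Windows path ('' if the field is absent)."""
    return PureWindowsPath(path or "").name.lower()

def check_event(ev):
    """Return the rule names a single event trips (empty list if none)."""
    hits = []
    if ev.get("EventID") == 1:  # process creation
        cmd = (ev.get("CommandLine") or "").lower()
        image, parent = basename(ev.get("Image")), basename(ev.get("ParentImage"))
        hits += [name for name, pat in RECOVERY_RULES.items() if re.search(pat, cmd)]
        # PsExec drops and starts PSEXESVC.exe on the *target*; that service
        # running on a host no admin is working on is the lateral-movement tell.
        if image == "psexesvc.exe":
            hits.append("psexec_service_started")
        # A process created remotely via WMI (Win32_Process.Create) shows up as a
        # child of the WMI provider host rather than of explorer.exe or cmd.exe.
        if parent == "wmiprvse.exe" and image in {"cmd.exe", "powershell.exe", "rundll32.exe"}:
            hits.append("wmi_remote_process_create")
    elif ev.get("EventID") == 10:  # process access (Mimikatz-style LSASS read)
        if (basename(ev.get("TargetImage")) == "lsass.exe"
                and basename(ev.get("SourceImage")) not in LSASS_ALLOWLIST):
            hits.append("lsass_credential_access")
    return hits

def scan(jsonl_lines):
    """Parse JSON-lines telemetry; return [(computer, rule), ...] in event order."""
    alerts = []
    for line in jsonl_lines:
        if line.strip():
            ev = json.loads(line)
            alerts += [(ev.get("Computer", "?"), rule) for rule in check_event(ev)]
    return alerts

def hosts_with_both_phases(alerts):
    """Hosts where spreading/credential theft AND recovery inhibition were seen."""
    by_host = {}
    for host, rule in alerts:
        by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, r in by_host.items() if r & PHASE1_RULES and r & set(RECOVERY_RULES))

# Constructed sample telemetry (not real logs). Phase 1 touches WS-01..WS-03, the
# four phase-2 commands run on WS-02, and the last two events are benign noise.
PUB = "C:\\Users\\Public\\"
SYS = "C:\\Windows\\system32\\"
SAMPLE_EVENTS = [
    {"EventID": 10, "Computer": "WS-01", "SourceImage": PUB + "stealer.exe",
     "TargetImage": SYS + "lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "Computer": "WS-02", "Image": "C:\\Windows\\PSEXESVC.exe",
     "CommandLine": "C:\\Windows\\PSEXESVC.exe", "ParentImage": SYS + "services.exe"},
    {"EventID": 1, "Computer": "WS-03", "Image": SYS + "cmd.exe", "ParentImage": SYS + "wbem\\WmiPrvSE.exe",
     "CommandLine": "cmd.exe /c " + PUB + "payload.exe"},
    {"EventID": 1, "Computer": "WS-02", "Image": SYS + "cmd.exe", "ParentImage": PUB + "payload.exe",
     "CommandLine": SYS + "cmd.exe /c c:\\Windows\\system32\\vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "Computer": "WS-02", "Image": SYS + "cmd.exe", "ParentImage": PUB + "payload.exe",
     "CommandLine": SYS + "cmd.exe /c wbadmin.exe delete catalog -quiet"},
    {"EventID": 1, "Computer": "WS-02", "Image": SYS + "cmd.exe", "ParentImage": PUB + "payload.exe",
     "CommandLine": SYS + "cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
                    " & bcdedit /set {default} recoveryenabled no"},
    {"EventID": 1, "Computer": "WS-02", "Image": SYS + "cmd.exe", "ParentImage": PUB + "payload.exe",
     "CommandLine": SYS + "cmd.exe /c wevtutil.exe cl Security"},
    {"EventID": 1, "Computer": "WS-04", "Image": SYS + "vssadmin.exe", "ParentImage": SYS + "cmd.exe",
     "CommandLine": "vssadmin list shadows"},
    {"EventID": 10, "Computer": "WS-04", "SourceImage": SYS + "csrss.exe",
     "TargetImage": SYS + "lsass.exe", "GrantedAccess": "0x1fffff"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for host, rule in scan(SAMPLE_LOG.splitlines()):
        print(f"{host:6} {rule}")
    print("both phases:", hosts_with_both_phases(scan(SAMPLE_LOG.splitlines())))
```

The per-command rules are deliberately loose about paths and the ".exe" suffix, because the post shows the malware wrapping every call in cmd.exe /c; the benign "vssadmin list shadows" event is there to confirm that listing, as opposed to deleting, shadow copies does not fire. On real telemetry the correlation step matters more than any single rule: one cleared log or one LSASS read is noise in many estates, but a host that shows credential access or a WMI/PsExec arrival followed by shadow-copy and boot-recovery removal is the pattern this malware leaves.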

3 key takeaways from the attack 

1) Motive appears to be embarrassment

As the Talos team points out, the fact that the attack coincided with the opening ceremony suggests it was specifically timed to trigger downtime at the most visible and damaging moment — when the entire world was watching.

Whether that goal was driven by political motivations or simply for the lulz remains unknown. Whoever launched the attack appears to have done so in hopes of achieving maximum destructive impact, however. It's extremely fortunate the actual damage it caused was limited.

2) NotPetya is providing attackers with a clear playbook for destructive malware

This attack indicates the success of NotPetya is continuing to influence additional attacks. After all, what set NotPetya apart wasn't just its destructive nature, but its ability to spread throughout entire organizations from one infected device — and that's certainly on display here. 

While much of the coverage around NotPetya (and later, BadRabbit) focused on its use of the leaked NSA exploits EternalBlue and EternalRomance, it also provided a roadmap for abusing otherwise legitimate system tools as another way of achieving lateral movement. That method may not be as quick to generate headlines, but it can be just as dangerous and effective at propagating an infection across an entire network.


3) Organizations need to protect themselves against malicious system behavior in real-time


Destructive malware is a powerful reminder of how important it is to have protections in place to prevent initial compromise and/or block attacks at the very outset — before they can do any damage. Otherwise, indicators of compromise come too late, only after crucial systems and data are shut down and/or wiped.

Barkly provides defense-in-depth against Olympic Destroyer and malware like it by blocking it at the earliest point in the infection chain possible, as well as providing additional protection designed to block additional downstream components if they ever were able to get through. 


Barkly blocks the initial Olympic Destroyer .exe as well as each of the payloads it attempts to deploy.

In addition to using a solution like Barkly, admins can help protect their organizations from the latest attacks by taking the additional steps found in our 2018 Cybersecurity Checklist.

As malware becomes increasingly destructive and widespread, it pays to stay up to speed and invest in proactive prevention. Subscribe to the blog for the latest security alerts and practical tips for doing just that. 

Olympic Destroyer hashes:

  • edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9
  • D934CB8D0EADB93F8A57A9B8853C5DB218D5DB78C16A35F374E413884D915016
  • 3E27B6B287F0B9F7E85BFE18901D961110AE969D58B44AF15B1D75BE749022C2
  • 28858CC6E05225F7D156D1C6A21ED11188777FA0A752CB7B56038D79A88627CC

Browser Stealer hashes:

  • 19ab44a1343db19741b0e0b06bacce55990b6c8f789815daaf3476e0cc30ebea
  • ab5bf79274b6583a00be203256a4eacfa30a37bc889b5493da9456e2d5885c7f 

System Stealer hashes (dumps from LSASS):

  • f188abc33d351c2254d794b525c5a8b79ea78acd3050cd8d27d3ecfc568c2936
  • a7d6dcdf5ca2c426cc6c447cff76834d97bc1fdff2cd14bad0b7c2817408c334

Destroyer hashes:

  • ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85