CyberWisdom Safe Harbor Commentary on Olympic Destroyer
IOC spokesman Mark Adams said: “Maintaining safe operations is our goal,” he told Reuters. “We will not comment on this issue, which is one issue we are dealing with and we make sure our systems are safe and secure.”
In a blog post, researchers at Cisco Talos said they had identified, with “moderate confidence,” the malware used in the attack, and named it Olympic Destroyer.
The researchers wrote: “As we continue our investigation, the vector of infection is not known at this moment. However, the identified samples do not come from rivals seeking information about the Games, but rather aim to undermine the Games. The samples analyzed seem to perform only destructive functions. There seems to be no data leakage.”
Its goal is to make the machine unusable by “removing shadow copies, event logs, and trying to move around in the Windows environment with PsExec and WMI,” similar to the Bad Rabbit and Nyetya ransomware.
First, Olympic Destroyer drops a binary file containing multiple embedded files onto the victim machine. Talos said the malicious files were obfuscated and given randomly generated names. It is unclear how the binaries are delivered, but the researchers add that there may be many ways.
The binary contains two credential-stealing modules. The first steals credentials stored in the Internet Explorer, Firefox and Chrome browsers. The second, according to Talos, steals credentials from the Local Security Authority Subsystem Service (LSASS) using a technique similar to the one used by the open-source penetration testing tool Mimikatz.
Once the malware is running on a host, it uses the vssadmin.exe command to delete all shadow copies on the system. It also uses wbadmin.exe to delete the backup catalog. Talos states: “Performing this step ensures file recovery is not trivial – WBAdmin can be used to recover individual files, folders, and entire drives, so it would be a very handy tool for a system administrator to help recover.”
Third, the malware uses a command called BCDEdit, which is used to set and adjust the boot configuration on a Windows machine. This “ensures that the Windows Recovery Console does not attempt to repair anything on the host,” Talos said.
“Clearing all the available recovery methods shows that the attacker did not intend to make the machine available,” Talos added. “The sole purpose of this malware is to destroy the host computer and take the computer system offline.”
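The three recovery-inhibition steps above (vssadmin, wbadmin, BCDEdit) are the kind of sequence a defender can flag in process-creation telemetry. The following is an added example, not code from Talos or the original post; it assumes a constructed one-line-per-process log format and constructed sample events:

```python
"""Flag the recovery-inhibition chain (shadow copies, backup catalog, boot
recovery settings) in process-creation logs, grouped by host and parent pid."""
import re
from collections import defaultdict

# One regex per step described by Talos, applied to the lower-cased command line.
# The bcdedit flags checked are the standard Windows switches that turn off
# automatic recovery; the page itself only says "recovery console" (assumption).
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("backup_catalog_deletion", re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b")),
    ("recovery_disabled", re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b")),
]

# Assumed (constructed) log format: "<timestamp> host=<name> pid=<n> ppid=<n> cmd=<command line>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) cmd=(?P<cmd>.*)$")


def classify(cmd):
    """Return the labels of every rule the command line matches (benign admin use matches none)."""
    low = cmd.lower()
    return [label for label, rx in RULES if rx.search(low)]


def scan(lines):
    """Collect matched labels per (host, parent pid); unparseable lines are skipped."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        for label in classify(m["cmd"]):
            hits[(m["host"], m["ppid"])].add(label)
    return {key: sorted(labels) for key, labels in hits.items()}


def wiper_alerts(lines):
    """Keys where all three steps ran under one parent: the full Olympic Destroyer pattern."""
    return [key for key, labels in scan(lines).items() if len(labels) == len(RULES)]


SAMPLE_LOG = [  # constructed process-creation events, not real telemetry
    "2018-02-09T20:01:10Z host=WS01 pid=4133 ppid=4120 cmd=vssadmin.exe delete shadows /all /quiet",
    "2018-02-09T20:01:11Z host=WS01 pid=4134 ppid=4120 cmd=wbadmin.exe delete catalog -quiet",
    "2018-02-09T20:01:12Z host=WS01 pid=4135 ppid=4120 cmd=bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
    "2018-02-09T20:01:12Z host=WS01 pid=4136 ppid=4120 cmd=bcdedit.exe /set {default} recoveryenabled no",
    "2018-02-09T20:05:00Z host=SRV02 pid=812 ppid=700 cmd=vssadmin.exe list shadows",
    "2018-02-09T20:06:00Z host=SRV02 pid=813 ppid=700 cmd=wbadmin.exe start backup -backupTarget:E: -include:C:",
]

if __name__ == "__main__":
    print(wiper_alerts(SAMPLE_LOG))  # → [('WS01', '4120')]
```

A single `vssadmin delete shadows` is also worth alerting on alone; requiring all three steps under one parent is what separates this wiper chain from routine administration such as the SRV02 backup job above.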
Cyber attack by Olympic Destroyer
The cyber attack took the official Winter Olympics website offline for about 12 hours on February 9, leaving attendees unable to print tickets. It also disrupted television coverage of the Games.
The Games took place in Pyeongchang, South Korea, about 50 miles from the North Korean border. North Korea is participating in the Olympics, which South Korean officials hope will help thaw relations between the two countries, so speculation about the identity of the attackers did not focus on North Korea.
In January, researchers from several companies reported that the Fancy Bear hacker group associated with Russia had sent emails carrying malicious Word documents to South Korean organizations and to Olympic-related organizations.
The Russian Foreign Ministry issued a statement defiantly accusing the state of “a false investigation” into cyber attacks on the Games, saying “there is no evidence to show the world.” Talos’s investigation did not state the origin of the attack.
The malware’s sole purpose was to take down systems, not steal data, Cisco Talos researchers say.
thumbnail courtesy of threatpost.com.
If you would like to receive more of these curated Safe Harbor news alerts, subscribe to my mailing list, and come back soon to https://www.safeharboroncyber.com/Blog/ to read further CyberWisdom Safe Harbor Commentaries.