The Olympics are over, and watching this year’s performance was far from disappointing, all the athletes were incredible, and the ceremonies looked stellar. The events all kicked off at the beginning of February starting with the opening ceremonies, but with a hitch, a large system outage.
Before the opening ceremonies, most all the computer systems went down and were unrecoverable, wireless internet access was disrupted, and attendees were unable to print tickets to attend the opening ceremonies. The Olympics were being hit with a large malware attack named the ‘Olympic Destroyer’.
The Olympic Destroyer was a worm targeting Olympic Windows systems; single endpoints being used by the Olympics (the method of delivery to the network is still unknown). According to Cisco Talos researchers, the malware leveraged legitimate software, such as PsExec, WMI, and WQL to exfiltrate browser data and user accounts for authenticated lateral movement of the worm on the network. The exfiltrated data only included user accounts that the malware could find in system memory. No personal information was compromised as this attack was only intended to be a disruption of service attack.
As a worm, it could self-replicate itself over several systems on the network. It gathered internal network information, such as other active hosts on the network, and then exploited the services running. After the information was gathered, the worm proceeded to steal credentials, and finally destroy the usability of the system.
The process for the worm worked as follows:
- The initial stage
- The worm performs network discovery for other systems on the network
- Checks the Windows ARP table
- WMI for getting requested systems within the current environment/directory
- The worm performs network discovery for other systems on the network
- Credential-stealing
- The worm uses credentials stealers to make authenticated lateral movements on the network; the stolen credentials are dynamically updated to the worm as it propagates to a new system.
- The malware drops a payload to steal credentials from web browsers
- Lastly, the malware attempts to steal credentials from Local Security Authority Subsystem Service (LSASS)
- The worm uses credentials stealers to make authenticated lateral movements on the network; the stolen credentials are dynamically updated to the worm as it propagates to a new system.
- Destructive actions
- The malware starts deleting multiple Windows recovery tools and backup files
- Deletes all backup data and shadow copies on the system
- Deletes all System and Security windows event logs
- Disables Windows recovery console
- Disables all services on the system
- Deletes boot files
- The malware starts deleting multiple Windows recovery tools and backup files
Upon reboot, the system would be impossible to boot into or recover. The Cisco security researchers team wrote a detailed article for the investigation of the Olympic Destroyer and how it operated. It includes a breakdown of how the malware interacted the specific components of the Windows systems.
How you can protect yourself:
WatchGuard APT: APT Blocker is a subscription service that uses full-system sandbox analysis by Lastline to identify the characteristics and behavior of APT malware in files and email attachments that enter your network.
WatchGuard TDR: Threat Detection and Response is a cloud-based subscription service that integrates with your Firebox to minimize the consequences of data breaches and penetrations through early detection and automated remediation of security threats. TDR collects and analyzes forensic data from the Firebox, and from endpoints on your network, to proactively detect and respond to security threats.
WatchGuard IPS: Intrusion Prevention Service provides real-time protection from threats, including spyware, SQL injections, cross-site scripting, and buffer overflows.
WatchGuard Gateway AntiVirus: Gateway AntiVirus operates with the SMTP, IMAP, POP3, HTTP, FTP, Explicit, and TCP-UDP proxies. Nearly all malware have telltale features called signatures that make them identifiable. Gateway AV uses signatures and heuristic analysis from Bitdefender to find viruses when content is scanned by the proxy. Gateway AV uses signatures from Bitdefender to find viruses when content is scanned by the proxy.
– Tanner Harrison