New Twists In ‘Olympic Destroyer’ Malware – Found Credential Theft and Erase Files

Your Feed is from https://www.safeharboroncyber.com/Blog/
CyberWisdom Safe Harbor Commentary on more Olympic Destroyer
This story from threatpost.com talks about how researchers found new wrinkles in the “Olympic Destroyer” malware attack on the PyeongChang Winter Olympics in South Korea.
Cisco Talos researchers now believe the Olympic Destroyer malware will also erase files on shared network drives. Initially, researchers thought malware was only for a single endpoint. Researchers now also believe malware voucher components are more dynamic than originally thought.
The Olympic destroyers were deployed at the Olympic Games opening ceremony on February 9 and were accused of disrupting the television coverage of the event and canceling the official website of the Winter Olympics. The result of the attack was so profound that conference attendees were unable to print the bill and destroyed the WiFi network used by journalists covering the opening ceremony.
Researchers at Cisco Talos said the only purpose of the attack was to cancel the system rather than steal information.
Cisco Talos first wrote that the Olympic Destroyer’s goal was to make the system unusable by “deleting shadow copies, event logs, and attempting to use PsExec & WMI to move further around the environment,” similar to the Bad Rabbit and Nyeyta ransomware.
Olympic Destroyer includes a binary file whose target machine has a pair of “steal modules.” One to crawl any user credentials embedded in Internet Explorer, Firefox and Chrome, the other from the Windows Local Security Licensing Subsystem service, and the Windows process to handle security policies. “The malware parses the registry and it queries sqlite files to retrieve stored credentials,” Talos said.
Craig Williams
@security_craig
Our posts have been updated to include effects on network sharing – Shocker – They are effectively eliminated: Olympic Destroyer aiming at the Winter Olympics, and there are signs of compromise before – http://blog.talosintelligence.com/2018/02 / olympic-destroyer .html … #OlympicDestroyer @SecurityBeard @ r00tbsd @TalosSecurity
Tarox researcher Craig Williams pointed out in his tweet that an analysis of the attacks shows the “previous compromise” of the targeted Olympic system. “Our posts have been updated to include the impact on the share of the network – Shocker – they were effectively eliminated: the Olympic Destroyers aimed at the Winter Olympics and pointed to previous compromises,” he wrote.
Talos’s updated blog says, “Malware authors know many technical details of the Olympic Games infrastructure, such as usernames, domain names, server names, and obvious passwords.”
When researchers scrutinized the Olympic destroyer binaries associated with the attack, they found that every new certificate of infection was added to the code.
“The new version of the binary is generated from the newly discovered certificate,” Talos wrote in an update first mentioned by Bleeping Computer. “This new binary, which will be used for the new infection system by transmission, explains why we found several samples with different sets of certificates collected from previously infected systems.”
However, the delivery of malware is still unknown, Talos added: “If an attacker has access to the environment, the attack may have been remotely performed, allowing actors to pinpoint the timing of the opening ceremony and have them control their impact time ”
The report said: “Vandalism is the clear goal of such attacks and gives us the confidence that the actors behind them will embarrass the Olympic Committee during the opening ceremony.”
Read More…
Researchers now believe attackers may have had prior access to networks and that malware was more sophisticated than originally believed. Engaging post, Read More…
thumbnail courtesy of threatpost.com

(adsbygoogle = window.adsbygoogle || []).push({});

If you like to receive more of these curated safe harbor news alerts then subscribe to my mailing list. and come back soon at https://www.safeharboroncyber.com/Blog/ to read further CyberWisdom Safe Harbor Commentaries. Home » Curated SafeHarboronCyber’s CyberWisdom Post
The post New Twists In ‘Olympic Destroyer’ Malware – Found Credential Theft and Erase Files appeared first on Safe Harbor on Cyber.