The Olympic Destroyer malware that interfered with the opening ceremony of the 2018 Winter Olympics is more complicated...
than originally believed.
The malware, which was first reported by U.K. newspaper The Guardian last Friday, was responsible for failing Wi-Fi and television systems for on-site journalists covering the opening ceremony in Pyeongchang, South Korea. On Sunday, officials from the Olympics confirmed the system failures weren't random or an accident, but instead were the result of a targeted cyberattack.
Following the confirmation, researchers from Cisco Talos published an analysis of the Olympic Destroyer malware and said it was capable of interfering with a Windows computer's data recovery processes and deleting critical Windows services, thus making systems unable to boot.
"The samples identified, however, are not from adversaries looking for information from the games, but instead they are aimed to disrupt the games," the researchers said. "The samples analyzed appear to perform only destructive functionality."
The Cisco Talos research was updated later in the week with newly uncovered details. The first major discovery was the malware also wipes files on network shares. Originally, the researchers believed Olympic Destroyer malware only targeted individual endpoints.
Our post has been update to include the impact on network shares - Shocker - they are effectively wiped: Olympic Destroyer Takes Aim At Winter Olympics with indications of prior compromise - https://t.co/NoD5la9m7r #OlympicDestroyer @SecurityBeard @r00tbsd @TalosSecurity— Craig Williams (@security_craig) February 12, 2018
The next new discovery was Olympic Destroyer malware mutates on each system. The malware uses a self-patching feature to change itself after moving from one host system to another. The original research said Olympic Destroyer dropped a credential stealer for browser and system passwords on each targeted system, and then used a list of stolen credentials to move laterally through the network. The updated findings said this is wrong.
I updated our #OlympicDestroyer post. The malware has the capability to generate new binaries with the stolen credentials (by patching the PE). The list in the screenshot comes from previous executions and was not created by the devevelopers themself https://t.co/VwkNNSI06Q— Paul Rascagnères (@r00tbsd) February 13, 2018
The final update about the Olympic Destroyer malware is it spread using the EternalRomance exploit, which is a National Security Agency (NSA) exploit leaked by the Shadow Brokers in 2017. EternalRomance was also used to spread NotPetya and Bad Rabbit ransomware last year, along with another NSA exploit known as EternalBlue.
Update: While several security vendors, including Microsoft, initially reported a link between Olympic Destroyer and EternalRomance, those reports were amended as later analysis showed no presence of the NSA exploit in the malware.
"Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony," the Cisco Talos researchers wrote.
The 2018 Winter Olympics have already been the target of other cyberattacks because of the controversial decision to ban some Russian athletes from the games. The Russian hacking group known as Fancy Bears claimed responsibility for attacks on the International Olympic Committee, the U.S. Olympic Committee and other groups because of the doping scandal that caused Russian athletes to be banned for the current games.
In other news:
- The PCI Security Standards Council (PCI SSC) and the financial services standards organization the Accredited Standards Committee X9 decided to merge their separate standards for personal identification numbers. Currently, the organizations have two separate standards, which enterprises that deal with PINs have to meet -- the PCI PIN Security Standard and the X9 TR39 PIN Standard. Going forward, there will only be one standard that combines the two, though PCI SSC will take the lead. It's not yet clear when the standard will go into effect, but it is designed to make PIN security easier for financial organizations.
- Anonymous developers have a created a search engine for vulnerable Amazon Simple Storage Service (S3) buckets. The tool is called BuckHacker and lets anyone search for information that has been leaked to the public internet due to misconfigured S3 buckets. In the past year, numerous major companies, government organizations and contractors have accidentally exposed their data to the public, including U.S. government contractor Booz Allen Hamilton Inc., Dow Jones & Co., the Republican National Committee, the Department of Defense and Verizon. The information exposed varies from company data to customer data. The exposures were not Amazon's fault; organizations set up their S3 buckets incorrectly or misconfigured the settings. BuckHacker now gives people the ability to search by bucket name or file name to see if data has been exposed.
- Microsoft has been working on a way to use blockchain technology to manage identities. Alex Simons, director of program management for Microsoft's Identity Division, wrote a blog post announcing the initiative this week. "Over the last 12 months we've invested in incubating a set of ideas for using Blockchain (and other distributed ledger technologies) to create new types of digital identities, identities designed from the ground up to enhance personal privacy, security and control," Simons wrote. He refers to the project as Decentralized Digital Identities. "We believe it is essential for individuals to own and control all elements of their digital identity," Ankur Patel, principal program manager for the Microsoft Identity Division, wrote in the same blog post. "Rather than grant broad consent to countless apps and services, and have their identity data spread across numerous providers, individuals need a secure encrypted digital hub where they can store their identity data and easily control access to it." Microsoft will experiment with Decentralized Digital Identities in the Microsoft Authenticator app before rolling out the technology on a wide scale.