Destructive Malware Used to Attack Winter Olympics Infrastructure

The Olympic Winter Games in Pyeongchang, South Korea, started off with a cyberattack that disrupted the games’ official website and caused technical problems in the press center at the Olympic Stadium shortly before the opening ceremony Feb. 9.

Winter Olympics officials confirmed that the games were hit by a cyberattack, but didn’t provide any other details or confirmation that Russian hackers might have been responsible, the Guardian reported.

Researchers from Cisco Systems’ Talos group have identified malware samples that they believe “with moderate confidence” were used in the attack. The malicious payload only has destructive functionality, which suggests the attackers did not intend to exfiltrate data.

However, there is evidence the hackers had prior knowledge of the games’ computer infrastructure. The malware, dubbed Olympic Destroyer, contains internal server names and 44 Windows domain accounts.

Another interesting aspect is that the attack relies heavily on Windows utilities, including cmd.exe, VBScript, Windows Management Instrumentation (WMI) and PsExec. The use of legitimate system tools is a growing trend in targeted attacks that makes detection more difficult for defenders.

The destruction routine uses vssadmin.exe and wbadmin.exe to delete shadow copies and other backups to prevent system recovery attempts. The malware also wipes data from mapped network shares, disables the Windows recovery console and deletes system log files. Finally, it disables all services on infected systems and shuts them down.
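The recovery-inhibition sequence described above leaves a distinctive trail in process-creation telemetry, and that is where defenders can catch it before the shutdown completes. The following Python detector is an added example, not code from the Talos report or from the malware; it runs a few pattern rules over constructed process-creation events (the hostnames, timestamps and command lines are invented for the demonstration, and the bcdedit and wevtutil rules are assumptions about how recovery and event logs are typically disabled, since the page names only vssadmin.exe and wbadmin.exe) and then correlates hits per host so that several distinct recovery-destroying techniques within a short window are flagged as a wiper pattern rather than as isolated administrative commands.

```python
"""Flag shadow-copy/backup destruction and log clearing in process-creation events.

Added example (not from the Olympic Destroyer report). Events are constructed
to resemble a Sysmon/EDR process-creation feed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each rule is (name, regex applied to the lower-cased command line).
# The vssadmin/wbadmin rules follow the tools named in the report; the
# bcdedit/wevtutil rules are assumptions about common recovery/log tampering.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b")),
    ("backup_catalog_deletion",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|backup|systemstatebackup)\b")),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b")),
    ("eventlog_cleared",
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b")),
]

# Two or more distinct rules on one host inside this window = wiper pattern.
WINDOW = timedelta(minutes=10)

# Constructed sample feed: one legitimate backup job, one harmless query,
# one host showing the full destruction sequence, one host with a single hit.
SAMPLE_EVENTS = [
    {"time": "2018-02-09T19:55:10", "host": "backup-srv-01", "user": "svc_backup",
     "command_line": "wbadmin.exe start backup -backupTarget:E: -include:C: -quiet"},
    {"time": "2018-02-09T19:58:42", "host": "helpdesk-03", "user": "ops",
     "command_line": "vssadmin.exe list shadows"},
    {"time": "2018-02-09T20:01:05", "host": "media-pc-07", "user": "SYSTEM",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2018-02-09T20:01:06", "host": "media-pc-07", "user": "SYSTEM",
     "command_line": "wbadmin.exe delete catalog -quiet"},
    {"time": "2018-02-09T20:01:09", "host": "media-pc-07", "user": "SYSTEM",
     "command_line": "bcdedit.exe /set {default} recoveryenabled no"},
    {"time": "2018-02-09T20:01:12", "host": "media-pc-07", "user": "SYSTEM",
     "command_line": "wevtutil.exe cl System"},
    {"time": "2018-02-09T20:03:30", "host": "kiosk-12", "user": "kiosk",
     "command_line": "C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet"},
]


def match_rules(command_line):
    """Return the names of all rules whose pattern matches this command line."""
    lowered = command_line.lower()
    return [name for name, rx in RULES if rx.search(lowered)]


def scan(events):
    """Return (alerts, bursts).

    alerts: list of (host, rule_name, command_line) for every single hit.
    bursts: {host: sorted rule names} for hosts where two or more distinct
            recovery-inhibition techniques occurred within WINDOW.
    """
    alerts = []
    per_host = defaultdict(list)
    for ev in events:
        for name in match_rules(ev["command_line"]):
            stamp = datetime.fromisoformat(ev["time"])
            alerts.append((ev["host"], name, ev["command_line"]))
            per_host[ev["host"]].append((stamp, name))

    bursts = {}
    for host, hits in per_host.items():
        hits.sort()
        for start, _ in hits:
            names = {n for t, n in hits if start <= t <= start + WINDOW}
            if len(names) >= 2:
                bursts[host] = sorted(names)
                break
    return alerts, bursts


if __name__ == "__main__":
    found, wipers = scan(SAMPLE_EVENTS)
    for host, rule, cmd in found:
        print(f"ALERT {host:14s} {rule:24s} {cmd}")
    for host, rules in wipers.items():
        print(f"WIPER PATTERN on {host}: {', '.join(rules)}")
```

The single-hit alerts are noisy on their own, since backup administrators do run vssadmin and wbadmin; the per-host burst logic is what separates a cleanup job from a host that is being rendered unbootable, and it fires before the service shutdown step, which is the last point at which an isolation action is still useful.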

“Wiping all available methods of recovery shows this attacker had no intention of leaving the machine usable,” the Talos researchers said in their report. “The sole purpose of this malware is to perform destruction of the host and leave the computer system offline.”

There has been speculation that the attack was in retaliation for Russian athletes being banned from these Olympics due to state-sponsored doping at Sochi in 2014. However, the Talos researchers didn’t provide any attribution information for the malware.

“Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after the embarrassment of the Olympic committee during the opening ceremony,” the researchers said.

Government Sites Mine Cryptocurrency Through Visitors’ Browsers

A number of government-run websites, primarily from the UK, recently served malicious code to visitors that hijacked their browsers to mine Monero cryptocurrency. The attack was not the result of a vulnerability shared by the websites, but the compromise of a third-party service the sites used to provide screen reader support.

While this is not the first time cryptocurrency-mining code has been injected into websites—the technique is called cryptojacking—the incident highlights the dangers of supply chain attacks through trusted third-party service providers.

Security researcher Scott Helme was first to observe that the rogue code had been added to BrowseAloud, an accessibility tool made by a company called Texthelp that adds speech, reading and translation to websites. BrowseAloud is integrated into sites as a JavaScript file loaded from Texthelp’s servers.

By compromising and modifying BrowseAloud, the attackers managed to inject CoinHive cryptojacking code into a large number of websites, including those of the UK Information Commissioner’s Office (ICO), the UK National Health Service (NHS) and several UK local councils. Websites from Ireland and the United States were also affected.

Researchers from Lastline noticed that the BrowseAloud script was hosted in an Amazon S3 bucket, so they speculate that hackers might have been able to modify it due to weak S3 permissions. This has not been confirmed by Texthelp and cannot be demonstrated externally.

“There is an easy way to protect yourself against Javascript supply chain attacks using a security feature called Subresource Integrity, or SRI,” researchers from web security firm Defiant said in a blog post. “If you are including javascript code from an external source using the <SCRIPT> tag, simply include an ‘integrity’ attribute which will cause browsers to not load the script if it is modified from the original version.”
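The SRI mechanism Defiant describes is simple to apply at build time and to reason about. The Python below is an added example, not code from Defiant, Texthelp or the page: it computes the `integrity` value for a script file exactly as the SRI specification defines it (base64 of the raw SHA-384 digest, prefixed with the algorithm name), emits the corresponding `<script>` tag, and then reproduces the browser-side check so you can see a tampered copy of the script being refused. The script body and the "injected" bytes are constructed stand-ins, not the real BrowseAloud file or the real miner loader. Two points a practitioner needs are handled: the attribute may list several hashes, and the browser uses only the strongest algorithm present, so a weaker correct hash does not rescue a stronger wrong one; and a cross-origin script needs `crossorigin="anonymous"` or the browser cannot verify it at all.

```python
"""Subresource Integrity: generate and verify `integrity` values.

Added example; ORIGINAL_SCRIPT and TAMPERED_SCRIPT are constructed stand-ins
for a vendor script and a modified copy of it.
"""
import base64
import hashlib
import hmac

# SRI algorithms, ordered by strength as browsers rank them.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

# Constructed stand-in for a third-party accessibility script.
ORIGINAL_SCRIPT = (
    b'window.ExampleReader = window.ExampleReader || {};\n'
    b'window.ExampleReader.init = function () { /* speech controls */ };\n'
)
# Constructed stand-in for the same file after a supply-chain modification.
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b'\n/* injected content (constructed) */\nconsole.log("tampered");\n'


def integrity_value(content: bytes, algo: str = "sha384") -> str:
    """Return the SRI token for `content`, e.g. 'sha384-<base64 digest>'."""
    if algo not in STRENGTH:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes, algo: str = "sha384") -> str:
    """Emit the tag a site would embed; crossorigin is required for cross-origin SRI."""
    return (f'<script src="{src}" integrity="{integrity_value(content, algo)}" '
            f'crossorigin="anonymous"></script>')


def sri_allows(integrity: str, fetched: bytes) -> bool:
    """Mimic the browser decision for a fetched resource.

    Parse the space-separated tokens, ignore unknown algorithms, keep only the
    strongest algorithm present, and accept if any of its digests matches.
    With no usable metadata the browser loads the resource unchecked.
    """
    parsed = {}
    for token in integrity.split():
        algo, sep, b64 = token.partition("-")
        algo = algo.lower()
        if not sep or algo not in STRENGTH:
            continue  # unknown algorithms are skipped, per the SRI spec
        b64 = b64.split("?", 1)[0]  # strip optional "?option" suffix
        parsed.setdefault(algo, []).append(b64)
    if not parsed:
        return True
    best = max(parsed, key=STRENGTH.get)
    actual = base64.b64encode(hashlib.new(best, fetched).digest()).decode("ascii")
    return any(hmac.compare_digest(actual, expected) for expected in parsed[best])


if __name__ == "__main__":
    tag = script_tag("https://cdn.example.invalid/reader.js", ORIGINAL_SCRIPT)
    pinned = integrity_value(ORIGINAL_SCRIPT)
    print(tag)
    print("original allowed:", sri_allows(pinned, ORIGINAL_SCRIPT))
    print("tampered allowed:", sri_allows(pinned, TAMPERED_SCRIPT))
```

Two caveats follow from the code. The pinned hash covers only the bytes of the tagged file, so if that file itself loads further scripts at runtime, those are outside the check; and every legitimate vendor update changes the digest, so the integrity value has to be regenerated as part of the site's deployment rather than pasted once and forgotten.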

Chrome Will Soon Flag HTTP Websites as ‘Not Secure’

Chrome 68, which is due for release in July, will start branding all websites that don’t encrypt traffic as “Not Secure.” The indicator will be displayed in the address bar before the URL.

The move is part of Google’s larger push to increase the adoption of HTTPS across the web. The company already gives HTTPS websites a slight boost in search engine rankings and last year flagged plain HTTP pages with login and credit card forms as insecure.

According to statistics, the majority of web traffic in Chrome and Firefox browsers is currently encrypted, but that’s because most of the world’s web traffic goes to a few large HTTPS-enabled websites and services. There’s still a very large number of websites on the internet that don’t use HTTPS, but thanks to non-profit efforts such as Let’s Encrypt, website owners can now obtain and deploy TLS certificates for free.


Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
