What Is It?
Following the opening ceremony of the PyeongChang Winter Olympics there were reports of a cyberattack targeting systems associated with the games, including the official website. A spokesperson for PyeongChang 2018 later confirmed this, stating that along with the International Olympic Committee, they had decided not to name the source, though there two obvious candidates.
Researchers at Cisco TALOS believe with “moderate confidence” that they have identified and analyzed the malware samples responsible for this attack. The malware is destructive in nature and includes components to steal credentials to allow it to spread laterally through a network. TALOS found similarities in the lateral movement and destructive parts of the code with BadRabbit and NotPetya malware.
Though the initial infection vector is currently unknown, the first piece of malware drops several other malicious files and handles propagation. Other components include a browser credential stealer, a system credential stealer (similar to Mimikatz) and a destructive component.
The destructive component deletes the shadow copies and the WBAdmin backups, clears the system and security event logs, disables all the services on the system and overwrites all writable files on all shared drives attached to the infected system.
How Does It Propagate?
The initial infection vector in this attack is currently not publically known.
The malware uses the legitimate PSExec utility and Windows Management Instrumentation (WMI) to move laterally. This is the same mechanism employed by both BadRabbit and NotPetya malware.
The malware also includes 44 sets of hard coded credentials for systems within the Pyeongchang2018.com domain, these are also used for lateral movement. The passwords, though redacted in the TALOS article, are very poor and would have been easily guessed or brute-forced, presumably during prior reconnaissance by the attackers.
When/How Did BluVector Detect It?
BluVector’s patented Machine Learning Engine (MLE) detects the malware utilized by this attack. Regression testing on samples has shown the malware would have been detected by BluVector 14 months prior to its release.