Tag Archives: South

PyeongChang 2018 Winter Olympics Opening Ceremony Disrupted by Malware Attack

PyeongChang-2018-Winter-Olympics

The Pyeongchang Winter Olympics taking place in South Korea was disrupted over the weekend following a malware attack before and during the opening ceremony on Friday.

The cyber attack coincided with 12 hours of downtime on the official website for the Winter Games, the collapse of Wi-Fi in the Pyeongchang Olympic stadium and the failure of televisions and internet at the main press center, leaving attendees unable to print their tickets for events or get venue information.

The Pyeongchang Winter Olympics organizing committee confirmed Sunday that a cyber attack hit its network helping run the event during the opening ceremony, which was fully restored on 8 am local time on Saturday—that’s full 12 hours after the attack began.

Multiple cybersecurity firms published reports on Monday, suggesting that the cause of the disruption was “destructive” wiper malware that had been spread throughout the Winter Games’ official network using stolen credentials.

Dubbed “Olympic Destroyer” by the researchers at Cisco Talos, the wiper malware majorly focuses on taking down networks and systems and wiping data, rather than stealing information.

The Talos researchers would not comment on attribution, but various security experts have already started attributing the Olympic Destroyer malware to hackers linked to either North Korea, China or Russia.

According to the analysis by Cisco Talos, the attacker had intimate knowledge of the Pyeongchang 2018 network’s systems and knew a “lot of technical details of the Olympic Game infrastructure such as username, domain name, server name, and obviously password.”

“The other factor to consider here is that by using the hard-coded credentials within this malware it’s also possible the Olympic infrastructure was already compromised previously to allow the exfiltration of these credentials,” researchers said.

The Olympic Destroyer malware drops two credential stealers, a browser credential stealer and a system stealer, to obtain required credentials and then spreads to other systems as well using PsExec and Windows Management Instrumentation (WMI), two legitimate Windows administration tools used by network admins to access and carry out actions on other PCs on a network.

The researchers noted that both built-in tools were also abused by the Bad Rabbit ransomware and NotPetya wiper malware last year.

Once installed, the malware then first deletes all possible “shadow” copies of files and Windows backup catalogs, turn off recovery mode and then deletes system logs to cover its tracks and making file recovery difficult.

“Wiping all available methods of recovery shows this attacker had no intention of leaving the machine useable. The sole purpose of this malware is to perform destruction of the host and leave the computer system offline,” reads the Talos blog post.

It’s difficult to accurately attribute this cyber attack to a specific group or nation-state hackers due to sparse of technical evidence to support such a conclusion as well as hackers often employing techniques to obfuscate their operations.

Web Hosting Company Pays $1 Million to Ransomware Hackers to Get Files Back

web-hosting-ransomware

South Korean web hosting provider has agreed to pay $1 million in bitcoins to hackers after a Linux ransomware infected its 153 servers, encrypting 3,400 business websites and their data, hosted on them.

According to a blog post published by NAYANA, the web hosting company, this unfortunate event happened on 10th June when ransomware malware hit its hosting servers and attacker demanded 550 bitcoins (over $1.6 million) to unlock the encrypted files.

However, the company later negotiated with the cyber criminals and agreed to pay 397.6 bitcoins (around $1.01 million) in three installments to get their files decrypted.

The hosting company has already paid two installments at the time of writing and would pay the last installment of ransom after recovering data from two-third of its infected servers.

According to the security firm Trend Micro, the ransomware used in the attack was Erebus that was first spotted in September last year and was seen in February this year with Windows’ User Account Control bypass capabilities.

linux-ransomware

Since the hosting servers were running on Linux kernel 2.6.24.2, researchers believe that Erebus Linux ransomware might have used known vulnerabilities, like DIRTY COW; or a local Linux exploits to take over the root access of the system.

“The version of Apache NAYANA used is run as a user of nobody(uid=99), which indicates that a local exploit may have also been used in the attack,” researchers note.

“Additionally, NAYANA’s website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006.”

Erebus, the ransomware primarily targeting users in South Korea, encrypts office documents, databases, archives, and multimedia files using the RSA-2048 algorithm and then appends them with a .ecrypt extension before displaying the ransom note.

“The file is first scrambled with RC4 encryption in 500kB blocks with randomly generated keys,” researchers say. “The RC4 key is then encoded with AES encryption algorithm, which is stored in the file. The AES key is again encrypted using RSA-2018 algorithm that is also stored in the file.”

The public key which is generated locally is shared, while the private key is encrypted using AES encryption and another randomly generated key.

According to analysis conducted by the Trend Micro researchers, decryption of infected files is not possible without getting hold of the RSA keys.

So, the only safe way of dealing with ransomware attacks is prevention. As we have previously recommended, the best defense against Ransomware is to create awareness within the organizations, as well as to maintain back-ups that are rotated regularly.

Most viruses are introduced by opening infected attachments or clicking on links to malware usually in spam emails. So, DO NOT CLICK on links provided in emails and attachments from unknown sources.

Moreover, ensure that your systems are running the latest version of installed applications.

Powered by WPeMatico

22 Apple Distributors Arrested for Selling Customers’ Data in $7.4 Million

Chinese Apple Store
Image Source: South China Morning Post

Chinese authorities have announced the arrest of around 22 distributors working as Apple distributors as part of a $7 million operation, who stole customers’ personal information from an internal Apple database and illegally sold it to Chinese black market vendors.

According to a report from Chinese media, this underground network reportedly consisted of employees working in direct Apple suppliers, and other outsource firms in the Zhejiang, a province in eastern China.

These employees had access to Apple databases along with other tools containing sensitive information about its customers.

They allegedly used their company’s internal computer system to gather data includes usernames, email addresses, phone numbers, and Apple IDs, and then sold it in the underground market for between 10 yuan ($1.47) and 80 yuan ($11.78) per data point.

So far, the network has made a total of 50 million yuan (around $7.36 million). However, it is unclear if the data sold by the suspects belonged to only Chinese Apple users or users elsewhere as well.

apple-store-data-sell

Much details about the arrest have not been revealed by the Chinese authorities at this moment, though the police statement suggests the Chinese authorities across four provinces, including Guangdong, Jiangsu, Zhejiang, and Fujian, arrested 22 suspects over the weekend, following a few months of investigation.

The authorities dismantled their online network and seized all “criminal tools,” and announced Thursday that the suspects have been “detained on suspicion of infringing individuals’ privacy and illegally obtaining their digital personal information.”

Wondering how this spamming operation can affect you?

As I mentioned above, your personal data is profitable both for marketing companies to deliver targeted advertisements to you, and for hackers to carry out malicious hacking campaigns, including phishing attacks and other email scams.

Police are trying to capture and destroy the scammers’ network, but users are advised to be vigilant while opening attachments in emails, clicking links in messages from unknown numbers and giving out any details on phone calls.

Powered by WPeMatico