Cyberattack Aimed to Disrupt Opening of Winter Olympics

A cyberattack targeting the 2018 Winter Olympics in Pyeongchang, South Korea, aimed to cause disruption at the start of the Games and required deep knowledge of the infrastructure, a sign the attackers had previously compromised it, according to researchers.

The attack took place prior to the Opening Ceremonies held on Friday, Feb. 9, and interfered with TV and Internet systems. Olympics officials confirmed technical issues affecting non-critical systems and completed recovery within 12 hours. On Sunday, Feb. 11, they confirmed that a cyberattack had taken place but didn't offer additional details.

Researchers at Cisco Talos identified malware samples used in the attack "with moderate confidence" and report that the infection vector is currently unknown. Evidence indicates the actors responsible were not seeking information or monetary gain: their primary goal was likely to cause destruction.

'Olympic Destroyer'

The so-called "Olympic Destroyer" malware studied by Cisco renders machines unusable by deleting shadow copies and event logs, and tries to use PsExec and WMI to move across the environment. Talos analysts point out they had previously seen this behavior in both the BadRabbit and Nyetya (NotPetya) attacks.

The initial malware sample is a binary that drops multiple files onto the target machine. From there, the malware moves laterally throughout the network, using two information stealers and hardcoded credentials within the binary. Talos found 44 individual accounts in the library and says the malware author knew several technical details about the Olympics infrastructure including username, domain name, server name, and password data.

"This is a targeted attack and this involves some reconnaissance," says Craig Williams, director of Cisco Talos outreach. "The attacker came into the campaign knowing a large number of accounts. That involves, obviously, a phishing campaign or an intelligence-gathering campaign."

A key takeaway is that this malware doesn't use an exploit to spread, Williams continues. It spreads through normal administrative tools using valid credentials, a tactic that helps attackers evade most security tools.

The destructive part of the attack starts during execution. After files are written to disk, the malware deletes all possible shadow copies on the system. It then takes steps to complicate file recovery and ensure the Windows recovery console doesn't try to repair anything on the host.

"Wiping all available methods of recovery shows this attacker had no intention of leaving the machine usable," Talos researchers report. The purpose of the malware is to perform destruction of the host, leave the system offline, and wipe remote data. It also disables all services on the system.
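The behaviour Talos describes (shadow copy deletion, event log clearing, recovery disabled, PsExec and WMI lateral movement with valid credentials) leaves process-creation events behind even when no exploit is used. As an added example, not code from Talos or from the article, this Python rule set flags those events on constructed Sysmon-style log lines; the hostnames, account names and command lines are assumed sample values.

```python
import re
from collections import defaultdict

# Constructed process-creation events (not from the Talos report), one per
# line as "host|user|image|command line", shaped like a trimmed Sysmon
# event 1. Commands are representative of the behaviour described above.
SAMPLE_EVENTS = """\
WS01|OLY\\svc_backup|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
WS01|OLY\\svc_backup|C:\\Windows\\System32\\wevtutil.exe|wevtutil.exe cl System
WS01|OLY\\svc_backup|C:\\Windows\\System32\\bcdedit.exe|bcdedit.exe /set {default} recoveryenabled no
WS01|OLY\\svc_backup|C:\\Windows\\PSEXESVC.exe|PSEXESVC.exe
WS02|OLY\\svc_backup|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic.exe /node:WS03 process call create cmd.exe
WS02|OLY\\jdoe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows
WS03|OLY\\svc_backup|C:\\Windows\\PSEXESVC.exe|PSEXESVC.exe
"""

# Each rule names a behaviour from the write-up and the command-line shape
# that produces it. A harmless "vssadmin list shadows" is deliberately not matched.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("event_log_cleared", re.compile(r"wevtutil(\.exe)?\s+cl\s", re.I)),
    ("recovery_disabled",
     re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no|wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("psexec_service", re.compile(r"psexesvc", re.I)),
    ("wmi_remote_exec", re.compile(r"wmic(\.exe)?\s+/node:", re.I)),
]
LATERAL = {"psexec_service", "wmi_remote_exec"}
WIPER = {"shadow_copy_deletion", "event_log_cleared"}


def parse_events(text):
    """Split the constructed log into (host, user, image, cmdline) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split("|", 3)
        if len(parts) == 4:
            rows.append(tuple(parts))
    return rows


def match_rules(image, cmdline):
    """Return the names of every rule that matches this event."""
    return [name for name, rx in RULES if rx.search(image + " " + cmdline)]


def analyze(text):
    """Per-host technique hits, hosts showing the wiper pattern, and accounts
    whose lateral-movement tooling ran on two or more hosts (the
    valid-credential spread the article describes)."""
    per_host = defaultdict(set)
    lateral_hosts = defaultdict(set)
    for host, user, image, cmdline in parse_events(text):
        hits = match_rules(image, cmdline)
        per_host[host].update(hits)
        if LATERAL & set(hits):
            lateral_hosts[user].add(host)
    return {
        "per_host": {h: sorted(s) for h, s in per_host.items()},
        "wiper_hosts": sorted(h for h, s in per_host.items() if WIPER <= s),
        "spreading_accounts": {u: sorted(h) for u, h in lateral_hosts.items() if len(h) >= 2},
    }
```

The correlation across hosts is the useful part: a single backup account running PsExec or WMI on several machines in a short window is the signal that survives when each command on its own looks like routine administration.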

Earlier Attacks on the Olympics

This isn't the first instance of an attack targeting the 2018 Winter Games.

McAfee Advanced Threat Research previously detected a fileless attack targeting organizations involved with the Pyeongchang Olympics. The threat used a PowerShell implant to connect target machines with the attacker's server and transfer system-level data. At the time, researchers were unsure what happened after the attacker gained access.

Now they say this attack had a second-stage payload in the form of Gold Dragon, a Korean-language implant detected in December 2017. Gold Dragon has stronger persistence than the original PowerShell payload and expanded capabilities for profiling target systems. It lets an attacker gather information on system processes, files, registry content, and data.

In early February, prior to the Opening Ceremonies, researchers updated their findings to report another variant of the fileless implant in a new malicious document. This document had the same metadata properties and same information as the campaign discovered in January.

"It's an indication the attacker has resumed deploying a new version of this implant," says Ryan Sherstobitoff, senior analyst of major campaigns at McAfee. "Gold Dragon is a more persistent type of implant that gave them far-reaching capabilities on the network."

Targeted attacks have different stages of payloads, he explains. The first gives them access; the second installs something more persistent. In this case, the earlier fileless attack could have given a threat actor the entry to drop Gold Dragon on the target network.

Sherstobitoff emphasizes there is no indication the attacker behind the earlier campaign is connected to the Opening Ceremonies-timed attack. However, Gold Dragon could have given them the level of access to collect the information they needed to conduct it.

CrowdStrike identified samples of a previously unknown malware family seemingly designed for data destruction. The earliest samples were detected on Feb. 9, the day of the Opening Ceremonies. All samples contain sets of hard-coded credentials belonging to Olympics-related targets that let the threat actors spread within a target network. Several attackers had access to organizations related to the targets through malicious backdoors, CrowdStrike reports, but it can't confirm whether anyone used this access to deliver the malware.

Too Soon to Determine Whodunnit

"I don't want to say it's trivial, but it's not the most complicated piece of malware," says Warren Mercer, Cisco Talos technical lead for engineering, of the attack his team studied. "There's no crazy effort to try and obfuscate their code; there are no super-advanced techniques."

However, he continues, it's likely a sophisticated attacker is at play given the previous access to Olympics systems and ability to hardcode lifted credentials. The question is, which one?

"It's a tricky question when it comes to who could be behind a threat like this," adds Williams. This could be a new threat actor or group, he says, adding that many well-funded campaigns have pockets of developers. Attribution is further complicated by the publicity of widespread attacks like NotPetya, which have given rise to "copycats" who may be responsible, he notes.

Meanwhile, the US-CERT has issued a statement on cybersecurity at the Olympics and offered guidance for attendees to protect themselves against threats including data theft and third-party monitoring, as attackers may take advantage of the large audience to spread messages.

Engin Kirda, cofounder and chief architect at Lastline, points out that denial-of-service campaigns are among the easiest attacks to mount against large events like the Olympics. Event attendees, organizers, and fans are often targeted with phishing emails, domain theft, ransomware, and fake social media posts. These days, employees can expect to see malicious emails related to the Games.

"If an employee falls victim to one of these attacks on a work machine, it may put their business at risk as well," Kirda notes. "IT teams should caution employees about clicking on links or attachments from Olympics-related emails."

How to Test If Your iPhone Is Slower Than It Should Be

In recent weeks, Apple has revealed that it intentionally slows down older model iPhones with the release of newer and shinier additions to the iOS lineup. Apple has justified the move, saying that it throttles the processor's performance so as not to overwork aging batteries, and denying that it has anything to do with forcing people to upgrade. Of course, replacing an iPhone battery is far more complicated than with many other phones, since Apple doesn't manufacture its phones with removable batteries. But with this revelation, Apple is offering discounted battery replacements.

How to Test If Your iPhone Is Being Slowed Down

While there are a couple of paid apps like GeekBench and CPU DasherX that you can use to find out if your phone has been slowed down, there’s also a website that does it for free if you own an iPhone 6S and up.

Visit SlowApple on your phone and you can run a test that will give you a sense of just how much your phone is affected. If you have Low Power Mode turned on, turn it off before running the test.

Tap the Go button and if your phone completes the test in less than 8 seconds, you’re among the lucky few whose phone is just fine. Anything over 8 seconds means your phone is being slowed down.

You can also check on your iPhone battery status by going to Settings > Battery. If there is a problem with your battery, you may see this message: “Your iPhone battery may need to be serviced.”

What to Do About a Slowed Down iPhone

If your phone is slow and you aren’t in the market for a new phone, you can have the battery replaced. Apple is now offering $50 off for anyone looking to replace their battery. Instead of shelling out over $79 for a new battery, it will cost you $29.

This offer is available until the end of 2018 and you can initiate the request through their support page.

iPhone users with the following models are eligible for one battery replacement:

  • iPhone SE
  • iPhone 6, iPhone 6 Plus
  • iPhone 6s, iPhone 6s Plus
  • iPhone 7, iPhone 7 Plus
  • iPhone 8, iPhone 8 Plus
  • iPhone X

Using their support page, contact Apple Support by phone or chat to reserve a battery before visiting an Apple Store. You can also mail your phone to have the battery replaced, but will have to pay an extra $6.95 for shipping.

Under Armour’s HOVR Smart Running Shoes are a Game Changer

Both the Sonic and the Phantom come with a sensor built in that can track your cadence, distance, pace, stride and, of course, steps -- all the important metrics runners care about. Under Armour developed this Record sensor in-house, and it has been drastically improved since it debuted on the SpeedForm Gemini 2 running shoes in 2016; it's now able to track more data than before, such as stride length. The Bluetooth sensors are located inside the thickest part of the midsole, which ensures that they can work even during your rainy-day runs.

As far as power goes, you don't need to worry about charging the HOVRs, since the batteries in the sensors are self-contained. According to Under Armour, the Record chip is designed to outlast the life of the running shoes themselves, so longevity will depend on each individual and how much they work out. That said, the company is confident that you won't ever have to worry about running out of power.

Of course, you'll need an app to digest all the data captured by the shoes. For that, you'll use Under Armour's Map My Run application, available for iOS and Android. Pairing the Phantoms to my iPhone was surprisingly quick and seamless: I took the pair out of the box, placed my phone near them, opened the Map My Run app and, within seconds, a message popped up prompting me to connect my shoes. After I accepted and hit continue, the app pushed an update to them, added them to my "Gear Tracker" tab in Map My Run and then the setup process was complete.

Altogether, it only took about four minutes before my Phantoms were paired to the app. If, for some reason your iOS or Android device doesn't automatically pick up the Bluetooth signal from the HOVRs, Under Armour says it'll give customers a walkthrough of how to connect the shoes to the Map My Run app, which may include telling you to turn on Bluetooth or having to shake the right shoe to wake it up from sleep mode.

One of the main differences between Under Armour's latest Record sensor, compared to the previous version, is that it now lets you go on smarter untethered runs. This means you don't need to have your phone with you with the Map My Run app open to track your stats, since the HOVRs measure your data as soon as you start running. You can then sync that to your app when you get back home if, say, you forgot to take your phone with you. It's a great option for those who like to be as light as possible during their training or workout, or if you simply want to use the HOVRs as an unobtrusive step counter.

Later this month, Under Armour plans to roll out a coaching feature that will add more functionality to the HOVRs and the Map My Run app, both for iOS and Android users. You'll be able to monitor your gait/stride length mile after mile, and the application will show you how that impacts your pace and cadence. Under Armour says that, by interpreting that data, Map My Run can offer you tips on how to improve your pace and splits by changing your form, like if you should be taking shorter or longer strides as you run.

Comfort-wise, the Phantom HOVRs are bouncy yet stiff enough to reduce the amount of impact you feel every time your feet hit the ground. Under Armour says its HOVR foam tech is meant to provide a "zero gravity feel," an element that's complemented by an Energy Web material that's spread through various areas of the shoe's midsole and a knit upper that wraps around your foot like a sock. It's definitely one of the most comfortable running shoes I've tried on, right up there with Adidas' popular Ultra Boost.

The Sonic and Phantom HOVR connected sneakers are available now for $110 and $140, respectively. And if you like the shoes but don't care about making them work with the Map My Run app, Under Armour also has versions without the Record sensor for $10 less per pair.

Russian Scientists Arrested for Using Nuclear Weapon Facility to Mine Bitcoins

Two days ago, when infosec researchers claimed to have uncovered what's believed to be the first case of a SCADA network (a water utility) infected with cryptocurrency-mining malware, a batch of journalists accused other authors of writing fear-mongering headlines, taunting that the next headline would be about a cryptocurrency miner detected in a nuclear plant.

It seems that now they have to run a story themselves with such headlines on their website because Russian Interfax News Agency yesterday reported that several scientists at Russia's top nuclear research facility had been arrested for mining cryptocurrency with "office computing resources."

The suspects work as engineers at the Russian Federation Nuclear Center facility—also known as the All-Russian Research Institute of Experimental Physics—which works on developing nuclear weapons. The center is located in Sarov, which is still a restricted area with high security. It is also the birthplace of the Soviet Union's first nuclear bomb.

In 2011, the Russian Federation Nuclear Center switched on a new supercomputer with a capacity of 1 petaflop, making it the twelfth most powerful in the world at the time.

According to Russian media reports, the engineers had tried to use one of Russia's most powerful supercomputers housed in the Federal Nuclear Center to mine Bitcoins.

The suspects were caught red-handed while attempting to connect the lab's supercomputer, which was supposed to remain offline for security reasons, to the internet; the attempt alerted the nuclear center's security department.

Once caught, the engineers were handed over to the Federal Security Service (FSB).

"There has been an unsanctioned attempt to use computer facilities for private purposes including so-called mining," Tatyana Zalesskaya, head of the Institute's press service, told Interfax news agency.

"Their activities were stopped in time. The bungling miners have been detained by the competent authorities. As far as I know, a criminal case has been opened regarding them," Zalesskaya added, without revealing the exact number of employees detained.

The Federal Security Service (FSB) has yet to issue a statement on the arrests and criminal charges.

Cryptocurrency has gained tremendous popularity over the past year. Mining a single Bitcoin is no cakewalk, as it requires an enormous amount of computational power and huge amounts of energy.

According to media reports, Russia is becoming a hotbed of cryptocurrency mining due to its low-cost energy reserves. One Russian businessman, Alexey Kolesnik, reportedly also bought two power stations exclusively to generate electricity for Bitcoin-mining data centers.

New Point-of-Sale Malware Steals Credit Card Data via DNS Queries

Cybercriminals are becoming more adept, innovative, and stealthy with each passing day. They are now adopting more clandestine techniques that come with limitless attack vectors and are harder to detect. A new strain of malware has now been discovered that relies on a unique technique to steal payment card information from point-of-sale (PoS) systems.

Since the new POS malware relies upon User Datagram Protocol (UDP) DNS traffic for the exfiltration of credit card information, security researchers at Forcepoint Labs, who have uncovered the malware, dubbed it UDPoS.

Yes, UDPoS uses Domain Name System (DNS) queries to exfiltrate stolen data, instead of the HTTP that most POS malware has used in the past. This malware is also thought to be the first of its kind.

Besides using 'unusual' DNS requests to exfiltrate data, the UDPoS malware disguises itself as an update from LogMeIn—a legitimate remote desktop control service used to manage computers and other systems remotely—in an attempt to avoid detection while moving stolen payment card data past firewalls and other security controls.

"We recently came across a sample apparently disguised as a LogMeIn service pack which generated notable amounts of 'unusual' DNS requests," Forcepoint researchers said in a blogpost published Thursday.

"Deeper investigation revealed something of a flawed gem, ultimately designed to steal magnetic stripe payment card data: a hallmark of PoS malware."

The malware sample analyzed by the researchers links to a command and control (C&C) server hosted in Switzerland rather than the usual suspects of the United States, China, Korea, Turkey or Russia. The server hosts a dropper file, which is a self-extracting archive containing the actual malware.

It should be noted that the UDPoS malware can only target older POS systems that use LogMeIn.

Like most malware, UDPoS also actively searches for antivirus software and virtual machines and disables any it finds. The researchers say it's unclear "at present whether this is a reflection of the malware still being in a relatively early stage of development/testing."

Although there is no evidence of the UDPoS malware currently being used to steal credit or debit card data, Forcepoint's tests have shown that the malware is indeed capable of doing so successfully.

Moreover, one of the C&C servers with which the UDPoS malware sample communicates was active and responsive during the investigation of the threat, suggesting the authors were at least prepared to deploy this malware in the wild.

It should be noted that the attackers behind the malware have not compromised the LogMeIn service itself—it's just impersonated. LogMeIn itself published a blogpost this week, warning its customers not to fall for the scam.

"According to our investigation, the malware is intended to deceive an unsuspecting user into executing a malicious email, link or file, possibly containing the LogMeIn name," LogMeIn noted.

"This link, file or executable isn't provided by LogMeIn and updates for LogMeIn products, including patches, updates, etc., will always be delivered securely in-product. You'll never be contacted by us with a request to update your software that also includes either an attachment or a link to a new version or update."

According to Forcepoint researchers, protecting against such a threat could be a tricky proposition: "nearly all companies have firewalls and other protections in place to monitor and filter TCP- and UDP-based communications," but DNS is still often treated differently, providing a golden opportunity for attackers to leak data.
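Forcepoint's point that DNS is often left unmonitored is the detection gap to close. As an added example, not Forcepoint's tooling or code from the article, this Python check groups DNS queries by client and zone and flags the pattern a DNS exfiltration channel leaves behind: many distinct, long, high-entropy leftmost labels under one zone. The log format, the zone name, the client addresses and the thresholds are all assumptions.

```python
import math
from collections import defaultdict

# Constructed DNS query log (not from the Forcepoint report), one query per
# line as "<unix_ts> <client_ip> <qname> <qtype>".  10.0.0.5 makes ordinary
# lookups; 10.0.0.9 sends long hex labels under one zone, the shape a DNS
# exfiltration channel produces.  Zone name and addresses are assumed.
SAMPLE_LOG = """\
1518172801 10.0.0.5 www.example.com A
1518172802 10.0.0.5 mail.example.com MX
1518172803 10.0.0.5 cdn.example.net A
1518172810 10.0.0.9 4a7f19c3e2b8d0f1a6c5e4b3d2a1f0e9.update-srv.example A
1518172811 10.0.0.9 9b2c4d6e8f0a1b3c5d7e9f1a2b4c6d8e.update-srv.example A
1518172812 10.0.0.9 c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6.update-srv.example A
1518172813 10.0.0.9 0f1e2d3c4b5a69788796a5b4c3d2e1f0.update-srv.example A
1518172814 10.0.0.9 ffeeddccbbaa99887766554433221100.update-srv.example A
"""


def shannon_entropy(s):
    """Bits per character; encoded data scores near log2(alphabet size)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Return (ts, client, qname, qtype) tuples; qname lower-cased, no trailing dot."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            rows.append((int(parts[0]), parts[1], parts[2].lower().rstrip("."), parts[3]))
    return rows


def find_dns_exfil(text, min_unique=5, min_label_len=20, min_entropy=3.0):
    """Group queries by (client, zone) and flag groups where many distinct,
    long, high-entropy leftmost labels were asked under one zone."""
    groups = defaultdict(list)
    for _, client, qname, _ in parse_log(text):
        labels = qname.split(".")
        if len(labels) < 3:          # no subdomain that could carry data
            continue
        groups[(client, ".".join(labels[-2:]))].append(labels[0])
    flagged = []
    for (client, zone), labels in groups.items():
        unique = set(labels)
        if len(unique) < min_unique:
            continue
        avg_len = sum(len(x) for x in unique) / len(unique)
        avg_ent = sum(shannon_entropy(x) for x in unique) / len(unique)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            flagged.append({"client": client, "zone": zone, "queries": len(labels),
                            "avg_label_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2)})
    return flagged
```

The thresholds need tuning per environment, because CDNs, anti-spam lookups and some telemetry agents also issue long, random-looking labels; an allowlist of known zones keeps those out of the alert queue.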