AUTHORED BY VITOR VENTURA WITH CONTRIBUTIONS FROM MARTIN LEE

WIPER MALWARE: ATTACKING FROM INSIDE

Why some attackers are choosing to get in, delete files, and get out, rather than try to reap financial benefit from their malware.

© 2018 Cisco. All rights reserved. | talosintelligence.com

EXECUTIVE SUMMARY

In a digital era when everything and everyone is connected, malicious actors have the perfect space to perform their activities. During the past few years, organizations have suffered several kinds of attacks that arrived in many shapes and forms. But none have been more impactful than wiper attacks. Attackers who deploy wiper malware have a singular purpose of destroying or disrupting systems and/or data.

Unlike malware that holds data for ransom (ransomware), when a malicious actor decides to use a wiper in their activities, there is no direct financial motivation. For businesses, this often is the worst kind of attack, since there is no expectation of data recovery.

Another crucial aspect of a wiper attack is the fear, uncertainty and doubt that it generates. In the past, wiper attacks have been used by malicious actors with a dual purpose: generating social destabilization and sending a public message, while also destroying all traces of their activities. Given that the malicious actor has just revealed its presence, the doubt and uncertainty about what happened before the attack raise a lot of questions.

• How did they get in?

• How long were they here?

• Did they exfiltrate any of our data?

• Can we recover safely?

The questions above become a CISO’s worst nightmare, preying on the mind while trying to support the recovery of business operations as quickly and safely as possible.

A wiper’s destructive capability can vary, ranging from the overwriting of specific files to the destruction of the entire filesystem. The amount of data impacted is a direct consequence of the technique used, which, of course, has a direct impact on the business: the harder the data/system recovery process becomes, the bigger the business impact.

It is important to distinguish the data impact from the system impact. Some wipers will destroy systems, but not necessarily the data. On the other hand, there are wipers that will destroy data, but will not affect the systems. One cannot determine which kind has the biggest impact, because those impacts are specific to each organization and the specific context in which the attack occurs. However, an attacker with the capability to perform one could perform the other.

The defense against these attacks often falls back to the basics. By having certain protections in place — a tested cyber security incident response plan, a risk-based patch management program, a tested and cyber security-aware business continuity plan, and network and user segmentation on top of the regular software security stack — an organization dramatically increases its resilience against these kinds of attacks.

INTRODUCTION

Malware with destructive payloads has been around since the early days of virus development. However, the delivery methods and the destructive level have evolved. For the past five years, we have seen the rise of ransomware with CryptoLocker and TeslaCrypt, among others. These have earned huge amounts of money for their operators. In these cases, the operators would go through a great deal of effort to establish a reputation regarding the recovery of data.

But just as ransomware was on the rise in the mainstream, more attackers also began to use targeted wiper malware. A wiper is malware with the sole intention of destroying systems and/or data, usually causing great financial and/or reputational damage. The motivation behind these attacks may be political or aimed at generating publicity, or it can be pure and simple artifact destruction with the intention of preventing a forensic investigation. The latter is usually preceded by data-gathering and exfiltration operations, which recently became CISOs' biggest concerns regarding cyber attacks.


One of the first incidents of wiper malware was the Shamoon attack in 2012, after which several additional events have occurred, such as Shamoon2, BlackEnergy and Nyetya/NotPetya where the pure destruction/disruption of operations seemed to be the objective.

ANATOMY OF A WIPER

DESTRUCTIVE PAYLOAD

A wiper can go through several steps during its activity, depending on its capabilities and the techniques used to perform the data/system destruction. The effectiveness of the destructive component of a wiper is directly related to the speed at which it can perform its activities. Usually a wiper has three attack vectors: files (data), the boot section of the operating system, and backups of system and data. Backup destruction is commonly done by deleting the volume shadow copies and the backups, which can be done easily by executing legitimate operating system command-line tools. Boot section destruction can be done in two ways, depending on the purpose: the wiper can simply erase the first 10 sectors of the physical disks (the master boot record location), or it can rewrite those first 10 sectors with a new boot loader that will perform additional damage. Either way, the original operating system becomes unbootable. Usually, along with master boot record destruction, wipers will also use operating system command-line utilities to destroy the recovery console. Both actions — boot section and backup destruction — can be performed quickly. The activity that takes the longest to perform is the actual file destruction.

To be more efficient, most wipers don’t overwrite the entire hard disk. Some wipers create a list of targeted files; others list all files in specific folders. Some of them only overwrite a certain number of bytes at the beginning of each file, and overwrite the file completely if it is smaller than that amount. This is just enough to destroy the file headers, which renders the files useless. Other wipers write a fixed number of bytes at a fixed interval: for instance, the malware writes 100 kilobytes of data every five megabytes, sequentially through the hard disk. This means that the wiper destroys files at random, without any predictable pattern. Both methods may be followed by the destruction of the master file table, which is where the Windows file system (NTFS for recent versions) keeps records of file locations and associated metadata. This last step makes advanced recovery tools practically impossible to use, due to the lack of information with which to recover the files.
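As an added example (not code from the report), the triage script below looks at the stride pattern described above from the recovery team's side: given a raw disk image, it finds blocks that were overwritten with a fixed filler, estimates the interval between them, and reports how much of the image was affected. The image it scans is constructed in memory with a hypothetical 8 KiB-every-128 KiB pattern (the report's figures are 100 KB every 5 MB; the scanner does not depend on the values).

```python
import random
from collections import Counter

BLOCK = 4096  # scan granularity: one filesystem-sized block


def build_sample_image(size=1 << 20, stride=128 * 1024, chunk=8 * 1024, seed=1):
    """Constructed 1 MiB 'disk image' for the demo: pseudo-random bytes standing
    in for file data, with `chunk` zero bytes placed every `stride` bytes so the
    scanner has a known pattern to find. Not a real image."""
    rnd = random.Random(seed)
    img = bytearray(rnd.getrandbits(8 * size).to_bytes(size, "big"))
    for off in range(0, size, stride):
        img[off:off + chunk] = bytes(chunk)
    return bytes(img)


def is_wiped_block(block, max_distinct=2):
    """A block overwritten with a fixed filler (0x00, 0xFF, a repeated word) has
    almost no byte variety, whereas real file data almost always has plenty."""
    return len(set(block)) <= max_distinct


def find_wiped_runs(data, block=BLOCK):
    """Merge consecutive wiped blocks into (offset, length) runs."""
    runs, start = [], None
    for off in range(0, len(data), block):
        if is_wiped_block(data[off:off + block]):
            if start is None:
                start = off
        elif start is not None:
            runs.append((start, off - start))
            start = None
    if start is not None:
        runs.append((start, len(data) - start))
    return runs


def estimate_stride(runs):
    """Distance between run starts, if a single distance explains most gaps."""
    if len(runs) < 2:
        return None
    gaps = Counter(b[0] - a[0] for a, b in zip(runs, runs[1:]))
    stride, count = gaps.most_common(1)[0]
    return stride if count * 2 > len(runs) - 1 else None


def triage(data, block=BLOCK):
    """Summarise the damage in a form a recovery team can act on."""
    runs = find_wiped_runs(data, block)
    damaged = sum(length for _, length in runs)
    return {"runs": runs, "damaged_bytes": damaged,
            "damaged_fraction": damaged / len(data) if data else 0.0,
            "stride": estimate_stride(runs)}


if __name__ == "__main__":
    report = triage(build_sample_image())
    print(f"{len(report['runs'])} wiped runs, {report['damaged_bytes']} bytes "
          f"({report['damaged_fraction']:.1%}), stride {report['stride']}")
```

The low-variety heuristic only catches fillers; a wiper that writes random data is invisible to it, and naturally sparse regions (zero-filled slack, unallocated space) show up as false positives, so on a real image the run list is a starting point to compare against a known-good backup, not a verdict.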

As mentioned before, in order to perform these activities, the wiper may need to use a custom bootloader, which will perform the destruction upon reboot, thus bypassing the operating system protections.

But there is another way. In the Shamoon attacks, the authors used a trial version of a legitimate driver to get access to the filesystem, bypassing the operating system API. This bypasses any protections to files enforced by the operating system, and allows for the destruction of files while the system is still running.

Obviously, these techniques require the adequate privilege level and/or operating system. That is why some wipers will fall back from one technique to the other depending on the conditions of the victim’s system.

Recently, we have also seen Olympic Destroyer disabling all services on the operating system. This alone does not destroy data, but it makes recovery of the system almost impossible without reinstallation, which creates a service unavailability.

PROPAGATION MECHANISM

A wiper is not only made of the destructive module. In the latest incident, Olympic Destroyer, a wiper (see figure 1) was released in the form of a wiper worm, performing self-replication and lateral movement inside the networks. Replication modules are usually used in conjunction with credential-harvesting modules. The malware harvests credentials from the system, which are then used to perform remote copy and execution of the wiper, hopping from system to system. The most popular way to do this remote execution is the usage of the psexec tool and the Windows Management Instrumentation command-line utility (WMIC) — both legitimate administration mechanisms present in the Windows operating system. The usage of legitimate tools and credentials makes it harder for system administrators to detect the malicious activity in such a small time frame. It is important to keep in mind that wipers will try to be as fast as they can in their destructive activity.

Some of the worms also carry the code to exploit vulnerabilities that allow remote code execution, when all other means of propagation fail.
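The command-line activity described in the two sections above (shadow copy deletion, recovery console tampering, then remote execution through WMIC and the psexec service) leaves process-creation telemetry that a defender can correlate. The following is an added example, not code from the report: a small Python detector that runs the widely published command-line signatures for those actions over constructed Sysmon-style events (hypothetical hosts WS-01, SRV-02 and so on, and a placeholder payload path, none of them from the report) and flags a host where backup destruction and boot-recovery tampering occur within minutes of each other, which is the speed profile the report describes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (not real telemetry). The fields
# mimic what Sysmon event 1 or an EDR sensor records; host names are hypothetical.
SAMPLE_EVENTS = [
    {"ts": "2018-02-09T20:00:01Z", "host": "WS-01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2018-02-09T20:00:02Z", "host": "WS-01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"ts": "2018-02-09T20:00:03Z", "host": "WS-01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"ts": "2018-02-09T20:00:04Z", "host": "WS-01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic /node:"SRV-02" process call create "C:\\Windows\\Temp\\x.exe"'},
    {"ts": "2018-02-09T20:00:05Z", "host": "WS-01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic /node:"SRV-03" process call create "C:\\Windows\\Temp\\x.exe"'},
    {"ts": "2018-02-09T20:00:06Z", "host": "SRV-02", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\PSEXESVC.exe", "cmdline": r"C:\Windows\PSEXESVC.exe"},
    # Routine administration elsewhere: listing shadow copies is not deleting them.
    {"ts": "2018-02-09T20:05:00Z", "host": "SRV-09", "user": "CORP\\bob",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin list shadows"},
]

# (rule name, category, regex tested against "image cmdline"). These are the
# commonly published signatures for shadow-copy removal, recovery-console
# tampering and remote execution through WMIC or the psexec service binary.
RULES = [
    ("vssadmin_delete_shadows", "backup_destruction",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic_shadowcopy_delete", "backup_destruction",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit_recovery_tamper", "boot_recovery_tampering",
     re.compile(r"bcdedit(\.exe)?.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("wmic_remote_process_create", "remote_execution",
     re.compile(r"wmic(\.exe)?\s+/node:", re.I)),
    ("psexec_service_binary", "remote_execution",
     re.compile(r"\\PSEXESVC\.exe(\s|$)", re.I)),
]


def match_rules(event):
    """Return the (name, category) pairs of every rule the event triggers."""
    text = f"{event['image']} {event['cmdline']}"
    return [(name, cat) for name, cat, rx in RULES if rx.search(text)]


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, window=timedelta(minutes=10)):
    """Per host: categories seen, remote targets addressed, and whether backup
    destruction and boot-recovery tampering both happened inside one window,
    the fast pre-destruction sequence a wiper runs before touching files."""
    per_host = defaultdict(lambda: {"categories": set(), "targets": set(), "times": []})
    for ev in events:
        hits = match_rules(ev)
        if not hits:
            continue
        state = per_host[ev["host"]]
        state["times"].append(_parse_ts(ev["ts"]))
        for name, cat in hits:
            state["categories"].add(cat)
            if name == "wmic_remote_process_create":
                m = re.search(r'/node:"?([^"\s]+)', ev["cmdline"], re.I)
                if m:
                    state["targets"].add(m.group(1))
    result = {}
    for host, st in per_host.items():
        span = max(st["times"]) - min(st["times"])
        sequence = {"backup_destruction", "boot_recovery_tampering"} <= st["categories"]
        result[host] = {"categories": st["categories"], "targets": st["targets"],
                        "wiper_like": sequence and span <= window}
    return result


if __name__ == "__main__":
    for host, verdict in correlate(SAMPLE_EVENTS).items():
        print(host, verdict)
```

The individual signatures fire on legitimate administration too (backup jobs prune shadow copies, imaging scripts touch boot settings); the correlation is what gives a response team a hostname and a target list within seconds of the sequence starting, which is the only time frame in which isolating the segment still limits the damage.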

PAST INCIDENTS

TIMELINE

For the past eight to 10 years, whenever wipers have been used, there is almost always some kind of political connection that has been made by the media.

This tendency is supported by the fact that there is no clear financial gain for the attackers, and that a huge amount of attacker capability is lost once the wiper runs.

Our timeline (figure 1) shows that since 2012, at least one big wiper attack has happened per year. A wiper usually has public visibility and/or political motivations. But during some incidents, wipers have been used after data exfiltration to cover the attackers’ tracks. The public disruption of services gives high visibility to the attack, which is often the purpose. The attacker may also be looking to cause economic damage.

Figure 1. Timeline of wiper attacks since 2012:

• Shamoon 1, Aug. 2012. Targets: refineries in KSA

• Dark Seoul, March 2013. Targets: broadcast and ATMs in South Korea

• Guardians of Peace, Nov. 2014. Target: Sony

• BlackEnergy, Nov. 2015. Targets: ICS, energy sector in Ukraine

• Shamoon 2, Nov. 2016. Target: refineries in Saudi Arabia

• WannaCry, May 2017. Targets: worldwide attack

• Nyetya, June 2017. Target: Ukraine generally, spread all over the world

• Olympic Destroyer, Feb. 2018. Target: Winter Olympic Games in South Korea

Over the years, the different wipers have used different techniques to achieve their goals. The first ones in figure 1 used a demo version of a Windows driver to bypass the operating system protections and gain direct access to the filesystem. This technique allowed the malware to destroy any file on the system, even if applications were protecting such resources using the operating system primitives. This also meant that the malware would only work in a small timeframe, since the demo version was time-limited. These first attacks were mostly deployed manually, or as part of the malicious actor’s script toolkits. They were not used as a component of a worm released into their victim’s environment.

In the Sony attack by the Guardians of Peace, there was a large amount of data exfiltrated and released into the public domain. This is one of the examples where a wiper was clearly used to hide the activities performed by the malicious actors.

Historically, critical infrastructure is one of the sectors where wipers were mostly used. Good examples are the Shamoon attacks and BlackEnergy, which dealt a great deal of damage to their victims in the oil and energy sectors, respectively.

However, 2017 was the year when the big wiper worms got worldwide public attention. In May 2017, WannaCry was released, targeting everyone exposing the Microsoft Windows SMB protocol to the internet. This worm was designed to be a ransomware attack, and it really was encrypting files in a recoverable way. However, for a ransomware operation to be successful, it needs a backend system that can handle the victims’ payments and reply with the decryption keys. This is where WannaCry failed. The whole operation ramped up so quickly that the backend was not robust enough to handle all the victims, which pretty much rendered recovery impossible. WannaCry was the first worm since Conficker to use a vulnerability in Windows protocols to spread. That is one of the reasons why its operators lost control of it. This is the main reason why we decided to include WannaCry in this report: although it seemed intended as ransomware, in the end it worked just like a wiper.

Figure 2. Timeline of the Nyetya attack:

• April 14, 2017: version 01.175-10.01.176 of MeDoc is released with a backdoor.

• May 15, 2017: version 01.180-10.01.181 of MeDoc is released with a backdoor.

• June 22, 2017: version 01.188-10.01.189 of MeDoc is released with a backdoor.

• June 27, 2017, 8:59:14 UTC: the malicious actor used stolen credentials and “su” to obtain root privileges on the update server.

• June 27, 2017, between 9:11:59 and 9:14:58 UTC: the actor modifies the web server configuration to proxy to an OVH server.

• June 27, 2017, 9:14:58 UTC: logs confirm proxied traffic to OVH.

• June 27, 2017, 12:31:12 UTC: the last confirmed proxy connection to OVH is observed. This marks the end of the active infection period.

• June 27, 2017, 12:33:00 UTC: the original server configuration is restored.

• June 27, 2017, 14:11:07 UTC: received SSH disconnect from Latvian IP 159.148.186.214.

• June 27, 2017, 19:46:26 UTC: the OVH server, 176.31.182.167, is wiped using “dd if=/dev/zero”, filling the hard drive with 0x00.

A few months after WannaCry, Nyetya/NotPetya was released, probably the most devastating cyber security incident to be publicly known. This was not a random attack, nor a mass-driven attack. It was a targeted attack that used the supply chain as an attack vector. This attack vector uses vendors in the supply chain as a way into their target’s environments. In the case of NotPetya, the malicious actors compromised the vendor, M.E.Doc, using the software as a way to execute their own code in their victim’s systems.

The attackers had access to their victims’ systems for several months, and their last action was the release of a highly destructive payload with very effective spreading mechanisms. The payload was also designed to deceive investigators as to the identity of the authors. The spreading mechanism was designed to take advantage of legitimate Windows protocols and tools. It used a password-harvesting tool to obtain the credentials. By using legitimate tools and credentials, it was able to mimic business-as-usual behavior and traffic patterns, making detection harder for the defenders. Nyetya/NotPetya also adjusted its destruction mechanisms to the anti-virus present on the system. It is clear that it was designed to be effective and fast, and to deliver the largest amount of damage possible in the shortest amount of time.

Figure 2 shows the timeline of the attack, which makes clear that the attackers had access to the systems for several months prior to the release of such a destructive payload. Releasing it cost them a considerable amount of capability. The release of Nyetya was clearly not undertaken for direct financial gain, even though the authors tried to make it look like a ransomware attack. For the authors, Nyetya served two purposes: it sent a clear public message saying that no one is safe, and any evidence of what the attackers had done prior to the Nyetya release was probably destroyed.

Nyetya should be a wake-up call to anyone that has responsibilities for cyber security in their organizations. It doesn’t matter the sector, location or size of your business — anyone can suffer from these attacks, whether it be as a target or collateral damage. This means that everyone needs to take action in order to protect their organization from these attacks.

The most recent wiper attack was Olympic Destroyer (OD). This attack targeted the Winter Olympic Games in PyeongChang, South Korea. OD showed that these attacks are constantly evolving. Just like Nyetya, OD also had a password-harvesting module. However, in order to improve its spreading capabilities, OD patched itself with the newly collected passwords before replicating to other systems. This mechanism ensured the propagation of all passwords found, increasing the probability of accessing a new system by growing its credential dictionary upon each hop. A side effect of this is that the hash value of the malware changed constantly. This means that tools that rely on hash values for detection and data correlation would fail, making the containment and recovery processes much harder for the defenders.

Another unique feature of OD is that it disabled services in Windows. From the destructive-power point of view, this does not necessarily make it a big threat. However, for system recovery and problem assessment, it posed interesting challenges, since no system will ever boot with all services disabled. The destructive payload of OD seems to be directed at system/service availability more than data destruction. OD only destroyed files on remote shares and did not destroy local data. It prevented the system from booting by changing the boot configuration and disabling all services in the operating system.

DEFENSIVE MECHANISMS

The defense against wiper attacks does not differ much from that against other malware, namely ransomware.


Organizations, in order to defend themselves from these attacks, need to ensure that they are ready to act swiftly and with determination. The amount of damage dealt by a wiper is directly related to the amount of time that it has to execute its destruction.

As such, in order to reduce the damage and impact, an organization needs to be ready to promptly contain, mitigate and recover from these attacks. The way to do this cannot be based on technology alone. That is not to say that technology is not important, but it must be clear that it is just one piece of the solution.

CYBER SECURITY INCIDENT RESPONSE PLAN (CSIRP)

Knowing what to do is crucial when responding to a crisis. That is why a cyber security incident response plan (CSIRP) is a crucial component of a cyber security resilience strategy. The CSIRP needs a clear definition of roles and responsibilities. These cannot be limited to the cyber security department, or even to the IT department. Under the appropriate circumstances, the actions must reach the business, so that business-impacting decisions can be taken. Decisions like isolating a branch, factory, department or even a VLAN may have a huge impact on the business. Not making the decision, or making it too late, can make the difference between a couple of hours of downtime and a couple of weeks. Everyone in the organization needs to know their role, and what kind of decisions are expected from them. This includes the legal and public relations departments: organizations need to be aware of which industry regulations and country-level laws are applicable, and public image may need to be addressed during a cyber security incident, whether it is a wiper attack or not. The corresponding work instructions must also be created and tested, so that when actions need to be taken, they can be executed swiftly and without surprises.

CYBER SECURITY-AWARE BUSINESS CONTINUITY PLAN

Most organizations have business continuity plans, which cover things such as natural disasters and office moves. It is crucial that these plans are updated to take into account the destructive power of a wiper or ransomware. The backup policy needs to take full or partial data destruction into consideration. It needs to ensure that recovery is possible, and to define the recovery path for business-critical applications. These plans must consider situations where the backup infrastructure itself was affected. Actions must be taken to avoid the possible impact on the recovery infrastructure, but also to avoid bottlenecks during the recovery process. This can be achieved by simple actions, such as having the backup software running on non-Windows systems, segmenting a backup network, and using a completely different set of password rules and usernames.

RISK-BASED PATCH MANAGEMENT PROGRAM

Patching is a critical component of security operations. However, it is an extremely complex activity. A patching program must be more than a simple list of patches to apply in a system patching window. Prioritization needs to be done based on predetermined parameters, which must be risk- and business-related. It should foresee the possibility that a system is unpatchable. In such cases, the risk can be mitigated by using network isolation, or by deploying intrusion detection/prevention systems, which can reduce the exposure. Other systems may have a reduced exposure, and their patching can be delayed. Actions should be defined in advance for the case where a patch deployment is cancelled. These actions can be the implementation of mitigating measures, or the rescheduling of the patch to the next patch window. It is inconceivable that an organization goes months without patching a vulnerability, but it is also not expected that a task force should be created each time a vulnerability is disclosed.


NETWORK AND USER SEGREGATION

Segmenting the network gives organizations the capability to contain malicious activities within a branch, factory or VLAN. It is one of the most important components of damage control and mitigation. Network segregation can be complex given the distributed nature of modern applications. Intent-based networks can make this task much easier and quicker. Even if network segregation is not applied during business-as-usual operations, having the capability to perform emergency segregation can make the difference between an attack having a severe impact on your business and just being a minor disruption. At the same time, logical user segregation cannot be done as an emergency; it must be at the core of an organization’s operations. Not all users need to log on to all systems, and, more importantly, not all users should be allowed to log on from all systems. Knowing the intention of a user inside a network enables a self-learning network to detect out-of-pattern behaviors and apply self-containment. That prevents lateral movement and the spreading of worms and other malicious code.

Privileged credentials must not be used on regular workstations or servers. The usage of such credentials must be segregated. They should only be used on trusted workstations built to be used on administrative tasks. The adoption of logical user segregation keeps credentials safe from password stealers, which are often used by worms to propagate within an environment.
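As an added example (not code from the report), the check below turns the two rules of this section into detection logic over constructed logon records shaped like Windows event 4624: privileged accounts (hypothetical CORP\adm_carol and CORP\svc_backup) may only be used at, or over the network from, the trusted administrative workstations (hypothetical PAW-01 and PAW-02), and any account whose network logons reach many distinct hosts within a short window is flagged, which is the pattern a credential-reusing worm produces as it hops.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed policy inputs (hypothetical names, not from the report): the
# privileged accounts and the trusted administrative workstations (PAWs)
# that are the only places those accounts may be used from.
PRIVILEGED_ACCOUNTS = {"CORP\\adm_carol", "CORP\\svc_backup"}
ADMIN_WORKSTATIONS = {"PAW-01", "PAW-02"}


def _ev(ts, host, user, logon_type, src_host):
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
            "user": user, "logon_type": logon_type, "src_host": src_host}


# Constructed sample logon records (not real logs) shaped like event 4624:
# logon type 2 = interactive at the console, 3 = network logon from src_host.
SAMPLE_LOGONS = [
    _ev("2018-02-09T20:00:00Z", "SRV-01", "CORP\\adm_carol", 3, "PAW-01"),  # admin from a PAW: fine
    _ev("2018-02-09T20:01:00Z", "WS-07", "CORP\\adm_carol", 2, "WS-07"),   # admin typed at a regular workstation
    _ev("2018-02-09T20:02:00Z", "SRV-02", "CORP\\adm_carol", 3, "WS-07"),  # ...and then used from it
    _ev("2018-02-09T20:30:00Z", "WS-12", "CORP\\dave", 2, "WS-12"),        # user at his own workstation: fine
] + [
    # one ordinary user's credentials reaching six servers in six minutes
    _ev(f"2018-02-09T20:{10 + i}:00Z", f"SRV-0{i + 1}", "CORP\\dave", 3, "WS-12")
    for i in range(6)
]


def tier_violations(events, privileged=PRIVILEGED_ACCOUNTS, paws=ADMIN_WORKSTATIONS):
    """Privileged credentials used anywhere other than at a PAW or over the
    network from a PAW: exactly what a password stealer on a regular
    workstation needs to find."""
    violations = []
    for e in events:
        if e["user"] not in privileged:
            continue
        at_paw = e["host"] in paws
        from_paw = e["logon_type"] == 3 and e["src_host"] in paws
        if not (at_paw or from_paw):
            violations.append(e)
    return violations


def fan_out_alerts(events, min_hosts=5, window=timedelta(minutes=10)):
    """Accounts whose network logons reach at least min_hosts distinct hosts
    inside one window; returns {user: sorted hosts}."""
    by_user = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3:
            by_user[e["user"]].append((e["ts"], e["host"]))
    alerts = {}
    for user, hops in by_user.items():
        hops.sort()
        for i, (t0, _) in enumerate(hops):
            hosts = {h for t, h in hops[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts[user] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for e in tier_violations(SAMPLE_LOGONS):
        print("tier violation:", e["user"], "on", e["host"], "logon type", e["logon_type"])
    for user, hosts in fan_out_alerts(SAMPLE_LOGONS).items():
        print("fan-out:", user, "->", ", ".join(hosts))
```

The tier check is a policy audit that can run daily; the fan-out check is the emergency signal, and its threshold has to be tuned per account class, since backup and monitoring service accounts legitimately touch many hosts and belong on an allow-list rather than in the alert.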

CYBER SECURITY TECHNOLOGY STACK

The technology stack plays a huge role in the defense against, and recovery from, any kind of cyber security attack. In wiper attacks, it plays an extremely important role, especially in prevention. Taking the modern landscape into consideration, an organization cannot entrust its environment to a single technology or layer. Organizations need overlapping layers of security in order to detect and block threats. Threats can be detected and blocked at the perimeter, but they also need to be addressed at the endpoint, which is often targeted as the initial vector through email or drive-by downloads. As we explained before, wipers are known to deploy techniques to detect certain types of anti-malware technology. Antivirus is still an important component to detect and prevent the execution of known malware. But EDR technology is crucial to enable the fast understanding of, and recovery from, targeted and/or unknown malware. The ability to quickly understand the extent of the compromise and the tools being used is crucial to enable a quick reaction and mitigation. Sandboxed execution is an important technology in detecting unknown attacks: by analyzing the behavior of programs, it is possible to determine their malicious disposition, thus allowing preventative actions. Network-level tools also play a huge role in this stack: intrusion detection and prevention systems can detect and contain threats and stop their lateral movement. The new generation of tools that analyze encrypted traffic and find malware patterns are also incredibly useful in the detection and prevention of data exfiltration and ransomware.

CONCLUSION

Wipers are likely to continue to evolve and be used as economical and political weapons against states and organizations.

Organizations must plan under the assumption that they will be breached and may be victims of a wiper attack. The NotPetya attacks in June 2017 proved this. This specific attack showed the world that organizations can be brought to their knees while just being collateral damage. The other important assumption that organizations need to work upon is that their internal network is not 100 percent trustworthy. Supply chain attacks like NotPetya and CCleaner bypassed perimeter defenses, and even host defenses, due to the implied trust that organizations have in their vendors. This means that the internal network needs to be treated, at most, as a yellow zone. Its traffic needs to be monitored and, when the need arises, the compromised segments must be segregated using the right procedures and technology stack. This is the way to detect and contain an attack.

Looking back at the defensive mechanisms outlined in the previous section, it is clear that most of them are part of a “back to basics” policy. All responsible personnel need to keep in mind that the main purpose of wiper attacks is to create chaos, while they can also be motivated by the desire to conceal malicious activity. They could also simply be used to generate publicity.

Defense against wipers needs to be done under the assumptions already mentioned. This philosophy will allow a CISO to be prepared to respond, mitigate and recover much faster. This also means that the crisis mode of operations, and its costs, will be reduced, and the move back to business as usual will happen faster.

ANNEX A

SHAMOON 1 - AUGUST 2012

This attack was clearly politically motivated. The attack destroyed more than 35,000 computers within the oil and gas industry based in the Gulf of Arabia. In order to perform its intended task, the wiper used a legitimate driver [1] to gain access to the filesystem structures while bypassing the Windows API. This wiper does not encrypt all files, but generates a list of files to encrypt. Finally, the malware overwrites the MBR, preventing system boot.

DARK SEOUL - MARCH 2013

This wiper attack involved multiple wiper malware variants, which were delivered by a third-party malware. None of the wipers had built-in replication capabilities. It is the only one from our list that searches for popular SSH clients in order to harvest credentials and use them to wipe Unix systems. On Windows platforms, the different variants perform MBR and VBR destruction by overwriting them with the words “Hastati” or “Principles”. Files and directories were also destroyed, either by using the Windows API or by writing 100 KB of data every 5.3 MB.

GUARDIANS OF PEACE - NOVEMBER 2014

This attack is a good example of malicious actors using malware to cover their tracks. Sony was only aware of the attack when the computers were rendered inoperable by the wiper. This wiper was deployed by a dropper and used the same legitimate driver used in the Shamoon 1 incident. After the incident was made public, several archives with Sony’s internal data were released to the public. This release of information made it clear that the attack had started much earlier, and that the wiper was used to send a message, but also to cover the attackers’ tracks.

BLACKENERGY - NOVEMBER 2015

BlackEnergy is a malware known for attacking industrial control systems, especially targeting Ukraine. This is a modular malware, which was already known, but in 2015 a new component called KillDisk was added, which would destroy data and render the system unbootable. This wiper would overwrite files with extensions belonging to a target list. The target extension list differs from KillDisk variant to variant, depending on the targeted sector: media, electricity or oil. This level of specialization shows that the malicious actors are adaptable and flexible enough to tweak their tools to their targets.

SHAMOON 2 - NOVEMBER 2016

Being the second attack of its kind, surprisingly, this wiper did not change its destruction methods. It still uses the same driver to bypass the operating system file system protections. However, this version used hardcoded credentials for spreading. Again, this attack targeted the Arabian peninsula’s oil and gas sectors, and technically did not use any new techniques when compared with the first of its kind.

WANNACRY - MAY 2017

This malware used the EternalBlue/DoublePulsar exploits to replicate itself across the network. Once on a system, it starts encrypting certain files on the system. At the same time, it starts the replication process to spread to other systems.

Some will dispute that WannaCry should be listed as a wiper malware. But in reality, WannaCry’s authors weren’t able to obtain significant gains from this attack, especially when compared to ransomware families such as Locky, CryptoWall or TeslaCrypt. WannaCry was the first worm with a wide distribution since Conficker [2]. The problem is, with such a huge number of victims in such a small amount of time, it became unmanageable for the attackers to collect their earnings. This raises the question of whether there was ever any intent to make earnings at all.

[1] EldoS Software RawDisk

NYETYA - JUNE 2017

This is the malware attack with the largest financial impact known to date. The Nyetya worm applied well-known lateral movement techniques as a means for rapid replication and destruction. The wiper uses Mimikatz to harvest credentials from memory, which are then used in the replication process. Remote execution through psexec and WMIC is often used by adversaries to perform lateral movement during compromises. However, this was the first worm to use them as a means of replication. For propagation, the malware also exploited the MS17-010 vulnerabilities. However, since the WannaCry worm had already exploited this vulnerability, a lot of organizations had already patched their systems.

Nyetya’s destructive payload used two methods to ensure file destruction. In order to be efficient, it encrypted the first megabyte of each file. If it had enough privileges, it would replace the MBR with a custom bootloader that would perform the file destruction, completely bypassing the operating system.

OLYMPIC DESTROYER - FEBRUARY 2018

The most interesting aspect of this wiper was its capability to perform a lot of damage without explicitly doing it. Even though it had the capability, the destructive payload was not designed to destroy all the data on the systems. It was designed to render the systems unbootable and to only destroy data on remote drives. This was also the first wiper to patch itself with the harvested credentials, greatly improving the propagation capability. As a side effect, the malware changed its hash value on each credential harvested, which makes the detection and recovery much harder during the incident. It was clear during the incident that the objective of the malicious actors was not to completely destroy the Winter Olympic Games infrastructure, but rather, it was to disable it and create chaos during a limited amount of time, thus making this a very good example of a wiper used to achieve publicity and worldwide attention.

[2] http://blog.talosintelligence.com/2009/02/conficker-variant-b-still-detected.html