Olympic Destroyer Hack: a cyber attack whose name sounds like a large naval ship sent out to take down its adversaries in one fell swoop. By now I’m sure most of us are familiar with the details of this breach; it has seen extensive coverage and analysis by numerous outlets, including Cisco’s Talos Blog and Wired.com, and we know that what happened in Pyeongchang, South Korea was motivated by a desire to disrupt the Olympic Games as much as possible. Be that as it may, we aren’t really here to talk about the details of the breach in depth. We are here to talk about the methods our product, SNAP-Defense, would use to catch and respond to this attack and others like it (BadRabbit and NotPetya), giving security teams the opportunity to contain threats before they are able to spread laterally through a network.
You may be wondering how exactly the Olympic Destroyer malware was able to spread laterally. Cisco’s Talos Blog goes into detail on this subject, but we’ll give you a short answer for the time being. It starts by building a list of hosts from the ARP table and from a WMI query for computer objects in Active Directory. Once this list is built, it starts the lateral spreading mechanism: using PsExec, WMI, and VBScript, it copies and launches the malware. The screenshots below show the alert dialogue boxes in which SNAP-Defense detects this attacker activity.
In the alert dialogues below, we can see the malware using PsExec (use of the hidden ADMIN$ share is a direct giveaway) and launching services.exe to start the PsExec service:
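As an added example (not SNAP-Defense code and not from the original post), the PsExec pattern just described can also be expressed as detection logic over host logs: an executable written into the hidden ADMIN$ share, followed shortly by a service install for that same binary. The records below are constructed and modelled on Windows Security event 5145 (network share object accessed) and System event 7045 (service installed); the field names, the 120-second window, and the use of PSEXESVC as PsExec's default service name are assumptions, not details taken from the page.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    """One parsed Windows log record (constructed sample; field names are assumptions)."""
    event_id: int       # 5145 = share object accessed, 7045 = new service installed
    ts: int             # timestamp in epoch seconds
    host: str           # host that logged the event
    share: str = ""     # 5145: share name, e.g. \\*\ADMIN$
    target: str = ""    # 5145: relative target name written into the share
    service: str = ""   # 7045: installed service name
    image: str = ""     # 7045: service binary path


def psexec_indicators(events, window=120):
    """Return {host: [reasons]} for hosts showing the PsExec lateral-movement pattern:
    an .exe dropped into ADMIN$ then installed as a service within `window` seconds,
    or a service whose name is PsExec's default (PSEXESVC, an assumption not on the page).
    The drop-then-install correlation still fires if the service binary was renamed."""
    drops = defaultdict(list)     # host -> [(ts, exe name)]
    installs = defaultdict(list)  # host -> [(ts, service name, image path)]
    for e in events:
        if e.event_id == 5145 and e.share.upper().endswith("ADMIN$") and e.target.lower().endswith(".exe"):
            drops[e.host].append((e.ts, e.target.lower()))
        elif e.event_id == 7045:
            installs[e.host].append((e.ts, e.service, e.image.lower()))
    hits = {}
    for host, svcs in installs.items():
        for ts_i, svc, img in svcs:
            for ts_d, exe in drops.get(host, []):
                if 0 <= ts_i - ts_d <= window and img.endswith(exe):
                    hits.setdefault(host, []).append(f"{exe} written to ADMIN$ then installed as service {svc}")
            if svc.upper() == "PSEXESVC":
                hits.setdefault(host, []).append("PSEXESVC service installed")
    return hits


# Constructed sample: ws01 shows the PsExec pattern, ws02 shows ordinary share use and a normal service install.
SAMPLE = [
    Event(5145, 1000, "ws01", share=r"\\*\ADMIN$", target="PSEXESVC.exe"),
    Event(7045, 1030, "ws01", service="PSEXESVC", image=r"%SystemRoot%\PSEXESVC.exe"),
    Event(5145, 2000, "ws02", share=r"\\*\Finance", target="report.xlsx"),
    Event(7045, 2100, "ws02", service="BackupAgent", image=r"C:\Program Files\Backup\agent.exe"),
]

if __name__ == "__main__":
    for host, reasons in psexec_indicators(SAMPLE).items():
        print(host, reasons)
```

On the constructed sample only ws01 is flagged, with both the drop-then-install correlation and the PSEXESVC name firing; ws02 produces no finding.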