WIPER: ATTACKING FROM INSIDE

Why some attackers are choosing to get in, delete files, and get out, rather than try to reap financial benefit from their malware.

AUTHORED BY VITOR VENTURA WITH CONTRIBUTIONS FROM MARTIN LEE

EXECUTIVE SUMMARY

In a digital era when everything and everyone is connected, malicious actors have the perfect space to perform their activities. During the past few years, organizations have suffered several kinds of attacks that arrived in many shapes and forms. But none have been more impactful than wiper attacks. Attackers who deploy wiper malware have a singular purpose: destroying or disrupting systems and/or data.

Unlike malware that holds data for ransom, when a malicious actor decides to use a wiper in their activities, there is no direct financial motivation. For businesses, this often is the worst kind of attack, since there is no expectation of data recovery.

Another crucial aspect of a wiper attack is the fear, uncertainty and doubt that it generates. In the past, wiper attacks have been used by malicious actors with a dual purpose: generating social destabilization and sending a public message, while also destroying all traces of their activities. Given that the malicious actor has just revealed its presence, the doubt and uncertainty about what happened before the attack raises a lot of questions.

• How did they get in?
• How long were they here?
• Did they exfiltrate any of our data?
• Can we recover safely?

The questions above become a CISO's worst nightmare, preying on the mind while trying to support the recovery of business operations as quickly and safely as possible.

A wiper's destructive capability can vary, ranging from the overwriting of specific files to the destruction of the entire filesystem. The amount of data impacted will be a direct consequence of the technique used, which, of course, will have a direct impact on the business: the harder the data/system recovery process becomes, the bigger the business impact. It is important to distinguish the data impact from the system impact. Some wipers will destroy systems, but not necessarily the data. On the other hand, there are wipers that will destroy data, but will not affect the systems. One cannot determine which kind has the biggest impact, because those impacts are specific to each organization and the specific context in which the attack occurs. However, an attacker with the capability to perform one could perform the other.

The defense against these attacks often falls back to the basics. By having certain protections in place — a tested cyber security incident response plan, a risk-based patch management program, a tested and cyber security-aware business continuity plan, and network and user segmentation on top of the regular software security stack — an organization dramatically increases its resilience against these kinds of attacks.

INTRODUCTION

Malware with destructive payloads has been around since the early days of virus development. However, the delivery methods and the destructive level have evolved. For the past five years, we have seen the rise of ransomware with CryptoLocker and TeslaCrypt, among others. These have earned huge amounts of money for their operators. In these cases, the operators would go through a great deal of effort to establish a reputation regarding the recovery of data.

But just as ransomware was on the rise in the mainstream, more attackers also began to use targeted wiper malware. A wiper is malware with the sole intention of destroying systems and/or data, usually causing great financial and/or reputational damage. The motivation behind these attacks may be political, aimed at generating publicity, or it can also be pure and simple artifact destruction with the intention of preventing a forensic investigation. In the latter case, the wiper is usually preceded by data-gathering and exfiltration operations, which recently became CISOs' biggest concerns regarding cyber attacks.

© 2018 Cisco. All rights reserved. | [email protected] | talosintelligence.com page 2 of 11

One of the first incidents of wiper malware was the attack in 2012, after which several additional events have occurred, such as Shamoon2, BlackEnergy and Nyetya/NotPetya, where the pure destruction/disruption of operations seemed to be the objective.

ANATOMY OF A WIPER

DESTRUCTIVE

A wiper can go through several steps during its activity, depending on its capabilities and the techniques used to perform the data/system destruction. The effectiveness of the destructive component of a wiper is directly related to the speed at which it can perform its activities. Usually a wiper has three attack vectors: files (data), the boot section of the operating system, and backups of system and data. The backup destruction is commonly done by deleting the volume shadow copies and the backups. This can be done easily by executing some legitimate operating system command-line tools. The boot section can be attacked in two ways, depending on the purpose. The malware can simply erase the first 10 sectors of the physical disks (the master boot record location), or it can rewrite these first 10 sectors with a new boot loader that will perform additional damage. Either way, the original operating system becomes unbootable. Usually, along with master boot record destruction, the wipers will also use operating system command-line utilities to destroy the recovery console. Both actions — boot section and backup destruction — can be performed quickly. The activity that takes the longest to perform is the actual file destruction. To be more efficient, most wipers don't overwrite the entire hard disk. There are wipers that will create a list of targeted files. Others will list all files in specific folders. Some of them will only rewrite a certain amount of bytes at the beginning of each file. They will overwrite the file completely if the file is smaller than that amount. This is just enough to destroy the headers of the files, which renders them useless. Other wipers will write a certain amount of bytes every other amount. For instance, the malware will write 100 kilobytes of data every five megabytes sequentially through the hard disk. This means that the wiper will destroy files at random without any predictable pattern. Both methods may be followed by the destruction of the master file table, which is where the Windows file system (NTFS for recent versions) keeps records of the file locations and associated metadata. This last step makes advanced recovery tools practically impossible to use due to the lack of information to recover the files.

As mentioned before, in order to perform these activities, the wiper may need to use a custom bootloader, which will perform the destruction upon reboot, thus bypassing the operating system protections.

But there is another way. In the Shamoon attacks, the authors used a trial version of a legitimate driver to get access to the filesystem, bypassing the operating system API. This bypasses any protections to files enforced by the operating system, and allows for the destruction of files while the system is still running.

Obviously, these techniques require the adequate privilege level and/or operating system. That is why some wipers will fall back from one technique to the other depending on the conditions of the victim's system.

Recently, we have also seen Olympic Destroyer disabling all services on the operating system. This alone does not destroy data, but it makes the recovery of the system almost impossible without reinstallation, which creates a service unavailability.

PROPAGATION MECHANISM

A wiper is not only made of the destructive module. In the latest incident, Olympic Destroyer, a wiper (see figure 1) was released in the form of a wiper worm, performing self-replication and lateral movement inside the networks. Replication modules usually are used in conjunction with credential-harvesting modules. The malware will harvest credentials from the system, which are then used to perform remote copy and execution of the wiper, hopping from system to system. The most popular way to do this remote execution is the usage of the psexec tool and the Windows Management Instrumentation command-line utility (WMIC) — both legitimate administration mechanisms present in the Windows operating system. The usage of legitimate tools and credentials makes it harder for the system administrators to detect the malicious activity in such a small time frame. It is important to keep in mind that the wipers will try to be as fast as they can on their destructive activity. Some of the worms also carry the code to exploit vulnerabilities that allow remote code execution, when all other means of propagation fail.

Figure 1. Timeline of wiper attacks since 2012.
SHAMOON1, Aug. 2012. Targets: Refineries in KSA.
DARK SEOUL, March 2013. Targets: Broadcast and ATMs in South Korea.
GUARDIANS OF PEACE, Nov. 2014. Target: Sony.
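The two file-overwrite patterns described in the anatomy section above (destroying only the first bytes of each file, and writing a fixed amount of data at a fixed interval across the disk) leave traces a responder can look for during triage. The following Python script is an added example, not code from the original report or from Talos: it flags files whose leading bytes no longer match the magic number for their extension, and scans a raw image for zero-filled stripes that recur at a fixed period. The sample files and the image are constructed inside the script (a 1 KB stripe every 16 KB, a scaled-down stand-in for the 100 KB every 5 MB pattern); the magic-number table, the 512-byte block granularity and the zero fill value are assumptions made for the example.

```python
import os
import random
import tempfile
from typing import Dict, List, Optional, Tuple

# Leading bytes ("magic numbers") expected for a few common file types.
# Assumption for this example; a real triage tool would use a full signature set.
MAGIC: Dict[str, bytes] = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
}


def header_destroyed(path: str) -> Optional[bool]:
    """True if the file's leading bytes no longer match the magic number for
    its extension (the 'overwrite the first N bytes' pattern).
    Returns None for extensions not in the table."""
    expected = MAGIC.get(os.path.splitext(path)[1].lower())
    if expected is None:
        return None
    with open(path, "rb") as fh:
        return not fh.read(len(expected)).startswith(expected)


def zero_runs(image: bytes, block: int = 512) -> List[Tuple[int, int]]:
    """Return (offset, length) for every run of all-zero blocks in a raw image.
    Scanning at block granularity keeps this fast on large images."""
    runs: List[Tuple[int, int]] = []
    zero_block = bytes(block)
    start: Optional[int] = None
    for off in range(0, len(image), block):
        is_zero = image[off:off + block] == zero_block
        if is_zero and start is None:
            start = off
        elif not is_zero and start is not None:
            runs.append((start, off - start))
            start = None
    if start is not None:
        runs.append((start, len(image) - start))
    return runs


def stripe_pattern(runs: List[Tuple[int, int]]) -> Optional[Tuple[int, int]]:
    """If the zero runs all have the same size and recur at a fixed spacing
    (the 'X bytes every Y bytes' pattern), return (stripe_size, period)."""
    if len(runs) < 3:
        return None
    sizes = {length for _, length in runs}
    gaps = {runs[i + 1][0] - runs[i][0] for i in range(len(runs) - 1)}
    if len(sizes) == 1 and len(gaps) == 1:
        return sizes.pop(), gaps.pop()
    return None


def build_sample_image(stripe: int = 1024, period: int = 16384,
                       stripes: int = 8, seed: int = 7) -> bytes:
    """Constructed test input: pseudo-random 'file data' with a zero stripe of
    `stripe` bytes written at every `period` bytes."""
    rng = random.Random(seed)
    data = bytearray(rng.getrandbits(8) for _ in range(period * stripes))
    for off in range(0, len(data), period):
        data[off:off + stripe] = bytes(stripe)
    return bytes(data)


def demo_headers() -> Dict[str, Optional[bool]]:
    """Constructed sample files: an intact PDF, a PDF whose first bytes were
    zeroed, and a file with an extension the table does not know."""
    samples = {
        "intact.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
        "wiped.pdf": bytes(64) + b"endobj\n",
        "notes.txt": b"plain text, no magic number\n",
    }
    results: Dict[str, Optional[bool]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(content)
            results[name] = header_destroyed(path)
    return results


if __name__ == "__main__":
    print("header check:", demo_headers())
    print("stripe pattern (size, period):",
          stripe_pattern(zero_runs(build_sample_image())))
```

Run against a real image, `zero_runs` should be fed the disk in chunks rather than one `bytes` object, and the fill value should be made configurable, since not every wiper writes zeros; the regular spacing, not the fill byte, is what identifies the striping technique.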

Figure 1 (continued). Timeline of wiper attacks since 2012.
BLACK ENERGY, Nov. 2015. Targets: ICS, energy sector in Ukraine.
SHAMOON2, Nov. 2016. Target: Refineries in Saudi Arabia.
WANNA CRY, May 2017. Targets: Worldwide attack.
NYETYA, June 2017. Target: Ukraine generically, spread all over the world.
OLYMPIC DESTROYER, Feb. 2018. Target: Winter Olympic Games in South Korea.

PAST INCIDENTS

TIMELINE

For the past eight to 10 years, whenever wipers have been used, there is almost always some kind of political connection that has been made by the media. This tendency is supported by the fact that there is no clear financial gain for the attackers, and there is a huge amount of capability lost following the wiper action.

Our timeline (figure 1) shows that since 2012, at least one big wiper attack has happened per year. A wiper usually has public visibility and/or political motivations. But during some incidents, wipers have been used after data exfiltration to cover the attacker's tracks. The public disruption of services gives high visibility to the attack, which is often the purpose. The attacker may also be looking to cause economic damage.

Over the years, the different wipers have used

different techniques to achieve their goals. The first ones in figure 1 used a demo version of a driver for Windows to bypass the operating system protections and gain direct access to the filesystem. This technique allowed the malware to destroy any file on the system, even if the applications were protecting such resources using the operating system primitives. This also meant that the malware would only work in a small timeframe, since the demo version was time-limited. These first attacks were mostly deployed manually, or as part of the malicious actor's script toolkits. They were not used as a component of a worm released into their victim's environment.

In the Sony attack by the Guardians of Peace, there was a large amount of data exfiltrated and released into the public domain. This is one of the examples where a wiper was clearly used to hide the activities performed by the malicious actors.

Historically, critical infrastructure is one of the sectors where wipers were mostly used. Good examples are the Shamoon attacks and BlackEnergy, which dealt a great deal of damage to their victims in the oil and energy sectors, respectively.

However, 2017 was the year when the big wiper worms got worldwide public attention. In May 2017, WannaCry was released, targeting everyone that was exposing SMB protocols to the internet. This worm was designed to be a ransomware attack, and was really encrypting files in a recoverable way. However, for a ransomware operation to be successful, it needs to have a backend system that can handle the victims' payments and reply with the decryption keys. This was where WannaCry failed. The whole operation ramped up so quickly that the backend was not robust enough to handle all the victims, which pretty much rendered recovery impossible. WannaCry was the first worm since Conficker to use a vulnerability in Windows protocols to spread. That is one of the reasons why it fell out of its operators' control. This is the main reason why we decided to include WannaCry in this report:

Figure 2. Timeline of the Nyetya attack.
APRIL 14, 2017: The 01.175-10.01.176 version of MeDoc is released with a backdoor.
MAY 15, 2017: The 01.180-10.01.181 version of MeDoc is released with a backdoor.
JUNE 22, 2017: The 01.188-10.01.189 version of MeDoc is released with a backdoor.
JUNE 27, 2017:
8:59:14 UTC: Malicious actor used stolen credentials and "su" to obtain root privileges on the update server.
Between 9:11:59 and 9:14:58 UTC: The actor modifies the web server configuration to proxy to an OVH server.
9:14:58 UTC: Logs confirm proxied traffic to OVH.
12:31:12 UTC: The last confirmed proxy connection to OVH is observed. This marks the end of the active infection period.
12:33:00 UTC: The original server configuration is restored.
14:11:07 UTC: Received SSH disconnect from Latvian IP 159.148.186.214.
19:46:26 UTC: The OVH server, 176.31.182.167, is wiped using "dd if=/dev/zero", filling the hard drive with 0x00.

Although it seemed intended as ransomware, in the end it worked just like a wiper.

A few months after WannaCry, Nyetya/NotPetya was released, probably the most devastating cyber security incident to be publicly known. This was not a random attack, nor a mass-driven attack. It was a targeted attack that used the supply chain as an attack vector. This attack vector uses vendors in the supply chain as a way into their targets' environments. In the case of NotPetya, the malicious actors compromised the vendor, M.E.Doc, using the software as a way to execute their own code in their victims' systems.

The attackers had access to their victims' systems for several months, and their last action was the release of a highly destructive payload with very effective spreading mechanisms. The payload was also designed to deceive investigators as to the identity of the authors. The spreading mechanism was designed to take advantage of legitimate Windows protocols and tools. It used a password-harvesting tool to obtain credentials. By using legitimate tools and credentials, it was able to mimic business-as-usual behavior and traffic patterns, making detection harder for the defenders. Nyetya/NotPetya also adjusted its destruction mechanisms to the anti-virus present on the system. It is clear that it was designed to be effective and fast, and to deliver the largest amount of damage possible in the shortest amount of time.

Figure 2 shows the timeline of the attack, which clearly shows that the attackers had access to the systems for several months prior to the release of such a destructive payload. That led to the loss of a considerable amount of capability. The release of Nyetya was clearly not undertaken for direct financial gain, even though the authors tried to make it look like a ransomware attack. For the authors, Nyetya served two purposes: it sent a clear public message saying that no one is safe, and any evidence of what was done by the attackers prior to the Nyetya release was probably destroyed.

Nyetya should be a wake-up call to anyone that has responsibilities for cyber security in their organizations. It doesn't matter the sector, location or size of your business — anyone can suffer from these attacks, whether as a target or as collateral damage. This means that everyone needs to take action in order to protect their organization from these attacks.

The most recent wiper attack was the Olympic Destroyer (OD). This attack targeted the Winter Olympic Games in PyeongChang, South Korea. OD showed that these attacks are constantly evolving. Just like Nyetya, OD also had a password-harvesting module. However, in order to improve the spreading capabilities, OD patched itself with the newly collected passwords before replicating to other systems. This mechanism ensured the propagation of all passwords found, increasing the probability of accessing a new system by growing its credential dictionary upon each hop. A side effect of this is the constant change of the malware's hash value. This change means that tools that rely on hash values for detection and data correlation would fail, making the containment and recovery processes much harder for the defenders.

Another unique feature of OD is that it disabled services in Windows. From the destructive power point of view, this doesn't necessarily mean it's a big threat. However, for the system recovery and problem assessment, it posed interesting challenges, since no system will ever boot with all services disabled. The destructive payload of OD seems to be directed at system/service availability more than data destruction. OD only destroyed files on remote shares and does not destroy local data. It prevented the system from booting by changing the boot system configuration and disabling all services in the operating system.

DEFENSIVE MECHANISMS

The defense for wiper attacks does not differ much from that for other malware, namely ransomware.
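The hash-change problem described for Olympic Destroyer above can be shown directly on a file: each time the binary is patched with newly harvested credentials, its whole-file hash changes, but the code it carries does not. The following Python script is an added example, not code from the original report or from Talos, and it does not handle real Olympic Destroyer samples. It builds two minimal, non-executable PE-shaped files that differ only in a data section (constructed here to stand in for the embedded credential list), then shows that the full-file SHA-256 differs while the hash over the .text section alone is identical, which is the kind of per-section or per-feature identifier a defender can correlate on when full-file hashes keep changing. The section layout, the byte contents and the use of SHA-256 per section are assumptions made for the example.

```python
import hashlib
import struct
from typing import Dict, List, Tuple

COFF_FMT = "<HHIIIHH"         # Machine, NumberOfSections, TimeDateStamp,
                              # PointerToSymbolTable, NumberOfSymbols,
                              # SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData,
                              # PointerToRawData, relocation/line-number fields,
                              # Characteristics (40 bytes in total)


def build_fake_pe(sections: List[Tuple[bytes, bytes]]) -> bytes:
    """Constructed test input: a minimal PE-shaped file (DOS header, PE signature,
    COFF header with no optional header, section table, raw section data).
    It is not a runnable executable; it only exercises the parser below."""
    e_lfanew = 0x40
    dos_header = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), 0, 0, 0, 0, 0)
    raw_ptr = e_lfanew + 4 + struct.calcsize(COFF_FMT) + 40 * len(sections)
    table = b""
    payload = b""
    for name, data in sections:
        table += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), len(data), 0,
                             len(data), raw_ptr, 0, 0, 0, 0, 0)
        raw_ptr += len(data)
        payload += data
    return dos_header + b"PE\0\0" + coff + table + payload


def section_hashes(pe: bytes) -> Dict[str, str]:
    """Walk the section table and return the SHA-256 of each section's raw bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff_off = e_lfanew + 4
    fields = struct.unpack_from(COFF_FMT, pe, coff_off)
    n_sections, opt_size = fields[1], fields[5]
    table_off = coff_off + struct.calcsize(COFF_FMT) + opt_size
    hashes: Dict[str, str] = {}
    for i in range(n_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, table_off + 40 * i)
        section_name = name.rstrip(b"\0").decode("ascii", "replace")
        hashes[section_name] = hashlib.sha256(pe[raw_ptr:raw_ptr + raw_size]).hexdigest()
    return hashes


def file_hash(pe: bytes) -> str:
    return hashlib.sha256(pe).hexdigest()


# Constructed stand-in for a code section that the self-patching never touches.
CODE = bytes.fromhex("554889e54883ec20488d0d00000000e8000000004883c4205dc3")
# Constructed stand-ins for the credential list before and after one more hop.
CREDS_HOP1 = b"alice:pw1\0"
CREDS_HOP2 = b"alice:pw1\0bob:pw2\0"

SAMPLE_HOP1 = build_fake_pe([(b".text", CODE), (b".data", CREDS_HOP1)])
SAMPLE_HOP2 = build_fake_pe([(b".text", CODE), (b".data", CREDS_HOP2)])


def compare(a: bytes, b: bytes) -> Dict[str, bool]:
    """Which identifiers survive the self-patching? The full-file hash does not;
    the hash of the unchanged code section does."""
    ha, hb = section_hashes(a), section_hashes(b)
    return {
        "same_file_hash": file_hash(a) == file_hash(b),
        "same_text_hash": ha[".text"] == hb[".text"],
        "same_data_hash": ha[".data"] == hb[".data"],
    }


if __name__ == "__main__":
    print(compare(SAMPLE_HOP1, SAMPLE_HOP2))
```

During an incident this is the difference between chasing one new indicator per infected host and recognising every copy as the same sample; the same idea applies to import hashes and fuzzy hashes, which are likewise unaffected by a changed data section.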

Organizations, in order to defend themselves from these attacks, need to ensure that they are ready to act swiftly and with determination. The amount of damage dealt by a wiper is directly related to the amount of time that it has to execute its destruction.

As such, in order to reduce the damage and impact, an organization needs to be ready to promptly contain, mitigate and recover from these attacks. The way to do this cannot be based on technology alone. That's not to say that technology is not important, but it must be clear that it is just one piece of the solution.

CYBER SECURITY INCIDENT RESPONSE PLAN (CSIRP)

Knowing what to do is crucial when responding to a crisis. That is why a cyber security incident response plan (CSIRP) is a crucial component of a cyber security resilience strategy. The CSIRP needs to have a clear definition of roles and responsibilities. These cannot be limited to the cyber security department, or even to the IT department. Under the appropriate circumstances, the actions must reach the business, so that business-impacting decisions can be taken. Decisions like isolating a branch, factory, department or even a VLAN may have a huge impact on the business. Not making the decision, or making it too late, can make the difference between a couple of hours of downtime or a couple of weeks. Everyone in the organization needs to know their role, and what kind of decisions are expected from them. This includes the legal and public relations departments. Organizations need to be aware which industry regulations and country-level laws are applicable, just as public image may need to be addressed during a cyber security incident, whether it's a wiper attack or not. The corresponding work instructions must also be created and tested, so that when actions need to be taken, they can be executed swiftly and without surprises.

CYBER SECURITY-AWARE BUSINESS CONTINUITY PLAN

Most organizations have business continuity plans, which cover things such as natural disasters and office moves. It is crucial that these plans are updated to take into account the destructive power of a wiper or ransomware. The backup policy needs to take into consideration full or partial data destruction. It needs to ensure that recovery is possible, and what the recovery path for business-critical applications is. These plans must consider situations where the backup infrastructure was affected. Actions must be taken to avoid the possible impact on the recovery infrastructure, but also to avoid bottlenecks during the recovery process. This can be achieved by simple actions, such as having the backup software running on non-Windows systems, segmenting a backup network and using a completely different set of password rules and usernames.

RISK-BASED PATCH MANAGEMENT PROGRAM

Patching is a critical component of security operations. However, it is an extremely complex activity. A patching program must be more than a simple list of patches to apply to a system in a patching window. Prioritization needs to be done based on predetermined parameters, which must be risk- and business-related. It should foresee the possibility that a system is unpatchable. In such cases, the risk can be mitigated by using network isolation, or deploying intrusion detection/prevention systems, which can reduce the exposure. Other systems may have a reduced exposure, and can delay the patching. Actions should be defined in advance for the case where a patch deployment is cancelled. These actions can be the implementation of mitigating measures, or the rescheduling of the patch to the next patch window. It is inconceivable that an organization goes months without patching a vulnerability, but it's also not expected that a task force should be created each time a vulnerability is disclosed.
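The swift containment decisions the CSIRP section above calls for depend on the SOC noticing the wiper's two fastest steps in time: the propagation mechanism described earlier (harvested credentials reused through psexec and WMIC, hopping from host to host within minutes) and the backup destruction step (shadow copies and the recovery console removed with built-in command-line tools). Both leave process-creation events. The following Python script is an added example, not code from the original report or from Talos: it parses a handful of constructed Sysmon-style process-creation lines, flags the recovery-destruction commands, extracts the target host from each remote-execution command, and raises a fan-out alert when one source host reaches three or more distinct hosts within five minutes. The log format, host names, user names, paths and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed process-creation events (Sysmon event 1 / Windows 4688 style).
# Hosts, users, paths and timestamps are invented for this example.
SAMPLE_LOG = r"""
2018-02-09T20:00:01Z host=WS01 user=CORP\svc_admin image=C:\Tools\psexec.exe cmdline="psexec.exe \\WS02 -u CORP\svc_admin -p ****** -d C:\Windows\Temp\upd.exe"
2018-02-09T20:00:03Z host=WS01 user=CORP\svc_admin image=C:\Windows\System32\wbem\WMIC.exe cmdline="wmic /node:WS03 /user:CORP\svc_admin process call create C:\Windows\Temp\upd.exe"
2018-02-09T20:00:05Z host=WS01 user=CORP\svc_admin image=C:\Tools\psexec.exe cmdline="psexec.exe \\WS04 -d C:\Windows\Temp\upd.exe"
2018-02-09T20:00:07Z host=WS01 user=CORP\svc_admin image=C:\Windows\System32\wbem\WMIC.exe cmdline="wmic /node:WS05 process call create C:\Windows\Temp\upd.exe"
2018-02-09T20:00:09Z host=WS01 user=CORP\svc_admin image=C:\Tools\psexec.exe cmdline="psexec.exe \\WS06 -d C:\Windows\Temp\upd.exe"
2018-02-09T20:00:20Z host=WS02 user="NT AUTHORITY\SYSTEM" image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"
2018-02-09T20:00:21Z host=WS02 user="NT AUTHORITY\SYSTEM" image=C:\Windows\System32\bcdedit.exe cmdline="bcdedit.exe /set {default} recoveryenabled no"
2018-02-09T20:00:22Z host=WS02 user="NT AUTHORITY\SYSTEM" image=C:\Windows\System32\wbadmin.exe cmdline="wbadmin.exe delete catalog -quiet"
2018-02-09T20:30:00Z host=ADMIN01 user=CORP\jdoe image=C:\Tools\psexec.exe cmdline="psexec.exe \\FILESRV01 -s cmd.exe /c gpupdate /force"
2018-02-09T21:00:00Z host=WS07 user="NT AUTHORITY\SYSTEM" image=C:\Windows\System32\svchost.exe cmdline="svchost.exe -k netsvcs"
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, object]:
    """Split 'timestamp key=value key="quoted value"' into a dict."""
    stamp, _, rest = line.partition(" ")
    event: Dict[str, object] = {"time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")}
    for key, quoted, bare in FIELD_RE.findall(rest):
        event[key] = quoted if quoted else bare
    return event


def parse_log(text: str) -> List[Dict[str, object]]:
    return [parse_line(l) for l in text.strip().splitlines() if l.strip()]


# Built-in utilities used to remove shadow copies, backup catalogs and the
# recovery console; the same patterns common SOC rules already alert on.
RECOVERY_KILL = [
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)", re.I),
    re.compile(r"\bbcdedit(?:\.exe)?\b.*recoveryenabled\s+no", re.I),
]

# Target host named on a psexec or WMIC remote-execution command line.
PSEXEC_TARGET = re.compile(r"\bpsexec(?:\.exe)?\s+\\\\([\w.-]+)", re.I)
WMIC_TARGET = re.compile(r"/node:([\w.-]+)", re.I)


def backup_destruction(events: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """(host, command line) for every recovery-destruction command seen."""
    hits = []
    for ev in events:
        cmd = str(ev.get("cmdline", ""))
        if any(p.search(cmd) for p in RECOVERY_KILL):
            hits.append((str(ev["host"]), cmd))
    return hits


def remote_exec_events(events: List[Dict[str, object]]) -> List[Tuple[datetime, str, str]]:
    """(time, source host, target host) for every remote-execution command."""
    hops = []
    for ev in events:
        cmd = str(ev.get("cmdline", ""))
        match = PSEXEC_TARGET.search(cmd) or WMIC_TARGET.search(cmd)
        if match:
            hops.append((ev["time"], str(ev["host"]), match.group(1).upper()))
    return hops


def fan_out(events: List[Dict[str, object]], min_targets: int = 3,
            window: timedelta = timedelta(minutes=5)) -> Dict[str, List[str]]:
    """Alert when one source host remotely executes on >= min_targets distinct
    hosts inside `window`: worm-like spreading, not an admin's single job."""
    by_source: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for when, src, dst in remote_exec_events(events):
        by_source[src].append((when, dst))
    alerts: Dict[str, List[str]] = {}
    for src, hops in by_source.items():
        hops.sort()
        for i, (start, _) in enumerate(hops):
            reached = {dst for when, dst in hops[i:] if when - start <= window}
            if len(reached) >= min_targets:
                alerts[src] = sorted(reached)
                break
    return alerts


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("recovery destruction:", backup_destruction(EVENTS))
    print("fan-out alerts:", fan_out(EVENTS))
```

The fan-out rule is what separates the wiper's spreading from the legitimate administrator on ADMIN01, who uses the same tool once; the recovery-destruction hits on WS02 arrive seconds after WS01 reached it, which is the window in which an isolation decision still limits the damage.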

NETWORK AND USER SEGREGATION

Segmenting the network gives organizations the capability to contain malicious activities within a branch, factory or VLAN. It is one of the most important components of damage control and mitigation. Network segregation can be complex given the distributed nature of modern applications. Intent-based networks can make this task much easier and quicker. Even if network segregation is not applied during business-as-usual operations, having the capability to perform emergency segregation can make the difference between an attack having a severe impact on your business, or just being a minor disruption. At the same time, logical user segregation cannot be done as an emergency; it must be at the core of an organization's operations. Not all users need to log on to all systems, and especially not all users must log on from all the systems. Knowing the intention of a user inside a network enables a self-learning network to detect out-of-pattern behaviors and apply self-containment. That prevents lateral movement and the spreading of worms and other malicious actors.

Privileged credentials must not be used on regular workstations or servers. The usage of such credentials must be segregated. They should only be used on trusted workstations built to be used for administrative tasks. The adoption of logical user segregation keeps credentials safe from password stealers, which are often used by worms to propagate within an environment.

CYBER SECURITY TECHNOLOGY STACK

The technological stack plays a huge role in the defense and recovery from any kind of cyber security attack. In wiper attacks, it plays an extremely important role, especially in prevention. Taking into consideration the modern landscape, an organization cannot trust its environment to a single technology or layer. Organizations need overlapping layers of security in order to detect and block threats. The threats can be detected and blocked at the perimeter, but they also need to be addressed at the endpoints, which are often targeted as the initial vector through email or drive-by downloads. As we explained before, wipers are known to deploy techniques to detect certain types of anti-malware technology. Antivirus is still an important component to detect and prevent the execution of known malware. But EDR technology is crucial to enable the fast understanding of and recovery from targeted and/or unknown malware. The ability to quickly understand the extent of the compromise and the tools being used is crucial to enable a quick reaction and mitigation. Sandboxed execution is an important technology in detecting unknown attacks. By analyzing the behavior of the programs, it is possible to determine their malicious disposition, thus allowing preventative actions. Network-level tools also play a huge role in this stack: intrusion detection and prevention systems can detect and contain threats and stop their lateral movement. The new generation of tools that analyze encrypted traffic and find malware patterns are also incredibly useful in the detection and prevention of data exfiltration and ransomware.

CONCLUSION

Wipers are likely to continue to evolve and be used as economic and political weapons against states and organizations.

Organizations must plan under the assumption that they will be breached and may be victims of a wiper attack. The NotPetya attacks in June 2017 proved this. This specific attack showed the world that organizations can fall to their knees while just being collateral damage. The other important assumption that organizations need to work upon is that their internal network is not 100 percent trustworthy. Supply chain attacks like NotPetya and CCleaner bypassed

perimeter defenses, and even host defenses, due to the implied trust that organizations have in their vendors. This means that the internal network needs to be treated, at most, as a yellow zone. Its traffic needs to be monitored and, when the need arises, with the right procedures and technological stack, the compromised segments need to be segregated. This is the way to detect and contain an attack.

Looking back at the defensive mechanisms outlined in the previous section, it's clear that most of them are part of a "back to basics" policy. All responsible personnel need to keep in mind that wiper attacks' main purpose is to create chaos, while they can also be motivated by the desire to conceal malicious activity. They could also simply be used to generate publicity. Defense against wipers needs to be done under the assumptions already mentioned. This philosophy will allow a CISO to be prepared to respond, mitigate and recover much faster. This also means that the crisis mode of operations, and its costs, will be reduced, and the move back to business as usual will happen faster.

ANNEX A

SHAMOON 1 - AUGUST 2012

This attack was clearly politically motivated. The attack destroyed more than 35,000 computers within the oil and gas industry based in the Gulf of Arabia. In order to perform its intended task, the wiper used a legitimate driver [1] to gain access to the filesystem structures while bypassing the Windows API. This wiper does not encrypt all files, but it generates a list of files to encrypt. Finally, the malware will overwrite the MBR, preventing system boot.

DARK SEOUL - MARCH 2013

This wiper attack involved multiple wipers, which were delivered by a third-party malware. None of the wipers had built-in replication capabilities. It is the only one from our list that searches for popular SSH clients in order to harvest credentials and use them to wipe Unix systems. On Windows platforms, the different variants perform MBR and VBR destruction by overwriting them with the words "Hastani" or "Principles". The files and directories were also destroyed either by using the Windows API or by writing 100 KB of data every 5.3 MB.

GUARDIANS OF PEACE - NOVEMBER 2014

This attack is a good example of malicious actors using malware to cover their tracks. Sony was only aware of the attack when the computers were rendered inoperable by the wiper. This wiper was deployed by a dropper and used the same legitimate driver used in the Shamoon 1 incident. After the incident was made public, several archives with Sony's internal data were released to the public. This release of information made it clear that the attack had started much earlier, and that the wiper was used to send a message, but also to cover the attackers' tracks.

BLACKENERGY - NOVEMBER 2015

BlackEnergy is a malware known for attacking industrial control systems, specially targeting Ukraine. This is a modular malware, which was already known, but in 2015 a new component was added, called KillDisk, which would destroy data and render the system unbootable. This wiper would overwrite files with extensions belonging to a target list. The target extension list differs from KillDisk variant to variant, depending on the targeted sector: media, electricity or oil. This level of specialization shows that the malicious actors are adaptable and flexible enough to tweak their tools to their targets.

SHAMOON 2 - NOVEMBER 2016

Being the second attack of its kind, surprisingly, this wiper did not change its destruction methods. It still uses the same driver to bypass the operating system file system protections. However, this version used hardcoded credentials for spreading. Again, this attack targeted the Arabian peninsula's oil and gas sectors, and technically didn't use any new techniques when compared with the first of its kind.

WANNACRY - MAY 2017

This malware used the EternalBlue/DoublePulsar exploits to replicate itself across the network. Once on the system, it starts the encryption of certain files on the system. At the same time, it starts the replication process to spread to other systems.

Some will dispute that WannaCry should be listed as a wiper malware. But in reality,

[1] Eldos software RawDisk

WannaCry's authors weren't able to obtain significant gains from this attack, especially when compared to ransomware such as Locky, Cryptowall or Teslacrypt. WannaCry was the first worm with a wide distribution since Conficker [2]. The problem is, with such a huge number of victims in such a small amount of time, it became unmanageable for the attackers to collect their earnings. This raises the question of whether there was ever the intent of making any earnings at all.

NYETYA - JUNE 2017

This is the malware attack with the largest financial impact known to date. The Nyetya worm applied well-known lateral movement techniques as a means for rapid replication and destruction. The wiper uses Mimikatz to harvest credentials from memory, which will be used for the replication process. Remote execution through psexec and WMIC is often used by adversaries during compromises to perform lateral movement. However, this was the first worm to use them as a means for replication. For the propagation, the malware also exploited the MS17-010 vulnerabilities. However, since the WannaCry worm already exploited this vulnerability, a lot of organizations had already patched their systems.

Nyetya's destructive payload used two methods to ensure the file destruction. In order to be efficient on the file destruction, it encrypted the first megabyte of each file. If it had enough privileges, it would replace the MBR with a custom bootloader which would perform the file destruction, completely bypassing the operating system.

OLYMPIC DESTROYER - FEBRUARY 2018

The most interesting aspect of this wiper was its capability to perform a lot of damage without explicitly doing it. Even though it had the capability, the destructive payload was not designed to destroy all the data on the systems. It was designed to render the systems unbootable and to only destroy data on remote drives. This was also the first wiper to patch itself with the harvested credentials, greatly improving the propagation capability. As a side effect, the malware changed its hash value on each credential harvested, which makes the detection and recovery much harder during the incident. It was clear during the incident that the objective of the malicious actors was not to completely destroy the Winter Olympic Games infrastructure, but rather to disable it and create chaos during a limited amount of time, thus making this a very good example of a wiper used to achieve publicity and worldwide attention.

[2] http://blog.talosintelligence.com/2009/02/conficker-variant-b-still-detected.html
